The 2019 NortonLifeLock Cyber Safety Insights Report, conducted online by The Harris Poll among 10,063 adults in 10 countries, has the following findings:
✓ 131.2 million is the number of cyber crime victims in India in 2019, compared with 350 million worldwide.
✓ Rs.1.24 trillion is the amount lost in India in the past 12 months due to cyber crime.
✓ 81% of Indians are alarmed about their privacy, the highest among the 10 countries surveyed, against a global average of 67%.
✓ 4 in 10 consumers in India have experienced identity theft, with 10% impacted in the past year.
Source: The Economic Times Wealth, dated Apr 13, 2020
With billions of smartphone users across the globe and billions of social media accounts, hackers have a field day with a huge platform of potentially unsecured user data. A naive user falls for even a simple ploy by a hacker and ends up losing all his savings. The trend of social engineering and the use of social media applications to commit cyber crime is on a steep rise. The only remedy is awareness of such acts and following security best practices.
Case Study 1:
A new modus operandi of social engineering fraud uses mobile numbers resembling the toll-free number of a Bank/ UPI/ Card Service Provider/ Banking Central Agency and registers those mobile numbers in the name of the said entity on caller identification mobile apps such as “True Caller”. This is called social engineering fraud using mobile numbers similar to the bank’s toll-free number, and the modus operandi is as follows:
Suppose that an entity’s toll-free number is 1800 123 1234 (not an actual number). The fraudster obtains a number, say 800 123 1234, resembling the said entity’s (SE’s) toll-free number and successfully registers it on the True Caller app (or any caller identification application) as the toll-free number of that SE. An unsuspecting customer (victim) looking to contact the entity calls the fraudster’s number registered on the True Caller application (800 123 1234) instead of the genuine toll-free number of the SE (1800 123 1234). The person (fraudster) attending this call then lures the victim into providing sensitive details such as debit/ credit card credentials, username, OTP, etc. to access the victim’s account and carry out fraudulent transactions.
In another case, a person fed up with the BSNL mobile network searched for the BSNL customer care number on Google. Unfortunately, he fell for a phishing act by calling such a fraudulent customer care number. The fraudster in turn asked him to download the AnyDesk remote desktop application and took control of his device. Eventually the fraudster asked him to do a small transaction while the former recorded all his details to empty his bank accounts completely.
In a similar case, a person searched for the PayTM customer care number on Google. The rest of the modus operandi is similar to the above case.
Sometimes the fraudster uses the pretext of a KYC update for a Bank/ UPI/ Card account or a mobile SIM card.
Customers are advised not to call any number found through a Google search or otherwise, and always to look for the authorised contact details available on the Bank/ UPI/ Card Service Provider/ Banking Central Agency’s website or other authorised publications.
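The following is an added illustration, not code from the original article: a defender-side check that flags a number a customer is about to dial when it merely resembles a known helpline, covering the exact pattern in Case Study 1 (toll-free prefix dropped) as well as single-digit changes. The helpline directory, its label and the sample numbers are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Constructed directory of genuine helpline numbers (placeholder from the case study, not a real number).
GENUINE_HELPLINES = {
    "18001231234": "Example Bank toll-free helpline",
}


def normalize(number: str) -> str:
    """Keep digits only and drop a leading Indian country code (91) if present."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("91") and len(digits) > 11:
        digits = digits[2:]
    return digits


def lookalike_risk(dialed: str, genuine=GENUINE_HELPLINES):
    """Classify a number the customer is about to dial.

    Returns (verdict, matched_genuine_number); verdict is one of
    'genuine', 'lookalike' (close to a real helpline but not it) or 'unknown'.
    """
    d = normalize(dialed)
    if d in genuine:
        return "genuine", d
    for g in genuine:
        # Toll-free prefix chopped off: 800 123 1234 vs 1800 123 1234
        if len(d) >= 8 and g.endswith(d):
            return "lookalike", g
        # Same length, at most one digit changed
        if len(d) == len(g) and sum(a != b for a, b in zip(d, g)) <= 1:
            return "lookalike", g
        # Otherwise a high overall similarity (one digit inserted or dropped, etc.)
        if SequenceMatcher(None, d, g).ratio() >= 0.85:
            return "lookalike", g
    return "unknown", None


if __name__ == "__main__":
    for n in ("1800 123 1234", "800 123 1234", "+91 1800 123 1234", "98765 43210"):
        print(n, "->", lookalike_risk(n))
```

A banking app or a caller-ID service could run the same check against the entity's published directory before placing a call.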
Case Study 2:
The OCAC CEO’s WhatsApp account was hacked and his WhatsApp contacts were asked to deposit a certain amount in a designated bank account. All this happened while the said CEO was kept in the dark, with his WhatsApp account blocked on his own device.
The Odisha Computer Application Centre (OCAC) is designated as the Technical Directorate of the Information Technology Department, Government of Odisha. The said CEO got a call from a girl about an OTP wrongly delivered to his mobile number, which the CEO inadvertently gave to that caller. That was actually the WhatsApp verification OTP generated when the fraudster installed WhatsApp and registered it with the OCAC CEO’s mobile number. With that installation the fraudster could access the entire contact list and chat history. The fraudster then sent a message to the CEO's contacts asking for a certain amount of money. The CEO came to know about the fraud only when one of his friends suspected some mischief and informed him about it. But by then many of his friends had actually been tricked by the fraudster and had transferred a lot of money to the fraudster’s account.
This type of phishing, directed at specific individuals or companies and at senior executives or high-profile targets, is called whaling.
Customers are advised not to share an OTP with anyone. An OTP (One Time Password) is the second authentication factor; once it is compromised, the security is breached and the vulnerability is exposed for a crime to take place.
E-SIM fraud uses a similar modus operandi. The e-SIM was first launched by Apple and then came to a few Google devices. Now this embedded SIM is available on a few select Samsung mobiles.
E-SIMs can be registered with any telecom service provider. However, hackers register an e-SIM against a victim's number by obtaining the OTP sent by the telecom service provider, and thereby gain access to the victim’s online profiles registered with that mobile number. A mobile number can be active on only one device, so once the hacker activates the e-SIM, the victim’s mobile number is completely blocked and becomes inaccessible. The hacker may now commit anything from financial theft to identity theft.
So the OTP is the key, and the best practice is not to share it with anyone. People holding high-value positions need to be extra careful, as these hacking attacks are orchestrated to target them. E-SIM fraud can happen to anyone, even without an e-SIM enabled device.
Case Study 3:
An incident occurred recently with a girl in Bhubaneswar who was attempting to sell furniture on the well-known internet marketplace OLX. A seemingly genuine buyer first confirmed the purchase of the product and negotiated further to mutually agree on a price over WhatsApp. The sham buyer then shared a QR code, pledging to pay the whole sum in advance. The fraudulent QR code posted to her WhatsApp account had Rs.9,500 written underneath it. After scanning the code, she was required to input her UPI PIN. She had no idea about the fraudulent deed until she entered the UPI PIN, which promptly debited Rs.9,500 from her bank account. The fraudster requested her to repeat the transaction, to which she agreed, and another Rs.9,500 was debited from her account. Only when the fraudster asked her to continue with such transactions did she realise that she had been deceived.
To win her confidence, the fraudster first asked her to do a similar transaction for just Rs.5, which she did, and against that the fraudster transferred Rs.5 twice. But later he convinced her that for bigger amounts she had to do the transaction twice in order to receive three times the amount.
A QR (Quick Response) code scanner app simply reads and decodes the QR code. The QR code scam has been on the rise for the last few months. The fraudster distributes QR codes on social networking platforms or uses UPI’s request functionality to send phone payment requests with texts like ‘Enter your UPI PIN to receive money’.
Customers are advised to avoid scanning any random QR code and to treat such codes as a possible threat. Use only an authentic QR code scanner app, after thorough due diligence such as reading the app’s reviews and ratings.
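As an added example (not from the original article), the following decodes the text behind a UPI payment QR code and spells out what entering the PIN would actually do. It assumes the QR carries a UPI deep link of the form upi://pay?pa=...&pn=...&am=...&cu=INR; the payee address, name and accompanying message are constructed to mirror Case Study 3.

```python
from urllib.parse import urlsplit, parse_qs


def parse_upi_link(payload: str) -> dict:
    """Decode a UPI deep link (the text inside a UPI QR code) into its fields.

    Assumed layout: upi://pay?pa=<payee address>&pn=<payee name>&am=<amount>&cu=INR
    """
    parts = urlsplit(payload)
    if parts.scheme.lower() != "upi":
        raise ValueError("not a UPI deep link")
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fields["action"] = parts.netloc.lower()  # 'pay' for a payment QR
    return fields


def assess_qr(payload: str, accompanying_message: str = "") -> dict:
    """Explain what really happens if the customer scans this QR and enters the UPI PIN."""
    info = parse_upi_link(payload)
    # Whoever scans a 'pay' QR is the payer: the PIN authorises a debit from the
    # scanner's account to the payee address 'pa'. No QR code credits the scanner.
    will_debit = info["action"] == "pay"
    amount = info.get("am")
    red_flags = []
    if will_debit and amount:
        red_flags.append(f"Entering your PIN sends Rs.{amount} to {info.get('pa')}")
    if will_debit and "receive" in accompanying_message.lower():
        red_flags.append("The message says you will receive money, but this QR can only debit you")
    return {
        "payee": info.get("pa"),
        "payee_name": info.get("pn"),
        "amount": amount,
        "will_debit_scanner": will_debit,
        "red_flags": red_flags,
    }


if __name__ == "__main__":
    # Constructed payload and message modelled on Case Study 3 (not a real payee address).
    qr_text = "upi://pay?pa=buyer.example@upi&pn=Furniture%20Buyer&am=9500&cu=INR&tn=Advance"
    result = assess_qr(qr_text, "Scan and enter your UPI PIN to receive Rs.9,500")
    for flag in result["red_flags"]:
        print("RED FLAG:", flag)
```

The point the decoded fields make is that the Rs.9,500 written under the code is the amount the scanner pays, never the amount she receives.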
Case Study 4:
In another case a fraudster was found to be using a UPI spoofing mobile app. The fraudster first enters details such as name, mobile number, amount, transaction date and time, etc. and generates a false transaction receipt resembling the original transaction receipt of that UPI app.
Customers are advised to check the messages on their own mobile or their own UPI/Bank account instead of being fooled by such a spoofed transaction receipt.