Logged-in Indians find themselves defenceless against rising cyberattacks
x

Logged-in Indians find themselves defenceless against rising cyberattacks


Tina (name changed) was sitting in Gurugram when she received an email from her boss in the United States. She was asked to deposit Rs 28,400 in a local vendor’s account in New Delhi. In the same mail, the boss had assured her that the amount will be returned to the 26-year-old employee in a day or two. Tina unhesitantly made the transaction. Within hours of making the first transaction,...

Tina (name changed) was sitting in Gurugram when she received an email from her boss in the United States. She was asked to deposit Rs 28,400 in a local vendor’s account in New Delhi. In the same mail, the boss had assured her that the amount will be returned to the 26-year-old employee in a day or two. Tina unhesitantly made the transaction.

Within hours of making the first transaction, Tina received two more emails from her boss asking for two more transfers – one worth nearly Rs 40,000 and the other worth Rs 52,000. She made both the payments. With the transaction close to nearly Rs 1.2 lakh done, Tina had to tell her boss that she had exhausted her account balance when the fourth mail popped in. The boss wrote back telling her to borrow from a colleague.

Following the boss’s instructions, she sent an email to a colleague. It was only then she learnt that the emails from the boss and all the orders for transactions were not actually sent by him but someone who used a fake email ID in his name. Tina knew she had been cheated. “I was so convinced by the language of the email. It really looked like my boss was asking me to transfer the money. The language and tone used in the mails were exactly like what my boss uses,” Tina said.

Tina, however, is not alone. Every employee working in her company has received similar mails on separate occasions. Ashit Joshi, CEO of NuCash, told The Federal, “Since the time we started our company, almost every new employee gets mail from someone posing as me and asking for money for some vendor. One of my team members, out of sheer innocence and the intention to help me and the company, sent the money. The fraud was reported but to no avail.”

According to a study by tech giant IBM, the cost incurred by Indian organisations on account of top three cyberattacks —phishing, malicious insider, and physical security compromise during the pandemic (April 2020- March 2021) — was over Rs 70 crore.

Researchers from IBM’s X-Force Threat Intelligence team found that Asia was the most-attacked region by cyber-criminals in 2021, accounting for one in four attacks globally, and India was among top three nations that experienced most server access and ransomware attacks in the region, a new report showed on Thursday.

Industry experts peg the total losses incurred from various forms of cyberattacks for the same period at Rs 2 lakh crore. The sectors worst hit by data breaches due to malware include finance, education and public sector. According to a study by CISCO published in September 2021, in India, malware attacks, which affected 92 per cent of small and medium businesses (SMBs), topped the charts, followed by phishing (76 per cent).

SMBs in the country who participated in the CISCO study said cyberattacks took away Rs 3.5 crore to Rs 7 crore of their revenues between 2020 and 2021. About 62 per cent of SMBs said they incurred business losses of more than Rs 3.5 crore while nearly 13 per cent respondents lost over Rs 7 crore because of cyber intrusions in the year 2020.

SMBs that suffered a ‘cyber incident’ also lost internal emails (73 per cent), employee data (71 per cent), intellectual property (74 per cent), and financial information (75 per cent). In addition, 73 per cent companies said it disrupted their operations, 76 per cent admitted it negatively impacted their reputation, and 70 per cent said it resulted in a loss of customer trust, the study further said.

Pandemic push

At a time we were obsessing over the rising number of Covid cases, the number most did not pay heed to was the staggering rise in cybercrimes. India witnessed a 572 per cent increase in cyber incidents over the last three years. Between 2018 and 2021, there was an over five-fold jump in the number of cybercrimes and frauds recorded by the government. The data was revealed by the Ministry of Electronics and Information Technology (Meity) before a parliamentary panel.

According to the Indian Computer Emergency Response Team (Cert-In), the number of incidents rose from 208,456 in 2018 to 1,402,809 in 2021. As many as 212,485 such cases were recorded in the first two months of 2022.

According to a McAfee Enterprise and FireEye’s report published in October 2021 titled ‘Cybercrime in a Pandemic World: The Impact of Covid-19’, the three most threatening cyber risks that were detected included malware attacks, data breaches, ransomware and cloud jacking. Many IT professionals also experienced vulnerabilities in their Internet of Things devices.

Spending more time with gadgets could actually be making us more vulnerable to cyberattacks.

“Cyberattacks tend to skyrocket in India during the holiday season as we tend to spend more time online and often let our guard down. Taking advantage of this, bad actors adopt newer techniques and sophisticated means to target businesses when they’re most vulnerable,” said Venkat Krishnapur, Vice President of engineering and managing director, McAfee Enterprise India said in a statement.

The Global Cybersecurity Outlook 2022 also highlighted that the Covid-19 pandemic has increased digitisation and cybercrimes with more and more people forced to work from home, technology has become increasingly vital in professional and personal lives.

Experts say many organisations fail to create a ‘cyber-safe’ remote-working environment despite enhanced technology. Research has found that people who work from home have higher chances of being victims of cybercrimes, with 47 per cent falling victim to scams. Due to the increased vulnerability to attacks in cyberspace, the rise in remote working necessitates greater attention to cyber security.

According to the report, the number of cyberattacks per organisation increased by 31 per cent in 2021 compared to 2020. The price of these breaches has also escalated with organisations needing an average of 280 days to detect and respond to a cyberattack. The report also states that in 2021 every successful cyberattack could have cost a firm around $3.6 million.

Cyberattacks impacted around 55 per cent enterprises worldwide in 2021. Identity theft accounts for 24 per cent of all attacks, while ransomware assaults account for 20 per cent. Moreover, ransomware, social engineering, and malicious insider activity are the top three cyberattacks that cyber leaders worldwide are the most concerned about.

Vijayashankar Nagarajarao, executive chairman at the Foundation of Data Protection Professionals in India, pointed out that the pandemic has increased hacking opportunities because there is greater use of technology by people who may be new to online services, for example, those who were forced by the pandemic-induced lockdowns to use online banking services or people forced to turn delivery agents as their routine jobs shut shop.

“In industries, work from home has also introduced a new threat, and companies which have not been thinking about security face the music. So that is a reason why cybercrimes have gone up,” he said.

Organisations hit the most

A new study published by CyberPeace Foundation in April 2022, along with Autobot Infosec and CyberPeace Center of Excellence, has found that Indian oil companies faced 3.6 lakh cyberattacks from October 2021-March 2022.

Among these the most noticeable in recent weeks has been the targeting of Oil India Limited (OIL). On April 13, it was reported that PSU major OIL’s registered headquarter at Duliajan in Assam’s Dibrugarh district purportedly came under a cyberattack which led the company to shut down all its computers and IT systems at the office.

The next day, the company received a ransom demand of $75,00,000 (roughly Rs 57 crore) from the perpetrator. A case was registered under various sections of the Indian Penal Code and the Information Technology Act, 2000, after the company approached the police.

The report highlighted that from the observed activity, October 2021 had 1,17,633 attacks. This figure stood at 55,871 in November 2021, while December registered a fall with 20,714 attacks. January 2022 saw the figure going up once again with 52,298 breaches. Similarly, February and March recorded 19,342 and 69,998 hits, respectively. As of April 12, there were 23,833 hits.

CyberPeace Foundation also detected a significant increase in phishing and social engineering attacks on Indian organisations in the oil and refining industries. Such attacks are used to dupe users into sharing sensitive information like passwords and other access details. Hackers are even using WhatsApp to send phishing messages with malicious links in the name of IOC, the firm said.

Globally, industries like finance, manufacturing and healthcare encountered maximum cyber threats. In January 2021, homegrown payment processing platform Juspay reportedly compromised the data of over 100 million customers. In March, Indian IT company Tech Mahindra which is managing the smart city project for Pimpri-Chinchwad Municipal Corporation filed a criminal report about a ransomware attack that occurred on February 26.

In March, Rajaharia claimed that a large data set containing sensitive know-your-customer (KYC) data of 110 million customers linked to mobile wallet and payment company MobiKwik was put up for sale on a hacker forum on the dark web.

In May 2021, India’s national airline Air India said its data servers were targeted by a cyberattack and sensitive data of 4.5 million customers around the world was believed to be compromised. During the same month the Air India breach was reported, data of 180 million customers who had ordered pizza from Domino’s India was allegedly published on the dark web.

Cybersecurity firm CyberX9 reportedly found a vulnerability in the exchange servers of leading public sector bank Punjab National Bank and claimed that the personal and financial information of close to 180 million customers was left exposed for seven months.

Talking about the recent cyber threats that the country had faced, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, said, “India faced a million cybersecurity incidents in recent times, which were tracked and reported by the Indian Computer Emergency Response Team (Cert-IN) over the last year, which made the country the second most attacked as far as cybercrime was concerned.”

“India needs investment in cybersecurity tech to make India a cyber-safe country. While the government is doing that, the private players should also step up.”

A clear lack data protection has left cyber users at the mercy of hakcers and cyber criminals.

Supreme Court lawyer and cyber law expert Karnika Seth said the legislation to govern the handling of data is much-needed as cyber crimes, breaches of privacy and unauthorised collection of data have become rampant, while India’s existing Information Technology Act and Information Technology Rules, enacted years ago, is not enough to protect personal data and prevent cyber crimes.

Cybersecurity expert and author Na Vijayshankar concurs saying, “If you are collecting huge data and you did not do anything for the security of that data, the impact will be huge. While the IT Act comes into play only after a crime happens, a data protection law is needed to continuously monitor so the data remains uncompromised.”

Only a 1 per cent convicted

Tina, who lost close to Rs 1.2 lakh, made a few calls to the bank she transferred the money to. The bank refused to put a hold on the account of the person saying that they cannot do that to a third-party account and asked her to go to the police. She called her own bank as well apart from putting a hold on her account itself while advising her to go to the police.

Tina reached Gurugram cybersecurity police station. They noted her complaint and said she has to wait till the morning for the receiver’s account to be put on hold. Tina said she told the police that the fraudster continued to mail her and asked if the cops could track him down from his IP address.

The police reportedly told Tina that such fraudsters sit in small shanties and there are thousands of such shanties that cannot be tracked. As Tina broke down in front of the police officers realising her hard-earned money was gone, the police official said, “Madam ro kyu rahi ho, subh subh ek bande ne Rs 5 lakh gawae, bada hanskar report likhwakr gaya (Why are you crying? This morning, a person lost Rs 5 lakh. He was laughing while filing an FIR.)”

Tina says she continued getting emails and kept telling the police about it but they neither tracked the IP address nor made any other effort to track the culprit.

Sandeep Singh, inspector, cyber division, Gurgaon, said, “It is very difficult to catch these frauds as they use fake SIM cards, bank accounts and phones. We try our best but we are still behind them.”

The success rate at solving cyber fraud is putting Indians at risk of losing their earnings. In India’s Silicon Valley Bengaluru, only one of every eight cybercrimes reported in the city in 2021 has been solved. Statistics provided by the Mumbai Police revealed that only 11.5 per cent cybercrime cases were solved in 2021.

If one files a complaint at the cyber crime police station, chances are that the police will not find time to investigate the case at all, and one may never recover the money lost.

Dr Pavan Duggal, an advocate at the Supreme Court of India and Conference Director, International Conference on Cyberlaw, Cybercrime and Cybersecurity, said, “The persecution rate is only 1 per cent in India as far as cybercrime is concerned. So this is a golden age for cyber fraudsters targeting India. We don’t have a cybersecurity law. Police are not trained in dealing with cybercrimes. The cases are piling up. Police are also not citizen-friendly. Cybercrime is a low priority at this moment but it is no less than a pandemic.”

“There are many attacks that are not mentioned in the Indian Penal Code. There is a need for a dedicated cyber law. Every day new types of cybercrimes are emerging and by the time the police start to find ways to tackle one, many new ones already emerge,” Duggal added.

 

Next Story