Be prudent towards cybersecurity before it’s too late

Hollywood movies give us an insight into how it feels when someone puts a gun to your head and demands a ransom. The good part is that we can anticipate the reaction to, and the prevention of, any such situation. However, virtual life is significantly different from what we see on the reel or, sometimes unfortunately, in real life. People labour under the misapprehension that the virtual world is a safe one, as no physical or face-to-face contact is made. If you think the same, you may want to rethink it.

Advancement in technology is, no doubt, making life much easier. All it takes is one click to grow a business, contact clients, lock deals and expand the clientele base. Communication has become easier and people can contact anyone from any corner of the world. But are these advantages turning into a bane? In recent years, they most definitely have. Cybersecurity is one of the biggest concerns of businesses that carry out most of their operations online. Phishing, vishing, ransomware and smishing are a few of the many cyber threats occurring on an hourly, if not daily, basis. One such cyber threat that has caught the attention of cyber police and tech enthusiasts is ransomware.

What is ransomware?

Ransomware is a kind of malware that is used to infect the devices of individuals or businesses. A few variants exist as of now: some infect the device and encrypt the files, while others get access to the device and either delete the files or block them until they get the desired ransom. The ransom can be anything between $200 and $20,000, or gift cards or bitcoins, with no specific pattern in its value.

The loss related to a ransomware attack is not limited to the ransom itself; it hits the victim in many ways. The losses include the loss of data, the ransom amount, legal charges, IT costs, cybersecurity software and loss of productivity. One ransomware attack can affect the victim in numerous ways, from which it takes months or even years to recover. When a phisher attacks a victim, he makes sure to take full advantage of the opportunity and attacks all the devices, including desktops and even smartphones, leaving the system a complete wreck.

How does a ransomware attack work?

The attack makes its way to the victim through the victim’s own activity. When the victim clicks on unauthorised links, opens e-mails containing malicious attachments, visits compromised websites or sometimes triggers drive-by downloads, the malware gets downloaded automatically and infects the system.

Another method used by phishers to trap their victims is the use of cyber threat actors. This method is a combination of spear-phishing and ransomware. When the attacker intends to attack a specific person, this method is by far the most successful. After mining all the information, the phisher contacts the victim, wins his trust and then attacks him by persuading him to click the malicious link or attachment. Using actors in such attacks helps in gaining more money or ransom in comparison to sending mass e-mails or messages.

Top 3 important steps for mitigation of ransomware attack

  • Incident response plan- This is very similar to cybersecurity training, where the employees of an organization are trained on how to prevent, identify and respond to various phishing attacks. Here the employees, employer or individual are trained on how to respond during a ransomware attack.
  • Anti-spam and antivirus- Antivirus and anti-spam solutions are your go-to preventive measures when it comes to phishing attacks. Make sure you upgrade them from time to time for better protection.
  • Backups are saviors- The main element of a ransomware attack is the stealing or encryption of important data. If you already own a backup of all the important data that may cause trouble if it gets stolen or deleted, it will significantly mitigate the loss caused by an attack.

Facts and figures

  • The bar graph below clearly represents the growth in damage and cost of ransomware, showing a whopping increase to an estimated $20 billion in 2020 alone.
[Figure: bar graph of the growth in ransomware damage and cost]

To sum up final thoughts

The greed for quick and easy money has made people with ill intentions stoop to a level where they use their brightest brains to weave ideas for trapping people. Ransomware attacks are getting more and more sophisticated, which is making it difficult to avoid or prevent them. However, with proper training and the preventive measures stated above, the task doesn’t seem impossible. Therefore, it’s high time one became alert to one’s activities online, to save oneself and one’s business from huge losses.

Don’t let new tactics get you phished!

Evolving and progressing in life goes hand in hand. One must always make efforts to progress so life doesn’t get stagnant. However, in recent years phishers seem to have taken this mantra way too seriously; as every year they tend to come up with new tactics to phish their victims. Just with the onset of the new decade, phishers came up with a new technique to swindle victims using the same old phishing technique but with a new twist to make it look more genuine and easy to trick.

What is the hype all about?

In January this year, computer expert Terence Eden brought a new trick used by phishers to public attention. Reportedly, the phishers sent a message to his wife, masquerading as EE and asking for personal information using a different type of URL. Fortunately, Eden’s wife was not a user of EE; however, Eden did notice something weird and new in the message. The message read:

As can be clearly seen in the URL above, the phishers have managed to use three elements to make it look genuine.

  1. The use of HTTPS://
  2. Using the real and official subdomain, that is ee.co.uk and,
  3. The main element of the date, that is Jan 02

What is the cause of concern?

The elements stated above have caught all the attention and are also the causes of concern.

  1. Use of HTTPS:// – One of the main concerns is the throwaway prices at which domain providers offer sub-domains these days. Anyone can easily get access to domain names of popular and established companies, making it easy for people who are not tech-savvy or are unaware of such attacks to fall prey to one. These hoax websites manage to get SSL certificates, due to which the lock sign is shown in the address bar, which makes the whole act look even more real.
  2. The ee.co.uk part was just a subdomain that was replicated and constructed by adding other information which is usually not added in phishing e-mails, making the link look more genuine.
  3. The current date was added to the URL, which is a new card played by the phisher. When potential victims come across such a message, they see “jan02.info”, which makes them believe that the link has come from the company itself.
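The check that exposes this trick is to ask who owns the registrable domain, not which brand name appears first in the hostname. The sketch below is an added example, not code from the original post; the suffix set, the `PROTECTED` list and the sample URLs are constructed for illustration (the URLs are built from the parts named above and are not the link from the original message).

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Production code should load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"uk", "co.uk", "info", "com"}

# Registrable domains of the brands being protected (assumption for this example).
PROTECTED = {"ee.co.uk"}


def registrable_domain(host):
    """Return public suffix + one label: 'ee.co.uk' for 'shop.ee.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Walking left to right tries the longest candidate suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # suffix missing from the constructed set


def classify(url):
    """Return (verdict, owner); owner is the registrable domain of the URL.

    The scheme is deliberately ignored: https:// and the padlock show that
    the connection is encrypted, not who registered the domain.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    owner = registrable_domain(host)
    if owner in PROTECTED:
        return "legitimate", owner
    for brand in PROTECTED:
        # Brand name used as whole labels of a host that someone else registered.
        if "." + brand + "." in "." + host + ".":
            return "lookalike", owner
    return "unrelated", owner


# Constructed sample URLs.
SAMPLES = [
    "https://ee.co.uk.jan02.info/",    # brand as subdomain of jan02.info
    "https://shop.ee.co.uk/account",   # really under ee.co.uk
    "https://example.com/",            # nothing to do with the brand
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, owner = classify(url)
        print(f"{verdict:10} owner={owner}  {url}")
```
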

How to protect yourself from such attacks?

One can find multiple alternatives to save oneself from phishing attacks, like security awareness training, e-mail filters, etc., but to tackle this specific new type of phishing, the DMARC protocol has to be your best bet.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a protocol that uses a combination of two frameworks, namely Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to authenticate the legitimacy of a website. Only when SPF and DKIM fail to prove the authenticity of an e-mail does the DMARC protocol work towards protecting the user.

When a DMARC policy is properly configured, it helps the user in deciding whether or not to accept or reject an e-mail from a particular sender. When you use a DMARC for protecting your brand or your individual information, it saves you from receiving messages from unauthorized senders.

DMARC not only protects you from receiving e-mails from phishers but its reports also provide you with information on people who are sending e-mails to other people using the name or domain of your company.

Finally, DMARC does more than just identifying and analyzing e-mails and bogus websites. It also helps in creating a community which helps in establishing a policy that authenticates the messages in circulation. When this happens the overall email environment becomes a safe and secure one.
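How the reports mentioned above are used in practice, as an added example (not code from the original post): it reads a DMARC aggregate report and lists the sources that sent mail under your domain without passing aligned SPF or DKIM. The report, `example.com` and the IP addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 layout; example.com and the
# documentation-range IP addresses are placeholders, not real senders.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>7</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>15</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
      </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>31</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize(report_xml):
    """Split a report into DMARC-passing volume and the sources that failed."""
    # Reports arrive by e-mail from third parties; for untrusted input use a
    # hardened parser such as defusedxml instead of the stdlib parser.
    root = ET.fromstring(report_xml)
    passing, failing = 0, []
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # A message passes DMARC when either aligned check (DKIM or SPF) passes.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            passing += count
            continue
        failing.append({
            "source_ip": row.findtext("source_ip"),
            "count": count,
            "disposition": evaluated.findtext("disposition"),
            "header_from": record.findtext("identifiers/header_from"),
        })
    # Largest unauthorised senders first.
    failing.sort(key=lambda f: f["count"], reverse=True)
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "passing": passing,
        "failing": failing,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(f"{result['domain']} (p={result['policy']}): "
          f"{result['passing']} messages passed DMARC")
    for f in result["failing"]:
        print(f"  {f['source_ip']} sent {f['count']} failing messages "
              f"as {f['header_from']} -> {f['disposition']}")
```
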

According to research, more than 70% of e-mails around the globe are fake, 30% of these phishing e-mails are opened by victims, 9 out of 10 e-mails have some form of ransomware in them, and a steady growth of over 4,00,000 phishing sites since the year 2016 has been observed. If these figures were not enough to spook you, there is more to it. Therefore, before you become one of the victims of such attacks, get your DMARC program installed today.

To sum up final thoughts

The beginning of the new decade has brought with itself some new risks as well. Phishers are trying their best to stay one step ahead and trick people into traps. However, as an aware netizen, you must try not to fall in such a trap and be alert with the link and websites you are visiting. Keeping track of all the new tricks used by phishers and the precautions available to protect oneself will help you in the long run.

TIKAJ’s Anti-phishing service will help secure your intangible treasure.

Make anti-phishing solutions ride shotgun in your company’s modus operandi

A person is always very particular and vigilant when it comes to the secrets of his or her close ones. People try to protect them even at the stake of their own lives. This is because they understand the sensitivity and tenderness of the secret and the chaos it can create if the beans get spilled. The same holds for a company as well. The business owner and the core workers know the sweat and blood they had to invest to make the company stand at the position it holds today. Therefore, it becomes their utmost priority to safeguard not only the company’s sensitive data but also the reputation and trust the employees and customers place in it.

A company holds a lot of important assets, which include its data, finances, and intellectual and intangible property. The security of these elements is as important as the assets themselves. When these elements get into the hands of attackers, it can land the company in problems with irreversible consequences. Therefore, along with proper awareness among the employers and employees, effective solutions are equally vital. With the advancement of technology and a detailed analysis of the pattern of attacks by phishers, a number of solutions are now available which can help the company in the long run.

Need for anti-phishing solutions

The need for any solution or service can be best understood by the urgency of its use. Starting with the statistics, in 2018 alone around 880 million phishing e-mails and messages were detected around the globe.

Phishing e-mails disguise themselves as if they are from familiar websites or companies. The e-mails are usually sent in bulk, which is a time- and cost-efficient method of catching prey. They add attachments or links which contain malware and ransomware, making them very dangerous even if a victim only clicks on one. The phishers have now also specialized and upgraded their game: they attack their victims by creating personalized e-mails for them, which increases the chances of the victims falling for it.

The scariest and most worrisome part of a phishing attack is that if the attacker gets access to your data, it will be months before you can even detect the breach. Even after you detect the breach, it will take you months to contain it and get back on your feet to control the damage. This gives the phishers a straight eight months’ head start to continue with their malicious venture. These reasons add up to why every company is on the radar of the phishers and how important these anti-phishing solutions are.

How do anti-phishing solutions work?

  • Scans the incoming e-mails- The most important feature of an anti-phishing solution is scanning e-mails. This is because most phishers make their way into your device through the malicious e-mails they send you. When you click these links or attachments, the malware infects your device. However, when you install an anti-phishing solution on your system, the software intercepts the e-mails and lets you know whether or not an e-mail is safe to go ahead with.
  • Processes smart quarantine- You might be wondering what happens if your important e-mails are marked as spam or get blocked and never reach you. However, anti-phishing solutions provide you with smart quarantine, which means they will never mess with your important e-mails or mark them as junk.
  • Real-time blocking of malicious URLs and links- No matter how aware or experienced you are with surfing the internet, one misclick is enough to infect your whole network. Therefore, installing a proper anti-phishing solution will stop you in the first place from loading malicious webpages or clicking on the links. So now you can safely surf the internet without worrying about malicious webpages or links.
  • Protects all the devices other than a computer- While a number of excellent solutions are available for protecting your computer, there is a lack of cybersecurity options for your mobile phone. As more and more people prefer using their phones for carrying out most of their activities, having proper security options for your phone is equally important. Anti-phishing solutions come as good tidings, as they include multiple pieces of software for the protection of your mobile phone and similar devices as well.
  • Prevention from spoofing- If your website earns a lot of traffic or is gaining popularity, you may be a possible target of phishers. They spoof your website and misuse it under your name. Phishers these days also send a number of spoofed e-mails that you might receive. In such cases, anti-phishing solutions sniff out any incoming spoofed e-mail or help in detecting spoofed websites, taking a truckload of responsibility off you.

Some final thoughts

It is an important step for all companies to educate and create awareness among the employer and employees regarding the prevalence of phishing attacks and all the possible techniques used by them to phish their victims. It is equally important for them to provide insights as to how these attacks can affect the company in multiple ways. Having said that, the implementation of only security awareness training is not enough for providing all-round security for the company. Every company must install software which can ensure that any kind of phishing attack can be prevented both at the internal and external level; which gets us to the conclusion that anti-phishing solutions are a must in every company or individual’s modus operandi.

How to save yourself from falling into the “phishing trap”?

When we hear the word Phishing, what image do we visualize exactly? Don’t we see a fisherman, sitting with a fishing stick to trap fishes? Yes, we do.

Oh! I think I’ve made a small mistake. I wrote “Phishing” instead of “Fishing”. But was it really a mistake that was made? No. I’ve written it deliberately. But why?

Phishing is actually the same thing as fishing, though not literally. In “Fishing”, a fisherman makes TRAPs for fishes to get trapped, and here Dodgers prepare TRAPs for users to get trapped. The only difference is in the techniques. Formally, phishing is a cybercrime. It is a fraudulent attempt to obtain personal and sensitive information like passwords, PIN codes, and debit and credit card details by posing as a trustworthy entity in electronic communication like Gmail, telephone or text messages.

TRAP

As mentioned above, we are also trapped by the TRAPs. If you think that it was a sarcastic comment, then let us get you a clear picture as to what we meant by it.

Let us be aware of the TRAP:

T – Tab nabbing

It is a kind of phishing attack and computer exploitation that persuades users to submit their login details along with passwords to renowned websites by impersonating those sites along with convincing the user that the site is authentic. 

R – Redirection (Covert Redirection)

Redirection refers to Covert Redirection. It is a subtle way of performing phishing attacks that makes links appear legitimate while actually redirecting the user to a forger’s or attacker’s account.

A – Adulteration (Website Forgery)

The word “Adulteration” means Forgery. This refers to Website Forgery. Some forgers can use JavaScript commands in order to change the address bar of the website they lead to. This is performed either by placing an image of a legitimate URL over the address bar or by eliminating the original bar and opening up a new one with the legitimate URL. 

P – Pageant (Clone Phishing)

Pageant is used here as a synonym for clone or disguise. It is a type of phishing attack that takes place through e-mails: a legitimate, previously delivered e-mail containing an attachment or link has its content and recipient address(es) taken and used to prepare an almost identical, or cloned, e-mail.

Consequences

As you are quite aware of the TRAP, now we can easily get into its consequences. 

We are quite aware of the term OTP, right? We are also aware of its full form and what OTP means. It’s a One-Time Password. But presently, it defines something else. Its present abbreviation is Officially Trapping People. Maybe it sounds ridiculous but this is the actual fact. 

OTP (One-Time Password) is considered an effective deterrent against cybercriminals trying to extort money from the bank through online transactions. 

There are many such cases where criminals fooled customers and forced them to reveal their OTP, accessed it by android hacking or learned how to hack OTP of other mobile numbers. But now, they found another way of looting. They request your bank to change your phone number linked with a bank account. A cybercriminal can smartly walk into the bank, impersonate you, request a change in the registered number and use the connection to receive the OTP. Impersonation is a quick and simple process to carry out an OTP theft. 

A resident of Janakpuri in Delhi was recently duped by a criminal and lost Rs11.5 lakh from his current account through impersonation, according to a TOI report.

Police said on August 31 that two persons arrived at the bank and one of them impersonated the account holder. They requested a change of the registered number and filled in the prescribed form. After registering the new number, they carried out online transfers from the victim’s account using the OTPs sent to the new mobile number. They withdrew Rs11.5 lakh and transferred it to six different accounts held in a bank in Dwarka, from which it was further withdrawn through ATMs and cheques. After the crime was committed, they just switched their number off.

There is another way of OTP theft. Criminals can dupe a bank customer by contacting the mobile operator with fake identity proof and get a mimicked SIM card. When the operator deactivates the original SIM, the criminal generates OTP on the new number and conducts online transactions and this is how to hack OTP of other mobile numbers.

Conclusion

It is becoming impossible day by day for banks and the government to take preventive measures and make the customers aware of such transactions. If you’re now aware of what OTP means (Officially Trapping People), kindly take precautionary measures. Don’t give your personal and sensitive details to anyone. Don’t fall for a better opportunity and don’t get trapped into the TRAP of the fraudsters.

Phishing: The emergence of sinister side of the corporate world

“Success is how high you bounce when you hit bottom.” – General George Patton

Well it seems like the youths of India are hitting the “bottom” so hard these days that their desires of bouncing back to the top, has blinded them from scrutinizing whether the opportunities they are getting are genuine or not.

The percentage of phishing attacks has increased in recent years. For example, in January 2019, the CEO of an award-winning recruitment firm, Wisdom Jobs, was arrested with 13 staffers. Working since the year 2009, they duped a whopping 1.04 lakh jobless people, scamming them of nearly Rs70 crores in return for promises of fake jobs inside and outside India.

In September 2018, 7 fraudsters were held in custody in Delhi for defrauding 20 jobless youths by taking 2 lakh from each in exchange for fake jobs at ONGC. So, if you’re living in India and looking for a job inside India or abroad, you need to know who you are going to deal with before even getting your appointment letter.

Although, India has secured the seventh place in the rankings of international nominal GDP in 2018, the unemployment rate has gone up to more than 7.5% in 2019. The scammers are taking advantage of this situation by providing non-existent jobs and thereby, increasing the phishing attacks percentage.

Freshers passing out of colleges are easily getting trapped for being unable to handle the peer pressure from their families, and the fake consultants are using every opportunity that they are getting because of the easy accessibility of the internet. Families of these youths are now blinded by their desires of seeing their kids working into MNCs in the Gulf or abroad, since they’ve invested lakhs of money for 3 – 4 years.

The embassies and companies are putting advisories to warn the new applicants on their official websites. Renowned groups like TCS, Shell, and Monster.com have also put warnings to save the youths from being duped.

However, here are the steps these fraudsters use to hunt, which you need to be aware of:

  • Getting access of applicant profiles from job recruitment sites.
  • Sending mass emails to potential candidates they search for.
  • Posing as job consultants, setting up fake offices, fake websites to convince those candidates.
  • Candidates are asked to deposit a particular amount through wallet or bank transfer.
  • Fake appointment letters are provided after conducting online or telephonic interview.

How to save yourself from getting duped by phishers

People who are mainly from tier 2, or sometimes tier 3 cities, passing out from lesser known colleges, having linguistic barriers along with less interpersonal skills, lack of education and charisma for not having real world interactions, are most likely to become the victims. Most of them are in their early 20’s with 0 – 5 years of job experience in the corporate world; they are falling in the traps before even starting their job career. These setbacks are putting some of them into long depressive phases that are hard to overcome.

Phishing is probably the easiest way these deceivers trick their candidates, and they do this by using different phishing attack types. Just by posing as job consultants, they scour multiple job portals like Naukri.com, Times jobs, Shine etc. Mails are then sent to the job applicants en masse. Even if only 5% of the job seekers get duped, it turns out to be a lot of money.

The mails typically ask for a security deposit, interview fee or any other charges, a comfortable schedule for an interview. While some tricksters would just disappear as soon as they get the money, others go so far as to conduct a quick online or telephonic interview before giving a fake appointment letter.

So, how to avoid being duped? To avoid getting trapped into one of many phishing attack types, here are some of the ways that you should go for:

[Infographic by TIKAJ: how not to get phished or duped by phishers]

  1. Browse Official Websites

    Companies put advertisements about vacancies on their official websites. Instead of replying to unrecognizable mails, go to the career pages of the companies and apply on their official sites. Even with online job portals, make sure that you route your resumes through the original sites, not by responding to a mail link. For jobs in foreign land, you should either go to government portals, or local job consultancy websites of the country you are applying for a job. Do not approach agents living in India for securing your foreign job positions.

  2. Paying For Securing The Post

    “No employer seeks any fee from a job-seeker at any stage of the hiring process.” says Abhijeet Mukherjee, CEO, Monster.com (APAC & Gulf). The awareness needs to be spread among the youths about the companies or individuals, who seek any kind of fees or charges as security deposit, registration or document verification. This can be done through bank transfer, cash or through a wire transfer. They can even ask for sensitive information of the user like card details, online banking

  3. Red Flags in Mail/Letter

    Youths can ward off scammers who approach through mails by scrutinizing the letter minutely. “Beware if the mail is from a free email address, not the company email,” says Mukherjee. Also proofread the letter, i.e. read it thoroughly for its format, spelling mistakes, poor syntax or wrong spacing. Even the name and signature of the person who is sending you the mail, as well as the company address and contact details, can be indications that it is being sent by fraudsters.

  4. Confirming By Calling Firms

    If you have any doubts about the offer or appointment letter, call the company on its registered contact numbers immediately. Check whether or not the person who mailed you exists and whether the organization has a vacancy for the post or position you’ve applied for. Do proper research about the company before applying for the job.

  5. Maturity is In Being Cautious

    Youths need to handle approaches very maturely when the company is portraying itself as too good to be true. If the company claims to provide a 70% – 80% increment in salary after a couple of months of joining, or a position that’s beyond your capabilities and experience, then the company’s foundation lies in scamming. Youths have to remain alert about getting appointment letters without even a formal interview being conducted. Make sure that you are called for a personal or face-to-face interview, ideally at the registered address of the company. Be on the lookout if you are called to a residential area or a place that has no signage related to the company. The interviewer’s background should also be easily verifiable.

To know more about Phishing & Anti Phishing services & Anti Phishing solutions reach out to us.

Your brochure as to why anti-phishing services are your best bet

One of the most infamous phishing techniques involves spawning fake copies of a login page and then making the victims sign in through that page, tricking them into handing over their credentials.

This technique of laying a phishing trap is very common and accounts for about 7% of cybercrime all over the world. Newcomers to the world of the internet are more prone to falling victim to such a technique, hence they require an expert methodology to help prevent such cases. This brings us to the concept of anti-phishing software.

Generally, anti-phishing software first checks the webpage which is being loaded on the web browser. If the page does not match with the database of that particular service, then the page is considered as safe and only then it is sent to the web browser to be rendered. However, the main question which arises is whether it is worth using and investing in such anti-phishing software? Just like every other thing in this world, every product, situation, etc. has two aspects: pros and cons. The important point is whether to consider it or not. Keeping a note of all the pro and cons of anti-phishing services will help you in deciding the answer to the aforementioned question. This article includes both positive and negative points and a comparison with a judgement suggestion about whether anti-phishing software is worth using or not.

People used to enter the world of the internet in their teenage years, but nowadays children around 5-6 years of age are capable of making accounts on various websites. This brings the risk of falling prey to phishing traps. Such users have no idea how to differentiate between fake and original pages or how phishing works, and hence they become easy victims. Before loading a page, anti-phishing services check whether or not the page actually belongs to the website it claims to be from. Consider the example of Facebook. The anti-phishing software will first check if the sign-in page actually belongs to Facebook. It also checks where the page is sending data after the user logs in. The anti-phishing software then shows the page on the screen if it seems safe. Phishing links are also sent via e-mails, and such services work to check if the link in the e-mail is actually a safe one or a phishing link.

Anti-phishing software has proved to be very effective against phishing attacks over the internet in the past couple of years. This stands as proof that these services actually work, but to what extent cannot be properly calculated. A lot of companies around the world provide anti-phishing services, and these services usually come built into internet security products. Companies which manufacture anti-virus software also manufacture internet security products, which include anti-phishing services. These internet security services work mainly by protecting users from entering fake web pages that might steal their important information over the internet by any false means. This certainly includes phishing pages.

PROS AND CONS

Since this software first checks the webpage, it makes loading each and every webpage slower. Sometimes it is also possible that these services mistakenly mark a safe page as a threat. If a user is doing internet banking, it might be possible that the user might get stuck in a mishap. The fund transfer procedure might be accidentally considered as an illegal operation carried out to steal money via internet banking. In such case the transaction may never complete, however, such incidents are almost none and hence it should not be a point to actually worry about.

However, many times other webpages can also be misunderstood as a phishing page. In such a case, if the user is sure that it is safe to proceed, then that page can be marked as safe. Many times if a user proceeds in an unsafe environment on the internet, then the anti-virus installed in the computer blocks any attempts to spread the virus incoming from the internet. Hence, it is suggested to have an anti-virus system along with an anti-phishing service (can be internet security).

FINAL INFERENCE

Since the advantages are really impressive and the disadvantages are something, which can be taken care of, it is advised to use anti-phishing services, as it provides great security throughout the internet session. The negative points of these services can be tackled easily. Investing a small amount of money in such services can save a lot more than you can think of as problems do not knock the door before coming, and these services can easily protect without any effort from the user’s side. The services are made in such a way that it works in the background and does not make the user feel disturbed during any transaction carried out on the internet.

CONCLUSION

Until now, these services have shown only positive results and not even a single case has come to light where such service has created problems to the user in the entire world. If a user is using a computer system, then it is not difficult for it to maintain an anti-phishing service, as it does not cost much and makes a user go tension free from almost all cyber-attacks with this effective service in hand.


Online fraud: Bulwark Your Online Payments From Phishers

Development in the world of Internet has gained a lot of popularity, primarily due to the ease of use and widespread support of supporting technologies. There is no denying to the fact that to some extent the hassle-free living of the people these days is due to the most advanced technological era. Online payments have eased the lives of a common man, such as standing in long queues for money withdrawal is no longer required. But at the same time, the crimes associated with the advent of these technologies have also surged. With an increase in online opportunities, there is an increase in the online fraud types and various other fraudulent techniques done by the fraudsters.

What is online payment?

The Internet is quickly becoming the first stop for people for buying products and services which has further given rise to numerous payment systems over the internet.

Online payment is defined as a transfer of an electronic value of payment from payer to the payee through some kinds of electronic mechanism and generally, the content of this exchange is made through some form of digital financial instruments such as credit card numbers, electronic checks and digital cash. Transactions in remote payment cases in which the consumer and merchant are not interacting face-to-face are also defined as CNP transactions.

This list consists of top frauds that occurred in 2018.

According to the USA Department of Justice (DOJ), e-fraud is defined as “a fraud scheme that uses one or more components of the Internet – such as chat rooms, e-mails, message boards, or web sites – to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to the financial institution or to other connected with the scheme”

Common assumptions and reality regarding online payments

Although many people believe that online payments are easy, past records state that many times online payments call for fraud. On one hand, the introduction of online payments or CNP transactions makes it much more attractive and useful for both consumers and businesses. On the other hand, since the authentication of card or cardholder is not possible physically, the possibility of frauds is higher.

In order to understand how online payments are more likely to make a person fall in a trap of fraudsters, let us understand one of the most common online fraud types that occur – Phishing. It won’t be wrong to say that online payment has become a new phishing scammer’s target.

Payment fraud is a serious assault: it has been estimated that online payment fraud causes losses of billions of dollars each year. Furthermore, fraudsters use recently developed techniques and methods for obtaining cardholders’ personal and financial information. Research states that fraudsters often use stolen account information to reach other accounts.

Phishing is one of the most common techniques used by fraudsters to obtain confidential information from the user, and they do this by posing as a trusted authority. It is a way to collect banking details and other sensitive information through emails that contain attachments or hyperlinks. Therefore it is important to understand what phishing emails are.

The fraudsters send an email in such a way that it appears to be a mail from an authorized organization. Whenever an individual clicks on an attachment or a hyperlink present in the email, it causes the system to get infected by malware. As a result, whenever a user makes an online transaction, the malware gets activated and steals all the personal information, including credit card numbers and PIN. This makes it easy for the fraudsters to carry out any financial transaction. The spammers use professional-looking emails that include logos, graphics, and many other elements. The content of such emails, in turn, is written in such a way that it confuses, upsets or excites the recipient. As the user often has no idea what phishing emails are, it gets easier for the phishers to trick the user.

A phishing attack is not only associated with authentic-looking emails; it can also be associated with fraudulent web pages. Phishers design web pages visually similar to real web pages in order to spoof readers. These spoofed web pages also include a graphical user interface in order to lure users into entering their personal information such as username, password, credit card details, and other sensitive information.

The entire process of online transaction begins with the consumers providing their sensitive personal information which is transmitted over various unsecured networks. Many times, the payment systems are not secure enough to protect and prevent the personal information of an individual from attack or attempts from the fraudsters.

Conclusion

Therefore, it can be concluded that although online payments have made the lives of people much easier, it is not completely safe. A little lack of attention can make your online transactions unsecured and therefore it is important to understand various online fraud types.

TIKAJ’s Security services will help secure your online transactions.

Don’t let new tactics get you phished!

Modern phishing baits – upcoming genres

They say creativity is a great tool for problem-solving. They also say creativity makes you sell your stuff faster. These days, though, do you know, creativity is being used for creating problems?

Phishing scammers these days are being far more creative than what has been expected for a long time. What were the most popular phishing tactics of this early decade? Let me jot a few familiar phishing email subject lines:

  • A delivery attempt was made
  • Password check required immediately – reset request was made
  • XYZ Service: Change Your Password Immediately
  • Your XYZ Service account is suspended
  • Suspicious Account activity detected
  • Hello (Yes! And then propose some absurd investment deal in the mail content)

Quite familiar, and much courtesy to the awareness trainings and articles, most of us are at least aware of such scams. But then the other day, I happened to skim my spam box (which is a ritual just out of boredom) and I came across the following:

[Image: modern bait example, captioned “Aware and attack!”]

Okay, interesting. The attacker himself is apparently spreading news or let us say the awareness against the rising rate of cyber attacks, against the malware that steal passwords. And what do you get when you click on the ‘read more’ hyperlink – the malware itself!

This interestingly explains how the attacker brains are coming up with tactics that will outwit your intelligence and intuitions, or at least make you wonder at them.

These scammers also have quite adapted their techniques now, which are now more towards content that possess personalised lures for the email readers. For example, as a target of Indian origin I recently received a spam informing me that my Kundali (a document containing ‘future prediction’ of an individual based on birth date primarily) was ready to be downloaded, which I had requested (wish I remembered when?), and they urged that I only needed to fill in some missing information – like my birth date. Convincing enough to click a bait link, is it?

Another set of subject lines below from my spam box targeting the tax-payers. 

And another trending forte of phishing mails are the ones, in which the attacker would claim that the victim email recipients have been caught watching porn content over the web via a malware that they have infected into the victim’s computer and to prevent them from spreading the videos to their contacts, they need to pay the attackers x value in bitcoins. 

They would top up this spiky content with lots of technical stuff, to make it appear convincing. And, for a person not familiar with phishing scams out there, such threats are enough to bring him to his toes! Read out an excerpt below:

[Image: Threat phishing techniques]

No doubt the level of phishing awareness and detection techniques are improving, but so are the baits. 

Well, as unpredictable these mails are, watch out for one of these, or an even better luring idea that an attacker might devise, landing in your mailbox the other day.


What is DMARC? How does it work? And why is it essential?

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email protocol that uses SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It controls what happens when an email fails authentication tests. It is published on the domain’s side, in its DNS records.

The DMARC publishing includes the following:

  1. SPF
  2. A-record
  3. CNAME
  4. DKIM

How does it work?

As mentioned earlier, DMARC uses SPF and DKIM. All these components work together to authenticate the message and decide what to do with it. If an email fails authentication, the process below happens:

  1. The DNS owner publishes a DMARC record for their domain.
  2. When the email is sent by the sender, the recipient mail server checks for the DMARC record.
  3. The recipient mail server performs the SPF and DKIM authentication in order to test whether the sender is really the domain.
  4. After performing the above-mentioned tests, the receiving mail server sends DMARC Aggregate Reports on the outcome of the messages received to the email address specified in the domain’s DMARC record.

The DMARC protocol is essential because email is the primary source of communication in any business. It fights the malicious email practices that can put your business at risk. DMARC is used to safeguard against email phishing and scam practices.

How can TIKAJ help?

To ease implementation we offer the DMARC+ solution, which provides an easy implementation dashboard that can make your journey easy.


Five Anti-Phishing practices to be implemented in your organisation.

Implementing a successful security strategy for a business is an engagement you can’t ignore: data is a valuable asset, and it necessitates security.

Question: Where should we start building walls for ultimate security?
Answer: Simple, kick-start with your people.

Don’t ever underestimate the training of your people in the organization as they are the prime targets for the phishing attackers.

Employees can make or break the company in case of phishing attacks, but if they are trained they can tackle the attacks to a great extent.

While software has its own place, it will be of no use if the people are tricked.

Let’s consider a situation. Suppose you have a home with high-end security, and there are kids and adults residing in the home. The security will be of no use if someone knocks on the door pretending to be a police officer or a known person and someone opens the door. In that case, all that security will amount to nothing more than a lot of money down the drain.

So, keeping that in mind, let’s discuss the best practices that can be passed on to your people to ensure that they become a part of your defense strategy against these types of attacks. These tactics are useful and can be applied by private individuals too.

1. Educate them on what threats look like

This is the necessary and central building block for implementing a security strategy for the company. Most of your people must have heard about phishing attacks, but how to identify those attacks is a completely different story.

So, constantly educating people about different types of phishing attacks should be part of your security strategy. It will make it easier for your employees to identify one if they encounter it.

People become complacent and put their guards down which makes the attack successful.

2. Pay attention to sender details when asking for sensitive information

It is uncommon for organizations to ask employees to share sensitive data, and it is unbelievable that they would ask for it over email. This is the prime reason that companies keep their sensitive data in a secured folder with appropriate password protection.

Stay alert and check the sender details twice. Even if the details seem to be authentic, call your senior or co-worker to confirm whether they requested it or not. Phishing is often done to gain access to username and password details so that attackers can send more emails from that person’s email ID in search of the data they want.

So, keep in mind that a simple phone call can prevent phishing plots and further damage.

3. Keep an eye on the shared URL

People take URLs for granted and assume that a URL is authentic because it seems familiar. But there is a catch: don’t forget about hyperlink capabilities. The scam artist designs the URL and knows where it is leading you in order to extract information.

Simply hover the cursor over the link and see where it is leading you. Usually people don’t do that; they think that what they see is the website they will be taken to.

4. Act smart and stay calm

It is a simple psychological trick: attackers create a sense of extreme urgency that pushes people to take sudden actions. They pretend to be from the company’s IT department and ask people to change their passwords or user credentials urgently. In the moment, people will follow it blindly and do what’s asked. It only takes an extra second to confirm with your colleague or a senior member.

To further protect your company from these attacks, establish processes and policies that can educate and help people in case they face a similar situation.

5. Having a Protocol for reporting Phishing attacks will help

If your people receive a phishing email (or they feel or think they did), they can report the incident to someone. The rest of the company will then be notified and put on high alert.

It’s a great idea to keep an eye on the whole problem so that you can regularly send email examples to your people related to your industry sector.

6. Invest in Anti-Phishing solution

The best way to defend against phishing threats is mitigation of external and internal phishing threats. TIKAJ offers an Anti-Phishing Detection and Mitigation Solution which can help in keeping your organization safe from new threats and attacks.

Stay alert and stay safe!