Industrial Development Company of Puerto Rico was hit by a phishing scam which cost the government agency more than $2.6 million.
According to this report, the phishing scam began targeting the agency in January, and the government-owned organization performed the transaction on January 17th.
The organization reportedly received an email claiming that the bank account used for remittance payments (transfers of money to a person in their home country) had changed.
The agency lodged a police complaint about the scam, but questions about how the scam was discovered and whether the agency's operations have been compromised remain unanswered.
Phishing attacks have evolved to such an extent that the statistics relating to this subject are quite disconcerting. According to the FBI, in 2019 alone IC3 received a total of 467,361 complaints with reported losses exceeding $3.5 billion. Phishing and Data Breach were among the most prevalent crimes reported last year.
Tips to avoid phishing scams
Any organization is only as strong as its weakest employee, so it is necessary to train and educate staff about phishing. This training needs to be delivered on an ongoing basis, using a variety of methods for maximum reach. Use phishing simulation services like PhishGrid to train and educate users about phishing attacks and attempts.
Avoid Shortened Links
Everyone has seen great offers and links on social media platforms, and some of them are genuinely useful. Avoid such links unless you are sure of their authenticity.
Verify Site Security
Whenever you’re entering sensitive financial information or any form of private data, it is essential to verify the security of the site to which you are submitting it.
When dealing with phishing attacks the key is simply to be sensible and vigilant at all times. Never click on the links, download files, or open any email attachments without confirming their authenticity.
Use Anti Phishing Solutions
TIKAJ provides an end-to-end anti-phishing solution, from monitoring and detection of phishing incidents through to incident response and site take-down. Using in-house developed machine learning algorithms, we detect, analyze and proactively dismantle the systems and illicit services cybercriminals depend upon to carry out phishing attacks.
When we hear the word Phishing, what image do we visualize exactly? Don’t we see a fisherman, sitting with a fishing rod to catch fish? Yes, we do.
Oh! I think I’ve made a small mistake. I wrote “Phishing” instead of “Fishing”. But was it really a mistake? No, I wrote it deliberately. But why?
Phishing is essentially the same as fishing, though not literally. In fishing, a fisherman sets TRAPs for fish to get caught in; here, fraudsters set TRAPs for users. The only difference is in the techniques. Formally, phishing is a cybercrime: a fraudulent attempt to obtain personal and sensitive information like passwords, PINs and debit or credit card details by masquerading as a trustworthy entity in electronic communication such as Gmail, telephone or text messages.
As mentioned above, we too are trapped by these TRAPs. If you think that was a sarcastic comment, let us give you a clear picture of what we meant by it.
Let us be aware of the TRAP:
T – Tab nabbing
This is a kind of phishing attack and computer exploit that persuades users to submit their login details and passwords to well-known websites by impersonating those sites and convincing the user that the site is authentic.
R – Redirection (Covert Redirection)
Redirection here refers to covert redirection, a subtle technique for phishing attacks in which links appear legitimate but actually redirect to a forger’s or attacker’s site.
A – Adulteration (Website Forgery)
P – Pageant (Clone Phishing)
Pageant is used here as a synonym for clone or disguise. This is a type of phishing attack carried out through email, in which a legitimate, previously delivered email containing an attachment or link has its content and recipient address(es) taken and used to create an almost identical, cloned email.
Now that you are quite aware of the TRAP, we can easily get into its consequences.
We are all familiar with the term OTP, right? We also know its full form: One-Time Password. But these days it could stand for something else: Officially Trapping People. It may sound ridiculous, but this is the reality.
OTP (One-Time Password) is considered an effective deterrent against cybercriminals trying to extort money from the bank through online transactions.
There have been many cases where criminals fooled customers into revealing their OTP, obtained it by hacking Android phones, or learned how to steal the OTPs sent to other mobile numbers. Now they have found another way of looting: they request your bank to change the phone number linked to your account. A cybercriminal can walk into the bank, impersonate you, request a change in the registered number and then receive the OTP on the new number. Impersonation is a quick and simple way to carry out an OTP theft.
A resident of Janakpuri in Delhi was recently duped by a criminal using impersonation and lost Rs11.5 lakh from his current account, according to a TOI report.
Police said on August 31 that two persons arrived at the bank and one of them impersonated the account holder. They requested an alteration of the registered number and filled in the prescribed form. After the new number was registered, they carried out online transfers from the victim’s account using the OTPs sent to the new mobile number. They withdrew Rs11.5 lakh, transferred it to six different accounts held in a bank in Dwarka, and then withdrew it further through ATMs and cheques. After the crime was committed, they simply switched their number off.
There is another way of OTP theft. Criminals can dupe a bank customer by contacting the mobile operator with fake identity proof and obtaining a duplicate SIM card. When the operator deactivates the original SIM, the criminal receives the OTPs on the new SIM and carries out online transactions; this is another way OTPs meant for other mobile numbers are stolen.
It is becoming increasingly difficult for banks and the government to take preventive measures and make customers aware of such transactions. Now that you know what OTP can mean (Officially Trapping People), take precautions: don’t give your personal and sensitive details to anyone, don’t fall for an offer that seems too good to be true, and don’t get caught in the TRAP of the fraudsters.
“Success is how high you bounce when you hit bottom.” – General George Patton
Well, it seems the youth of India are hitting the “bottom” so hard these days that their desire to bounce back to the top has blinded them from scrutinizing whether the opportunities they are getting are genuine or not.
The share of phishing attacks has increased in recent years. For example, in January 2019 the CEO of an award-winning recruitment firm, Wisdom Jobs, was arrested along with 13 staffers. Operating since 2009, they had duped a whopping 1.04 lakh jobless people, scamming nearly Rs70 crores in return for promises of fake jobs inside and outside India.
In September 2018, 7 fraudsters were taken into custody in Delhi for defrauding 20 jobless youths, taking 2 lakh from each for fake jobs at ONGC. So, if you live in India and are looking for a job in India or abroad, you need to know who you are dealing with before you even receive an appointment letter.
Although India secured seventh place in the rankings of international nominal GDP in 2018, the unemployment rate rose to more than 7.5% in 2019. Scammers are taking advantage of this situation by offering non-existent jobs, thereby increasing the share of phishing attacks.
Freshers passing out of college are easily trapped because they cannot handle the pressure from their families, and fake consultants exploit every opportunity the easy accessibility of the internet gives them. The families of these youths are blinded by the desire to see their kids working in MNCs in the Gulf or abroad, since they have invested lakhs over 3 to 4 years.
The embassies and companies are putting advisories to warn the new applicants on their official websites. Renowned groups like TCS, Shell, and Monster.com have also put warnings to save the youths from being duped.
However, here are the steps these fraudsters typically use to hunt, which you need to be aware of:
Getting access to applicant profiles from job recruitment sites.
Sending mass emails to the potential candidates they search for.
Posing as job consultants and setting up fake offices and fake websites to convince those candidates.
Asking candidates to deposit a particular amount through a wallet or bank transfer.
Providing fake appointment letters after conducting an online or telephonic interview.
How to save yourself from getting duped by phishers
People mainly from tier 2, or sometimes tier 3, cities, passing out from lesser-known colleges, with language barriers, weaker interpersonal skills, less education and little real-world exposure, are the most likely victims. Most are in their early 20s with 0 to 5 years of experience in the corporate world; they fall into these traps before their careers have even begun. These setbacks push some of them into long depressive phases that are hard to overcome.
Phishing is probably the easiest way for these deceivers to trick their candidates, and they use different phishing attack types to do it. Simply by posing as job consultants, they scour multiple job portals like Naukri.com, TimesJobs, Shine etc. Mails are then sent to the job applicants en masse. Even if only 5% of the job seekers are duped, it adds up to a lot of money.
The mails typically ask for a security deposit, interview fee or other charges, and offer a convenient schedule for an interview. While some tricksters simply disappear as soon as they get the money, others go so far as to conduct a quick online or telephonic interview before issuing a fake appointment letter.
So, how to avoid being duped? To avoid getting trapped into one of many phishing attack types, here are some of the ways that you should go for:
Feel free to use this image on your website using the code below:
<figure><img src="https://tikaj.com/blog/wp-content/uploads/2019/12/Not-get-duped-1.jpg" alt="Infographic By - TIKAJ" width="580" height="1463"/></figure>
<a alt="Infographic By - TIKAJ" href="https://tikaj.com">Infographic by www.tikaj.com</a>
Browse Official Websites
Companies advertise vacancies on their official websites. Instead of replying to unrecognized mails, go to the companies’ career pages and apply on their official sites. Even with online job portals, make sure you route your resume through the original site rather than responding to a mail link. For jobs abroad, either go to government portals or the local job consultancy websites of the country you are applying to. Do not approach agents living in India to secure a foreign job position.
Paying For Securing The Post
“No employer seeks any fee from a job-seeker at any stage of the hiring process,” says Abhijeet Mukherjee, CEO, Monster.com (APAC & Gulf). Awareness needs to be spread among the youth about companies or individuals who seek any kind of fee or charge as a security deposit, registration or document verification, whether through bank transfer, cash or wire transfer. They can even ask for sensitive information of the user like card details, online banking
Red Flags in Mail/Letter
Youths can ward off scammers who approach through mail by scrutinizing the letter closely. “Beware if the mail is from a free email address, not the company email,” says Mukherjee. Also proofread the letter: check the format, spelling mistakes, poor syntax or wrong spacing. Even the name and signature of the person sending the mail, as well as the company address and contact details, can be indications that it was sent by fraudsters.
Confirming By Calling Firms
If you have any doubts about the offer or appointment letter, call the company on its registered contact numbers immediately. Check whether the person who mailed you exists and whether the organization has a vacancy for the position you applied for. Do proper research on the company before applying for the job.
Maturity is In Being Cautious
Youths need to handle approaches very maturely when a company portrays itself as too good to be true. If the company claims to provide a 70% to 80% salary increment after a couple of months of joining, or a position beyond your capabilities and experience, then its foundation lies in scamming. Youths also have to remain alert about receiving appointment letters without a formal interview. Make sure you are called for a personal, face-to-face interview, ideally at the registered address of the company. Be on the lookout if you are called to a residential area or a place that has no signage related to the company. The interviewer’s background should also be easily verifiable.
They say creativity is a great tool for problem-solving. They also say creativity makes you sell your stuff faster. These days, though, did you know that creativity is also being used for creating problems?
Phishing scammers these days are being far more creative than has been expected for a long time. What were the most popular phishing tactics at the start of this decade? Let me jot down a few familiar phishing email subject lines:
A delivery attempt was made
Password check required immediately – reset request was made
XYZ Service: Change Your Password Immediately
Your XYZ Service account is suspended
Suspicious Account activity detected
Hello (Yes! And then propose some absurd investment deal in the mail content)
Quite familiar, and thanks largely to awareness trainings and articles, most of us are at least aware of such scams. But then the other day I happened to skim my spam box (a ritual born of boredom), and I came across the following:
Okay, interesting. The attacker himself is apparently spreading news, or let us say awareness, about the rising rate of cyber attacks and the malware that steals passwords. And what do you get when you click on the ‘read more’ hyperlink? The malware itself!
This interestingly shows how attackers are coming up with tactics that will outwit your intelligence and intuition, or at least make you wonder at them.
These scammers have also adapted their techniques, which now lean more towards content that carries personalised lures for the email readers. For example, as a target of Indian origin, I recently received a spam mail informing me that my Kundali (a document containing a ‘future prediction’ for an individual, based primarily on birth date), which I had supposedly requested (I wish I remembered when), was ready to be downloaded, and urging that I only needed to fill in some missing information, like my birth date. Convincing enough to click a bait link, isn’t it?
Below is another set of subject lines from my spam box, targeting tax-payers.
Another trending forte of phishing mails is the kind in which the attacker claims that the recipient has been caught watching porn content on the web via malware the attacker has infected the victim’s computer with, and that to prevent the videos from being spread to the victim’s contacts, the victim needs to pay the attacker x value in bitcoins.
They top up this spiky content with lots of technical detail to make it appear convincing. And for a person not familiar with phishing scams, such threats are enough to keep him on his toes! Read the excerpt below:
No doubt the level of phishing awareness and detection techniques are improving, but so are the baits.
Well, as unpredictable as these mails are, watch out for one of these, or an even better lure that an attacker might devise, landing in your mailbox some day.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email protocol that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It controls what happens when an email fails authentication tests. The DMARC policy is published in DNS on the sending domain’s side.
The DMARC publishing includes the following:
How does it work?
As mentioned earlier, DMARC uses SPF and DKIM; these components work together to authenticate the message and decide what to do with it. The process is as follows:
The domain owner publishes a DMARC record in DNS for their domain.
When an email is sent, the recipient mail server looks up the sender domain’s DMARC record.
The recipient mail server performs the SPF and DKIM checks to test whether the message really comes from the domain it claims to be from.
After performing these tests, the receiving mail server sends DMARC aggregate reports on the outcome of the messages received to the email address specified in the domain’s DMARC record.
The DMARC protocol is essential, as email is the primary means of communication in any business. It fights the malicious email practices that can put your business at risk. DMARC is used to safeguard against email phishing and scam practices.
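The following is an added example (not TIKAJ's DMARC+ code or any mail server's implementation) of the receiver-side decision described above: it parses a DMARC TXT record, checks SPF and DKIM identifier alignment against the visible From: domain, and returns the disposition the published policy calls for. The sample record, the domain names and the three sets of authentication results are constructed; the organizational-domain helper is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
"""Added example (not TIKAJ's DMARC+ code): parse a DMARC record and apply its policy.

The sample record, domains and authentication results below are constructed.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. Real receivers consult the
    Public Suffix List, so names like example.co.uk are not handled here."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    spf_result: str    # "pass" or "fail"
    spf_domain: str    # envelope (MAIL FROM) domain that SPF evaluated
    dkim_result: str   # "pass" or "fail"
    dkim_domain: str   # d= tag of the DKIM signature


def evaluate_dmarc(record: dict, record_domain: str, from_domain: str, auth: AuthResult) -> dict:
    """Decide the disposition of a message.

    record_domain is the DNS name at which the record was found; when the
    visible From: domain is a subdomain of it, the sp= policy applies.
    """
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, record.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, record.get("adkim", "r"))
    dmarc_pass = spf_ok or dkim_ok
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": dmarc_pass,
        # A passing message is delivered normally; a failing one gets the published policy.
        "disposition": "none" if dmarc_pass else policy,
        "report_to": record.get("rua"),
    }


# Constructed sample record, as it would appear at _dmarc.example.com
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Constructed authentication results for three messages
LEGIT = AuthResult("pass", "bounce.example.com", "pass", "example.com")       # relaxed SPF alignment passes
SPOOF = AuthResult("pass", "attacker-mail.net", "fail", "")                   # SPF passes for the wrong domain
SUBDOMAIN_SPOOF = AuthResult("pass", "attacker-mail.net", "fail", "")         # From: news.example.com


def demo() -> dict:
    """Run the three constructed messages through the policy."""
    record = parse_dmarc_record(SAMPLE_RECORD)
    return {
        "legit": evaluate_dmarc(record, "example.com", "example.com", LEGIT)["disposition"],
        "spoof": evaluate_dmarc(record, "example.com", "example.com", SPOOF)["disposition"],
        "subdomain_spoof": evaluate_dmarc(record, "example.com", "news.example.com", SUBDOMAIN_SPOOF)["disposition"],
    }


if __name__ == "__main__":
    for name, disposition in demo().items():
        print(f"{name}: {disposition}")
```

The second case is the one DMARC exists for: SPF passes, but for the attacker's own envelope domain, so without alignment against the visible From: header the spoof would sail through. The third case shows why a subdomain policy (sp=) is worth publishing, since a domain that is never used for mail still gets a disposition.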
How can TIKAJ help?
To ease implementation, we offer the DMARC+ solution, which provides an easy implementation dashboard that makes your journey simple.
Implementing a successful security strategy for a business is an ongoing commitment you cannot ignore; data is a valuable asset, and it necessitates security.
Question: Where we should start building walls for ultimate security? Answer: Simple, kick-start with your people.
Don’t ever underestimate the training of the people in your organization, as they are the prime targets of phishing attackers.
Employees can make or break the company in a phishing attack, but if they are trained they can fend off attacks to a large extent.
Software has its own place, but it will be of no use if the people are tricked.
Consider a situation: suppose you have a home with high-end security, with kids and adults living in it. The security will be of no use if someone knocks on the door pretending to be a police officer or a known person and someone opens the door. In that case, all that security amounts to nothing more than a lot of money down the drain.
So, with that in mind, let’s discuss the best practices you can pass on to your people to ensure they become part of your defense strategy against these types of attacks. These tactics are useful for private individuals too.
1. Educate them on what threats look like
This is the necessary, central building block for implementing a security strategy for the company. Most of your people will have heard about phishing attacks, but how to identify those attacks is a completely different story.
So, constantly educating people about the different types of phishing attacks should be part of your security strategy; it will make it easier for your employees to identify an attack if they encounter one.
People become complacent and let their guard down, which is what makes an attack successful.
2. Pay attention to sender details when sensitive information is requested
It is uncommon for organizations to ask employees to share sensitive data, and even rarer for them to ask for it by email. This is the prime reason companies keep their sensitive data in a secured folder with appropriate password protection.
Stay alert and check the sender details twice. Even if the details seem authentic, call your senior or co-worker to confirm whether they requested it or not. Phishing is often done to gain access to user and password details so that attackers can send more emails from that person’s email id in search of the data they want.
So, keep in mind that a simple phone call can prevent phishing plots and further damage.
3. Keep an eye on the shared URL
People take URLs for granted and assume a URL is authentic because it looks familiar, but there is a catch: don’t forget what hyperlinks can do. The scam artist designs the link and knows exactly where it leads you in order to extract information.
Simply hover the cursor over the link to see where it actually leads. Usually people don’t do that; they assume the text they see is the website they will be taken to.
4. Act smart and stay calm
A simple psychological trick: attackers create a sense of extreme urgency that pushes people to take sudden action. They pretend to be from the company’s IT department and ask people to change their passwords or credentials urgently. In the moment, people follow blindly and do what is asked. It only takes an extra second to confirm with a colleague or senior member.
To further protect your company from these attacks, establish processes and policies that educate and help people when they face such a situation.
5. Having a protocol for reporting phishing attacks will help
If your people receive a phishing email (or think they have), they should be able to report the incident to someone. The rest of the company can then be notified and put on high alert.
It is also a good idea to keep track of the phishing campaigns hitting your industry sector so that you can regularly send relevant email examples to your people.
6. Invest in an anti-phishing solution
The best defense against phishing threats is mitigation of both external and internal phishing threats. TIKAJ offers an Anti-Phishing Detection and Mitigation Solution that can help keep your organization safe from new threats and attacks.
Phishing is a malicious way to deceive and take advantage of users through different mediums. Phishing attacks aim to steal important, confidential information such as usernames, passwords, credit card information, network tokens and more.
Both individuals and organizations are at risk. Virtually any kind of private or corporate information can be targeted, whether company secrets or access to an organization’s network. According to Verizon’s 2019 Data Breach Report, 32% of all cyber attacks involved phishing.
Also, Intel Security found in a survey that 97% of people cannot identify a phishing email.
Don’t worry though, there are ways and means to protect yourself. You just need to know what you’re browsing and be vigilant. Below are the things you should examine:
Phishing emails tend to have the following attributes:
Unofficial “From” address: Look out for a sender’s email address that is similar to, but not the same as, a company’s official email address. Fraudsters often sign up for free email accounts with company names.
Urgent action required: Fraudsters often include urgent “calls to action” to try to get you to react immediately. Be wary of emails containing phrases like “Your account subscription is about to expire,” “your account has been compromised,” or “urgent action required.”
The fraudster is taking advantage of your concern to trick you into providing confidential information.
Generic greeting: Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting such as “Dear Customer” or “Dear Member”.
Fake links: Often, the actual URL within a phishing email is not displayed. The link is shown as “Click Here” or similar text, which hides the real URL.
Typo URLs: Some phishing websites use domain names registered specifically to trick users into believing they are at the legitimate internet banking website. The domain name and URL look very similar to the genuine URL but contain subtle differences, such as a deliberately missing letter that users would not notice without careful examination.
Extra letters or dashes may also be added to the URL to make it appear genuine. If a URL appears as though it may be genuine, it must be carefully compared to the legitimate URL.
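As an added example (not code from TIKAJ or any product), the script below turns the attributes just listed, and the "hover over the link" advice from the best-practices section above, into checks a mail gateway or a curious user could run: a free-mail sender, urgent phrases, a generic greeting, link text that disagrees with the real href, and typo or padded look-alike domains measured by edit distance against an allowlist. The allowlist, the phrase lists and the two sample messages are constructed for illustration; real deployments would use the organization's own brand domains and a longer phrase list.

```python
"""Added example (not TIKAJ's own code): score an email against the red flags listed above.

The allowlist, the phrase lists and the two sample messages are constructed for illustration.
"""
import re
from html.parser import HTMLParser

LEGIT_DOMAINS = {"example-bank.com"}                      # constructed: the domains you expect mail from
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENT_PHRASES = ("urgent action required", "has been compromised", "about to expire", "immediately")
GENERIC_GREETINGS = ("dear customer", "dear member", "dear user")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo domains such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str):
    """Return the legitimate domain this one imitates, or None."""
    if domain in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # one or two edits away (typo URL), or the brand buried among extra labels/dashes
        if levenshtein(domain, legit) <= 2 or brand in domain:
            return legit
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Host part of an absolute URL, or '' when the string is not a URL."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def analyze(msg: dict) -> dict:
    """Return the red flags found in a message dict with from/subject/text/html keys."""
    flags = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in FREE_MAIL:
        flags.append("sender uses a free mail provider")
    if lookalike(sender_domain):
        flags.append(f"sender domain resembles {lookalike(sender_domain)}")
    text = (msg["subject"] + " " + msg["text"]).lower()
    if any(p in text for p in URGENT_PHRASES):
        flags.append("urgent call to action")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    parser = LinkExtractor()
    parser.feed(msg.get("html", ""))
    for href, shown in parser.links:
        target, shown_host = host_of(href), host_of(shown)
        if shown_host and shown_host != target:
            flags.append(f"link text shows {shown_host} but points to {target}")
        elif not shown_host and target not in LEGIT_DOMAINS:
            flags.append(f"link hides its target: '{shown}' -> {target}")
        if lookalike(target):
            flags.append(f"link host {target} resembles {lookalike(target)}")
    return {"score": len(flags), "flags": flags}


# Constructed sample messages
PHISH = {
    "from": "example-bank-support@gmail.com",
    "subject": "Urgent action required: your account has been compromised",
    "text": "Dear Customer, verify your details immediately using the links below.",
    "html": '<p>Dear Customer,</p>'
            '<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a> '
            '<a href="http://example-bank.com.verify-now.net/x">Click Here</a>',
}
LEGIT = {
    "from": "alerts@example-bank.com",
    "subject": "Your monthly statement is ready",
    "text": "Hello Priya, your statement for March is available.",
    "html": '<a href="https://example-bank.com/statements">https://example-bank.com/statements</a>',
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(msg))
```

The two link checks are the programmatic form of hovering: the first catches text that displays one host while the href goes to another, the second catches a "Click Here" that hides a host outside the allowlist. Edit distance of one or two catches the dropped-letter and digit-for-letter tricks; the brand-substring test catches the padded form where the real name is only a leading label of a stranger's domain.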
DMARC+ can be used to prevent such type of events in an organization. Check out our blog on DMARC to know more about it.
Phishing Attacks via phishing emails and bogus domains impersonate companies or enterprises. Hackers are constantly evolving their tactics and developing their methods of assault to retain an advantage, rendering their actions more difficult to detect.
Several of the phishing trends are:
Attacks targeting your SaaS credentials
Until this year, many attacks targeted financial accounts, searching for credit card numbers or banking information. Now the biggest phishing target, ahead of financial institutions, is email and online services such as Office 365 and G Suite.
Attacks sent through messaging apps
In 2019 there was an increase in email-free attacks. Slack, Teams, Facebook Messenger and other communication apps have become popular phishing vectors.
Phishing inside of shared files
Because most email systems scan email for malicious links, hackers now embed the link in shared documents and publish them on trusted sites such as Box, G Suite and Dropbox.
Geographically targeted phishing
Phishing that reaches a specific audience in a particular geographic location is on the rise. Many phishing attempts, for instance, can only be accessed from a mobile device in India and only on certain networks.
Interactive threats from BEC phishing
There is a trend in so-called Business Email Compromise attacks where there is nothing to open in the email. These differ from traditional assaults because they draw the victim into an interactive, real-time dialog with the intruder.
In addition to targeting users on familiar territory, attackers borrow trust signals from the web to build their victims’ confidence. Cybercriminals in particular exploit HTTPS to lull users into a false sense of security. 58% of all phishing operations are projected to use HTTPS.
Hackers create sub-domains that impersonate real websites. Not too long ago, attackers used a fake mobile-only subdomain to mimic the homepage of a major airline. Since the subdomain could only be accessed through mobile devices, consumers were tricked into believing they were using the official mobile site of the airline.
India is progressing fast towards digitization and a cashless economy. Every person now owns a smartphone with an internet connection. More and more people are engaging in online transactions, and youngsters are hooked on online apps. There is a surge in the growth of e-commerce websites, catering to all our needs from food to clothing. It would not be wrong to say that a whole new digital infrastructure has been set up; technology has become an inseparable part of our lives. While we are all too busy enjoying the benefits of technology, we have overlooked its potential threats. Yes, with the increase in the use of technology, the risk of cyber fraud has also gone up. We are all exposed to cyber fraud-related risks like never before. While there is a range of cyber threats, phishing has emerged as one of the most devious.
The Oxford Dictionary defines “Phishing” as: “The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal information, such as passwords and credit card numbers online”. It is basically tricking people to reveal sensitive information about them over the internet. A typical phishing attack involves the following stages:
It starts with a large number of spoofed emails sent to random internet users.
The mails, which seem to come from a legitimate source, urge users to perform some action.
When users click on the link provided in the email, they are directed to a clone website created by the phishing attackers.
There, the users are tricked into revealing sensitive information about themselves. This information can easily be accessed by the attacker and exploited later.
There has been a steady increase in phishing scams all over the world, and the situation is no different in India. The trend of going digital has made the country quite attractive to phishers. It ranks among the top five nations targeted by phishing. Not just a favorite target of phishing attackers, India is also a top phishing hosting country. A recent report by the IT security firm Sophos says that one in two organizations in India has been hit by phishing emails. This speaks volumes about the growing threat of phishing to our digital infrastructure.
Financial institutions have always been the main targets of phishers in India. Phishing attempts have been reported at ICICI Bank, UTI Bank, HDFC Bank and State Bank of India. The modus operandi was similar in all these cases: the customer received legitimate-seeming emails with fraudulent links which tricked them into divulging important information, which was later used for various illegal transactions. Air India, the only government-owned airline of India, also fell prey to a sophisticated phishing scam in 2017. The attack was carried out by Nigerian hackers and Air India lost $300,000 to them. These are examples of major incidents; however, several small phishing incidents take place every day in various parts of the country. From top officials to common people, no one has been spared by phishing attackers. This also speaks to the lack of cybersecurity awareness in India. People are neither aware of the possible cyber threats, nor do they know the policies and procedures to follow in case of a possible attack. However, it would be incorrect to say that a lack of awareness alone is responsible for the growing phishing scams in India. People who are aware of phishing are also being attacked by means of advanced phishing techniques like URL obfuscation.
Thus, we can see how phishing is a major concern in the contemporary digital environment of India. The major reason behind all the phishing scams is the lack of awareness among users who are relatively new to the internet. Measures should be taken to spread awareness and educate customers about the menace of phishing and the use of anti-phishing techniques. They must be taught to stay vigilant and to avoid following any links blindly. Secondly, businesses that are continuously on the radar of phishing attackers need to actively research and adopt the industry’s best security protocols and procedures. They should continuously strive to find the security gaps in their systems and how to bridge them, because it is better to stay safe than be sorry.
To conclude, customers and organizations need to stay aware and equip themselves with the latest anti-phishing technology and techniques. Proper monitoring, analysis, detection and a little proactiveness can go a long way in safeguarding against phishing scams.
Shopping has never been so convenient as it has become since online services entered our lives. We can shop from anywhere, at any time, and a generation that demands comfort at every step has taken to online shopping as the best way to save time and effort. You no longer need to run from place to place searching for the right goods or services when you can look for them online from the comfort of your home. But have you ever wondered whether there are corners of these online services that you are not aware of? They may seem convenient and efficient, but are you sure that every site you visit follows a safe and secure payment procedure? Of course not. These days there is a pool of online marketers whose aim is to benefit themselves by pulling you into fake deals or trapping customers in unethical payment procedures. This is where the concern lies, so let us look at this matter and its consequences in more detail.
Many of those who shop online or use any online service pay through an online payment facility to make the transaction smoother, and many sites today offer a reasonably secure payment gateway. But did you know that phishing scammers target these online payment systems to break into your privacy and steal your sensitive information? Such scammers now regard online payment facilitators as their best route to profit. Online payment scams are a bitter reality of the internet age, and the rates are only set to increase with growing digital adoption in India. A 2016 ACI Worldwide consumer study placed India fifth in bank card fraud rates, behind Mexico, Brazil, the United States and Australia. Fraud is rising along with the use of online payment facilities because the scammers follow the money.
As they say, the foremost weapon against any problem is education and awareness, so it is important to understand the kinds of payment fraud that take place, their consequences, and how to prevent them. The most common types of online fraud occur via phishing, data theft and chargeback (or "friendly") fraud. Phishing is the process of obtaining someone's personal information through fraudulent e-mails or websites that claim to be legitimate. The information gathered this way can include usernames, passwords, credit card numbers or bank account numbers. The most commonly used method is to redirect a user, through an email or SMS, to a website that imitates the official one and asks them to "update" their personal information; the victim is thereby tricked into revealing details they would never hand to anyone else. Phishing can also arrive through other electronic channels such as instant messaging and voice calls. You may be redirected to make a payment on a site that looks legitimate but was actually created to capture your card details so that they can be used later. According to this report, India is the third most targeted country for phishing scams. In this way, online payment facilities are becoming the ultimate target of phishing scammers, who defraud online shoppers through fake payment pages or by redirecting a merchant's legitimate checkout flow to a payment gateway they control.
With the rising number of e-commerce users and online transactions, it is important that we are all aware of the basic security protocols for e-commerce websites so that we can avoid fraudulent situations. Data security on an online payment system begins the moment a user visits the site. A TLS certificate tells the browser that the data transmitted between it and the web server is encrypted and that the server holds a certificate issued for the domain shown in the address bar. An easy way to check is to look at the URL and see whether it begins with "http://" or "https://": the additional "s" means the connection is encrypted, and modern browsers also show a padlock icon next to the URL and now mark plain HTTP pages as "Not secure". One caveat a shopper must keep in mind: HTTPS proves only that you are talking privately to the domain in the address bar, not that the domain belongs to the merchant. A phishing site can obtain a certificate for its own lookalike domain just as easily, so the padlock is necessary but not sufficient; read the domain itself.
The PCI Security Standards Council is a worldwide body that sets rules for managing cardholder data for all merchants and payment gateways. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements governing how cardholder data must be handled, and following it is an important part of online fraud prevention. For an e-commerce website or an online payment system to be PCI DSS compliant, it has to follow directives such as maintaining a secure network to process transactions, encrypting cardholder data during transmission, keeping the infrastructure patched and secure, restricting access to cardholder data, and so on. Credit card tokenization helps e-commerce websites reduce their exposure: the merchant stores a random token instead of the card number, so a breach of the merchant's database does not yield usable card data. Apart from these protocols, most e-commerce websites and payment gateways run their own fraud and risk prevention systems that help secure your transactions.
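The following is an added example (not code from the original article or from any of the organizations it mentions) of the URL check the two paragraphs above describe: it first insists on HTTPS, then checks whether the registrable domain really belongs to the merchant, because the padlock alone does not distinguish `example-shop.com` from `example-shop.com.secure-login.xyz`. The allowlist, the merchant names and the short public-suffix table are constructed for the demonstration; a real tool would use the merchant's actual domains and the full Public Suffix List.

```python
"""Classify a checkout URL the way a careful shopper (or a mail filter) should.

Added example. HTTPS is necessary but not sufficient: a phishing site can get a
certificate for its own lookalike domain, so the registrable domain is checked
against the merchant's and gateway's real domains.
"""
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration (hypothetical merchant and gateway).
TRUSTED_DOMAINS = {"example-shop.com", "pay.example-gateway.com"}

# A few multi-label public suffixes so "shop.example.co.in" resolves to
# "example.co.in"; a real tool would load the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au", "net.in", "org.in"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that someone actually registers."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_checkout_url(url: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, reason) where verdict is 'ok', 'insecure' or 'suspicious'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "suspicious", "no hostname in URL"
    if parts.scheme != "https":
        # The missing "s": card data would cross the network in the clear.
        return "insecure", "not HTTPS; card data would travel unencrypted"
    if parts.username or parts.password:
        # https://example-shop.com@198.51.100.7/ shows the brand but connects elsewhere.
        return "suspicious", "credentials embedded in URL to disguise the real host"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "punycode hostname (possible IDN homograph)"
    if all(ch.isdigit() or ch == "." for ch in host):
        return "suspicious", "raw IP address instead of a merchant domain"

    reg = registrable_domain(host)
    if host in trusted or reg in trusted:
        return "ok", f"registrable domain {reg} is trusted"

    # The brand appearing anywhere other than the registrable domain is the
    # classic lookalike, e.g. example-shop.com.secure-login.xyz
    for t in trusted:
        brand = registrable_domain(t).split(".")[0]
        if brand in host:
            return "suspicious", f"looks like {t} but is registered as {reg}"
    return "suspicious", f"{reg} is not a trusted merchant or gateway domain"


if __name__ == "__main__":
    for u in ("https://www.example-shop.com/checkout",
              "http://example-shop.com/checkout",
              "https://example-shop.com.secure-login.xyz/pay",
              "https://example-shop.com@198.51.100.7/pay"):
        print(u, "->", classify_checkout_url(u))
```

The order of the checks matters: the scheme test comes first because a plaintext checkout is a problem regardless of who owns the domain, and the userinfo test comes before the domain test because `urlsplit` correctly reports the host after the `@`, which is exactly the part a human skimming the address bar tends to miss.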
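As a second added example (again not the article's own code, and not any real gateway's implementation), here is the tokenization pattern the PCI DSS paragraph describes, with a constructed in-memory vault standing in for the payment gateway's. The merchant record keeps a random token and the last four digits; the full card number exists only inside the vault, so a dump of the merchant's database contains nothing a fraudster can charge. The test card number is the widely used Luhn-valid placeholder, not a real account.

```python
"""Card tokenization: the merchant stores a token, the vault stores the PAN.

Added example. In production the vault is operated by the payment gateway or a
tokenization service, which is what keeps the merchant out of PCI DSS scope for
stored cardholder data; here it is an in-memory dict for demonstration.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds a full PAN."""

    def __init__(self):
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Fresh random token per call: it is not derived from the PAN, so a
        # stolen token cannot be reversed without access to the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Called by the gateway at charge time, never by the merchant."""
        return self._pans[token]


def store_card_for_merchant(vault: TokenVault, pan: str) -> dict:
    """The record a merchant database may keep: token plus a display hint."""
    token = vault.tokenize(pan)
    last4 = pan.replace(" ", "")[-4:]
    return {"token": token, "last4": last4, "masked": "**** **** **** " + last4}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """True if a breach of this merchant record would expose the full PAN."""
    blob = "".join(str(v) for v in record.values())
    return pan.replace(" ", "") in blob


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111 1111 1111 1111"   # standard Luhn-valid test number
    record = store_card_for_merchant(vault, card)
    print("merchant stores:", record)
    print("leaks PAN?", record_leaks_pan(record, card))
    print("gateway can still charge:", vault.detokenize(record["token"]))
```

Two properties are worth checking whenever you evaluate a tokenization scheme: the token must be random rather than a hash or encryption of the PAN (otherwise the vault is not needed to recover it), and tokenizing the same card twice should yield two different tokens, so a token leaked from one merchant cannot be correlated with, or replayed at, another.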
Online payment facilitators have clearly eased a lot of everyday tasks, but those benefits depend on keeping the payment gateway secure. Paying online saves a customer a great deal of time and effort, yet one needs to be aware of the suspicious corners of online payments described above in order to secure each transaction and avoid falling into a scammer's trap.