A few days ago, Bhuvaneswari, a retired banker and counsellor at Moneylife Foundation, told us about a message she received on WhatsApp. The message file received from an unknown sender was named as a wedding invitation. However, it was neither a portable document format (PDF) file nor an image file like JPEG or PNG. The ever-alert Ms Bhuvaneswari found that the file she received was an Android package kit (.apk) used for installing apps on most mobile devices. She immediately deleted the file and blocked and reported the unknown user. Smart move, indeed!
But I am not surprised. In an age where digital communication is at the centre of our personal and professional lives, cybercriminals are constantly devising new ways to exploit unsuspecting users. One of the most common and effective tactics is using malicious attachments, leading to data theft, financial loss and even complete device compromise.
Last month, I wrote about emails containing SVG (scalable vector graphics) format files (https://moneylife.in/article/fraud-alert-the-svg-image-file-scam-you-need-to-watch-out-for/76388.html). You open it, and it redirects you to a website that looks just like DocuSign, Dropbox, or SharePoint, asking for your login details. Without realising, you enter your credentials—only to find out later that your account has been hacked.
Over the years, cybercriminals have been using file attachments as a tool to exploit or loot gullible users. It is the same reason why all security experts warn against clicking on a link or opening any file attachments received on messaging apps like WhatsApp and Telegram, SMS or emails.
Let us first understand what malicious attachments are and how cybercriminals are using these attachments.
Malicious attachments are files containing harmful software, often called malware, which can infect a device once opened. Cybercriminals use different types of file formats and social engineering tactics to trick victims into downloading and installing these files.
Here are some common types of malicious attachments:
.apk files: These are installation files for Android applications. Attackers disguise them as legitimate apps, such as wedding invitations, job offers, or banking apps, to lure victims into installing malware on their devices.
.pdf and .doc files: Cybercriminals embed malicious code in PDF documents or Word files that exploit vulnerabilities in software to install malware on opening.
.zip and .rar archives: Compressed files can be used to hide malware. When the attachment is extracted, the malware is installed on the device, mostly without the knowledge of the user.
.exe files: These executable (.exe) files can install viruses, keyloggers, or ransomware on a Windows system.
Image and audio files: Though less common, attackers sometimes embed malicious code in images (JPEG, PNG) and audio files to exploit system vulnerabilities.
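The wedding-invitation case above turns on what a file contains rather than what it is called. The following Python sketch is an added example, not part of the original article: it identifies an attachment from its leading bytes and ZIP contents and warns when the content is installable. The function names and sample bytes are constructed for illustration, and only the formats listed here are recognised.

```python
import io
import zipfile

# Leading bytes ("magic numbers") of formats named in the list above.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "exe"),
    (b"Rar!\x1a\x07", "rar"),
]
INSTALLABLE = {"apk", "exe"}


def identify(data: bytes) -> str:
    """Return the real type of an attachment from its content, not its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
        # An APK is a ZIP archive that carries an Android manifest at its root.
        return "apk" if "AndroidManifest.xml" in names else "zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list:
    """Return warnings for one received file; an empty list means none raised."""
    kind = identify(data)
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    warnings = []
    if kind in INSTALLABLE:
        warnings.append(f"content is an installable {kind} file")
        if claimed != kind:
            warnings.append(f"file name does not end in .{kind}")
    return warnings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal ZIP with the entries that mark an APK."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("AndroidManifest.xml", b"constructed placeholder")
        archive.writestr("classes.dex", b"constructed placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    print(check_attachment("Wedding Invitation.pdf", build_sample_apk()))
```

An empty result only means the file is not one of the installable types checked here; a PDF or Word file can still carry an exploit, as the list above notes.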
Anyone who uses a digital communication device, such as a mobile phone, is susceptible to dangerous attachments. It is common knowledge that cybercriminals often target senior citizens and less tech-savvy individuals because they may lack awareness of cybersecurity threats. However, we have seen even highly educated and wise people become cyberfraud victims in several cases. So there is no limit.
However, senior citizens and people with limited technical knowledge may not recognise phishing attempts or suspicious file extensions, which makes them more vulnerable to scams. Further, criminals are often found using emotional manipulation, urgency and impersonation tactics to create a sense of trust and urgency.
Here are some common tricks used by fraudsters...
Fake wedding invitations: Cybercriminals send .apk files disguised as wedding invitations, which, when installed, steal banking credentials and personal data or remotely control the device.
Fake job offers: Fraudsters send job application forms or links for the 'dream' job that install malware when clicked.
Lottery scams: Messages claiming a user has won a lottery prize prompt them to download a form or install an application to claim it.
Bank fraud messages: Fake emails and SMS messages claiming to be from banks request users to install an app for security verification which turns out to be credential-stealing malware or spyware.
Opening a malicious attachment can have devastating consequences, including financial loss, identity theft and takeover of the device.
As I mentioned above, malware can steal banking credentials, credit card information and payment details, leading to unauthorised transactions. Cybercriminals can also access personal information, such as ID proofs, phone numbers and addresses, to commit fraud in the user's name.
Some malware grants cybercriminals remote access to a user's phone or computer, allowing them to control files, record keystrokes, and even use the camera and microphone. Some malware automatically forwards itself to users' contacts, perpetuating the attack.
Ransomware can lock all files on the device, demanding payment to restore access. However, ransomware attacks are primarily used on corporations and not many cases have been reported of individuals becoming victims.
It brings us to the most important question: How can you protect yourself from malicious attachments sent by fraudsters and cybercriminals?
Remember, while cybercriminals continue to develop sophisticated scams, users can also take proactive measures to protect themselves from falling victim to such fraud.
Here are a few suggestions...
1. Never open unknown attachments
If you receive an attachment from an unknown sender, do not open it.
Even if the sender is someone you know, verify with them before opening any unexpected file attachments.
2. Be wary of .apk files and other executable attachments
Never install APK files from unofficial sources. Only download apps from the Google Play Store or Apple App Store.
If someone sends you an APK file, be highly suspicious and avoid installing it, unless verified from a trusted source.
3. Enable security features on your device
Keep your operating system and apps updated to patch security vulnerabilities.
Enable Google Play Protect on Android devices to scan for harmful apps.
Use an updated antivirus and anti-malware solution for additional protection.
4. Double-check email and message authenticity
Look for misspellings, grammatical errors and unusual sender addresses in emails.
If an email claims to be from your bank or another institution, contact them directly instead of clicking any links or opening attachments.
5. Use multi-factor authentication (MFA)
Enable MFA on all accounts to add an extra layer of security, reducing the risk of account takeovers.
6. Educate yourself and your family
Regularly educate yourself and your family members, especially senior citizens, about cyber threats and how to recognise suspicious messages.
Teach them how to verify information before taking any action online.
7. Report suspicious messages
If you receive a suspicious message, report it to the platform (WhatsApp, Telegram, email provider) to help prevent others from being targeted.
Report any financial fraud attempts to your nearest police station or the National Cyber Crime Reporting Portal (NCCRP) http://cybercrime.gov.in or call the toll-free national helpline number, 1930.
With cybercriminals constantly innovating their attack methods, users must stay vigilant and practice caution while handling attachments on WhatsApp, Telegram, emails and SMS messages. Scams like the recent .apk wedding invitation highlight the dangers of unquestioningly trusting digital messages.
By staying informed, verifying sources and implementing security measures, individuals can protect themselves and their loved ones from falling victim to these fraudulent tactics.
Remember, scepticism and awareness are your best defences in the digital world.
Stay Alert, Stay Safe!
How To Report Cyber Fraud?
Do report cyber crimes to the NCCRP http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c).
If the fraud is related to your bank account, you need to immediately send an email to the official email ID of your branch (you can find it on the bank's website or your passbook) with a copy to the bank's customer care. Even if you have called the official number for customer care, you must still send an email describing your conversation with the bank executive, along with the time, date, and duration of the call. This will be helpful if you face a liability issue with the bank.
Report suspects
You can quickly report attempts made to commit cybercrime using suspicious website URLs, WhatsApp numbers, Telegram handles, phone numbers, email IDs, SMS headers or mobile numbers and social media URLs to NCCRP (https://cybercrime.gov.in/Webform/cyber_suspect.aspx). This information is used to build up a repository for the analysis and monitoring of cybercrime.