Rakesh Chandra, a recently retired officer from the Indian Forest Service (IFS), received a call from someone claiming to be an officer from the treasury department. During the call, Mr Chandra shared all his banking details with the caller. When he eventually realised it was a fraud call, Mr Chandra had lost nearly Rs29 lakh that he had received as pension settlement.
In another incident, Curative Survey Agency, a fraudulent investment company, allegedly duped depositors of over Rs59 crore in Jammu & Kashmir (J&K) on the promise of doubling their investment in 15 days.
The above incidents highlight the human weakness of being very trusting and willing to share bank details over the phone with a stranger who represents an official figure or person of authority or being gullible enough to hand over their hard-earned money to fraudsters on the promise of doubling their 'investment'. So fraudsters gain trust by pretending to be army officers, or frighten people posing as officers from the police or investigation agency and in the latter case, ensnare people with the promise of high returns, or pretending to be courier agents trying to deliver a valuable parcel.
Mr Chandra, who shared his banking details with the caller, would haggle with his vegetable vendor and think twice before parting with Rs10 for a needy stranger. Similarly, the J&K investors, lured by greed, failed to see the risk. Cybercriminals exploit these precise behavioural traits with their smooth-talk and manage to dupe people into parting with their money without pausing to examine the risks involved.
According to
Avast Threat Labs' latest findings, online fraudsters are not focusing as much on breaking through software-based security. Instead, they are opting to hack through human defences to procure personal data, financial information, and cash.
"The autumn season usually marks a slowdown in online traffic and, thus, a decrease in cybercrime. That is not the case this year. Instead, Threat Labs detected a 50% uptick in blocked intrusion attempts, setting a new record at over one billion unique malware attacks for the quarter. The surge was driven by a substantial rise in web-based threats, particularly social engineering and malvertising, which are at an all-time high," Avast says.
According to the report, information stealers recorded a substantial increase in risk ratio, with Ukraine (44%), the US (21%), and India (16%) experiencing the most significant spikes. "The common belief that I have nothing to hide, I do not need to protect my data is fundamentally flawed. Even individuals who believe their data lacks value may find out that, at scale, everything may become valuable. This kind of data can be monetised via sales on underground forums, used for further attacks including more targeted scams and phishing (so-called spear-phishing), leveraged for blackmailing, and more."
In today's interconnected digital landscape, the prevalence of cybercrime has reached unprecedented levels, posing significant threats to everyone, including individuals, businesses, and nations. Add to this new technologies and tools, such as artificial intelligence (AI), machine learning (ML) and large language models (LLMs) like OpenAI's ChatGPT and Google's Bard that allow fraudsters and cybercriminals to incorporate hyper-realistic digital falsification.
I am not even talking about deepfakes here. Using basic or simple techniques, cybercriminals often succeed in breaking the weakest link to achieve their desired goal.
In the case of Mr Chandra, it is quite possible that the caller may have been using AI translation tools to auto-feed the text using information shared by the retired IFS officer and the caller or his other partner may have used it to siphon money from the bank account.
Let us see why human behaviour is often the weakest link in cybersecurity:
Social engineering
Phishing: Attackers often use emails, messages, or phone calls to impersonate trusted entities, tricking individuals into revealing sensitive information like passwords or clicking malicious links.
Pre-texting: This involves creating a fabricated scenario to manipulate individuals into providing confidential information. (Remember the case of Mr Chandra, mentioned above?)
Lack of awareness
Security education: Many people lack a basic understanding of cybersecurity threats and preventive measures. They may not be aware of the potential risks associated with certain online activities or the importance of keeping software updated.
Current threats: Without awareness of the evolving threats, individuals may not recognise new types of attacks or be able to distinguish between legitimate and malicious activities.
Weak passwords and authentication practices
Password practices: Humans often use weak passwords, reuse them across multiple accounts, or share them with others. This can make it easier for attackers to gain unauthorised access to sensitive information.
Lack of multi-factor authentication (MFA): Failure to enable MFA increases the risk of unauthorised access even if passwords are compromised.
Overreliance on technology
Misconfigurations: Humans are responsible for configuring and managing security systems. Misconfigurations, such as leaving default settings unchanged or improperly configuring firewalls, can create vulnerabilities.
Negligence: In some cases, individuals may neglect security best practices, such as failing to install security patches promptly or turning off security features for convenience.
Human nature and psychological factors
Curiosity and trust: Humans may be curious and trusting by nature, making them susceptible to clicking on links or opening attachments in seemingly innocuous emails.
Complacency: Individuals may become complacent over time, especially if they have not experienced security incidents personally. This complacency can lead to a lack of vigilance in following security protocols.
Inability to keep pace with evolving threats
Adaptability: The rapid evolution of cyber threats requires constant adaptation. Humans, mostly common people, struggle to keep up with new attack methods, leaving them vulnerable to emerging risks.
Education gaps: Lack of awareness about the latest cybersecurity trends and attack methods can hinder individuals from recognising and responding effectively to new threats.
The most alarming is the lack of adequate training in handling newer threats. While some organisations may be providing initial cybersecurity training, there simply is no way for common people to learn all this. It is like throwing them in deep water without even allowing them to learn the basics of swimming!
And remember, this is a continuous process. You cannot say I underwent cybersecurity training which is sufficient for my entire life. While you may stop learning, cybercriminals continue to learn and adopt newer technologies and tools to remain in business. It means that for common people to survive in the rapidly changing nature of cyber threats, there is no alternative to continuous education and learning to adopt newer security practices.
Many security breaches and incidents can be traced to human error or manipulation, making humans the weakest and most vulnerable link in cyberspace.
Stay Educated, Stay Safe!
How To Report Cyber Fraud?
Do report cyber crimes to the National Cyber Crime Reporting Portal
http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c).
If the fraud is related to your bank account, you need to immediately send an email to the official email ID of your branch (you can find it on the bank's website or your passbook) with a copy to the bank's customer care. Even if you have called the official number for customer care, you must still send an email describing your conversation with the bank executive, along with the time, date, and duration of the call. This will be helpful if you face a liability issue with the bank.