The Russians have a commonly used phrase: ‘Doveryai no Proveryai’, meaning ‘Trust, but verify’! When dealing with an unknown person or stranger, you should take their talk at face value, but at the same time, verify what they are saying. Don’t blindly trust them, else they’d be able to manipulate and coerce you. The same truth applies to Cyber Security and using your mobile phones and computers. Never blindly trust anything that you see or hear using any of these devices. Always verify the antecedents of the caller, the email sender, the user, the seller and various other persons whom you may need to interact with.
In this article, we will explore some typical phishing scams and understand how they work and, more importantly, how you can avoid being a victim. The following are three real-life examples (names changed to protect identity):
Scam No. 1: THE FUNERAL SCAM
38-year-old Arnavaz works as a Senior Associate in a Law Firm. She used to reside in a Parsi Colony with her mother, who was suffering from a long-term illness. On the day her mother passed away, she was very upset and emotional. She wanted to arrange for the last rites of her mother but was confused on how to go about it. Being tech-savvy, she looked up Google for an Agiary and made a call. A young man picked up the phone and informed her that they have a new professional service where she has to pay just Rs. 10 for registration and the Agiary staff will handle A to Z of the funeral. Arnavaz was extremely relieved and immediately agreed to pay the amount of Rs. 10 (which sounded too good to be true). However, to collect the payment of Rs. 10, the man on the other side sent her an online form to fill. She was asked to fill in details like Name of the Deceased, Place of Death, Payment Mode and some other payment details like UPI PIN, Internet Banking username and password, etc.
The man told her that within some time, she will receive a One Time Password (OTP) which she should share with him to complete the transaction. She complied and shared the OTP with him. He also made her forward some other SMS messages to his phone number which he said, were required for registration. Within a few minutes her entire bank account, which contained Rs. 4 lakhs, was emptied!
Modus Operandi – How Did It Happen?
For starters, the phone number listed on Google for that Agiary was fake. It was not the Agiary’s real number but instead, the mobile number of some scammer sitting in Jharkhand! Even the Google Form sent by the caller for registration was fake. The data being collected through that form was being sent to the scammer and not to the Agiary or to any service provider. The scammer socially engineered Arnavaz into revealing her OTP and internet banking password by offering services at a very low cost.
How Did A Person So Tech-Savvy Fall Victim To Such A Scam?
- Arnavaz did not consider the safety aspects of her transaction, as she was overcome by grief and was distracted.
- She shared her OTP, shared her Internet Banking login details through that form and virtually gift-wrapped her money and gave it to the scammer.
- She blindly trusted the person on the phone as she was overwhelmed by the task of performing the last rites and ceremonies and the scammer on the call pretended to ease her burden of performing the last rites for her mother.
Trust, But Verify:
- Arnavaz should not have blindly trusted the Google listing for that Agiary. She should have looked up trusted websites or calendars or searched her old records. She could also have cross-checked with her friends / relatives and asked them for the correct number.
- When the scammer made an offer to perform all the last rites only for Rs. 10, Arnavaz should have become alert as it was something which was too good to be true.
- Arnavaz should have concentrated on the SMS alerts she was getting and not shared the OTP with that unknown person.
Scam No. 2: STRAY DOGS HELP SCAM
Behram, an avid animal lover, was passing by the Fort area when he noticed a severely injured and bleeding stray puppy. He desperately wanted to help the injured pup as it looked like it was in a lot of pain. He frantically did a Google Search for a particular Animal NGO. He did not see any phone number there, but instead saw an Instagram page which had some photographs of dogs and cats. On each image, there was a Helpline number mentioning an Animal Ambulance. He called up that number in that Instagram photo and spoke to the executive to send an ambulance and provide urgent help. The executive asked Behram to download an App on his phone so that they could track his exact location through their ‘Ambulance Call Centre’. Behram complied and once again requested them to send the Ambulance in haste. The NGO executive told him to keep his phone unlocked and, whenever required, to use his fingerprint to unlock the phone. As Behram was waiting at Fort, he noticed that his bank balance had suddenly dropped and his entire bank account was emptied. He swore that he had not received any One Time Password SMS or even an SMS Alert from his bank!
Modus Operandi – How Did It Happen?
The phone number listed on Google for that animal NGO was fake. It was not the NGO’s real number but instead the mobile number of some scammer sitting in Rajasthan! The mobile App that Behram was asked to download, was an App that controls the functionality of your phone. Apps like TeamViewer, AnyDesk, Remote Tech Support etc. allow any person to remotely use your mobile phone if you authorize them. It’s as if they are using your phone in person!
The scammer used this App to gain full control of the phone and install another App called SMS Forwarder. The SMS Forwarder App silently forwards all SMS from your phone to any other phone number set in the App. The scammer set his own phone number and was silently receiving all the OTP messages and Banking SMS Alerts which were being sent to Behram! As the scammer had full remote control of the phone, he simply attacked the net banking apps on the phone and used them to initiate transactions.
How Did A Person So Tech-Savvy Fall Victim To Such A Scam?
- Behram did not concentrate on the safety aspect of his phone as he was overcome by the concern of the suffering of the injured pup. He was distracted and overwhelmed by emotion.
- Behram virtually gift-wrapped his money and gave it to the scammer – he was so emotionally involved with the pup’s injury that he forgot to verify the caller or the phone functions.
Scam No. 3: ALCOHOL DELIVERY SCAM
Kaizad was quite a drinker and loved buying exotic wines. Feeling lazy to visit a wine shop, he wanted them to deliver to his house, despite the fact that delivery was prohibited in Mumbai. He did a Google Search for his favourite wine shop and requested them to quietly deliver a long list of wines and liquor to his place. To his surprise, they obliged and agreed to deliver the booze on the condition that he pays for it in advance online. Kaizad was the CEO of a multi-national company and was well-versed with online transactions. He immediately whipped out his HDCC Debit Card and dictated the number over the phone. He also shared the CVV number at the back of the card and its Expiry Date.
Although his bill was only Rs. 10,000, he suddenly received an SMS that Rs. 1 Lakh was deducted from his account. He was furious and screamed at the executive on the phone. The executive apologized and said that they would like to refund the money to him, but as there was some technical issue, they could only refund the money to any non-HDCC bank account. Kaizad provided them his salary account details at ICIFI and the executive then apologized and asked him to share an OTP from ICIFI Bank so that they could initiate the refund to him. Kaizad received an SMS OTP for Rs. 90,000 from ICIFI, which he provided to the executive. To his shock, he lost Rs. 90,000 from his ICIFI account!! He was very upset and disconnected the phone. He had lost Rs. 1,90,000 in total.
Modus Operandi – How Did It Happen?
The phone number listed on Google for that Wine Shop was fake. It was not the Wine Shop’s real number but instead the mobile number of some scammer sitting in Gurgaon. Kaizad revealed critical information about his Debit Card i.e. the CVV number and expiry date, which is used to authenticate the transaction. (See previous article of this series “Phish and Chips”)
Kaizad was overconfident about transacting online. He was so focused on buying the liquor and immersed in the thought of relishing it, that he was not alert and didn’t pay attention to what was being asked of him.
It is possible that under normal circumstances, Kaizad would not have revealed his confidential financial information. But his overconfidence about transacting online and his anger at the scammer distracted him and made him skip the verification process. After the first scam was pulled off, he once again fell for the same scam by getting angry and instead of disconnecting the phone, revealed more information about his other bank account!!
SIMPLE STEPS TO AVOID SUCH SCAMS:
Do Not Conduct Any Financial Transaction In Haste Or When Under Pressure: Scammers usually try to threaten you to do the transaction fast or to give information fast so that you don’t have time to rationalize your actions. They threaten you with dire consequences like disconnection of your electricity or losing out on some prize or closure of your bank account or blocking of your debit card or blocking of your email account.
Be Alert – Pay Attention: If you have to transfer money, pay attention to what you are doing and with whom you are sharing your bank account or payment details. Stop all distracting activities like watching TV or playing a game or eating food when doing the transaction. Stay focused on your transaction, the amount, the OTP, the SMS alerts, the steps being done and also the instructions of the caller.
If It’s Too Good To Be True – It Probably Isn’t Real: If you are being offered a deal which is too good to be true, it may NOT be true. It is most likely a scam to lure you in!
DOVERYAI, NO PROVERYAI! = TRUST, BUT VERIFY!
In the next part of this series on Cyber Security Awareness, we will deal with Chinese Loan App scams, disinformation and fact checking online.