Financial cybercrime rides the Covid-19 wave

The world may be at a standstill, but online predators are on the prowl. They have shifted to corona-based messaging themes to defraud and loot unsuspecting prey.

Amid a worldwide lockdown, physical and cash transactions have been virtually ruled out. Even as the economy goes down, digital transactions have been on the rise. This is overstraining the banking and financial systems, and it is presenting opportunistic cybercriminals with a chance to defraud and loot unsuspecting prey. The world is at a standstill, but these smart predators are on the prowl; they have shifted to Covid-based messaging themes to grab your attention. As we talk, there are a million attacks a minute targeting your home computers, banking credentials, apps on your phones, cloud services, financial services portals and payment gateway infrastructures.

Among all cybercriminals, the financial cybercrime groups are the most technically sophisticated, well-resourced and proficient; they can only be compared to nation-state APT groups, which exhibit highly evolved modular and dynamically collaborative structures. The most interesting development after the emergence of hacking as a service is the evolution of malware as a service. Sophisticated malware, complete with hosting, cyberattack tools and even customer care, is available to attackers. These services are accessible on a monthly, half-yearly or yearly rental basis. A monthly service may cost $2,000, while yearly and half-yearly subscription models come at a discounted price. This enterprise model of cybercrime, where malware is offered as a product, comes inclusive of spamming, hosting services, command and control infrastructure and botnets. For the digital-to-physical conversion, a huge on-ground network of innocent or criminal money mules is used. These ‘account loaners’ allow large sums of money to be withdrawn in a distributed manner for a very small ‘fee’.

Banking and financial cybercrime attacks mainly rely on social engineering as the initial method of compromise to achieve unauthorised sharing of victim credentials, access tokens or OTPs, installing a backdoor or Trojan, or tricking her into downloading and using a fake app, among other things. Essentially, the attack surface consists of the device hardware, operating system, software, apps, the network and the Internet. Protecting everything is beyond the ability and prowess of general users, but some simple steps can substantially reduce the chances of falling victim to cybercrime.

Important steps to protect against financial cybercrimes:

1. Use secure configurations for all sites. On social media platforms, limit sharing of personal information that can lead to guessing of password recovery questions, and lock down your profiles so that your photos cannot be misused by malicious strangers to create fake avatars.
2. Multi-factor authentication should be immediately enabled on all financial and personal accounts; preferably use a non-SMS-based second factor.
3. Any telephone caller requesting personal information, card CVV or one-time passwords should be immediately reported to the authorities and the bank/service concerned. Keep your PINs and passwords absolutely secret and don’t share them with anyone. To receive money, you do not need to do anything on your part, like clicking a link or sharing a PIN.
4. Follow basic principles of cyber hygiene: patch and upgrade your systems, software and apps to the latest version, and apply fixes whenever available from authentic sources. Purchase and use an antivirus solution, even on a mobile device. Charge your devices with your original charger, avoiding charger jacks at popular public places and airports.
5. Avoid public WiFi while making financial transactions or sensitive communications; use your phone hotspot as WiFi for critical work.
6. Any email or urgent message from a friend or acquaintance which includes a demand for money should be cross-checked through secondary means before making any payments.
7. If you generally do not visit a particular site, it is better avoided, as watering hole attacks depend on compromised or dangerous sites dispensing malware by inviting people to visit them. Similarly, drive-by attacks can compromise your system even if you accidentally visit malicious sites. Also, do not share your screen via remote desktop connection with any stranger on a call, or install an app at their request. Similarly, do not fill in online forms that are sent to you by these callers.
8. Be extremely careful about clicking links sent by SMS or mail, and do not open attachments unless you are very sure of their source and authenticity. Payment wallets and other services which send links for withdrawal of money should be carefully scrutinised.
9. Contact your bank or wallet provider immediately in case of any discrepancies, and regularly check your financial statements for any unusual withdrawals and expenses.
10. Share these tips with more vulnerable members of family and society and keep them forewarned.

In case of any unauthorised transaction occurring due to contributory fraud, negligence or any deficiency on the part of the bank, the customer has zero liability, and this is irrespective of whether such transaction is reported by the customer. In case of any unauthorised transaction occurring due to a third-party breach, where the customer notifies the bank within three working days of receiving the communication from the bank regarding the transaction, the customer also has zero liability. In case the transaction occurs due to negligence by the customer (sharing payment credentials), the entire liability is with the customer till he reports to the bank, and any loss occurring after such reporting of the transaction shall be borne by the bank.

Upon being notified of such unauthorised transactions, the banks are obligated to credit (shadow reversal) the amount to the customer’s account within 10 working days. Banks are further obligated to resolve such complaints within the time approved by the bank’s board, which shall not exceed 90 days from the receipt of such complaint. In all scenarios, the burden of proof lies with the bank only. Nonetheless, as a vigilant customer, keeping/collecting documents may help in speedy resolution of the complaint.

Legal remedies available in case of financial cybercrimes

1. Immediately call the customer care number of the bank and register a complaint. Report the incident to the nearest police station/cybercrime cell and lodge a complaint/FIR providing relevant transaction details. One can also report it on www.cybercrime.gov.in and to the service provider/platform.
2. If the bank fails to reply or act within 30 days, or if you are not satisfied with your bank’s response, then escalate the incident (with your complaint) to the banking ombudsman (your billing address will determine the jurisdiction of the ombudsman).
3. In case of being aggrieved by the award passed by the ombudsman, one has the option to appeal to the appellate authority under the ombudsman scheme within 30 days of the order. There is also an option to challenge the same in the consumer court.
4. The banks, payment aggregators, e-commerce companies and financial institutions need a different model and design to improve the security and privacy of their sharing of data or credentials with third parties or third parties’ financial tools. Most financial cybercrime/banking fraud is due to data breach or unauthorised sharing of customer data.

While the pandemic has seen a multifold increase in cybercrimes, especially of a financial nature, the security posture of users and institutions hasn’t commensurately improved. While it is the responsibility of these organisations to protect their businesses and customers, it has become imperative for the average user to be ever vigilant and take steps to prevent harm. The RBI has been issuing guidelines to reduce the liability of the customer and protect her from scams, frauds and crimes. This effort has been increasing the liability on the banks and institutions; it is time that technology balances convenience with security and takes responsibility for the innocent and artless customer.

Brijesh Singh is Inspector General of Police, Maharashtra, and Khushbu Jain is a practising Advocate in the Supreme Court of India.