In July, the Australian police warned the country’s universities as well as Chinese officials about a new scam. Seemingly taking advantage of tensions between the two nations on issues of trade and human rights, scammers were coercing “foreign students to fake their own abductions and trick families overseas into paying ransoms”, a Reuters report quoted the police as saying.
Such “virtual kidnappings” are just one among a series of online threats that have emerged in 2020, driven by the covid-19 blow to economies around the world. According to research by the global risk and strategic consulting firm Control Risks, isolation and anxiety have only made people more vulnerable to cyber extortionists.
In a virtual kidnapping, for instance, the victim’s relatives are made to believe that their loved one is in danger, though no one has been abducted. Using synthetic audio and fake background noises that mimic the victim, the scammers arm-twist relatives into paying a ransom. Usually, the scammers force family members or relatives to stay on the line, limiting their ability to contact the victim or anyone else. It is obviously easier if the supposed victim is living away from family. According to a report in The Guardian last month, nine such cases had been reported to the Sydney police, with ransom amounts totalling $3.5 million (around ₹25 crore) paid to cybercriminals.
Apart from virtual kidnappings, the McAfee Labs COVID-19 Threat Report, released in July, notes that phishing and other themed attacks saw a big jump in March and April. So did medical hoaxes, riding on the back of the pandemic. Everything from “covid-19 testing” to “covid-19 urgent precaution measures” was used to put out phishing email campaigns. Clicking on any of these emails or opening any attached document meant information-stealing malware like TrickBot would be downloaded on the user’s system.
Overall, the report states, McAfee Labs observed 375 threats per minute in the first quarter of 2020.
This is also the year when phishing—one of the oldest forms of cybercrime, where victims are deceived into sharing sensitive data such as passwords and other financial information—began targeting niche sectors. Perhaps the most sophisticated example was HR (human resources) dismissal emails that were used to install Trojan software on a victim’s device.
Multinational cybercrime and antivirus company Kaspersky Lab’s Spam And Phishing In Q2 2020 report explains how these work. “The weakening of the economy during the pandemic in a number of countries caused a wave of unemployment…. Kaspersky experts encountered various mailings that announced, for example, some amendments to the medical leave procedure, or surprised the recipient with the news about their dismissal,” the report adds.
Any attachments that accompanied such emails carried the Trojan-Downloader.MSOffice.SLoad.gen file. This is often used to download and install encryptors, which can lock important files on a system.
Ritesh Chopra, director, sales and field marketing, India and SAARC countries, for NortonLifeLock, the US cyber-safety and software company, says such threats continue to grow because most users still believe a cybercrime is defined by financial loss. “When we speak about cybercrime, I would say it has not happened to me because I have never lost money. We call it spam and just leave it at that,” says Chopra during a Zoom call. “Today, we are overlooking PII, or personally identifiable information—your email address, social media accounts, your Aadhaar, PAN card details and so on. Can you remember where all you left all such information over the last three months?” he asks.
“It starts with phishing, then becomes spear phishing. It then moves to (the creation of) synthetic identities and that’s how it leads to becoming a virtual kidnapping... The more (personal) information that goes out, the more a cybercriminal has to target you. That is why attacks are becoming more precise,” Chopra adds.
The numbers support his argument. Around 60% of Indian consumers have never thought about the possibility of identity theft, according to the 2019 NortonLifeLock Cyber Safety Insights Report, released in March. It’s also true, however, that 70% of users in India wish they had more information on how to tackle identity theft. The report was based on survey findings from over 10,000 adult consumers in 10 countries, including India, who are constantly active in the digital space.
Going forward, Chopra says, the threats will become more sophisticated and precise. As technologies like 5G and telemedicine become part of daily life, one can only imagine what shape the next big cyberattack could take. “We are seeing some emerging trends that have never been seen before—AI-powered cyberattacks, for instance. There are fake oximeter apps (in the healthcare sector) that can take your fingerprint,” he adds. “Audio deep fakes that imitate a person’s voice—I could be calling your bank tomorrow and asking them to send your new debit card to another address.”
Like a virus that keeps mutating, cybercrime is a business that is adapting to the changing times. And we need to be alert.