Singapore-based cybersecurity company CYFIRMA recently reported that a hacker group backed by North Korea is planning a large-scale phishing campaign in six countries, including India.
The hackers plan to target countries where the governments have announced financial support to individuals and businesses to stabilize their pandemic-ravaged economies. According to CYFIRMA, the Lazarus Group's phishing campaign is designed to impersonate government agencies, departments and trade associations who are tasked to oversee the disbursement of the fiscal aid.
Hackers claimed to have two million Indian email IDs. "The plan is to send emails about free covid-19 testing for all residence of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad, inciting them to provide personal information," according to a note from CYFIRMA.
Following the warning, Indian Computer Emergency Response Team (CERT-In) warned that there could be a large-scale phishing attack campaign against individuals as well as companies. On 22 June, the Reserve Bank of India (RBI) too issued an advisory on how to conduct digital transactions safely. Even banks have started warning customers about possible cyberattacks.
According to CERT-In, the emails that hackers are planning to send are designed to drive recipients towards fake websites where they are deceived into downloading malicious files or entering personal and financial information. The email ID expected to be used for the phishing campaign in India is expected to be from email such as email@example.com.
The only way to fight such cyberattacks is to stay alert. "Mostly, these are phishing frauds. Criminals are using human vulnerabilities to dupe people. There is no technical solution to this. We need to be more aware and conscious," said Amit Dubey, a cybersecurity expert. Here are a few things that you can do.
Don't fall prey to scammers
Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known. Don't open attachments in unsolicited emails, even if they come from people in your contact list. Never click on a link contained in an unsolicited email.
"If you are unsure of the attached files or links received, you can use online services such as virustotal.com, abuseipdb.com, sandbox.pikker.ee and exodus-privacy.eu.org to verify them," suggested Dubey.
Be careful with money transfers and online purchases. Ensure you are transferring money to the right account and buy only from established entities.
Never share your password or any other confidential details over the phone with executives of any company or on any website. "In these testing times, avoid any unknown calls from bank or insurance staff claiming to be working from home. Avoid recharging on unknown websites. Don't make purchases on little known online stores," said Prashant Mali, a lawyer and cybersecurity expert.
Don't fall for an offer that looks too good to be true. You can report anything suspicious at cybercrime.gov.in. When you are downloading apps on your mobile phone, look at the publisher or developer, read the comments and download it only if it's popular. Small measures can go a long way in protecting yourself.