Securing Your Online Presence: Tips for Protecting Personal Data from Cyber Frauds

January 24, 2024

INTRODUCTION

Over the last few decades, technological advancements, particularly in the realm of the Internet, have been nothing short of extraordinary. However, as these technologies have evolved, there has been an increase in the methods of illicit activities. The digital era has ushered in a new wave of scams and fraudulent practices, exploiting the vast opportunities provided by the Internet.

Individuals commonly give out their personal and banking information on a daily basis, not realising how easily this information can be used to obtain sensitive personal data. One click on an “allow” button or one wrong link can lead to all of that data being used for unintended purposes.

India has been on the radar of massive information leaks and internet frauds. According to recent surveys, India is the third most targeted country in Asia in terms of data breaches. The nation recently saw a massive dark web leak that exposed the Aadhaar information of more than 80 crore citizens, which highlighted how easily digital identities are exposed and abused in financial scams. This data was secured with the Government, yet it was leaked at this scale.

This raises the important question of how safe citizens’ sensitive personal information is when they regularly engage in online transactions. In what ways are they exposed on the Internet, and how can individuals protect themselves from these financial insecurities?

MODUS OPERANDI

The ever-growing technology in the digital era has not only generated new ways to commit fraud but also given birth to new techniques for conventional ways of obtaining and leaking information.

Where fraudsters were once a call or an SMS away from obtaining sensitive personal data, this is now being done through point-of-sale (hereinafter referred to as “POS”) machines, e-commerce intermediaries, everyday social media sites, and applications. The advent of online banking, shopping, mobile payment apps, and UPI has opened up a vast landscape for potential exploitation. Cybercriminals are continually developing techniques to compromise user credentials and gain access to sensitive personal information through these new methods.

1. E-commerce Intermediaries

The increase in contactless payment during the COVID-19 period has contributed to e-commerce, social media, and FinTech platform frauds. Platform frauds accounted for 57% of all frauds in India in the year 2022 as per reports.

This is done in the following ways:

i. Impersonating legitimate organizations, such as banks and Government services, hackers trick users into installing fraudulent apps via phishing messages on platforms like WhatsApp and Instagram. Once installed, these apps covertly harvest private data and personal information. The offenders put effort into making realistic-looking clones of reputable organizations. A user may be tricked into believing the clone is the real website or application and hand over sensitive information without any further checks.

ii. Application Programming Interfaces (hereinafter referred to as “APIs”) play a pivotal role in integrating diverse systems and fostering e-commerce growth by connecting businesses and third-party vendors. Information leaks in e-commerce and logistics APIs pose serious risks, often stemming from inadequate authentication practices. Sending data unencrypted and passing authentication keys in URL parameters exposes personally identifiable information to possible sniffers.

iii. Concerns are also raised about the careless use of cookies and sessions that don’t expire. It may seem like a simple “allow all cookies” option, but it allows access to Personally Identifiable Information (hereinafter referred to as “PII”) that fraudsters may use to identify user patterns and set up fraudulent schemes, SMS fraud, phishing attacks, etc.

iv. There have been substantial retail attacks on a global level that caught major attention, including the 2013 Target breach, which compromised the payment details of 40 million customers. In 2014, 56 million payment cards were exposed through Home Depot.

v. In 2022, around 500 e-commerce websites fell victim to hackers deploying credit card skimmers and stealing sensitive data during online customer transactions. By fabricating a fraudulent payment pop-up, the skimmer compromised the security of hosted payment forms.

vi. These are not simply foreign events; India has seen similar breaches over the years. Multiple brands, including BigBasket and JusPay, have seen data breaches in recent years where sensitive data of over 100 million credit and debit cardholders was leaked on the dark web. The organizations emphasized that no sensitive information was exposed, although partially visible card numbers, including expiry dates and customer IDs, were found on the illicit sites.
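The API weakness described in point ii can be checked for in request logs. The following is an added example, not code from the article: it flags request URLs that use plain HTTP or carry a credential in the query string, redacts the credential, and shows the corrected request with the key moved into a header. The host, key values, and list of parameter names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumption: query-parameter names that typically carry credentials.
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "password", "secret"}

def audit_url(url):
    """Return (findings, redacted_url) for one API request URL."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":
        findings.append("plaintext-http")  # URL and body are readable in transit
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append("credential-in-url:" + name)
            value = "REDACTED"  # safe to keep in logs or tickets
        pairs.append((name, value))
    return findings, urlunsplit(parts._replace(query=urlencode(pairs)))

def harden_request(url):
    """Corrected form: HTTPS, with the credential moved from the URL to a header."""
    parts = urlsplit(url)
    headers, kept = {}, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            headers["Authorization"] = "Bearer " + value
        else:
            kept.append((name, value))
    clean = parts._replace(scheme="https", query=urlencode(kept))
    return urlunsplit(clean), headers

# Constructed sample requests (hypothetical host and keys, not from the article).
SAMPLES = [
    "http://api.shop.example/v1/orders?customer_id=1042&api_key=CONSTRUCTED-KEY-123",
    "https://api.shop.example/v1/track?awb=AB123&token=CONSTRUCTED-TOKEN",
    "https://api.shop.example/v1/orders?customer_id=1042",
]

if __name__ == "__main__":
    for url in SAMPLES:
        findings, redacted = audit_url(url)
        print(findings or ["ok"], redacted)
    print(harden_request(SAMPLES[0]))
```

Even over HTTPS, a key in the URL ends up in server logs, browser history, and referrer headers, which is why the second sample is still flagged.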

2. UPI and QR Code

QR codes, which turn a barcode into a website link when scanned with a smartphone camera, also pose a significant risk of misuse by cybercriminals. Cybercriminals can modify QR codes to direct consumers to malicious websites, which could result in fraud and identity theft.

Cybercriminals also disseminate QR codes through emails and other communications. When curiosity takes over and an individual scans the code, it leads them to an authentic-looking copy of an online account login page. Threat actors gather the credentials entered on these pages and then either sell them on the dark web or use them to carry out additional attacks, such as ransomware attacks, account takeovers, and other such cybercrimes, which increases the number of victims.

Another popular scam is where payment links are sent via text messages. These contain URLs that resemble the real ones. When clicked, the link directs the individual to their phone’s UPI payment app to obtain consent. Once consent is granted, the funds are promptly taken out of the UPI account, and malware that could steal financial information is saved to the user’s phone and infects it.

Scammers have also pretended to be customer service representatives and encouraged victims to finish their KYC. Once the victims are fooled into downloading remote help apps, the hackers gain access to their phones and virtual wallets.

In 2023, there were over 30,000 complaints of fraud associated with UPI, compared to an average of 15,000 in 2022. Nearly half of the cases, according to sources, involved scams employing QR codes, which were primarily communicated via text messages or WhatsApp. Many scammers were found putting fake QR codes in place of the official ones at public parking, malls, etc. Some even stuck QR codes at random places around the city, where people whose curiosity got the better of them left their personal information exposed.

SAFETY TIPS

Due to these escalating cyber threats, safeguarding personal information becomes paramount. By adopting the following practices, individuals can fortify their defences against potential scams and data breaches.

  • Be mindful of the e-commerce platforms you decide to give your data to and the kind of data you are providing. As seen in the past, seemingly harmless data in the wrong hands is capable of emptying your bank accounts. Make sure to give out data only to trusted websites.
  • It is also important to scrutinize URLs and QR codes and obtain them from proper channels and sources to make sure they are not lookalikes. Avoid opening QR codes from dubious places.
  • Avoid downloading applications from unverified sources or through links sent via social media sites, including WhatsApp, Instagram, etc. When downloading any unknown application, examine the permissions required and promptly report if found suspicious.
  • Using a security solution that does malware scans on a regular basis can be helpful in case the device regularly comes in contact with several links or applications for transaction purposes or otherwise.
  • Many platforms give an option to save your card details for future use. This saves all of the information on their servers, which may be misused in case of a cyber attack by a third party. You can protect your data by not choosing to save card details with the platform.
  • Avoid pressing the “allow” button on every new website or application you open, including ones that save data in the form of cookies or sessions. Understand the need for the data access requested and then decide.
  • Be cautious and confide in official helpline numbers only. Make sure to obtain the contact information from a trusted source, and even then, do not give out unnecessary information in the form of personal communication or Google forms.
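The tip about scrutinizing URLs and QR codes for lookalikes can be automated once a QR code has been decoded to text. This is an added example, not code from the article: it compares the link's real hostname with a short allowlist and flags near-miss spellings, trusted names embedded in a longer host, text placed before an `@`, punycode labels, and non-HTTPS links. The allowlist entries and sample links are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: hostnames the user has verified through official channels (hypothetical).
TRUSTED_HOSTS = ("netbanking.bank.example", "pay.merchant.example")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(payload):
    """Classify a decoded QR payload or message link: (verdict, reasons)."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        reasons.append("userinfo-before-host")  # the real host is what follows '@'
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("non-ascii-or-punycode-host")
    if host in TRUSTED_HOSTS:
        return ("suspicious" if reasons else "trusted"), reasons
    for trusted in TRUSTED_HOSTS:
        # Near miss (typo-squat) or a trusted name embedded in a longer host.
        if trusted in host or edit_distance(host, trusted) <= 2:
            reasons.append("lookalike-of:" + trusted)
    return ("suspicious" if reasons else "unknown"), reasons

# Constructed sample payloads, as they would look after decoding a QR code.
SAMPLES = [
    "https://netbanking.bank.example/login",
    "https://netbankinq.bank.example/login",
    "https://netbanking.bank.example.kyc-update.example/login",
    "https://netbanking.bank.example@203.0.113.9/login",
    "https://parking.city.example/pay",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link), link)
```

An "unknown" verdict means only that the host is not on the allowlist; the link should still be obtained from an official channel before it is used for payment or login.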

AMLEGALS REMARKS

In the digital landscape of India, safeguarding data privacy is crucial amidst the evolving realm of cyber perils. Data privacy and cyber security are big challenges not just for individuals but also for big companies. Recognizing the diverse threats, from data breaches to phishing attacks, is fundamental for making informed decisions in cyberspace.

To fortify data privacy, individuals should adopt proactive security practices, including robust passwords, two-factor authentication, and regular software updates. Staying informed about emerging threats and engaging in cyber security awareness programs enhances one’s ability to navigate the ever-changing cyber environment.

As digital transactions surge in India, particularly in areas like online banking and shopping, individuals must exercise caution when sharing personal information. Choosing secure platforms and being mindful of privacy settings contribute to a resilient defence against potential cyber threats. By embracing these measures, individuals can strike a balance between enjoying the benefits of the digital era and minimizing the associated risks to their data privacy.

– Team AMLEGALS assisted by Mr. Nandini Tripathi


For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com
