In a time when the world is in turmoil and people are panic buying, it should come as no surprise that cybercriminals are capitalizing on the current scenario. The spread of novel Coronavirus pandemic across the globe has created panic not only concerning health risks but also in the spread of misinformation and cyber-attacks.
The scammers are taking advantage of people’s fear and their search for information related to the pandemic. They are mimicking COVID- 19 content through malicious emails, fake apps, websites, etc. to steal money and personal information of a person. Moreover, an increase in ‘work from home’ via the online medium has led to an increase in cyber-attacks as the systems at home may not have the same level of firewall and security as an in-office setup.
This coronavirus outbreak has made people vulnerable and turned them to believe in each & every information that surfaced online without any verification. This has facilitated the violation of privacy with apps about the pandemic being retooled to track a person’s every move. Hackers are now floating applications on the internet that claims to be a live tracker of coronavirus infected cases.
One such application was “corona 1.1”, a trojan version of the genuine “corona live” app, which invaded the privacy of people by getting access to device’s photos, videos, location and camera.[i] Since the outbreak, there has been an increase in phishing, malicious websites and malware activities. Many suspicious new domain names were registered associated with current events to evade detection. The keywords used were mostly connected to coronavirus[ii].
The World Health Organization has seen a surge of cyber-attacks directed at its staff and the general public. Hackers are impersonating and using WHO as a smokescreen to channel the donations to a fraud fund rather than the authentic.[iii]
According to the recent Reuter’s report, there has been 86% rise in cyber-attacks ranging from free mobile recharges to the selling of the world’s largest statute for $4 billion to fund the fight against coronavirus.[iv] Scammers have even created fake versions of PM Care Fund payments interface that look deceptively similar to the original and many Indians and Non-Residents Indians (NRIs) have fallen prey to it.[v]
Some State cyber actors are taking advantage of the COVID emergency to launch attacks on some of India’s key sectors, especially defence and national security. A series of ransomware attacks aimed at stealing highly sensitive data and diplomatic information were observed disguised as coronavirus health advisories.[vi] Indian officials have reported the “coronavirus malware” which steals the bank account details, passwords and other sensitive information from users.[vii]
There is no dedicated legal framework for cybersecurity in India. The Information Technology Act 2000 (the IT Act) deals with cybersecurity and the cybercrimes associated therewith. This Act provides legal recognition and protection for any type of online transactions. It also safeguards electronic data or records and prevents unlawful or unauthorised use of a computer system. Crimes such as hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft are punishable under the IT Act.
The Computer Emergency Response Team (CERT) has been established as the nodal agency accountable for the collection, analysis and dissemination on cyber-crimes. Other relevant rules in the context of cybersecurity include, The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011, which prescribe reasonable security procedures to be executed for the processing of personal or sensitive personal data.
The Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018, requires specific information security measures to be implemented by organisations, as explained under the IT Act. The Information Technology (Intermediaries Guidelines) Rules, 2011 requires intermediaries to implement security practices and procedures for securing their computer resources and information contained therein.
The Indian Penal Code 1860 (IPC) punishes offences committed in cyberspace (such as defamation, cheating, criminal intimation and obscenity), and the Companies (Management and Administration) Rules 2014 (the CAM Rules) framed under the Companies Act 2013, requires companies to ensure that electronic records and security systems are secure from unauthorised access and tampering.
In addition to the above, there are sector-specific regulations issued by regulators such as the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India Act 1999 (IRDA), the Department of Telecommunication (DOT) and the Securities Exchange Board of India (SEBI), which mandate cybersecurity standards to be maintained by their regulated entities, such as banks, insurance companies, telecoms service providers and listed entities.[viii]
Countermeasures that can be taken by organizations to protect themselves
Amidst this changing environment, businesses, organizations and micro, small and medium enterprises (MSMEs) need to take radically different approaches to go online and operate smoothly. They need to strike a balance between digitizing their work and managing fraud risk. First and foremost, the step includes the usage of a secured network to protect the data of the organisation as well as the consumer.
To avoid data breaches, organizations should invest in IT infrastructure and keep an eye on the phishing attacks. The threats can be managed by proper firewalls ensuring access from known IP addresses only. Regular checks for unauthorised access and suspicious activities can help in eradicating potential threats.
Businesses should review their procedures and set up data protection policy summarising the duties of the employer and the employees on how to deal with personal data of individuals and their confidentiality. Every person of the organization must be aware of the General Data Protection Regulation (GDPR) obligation. In the case of a data breach due to cyber-attack which affects other individuals, the concerned authority should be informed as soon as possible
How to keep yourself safe
One can follow few steps in order to prevent cyber-crimes
- Before downloading any app, check its detail including the information of developer, its website, reviews and the ratings.
- A person should avoid downloading apps from third-party stores and websites. Use of an effective anti-virus can prevent malicious apps from being installed.
- The authenticity of the website should be checked before accessing it. For instance, HTTPS should be accessed instead of HTTP. The ‘S’ denotes security and indicates that the website uses encryption to transfer data.
- Check for spelling mistakes, typos and broken links. It is highly unusual for a legitimate business to have such mistakes on their website.
- Look for reliable contact information and double-check it through alternate contact numbers.
- If a person wants to donate and help the needy then they should donate only to the websites/apps whose authenticity is supported by the Government.
In this uncertain time, many organizations are not ready for a structured online work due to the lack of robust IT infrastructure because of which the security standards have deteriorated and a rise in cyber-crimes has been witnessed. With due diligence and a little vigilance, we can protect our data and privacy.
Even after taking all the precautions, if a person falls into a trap then a quick action can mitigate the loss. A complaint can be lodged as soon as possible with the appropriate authority. Cybercrime is inevitable but becoming a victim of it is not.
- A person should not open email attachments which he has not asked for. Many emails pretending to be COVID-19 advisories are enticing the user to open the attachments which are malicious in nature. The moment they are opened, the malware author gets access to track the system.
- Nobody should share the password under any circumstances. A person should refrain from sharing his or her private information without verifying the source properly.
- Do not believe in lottery emails or cash prizes offer sent to you. No authentic website or organization promotes this.
- Two- factor authentication should be used to avoid hacking.
- Report lost or stolen devices immediately to prevent its misuse.
[i] Priyanka Sangani & Anandi Chandrashekhar, Fake Covid-19 apps fish in the troubled waters, The E. T(Mar 23, 2020),https://economictimes.indiatimes.com/tech/internet/fake-covid-19-apps-fish-in-the-troubled-waters/articleshow/74766216.cms
[ii] Deepen Desai, 30,000 Percent Increase in COVID-19- Themed Attacks, Zscaler(April 23, 2020), https://www.zscaler.com/blogs/research/30000-percent-increase-covid-19-themed-attacks
[iii] World Health Organization, WHO reports fivefold increase in cyber-attacks, urges vigilance, (23 April 2020), https://www.who.int/news-room/detail/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance
[iv] Abhirup Roy, Nupur Anand, Scammers try selling world’s tallest statue as pandemic boosts India’s cyber-crime, Reuters(Apr 7, 2020), https://www.reuters.com/article/us-health-coronavirus-india-fraud/scammers-try-selling-worlds-tallest-statue-as-pandemic-boosts-indias-cyber-crime-idUSKBN21P0KH
[v] Sandhya Sharma, Cyber chief’s warning as hackers target PM’s COVID fund, The E.T(Mar 31, 2020), https://economictimes.indiatimes.com/tech/internet/cyber-chiefs-warning-as-hackers-target-pms-covid-fund/articleshow/74877953.cms
[vi] Zak Doffman, Hackers Attacks Microsoft Windows Users: Dangerous Threat Group Exploits ‘COVID-19 Fear’, Forbes(Mar 16, 2020), https://www.forbes.com/sites/zakdoffman/2020/03/16/this-dangerous-microsoft-windows-attack-exploits-covid-19-fear-governments-now-on-alert/#168b0ef742de
[vii] PTI, Hackers using coronavirus malware to steal data: Cyber cops, The E.T(Mar 27, 2020), https://economictimes.indiatimes.com/tech/internet/hackers-using-coronavirus-malware-to-steal-data-cyber-cops/articleshow/74842435.cms
[viii] Aprajita Rana and Rohan Bagai, Cybersecurity in India, Lexology(Feb 24, 2020), https://www.lexology.com/library/detail.aspx?g=4cd0bdb1-da7d-4a04-bd9c-30881dd3eadf#:~:text=India%20does%20not%20have%20a,and%20the%20cybercrimes%20associated%20therewith.