Cybercrooks use AI, launch bot-based attacks – ET CISO
A Pune-based real estate firm was recently duped out of ₹4 crore when cybercriminals, masquerading as its chairman, tricked an accounts officer into transferring company funds into fraudulent bank accounts. At the local unit of a multinational company, the finance controller fell prey to a similar scam running into crores of rupees when the chief financial officer was on a holiday.
Phishing attacks have become more sophisticated and cybercrooks are increasingly setting their sights on big targets for bigger payoffs.
In the past year, experts said, they have seen at least a two- to threefold increase in incidents of so-called whaling attacks, or CEO fraud, in which scammers use social engineering to impersonate top corporate executives and trick employees into sending money, providing sensitive data, purchasing gift cards or allowing network access. These incidents often lead to financial losses, data breaches and, in some cases, reputational damage for the companies involved.
“It’s a big nexus; there are organised criminal gangs at play,” said Ranjeeth Bellary, partner at EY India’s Forensic & Integrity Services. “We’ve been investigating social engineering frauds for the last seven-eight years, but those targeting CEO/CXO-level officials have exploded of late.”
Fraudsters are using artificial intelligence and launching bot-based attacks, studying the social media profiles of executives and other publicly available content to craft very convincing mails that come across as legitimate.
These attacks are effective partly because of low awareness and partly because fraudsters have realised that it is easier to get employees to act on emails received from senior executives, said Bellary. “You should not trust a person blindly – that’s the first line of defence. Companies are now also making employees go through awareness sessions. But in most cases, it’s reactive rather than proactive.”
Most Attacks May Go Unreported
In many cases, companies and individuals try to hide the fact that they’ve been scammed, which means the actual number of cases is likely to be many times those reported.
Not just corporate employees: even faculty at educational institutes like the IIMs have received emails or WhatsApp messages from hackers impersonating directors or top officials.
An IIM director told ET that mails, purportedly from him, had gone out to several faculty members, asking them to buy gift cards and send the details. “It’s happened not once but multiple times. We’ve now put more stringent systems in place,” said the director, who did not want to be named, apprehensive about being targeted again.
Several of his peers at other institutes have also faced the same issue, he said.
According to Akshay Garkel, partner and leader-Cyber at Grant Thornton Bharat, a large corporate (with annual revenue of Rs 50,000-100,000 crore) sometimes reasons that it is better to write off small amounts that have been siphoned off, for instance up to Rs 3-4 crore, than to take a hit to the employer brand. That said, law enforcement agencies must be informed about all the cases, he added.
There is a purely financial motive behind these incidents, Garkel said. “In the cases we come across, security awareness levels need improvement. There needs to be a lot more sophistication in monitoring and blocking such incidents.”
High Vulnerability
Almost everyone is vulnerable to cyberattacks, as personal details collected by apps and websites may get leaked, giving scamsters access to confidential information.
Ashok Hariharan, chief executive of fraud detection company IDfy, said even his company had been targeted.
Just a month ago, 50-60 of the company’s 650 employees received an email pretending to be from Hariharan. Being in the business of fraud detection, no one rose to the bait, but such incidents have happened in the past as well, he said.
“Personal details are easily available. It could be from apps or data brokers who are selling it; malicious mobile apps downloaded; it’s even available on the dark web for just Rs 100-200,” said Hariharan. “Also, the fact that the transfer of money has become extremely easy through UPI has made it the base of most frauds. It’s much easier to run at a mass scale.”
Controls need to be put in at multiple stages, including at the KYC level (to stop fraudsters from entering the system). There should also be better transaction monitoring (for instance, huge activity to a particular number/account should trigger the system), Hariharan said. “Big organisations are seeing more of these frauds. At a basic minimum, awareness sessions should be conducted for finance teams, those dealing with vendors, etc, as they are among the more vulnerable targets,” he added.
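The two controls Hariharan describes, a trigger on unusual activity flowing to one account and a gate before money leaves the system, can be sketched as a small transaction-monitoring rule. The code below is an added illustration written for this page, not anything from IDfy, the firms named above, or a real banking system; the ledger, the thresholds, the vetted-beneficiary list and the function names are all constructed assumptions. The sliding-window rule flags a beneficiary that receives transfers from too many distinct payers, or too much money, within 24 hours; the second check holds a large first-time payment to an unvetted beneficiary for out-of-band confirmation, which is the step that would have caught the chairman-impersonation transfer described at the top of the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): ISO timestamp, payer account,
# beneficiary account, amount in rupees. "mule-X" models a fraudulent
# account that several internal accounts are tricked into paying in one day.
SAMPLE_TRANSFERS = [
    ("2024-06-10T09:05:00", "acct-payroll", "vendor-A", 120_000),
    ("2024-06-10T09:40:00", "acct-ops", "vendor-B", 80_000),
    ("2024-06-10T10:15:00", "acct-finance", "mule-X", 900_000),
    ("2024-06-10T11:02:00", "acct-ops", "mule-X", 850_000),
    ("2024-06-10T12:30:00", "acct-payroll", "mule-X", 700_000),
    ("2024-06-10T14:10:00", "acct-treasury", "mule-X", 1_200_000),
    ("2024-06-12T09:00:00", "acct-finance", "vendor-A", 150_000),
]

# Constructed list of beneficiaries that passed onboarding/KYC checks (assumption).
VETTED_BENEFICIARIES = {"vendor-A", "vendor-B"}


def parse_transfers(transfers):
    """Convert raw tuples to (datetime, payer, beneficiary, amount), oldest first."""
    rows = [(datetime.fromisoformat(ts), payer, bene, amt)
            for ts, payer, bene, amt in transfers]
    return sorted(rows, key=lambda r: r[0])


def flag_concentrated_beneficiaries(transfers, window=timedelta(hours=24),
                                    max_distinct_payers=2,
                                    max_window_total=2_000_000):
    """Sliding-window concentration rule (thresholds are illustrative assumptions).

    For each beneficiary, walk its transfers in time order and keep only those
    within `window` of the current one. Alert if that window contains more than
    `max_distinct_payers` distinct payers or more than `max_window_total` rupees.
    Returns {beneficiary: details} for the last window that tripped the rule.
    """
    by_beneficiary = defaultdict(list)
    for ts, payer, bene, amt in parse_transfers(transfers):
        by_beneficiary[bene].append((ts, payer, amt))

    alerts = {}
    for bene, rows in by_beneficiary.items():
        start = 0
        for end in range(len(rows)):
            # Drop transfers that fell out of the window as time advances.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            payers = {payer for _, payer, _ in in_window}
            total = sum(amt for _, _, amt in in_window)
            reasons = []
            if len(payers) > max_distinct_payers:
                reasons.append(f"{len(payers)} distinct payers within {window}")
            if total > max_window_total:
                reasons.append(f"total {total:,} exceeds {max_window_total:,}")
            if reasons:
                alerts[bene] = {
                    "window_end": rows[end][0].isoformat(),
                    "distinct_payers": len(payers),
                    "total": total,
                    "reasons": reasons,
                }
    return alerts


def needs_out_of_band_check(beneficiary, amount, vetted=VETTED_BENEFICIARIES,
                            threshold=500_000):
    """Gate at the point of payment (assumed policy): a payment at or above
    `threshold` to a beneficiary that never passed vetting is held until the
    request is confirmed through a channel other than the email that asked for it."""
    return beneficiary not in vetted and amount >= threshold


if __name__ == "__main__":
    for bene, detail in flag_concentrated_beneficiaries(SAMPLE_TRANSFERS).items():
        print(f"ALERT {bene}: {'; '.join(detail['reasons'])}")
    for _, _, bene, amt in SAMPLE_TRANSFERS:
        if needs_out_of_band_check(bene, amt):
            print(f"HOLD {amt:,} to {bene}: unvetted beneficiary, confirm out of band")
```

Run as a script it prints one alert for `mule-X` (four distinct payers and ₹36.5 lakh within the window) and a hold for each of the four payments to it, while the routine vendor payments pass silently. In a real deployment the thresholds would be tuned per payer profile and the hold would route to a second approver who verifies the request by phone or in person rather than by replying to the email.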