Cyber Security and Awareness

Prologue

Information and communication technology has become an integral part of our day-to-day life. It has transformed the way we communicate, share updates, do shopping and the financial transactions, etc., Our new generation is getting exposed to cyber space at a very young age. Use of online games, social networking, online shopping, etc., has increased the use of cyber space. Cyber technology has transformed the way we do the financial transactions. All these developments paved way for rapid increase of the cybercrimes. With the increase in the usage of cyberspace, cybercrimes are also on the rise.

Cybercrime

Cybercrime is any criminal activity that involves a computer, networked device or a network. Most of the cybercrimes are carried out in order to generate profit for the cybercriminals, while others are carried out to damage or disable the devices. Cybercriminals may target an individual's private information or corporate data for theft and resale. Cybercrimes cover crimes like phishing, vishing, credit card frauds, bank frauds, information hacking, creation and distribution of viruses for a gain.

Cybercriminals use various attack vectors to carry out their cyber-attacks and are constantly seeking new methods and techniques for achieving their goals. Cybercriminals would advent an attack with a clear objective of using some of the most effective methods such as

• Email Spoofing: Sending out e-mails to you that look like genuine and from a trusted e-mail ID but actually, they are not.
• Social Engineering: It's a technique used by cybercriminals to gain your confidence to get sensitive information from you for their gain.
• Cyber Bullying; It's a form of harassment or bullying inflicted through the use of electronic or communication devices such as computer, mobile phones, etc.,
• Identity Theft: Deliberate use of somebody's identity to gain financial advantage or to obtain credit and other benefits in the other person's name
• Job Frauds: Fraudulent representation or a deceptive activity on the part of an employee toward an employer.
• Online transaction fraud: It means illegally withdrawing or transferring money from your account to another account by a cyber criminal. These frauds can happen when your login credentials or bank account details or credit card details are stolen by a cyber-criminal.
• Online games: this may end-up in downloading spam, viruses, malicious software and will adversely impact the computer or mobile devices. It's important to down load games from reputed sites only.
• Email account hacking: The criminals may use malware or other tricks to obtain your email ID and Password and subsequently use it to get access to your critical information like social media accounts, bank accounts, etc., They can also send offensive emails to all your contacts.

Importance of Cyber Security Awareness

Cyber security awareness is an ongoing process of educating and training employees about the threats that are happening in cyberspace, how to prevent them and what they must do in the event of a security incident. It also helps to inculcate a sense of proactive responsibility in them, for keeping the organization and its assets safe and secure.Cyber security awareness is knowing what security threats are and acting responsibly to avoid potential risks.

In spite of best-in-class defense systems and measures in place, many organizations still experience security breaches. Unfortunately, it is often human error that has been a major contributing factor behind many data breaches. Majority of the security breaches involved the human element, including social engineering attacks, errors and misuse of stolen credentials. Threat actors look to exploit this weakness to infiltrate an organization's networks and systems.

Cyber security awareness helps educate your employees about malicious methods used by cybercriminals, how they can be easy targets, how to spot potential threats and what they can do to avoid falling victim to these insidious threats. Ignoring the aspect of Cyber security awareness among the employees, has serious consequences on the business such as legal penalties, financial loss and cost of remediation, loss of intellectual property, damaged company reputation, loss of customer trust and so on. After all, a company's Cyber security strategy is only as strong as the weakest link - i.e. the employees.

Purpose of Cyber security awareness training

Cybercriminals are constantly evolving and devising new methods to exploit vulnerabilities to steal valuable data from businesses. Also, they look to exploit human behavior and emotions. Well-educated and trained employees can quickly identify these threats, which can significantly reduce the risk of Cyber security incidents and help prevent data breaches. Well-defined cyber security awareness training can help significantly reduce the cost and number of security incidents in the organization.

Elements of Cyber security awareness program

Email security

Itis one of the most important communications tools for any business entity. However, it is also the entry point for several types of cybercrime, including phishing, ransomware, malware and BEC. Therefore, email security training is crucial to protect the employees and the business from malicious email attacks.

Phishing and Social engineering

Social engineering attackers are aware of how humans think and work. They leverage this knowledge to exploit human behavior and emotions to influence their targets to take desired actions. For example, disclosing sensitive information, granting system access, sharing credentials, transferring funds and so on. Phishing and social engineering attacks are targeted and convincing, making them highly successful. However, with the right training and skills, theemployees can spot warning signs and greatly reduce the probability of falling victim to these scams.

Ransomware and Malware

Malware enters an organization via phishing emails. The ransomware attacks increased heavily in 2020. Ransomware awareness training will help employees understand how these attacks are executed, the tactics threat actors use and the actions they can take against rising ransomware attacks.

Browser security

Web browsers are hot targets for hackers since they are the gateways to the internet and hold large volumes of sensitive data, including personal information. Not all websites you visit online are safe. Therefore, browser/internet security training, including best practices, browser security tips, the different types of browser threats, internet and social media policies, can go a long way toward maintaining confidentiality and browsing the web safely.

Information security

An organization's information is the most prized asset. That's why protecting its confidentiality, integrity and availability should be everyone's responsibility. The training programs must include courses that emphasize the criticality of data security and responsibilities toward protecting the data. The employees have to be trained on how to handle, share, store and dispose of sensitive information safely. Having a clear understanding of the legal and regulatory obligations of a breach is critical. Employees should also be trained on incident reporting to remediate issues quickly and minimize risk.

Remote work protocol

Working remotely is the new norm, as is evident with most organizations globally implementing a hybrid work model. This poses greater challenges for organizations since they must now ensure safety and security both in the office and at home. This also means additional security risks. However, these risks can be significantly reduced with the right knowledge and tools for your employees. Your training programs must include the dangers of connecting to unsecured public Wi-Fi networks, the use of personal devices and unauthorized software, and the importance of VPNs for additional layers of security, to name a few.

Removable media security

Removable media, such as USB drives, CDs, portable hard drives, smartphones, SD cards, etc., offer convenient ways to copy, transfer and store data. However, there are risks of data exposure, virus or malware infection, data loss and theft. Educating the employees about the organization's removable media policy, the risks involved with using removable media, especially untrusted/unsanctioned removable media, the importance of the policy and the repercussions of not following procedure.

Password security

The importance of having a strong password is paramount in today's threat-laden environment. Security awareness programs must include password management and password best practices, including what constitutes a strong password and how to generate one. Your employees must also use multifactor authentication (MFA) whenever possible to prevent account compromises.

Incident response

Educating the employees about their roles and responsibilities in the event of a security incident is also very important. The harsh reality is that security incidents are inevitable. The organization's preparedness to deal with such incidents can be the difference maker between grappling with legal and regulatory issues and quickly recovering from crises and avoiding further damage.

Cyber awareness challenges

While Cyber security awareness cannot solve cybercrime, businesses today realize its importance in mitigating potential risks. Cyber security awareness is a must in the digital world. Cybercriminals constantly come up with new attack methods. Catching up with new trends and updating training programs is harder than it sounds. This also makes Cyber security training materials rapidly outdated since the knowledge and skills that worked today may not be sufficient for tomorrow's threats.

Developing Cyber security awareness programs has to be on an ongoing basis. It is a challenge to select the required security content, creating resources, testing training materials and tools that suit for the awareness programme.

Examples of some of the cyber frauds that are happening now-a-days and ways for avoiding them are mentioned below.

Online scams

• Phishing involves creating a fake website of a bank or a service provider and circulating it via SMS/email, etc., If the customers click on these fake links and enter their credentials, then their accounts get compromised
• Vishing involves fraudsters pretending to be bank officials. They call and ask you to share your sensitive account details, documents, or money for a service or account upgrade
• Fraudsters also create fake social media handles of banks and convince you to pay money or share account details over social media platforms.
• Officials from banking and other financial institutions will never urge you to share confidential details or ask for money for any services

Online shopping Frauds

• Fraudsters target consumers with SMS and emails that claim to earn them reward points. If you click on the link and fill out the details to claim the prize, your personal details may get compromised
• Common online shopping frauds also include selling fake products and services, wherein the seller accepts payment but never ship the products
• Always verify the identity of the sellers and the authenticity of the items that you buy on line
• Never click on suspicious links with unbelievable offers/rewards

Online banking Frauds

• Two common online banking frauds are messages that phish for sensitive account details by alerting consumers that they need to update their KYC to continue using online banking or that their previous payment has failed
• Unaware consumers may fall into this trap and click on suspicious links where they usually fill in their passwords and other details, which the fraudsters use
• Never click on a 3rd party link to complete a payment in the event of a failed transaction
• Banks never asks the customers to update the KYC details on a third party website.

ATM Frauds

• ATM skimming fraud is common wherein fraudsters install skimming devices, keypad trackers, or pinhole cameras in ATMs that can steal your card data.
• Always verify that no suspicious device is installed in your ATM unit.
• Always shield the ATM Keypad with your hand when entering the PIN.
• Ensure that no one is peeking or shoulder surfing while you are entering the PIN.
• Avoid using ATMs in isolated locations

SIM Swaping and SIM Cloning

• Fraudsters try to access your SIM card or duplicate it because all your accounts are linked to your registered number. They often call you pretending to be mobile operator staff and try to convince you with SIM upgrades or benefits
• Never share SIM card credentials with untrusted callers
• If you face constant network issues or have a problem in receiving OTPs, ensure that your SIM has not been duplicated

Loan KYC Frauds

• Do not click on any suspicious SMS links that may ask you to update your KYC
• Beware of any suspicious representatives reaching out to you to update your KYC on your loan account.
• Do not click on links in SMSes that ask you to update your loan-related KYC, as doing so may result in identity theft or loss of your sensitive data
• Bank and financial institutions will never ask for personal information via email, SMS, WhatsApp or phone call

Instant Personal Loan Apps

• Many fake apps and websites claim to provide instant loans, which may defraud you or charge very high interest rates.
• Never download any unauthorized or 3rd party instant loan apps.
• Never share personal details or make a transaction on such apps
• A genuine lender will never offer loans without verifying documents or asking for payment before processing the loan.

Online classified marketplace scams

• Fraudsters posing as sellers on online classified marketplaces set up fake accounts and listings to lure buyers and steal their money.
• Verify the authenticity of sellers online and insist on meeting them face-to-face.
• Never share any personal details online and pay only through secure payment methods.

Contactless Payments

• With the introduction of contactless Wi-fi debit/credit cards, customers can make up to Rs. 5,000 transactions without entering any PIN or swiping
• Keep an eye on your transaction history.
• If the contactless payment card is stolen or lost, it might be used to carry out unauthorized transactions
• Immediately report and block the lost or stolen contactless payment cards and report the fraudulent activity to the authorities concerned.

Point of Sale Frauds

• Point of Sale (POS) fraud is where an employee steals the money from their employer at a point in business where a sale is made
• These also involve malicious skimming devices attached to the Point of sale terminals at stores and shops
• These devices copy your card's data when it is swiped, which are then be used to carry out fraudulent transactions or sold on the black market
• Always inspect the POS terminal thoroughly for any suspicious devices attached to it before swiping your card.
• Reach out to your bank or NBFC if you notice a fraudulent transaction on your credit / debit / EMI cards

Broadband internet security

• If your internet security is not secure, hackers and other cyber criminals can target your device with malicious bugs and malware
• These threats can be used for phishing personal and sensitive information and stealing data
• Install recommended software for protecting your internet connection and switch on regular updates for real-time threat protection.
• A virtual Private Network helps keep your information secure by preventing others from accessing your connection.

Digital transactions, credit and debit cards

• Fraudsters use similar techniques to cheat the public when they pay through the cards. They send links to fill in details that claim reward points or trick a card upgrade
• Never open such suspicious links and messages
• Never share your card number, its expiry date, PIN, OTP, CVV with any one.
• In case of fraud, lost or stolen card incident, get it blocked immediately and report to the authorities concerned.

Mobile banking

• A common fraud is – verification links are sent through fraud numbers and messages claiming to be from your bank/NBFCs. These links are used to install malware to phish your financial details
• Beware of such messages or emails from unverified sources that ask you to enter personal or financial details on suspicious websites or ask you to download verification apps.
• Never click on such links or forward them to others.

Guidelines to report financial frauds in India

• Alert your bank or financial service provider through an email or call your customer care. Take an acknowledgment from them
• Call the 24x7 cybercrime helpline number 1930 to report any cyber fraud
• Report the crime at cybercrime.gov.in
• Also report the incident to RBIathttps://sachet.rbi.org.in/

Summary

The public have to exercise utmost caution while making online transactions and dealing with emails / social networks. Important Do's and Don'ts are as given below.

• Use strong IDs and Passwords and keep changing them periodically
• Ensure to keep the system locked physically and also through screen savers while not in use.
• Identify and avoid phishing and vishing scams in the form of fake emails, SMSes, links, websites, and social media handles. Report them to the authorities immediately
• Install anti-virus and anti-malware software on the devices
• Never share your bank and card details such as online account password, card number, CVV (card verification value), expiry date, PIN, OTP, PAN/Aadhar numbers, etc., with anyone. If shared, your account may be compromised that can lead to illegal online financial transactions.
• Don't click on suspicious links or install 3rd party apps under the guise of verification, KYC, or claiming rewards
• Don's make any payments to unsolicited individuals or requests on apps,social media or emails
• Don't entertain unsolicited calls from bank officials, customer care representatives, loan officers, etc., especially those that demand money, information, or documents of any kind.
• Check for the bank's security certificate details and various signs such as green address line, lock sign on the address bar and the website URL starting with https , to confirm that you are visiting a secure bank website.
• Always use a strong password to open your mobile phone and install a good antivirus software.
• Avoid making online transactions using a public wi-fi or a computer in a cyber café. The said computers might have been infected with malware which may compromise your bank details and other sensitive information such as card number, CVV, etc.,

Technological developments are the boon for the mankind and at the same time if it is not properly used, it becomes a bane for them. Hence, all of us should observe caution and use them properly to reap the benefits.