A few days ago, I came across news posts about reports with alarming headlines. Both reports talked about people who had lost money after receiving several missed calls on mobile phones but no one-time password (OTP). These headings are entirely misleading. The 'missed call' in both cases was just one of the instruments used in looting money from a person's account.
Unfortunately, they convey the impression that fraudsters can give you a missed call and zap money from your account—that is not possible. In both reported cases, the fraudsters already had the login IDs of the victims and then used SIM swap to gain access to the OTP for logging into their accounts. In almost every cyber fraud case, criminals operate on the basis of two factors: knowledge (something only the user knows, like login ID, which the fraudsters have access to) and possession (something the user has, such as a password). I will explain more about it later.
A senior citizen from Delhi was duped of Rs16 lakh through sextortion. To make the 'blackmailing' case more severe, the criminals told the person that the lady in the video was murdered, and he must pay money to have his name taken off the case.
Before we discuss the bad news, let me mention that Meta, which owns Facebook, has cracked down on a firm operating a network of fake accounts on Facebook and Instagram for social engineering and phishing. This is both good and bad.
Misleading News
Let's start with a news report about the man who lost Rs1.86 crore to ‘missed calls’. The heading is 'click-bait' to shock readers into reading it. At the same time, it causes unnecessary alarm among people, when the facts are quite different.
Let me make it clear that nobody can lose money 'only' through missed calls. It is like saying each Rs2,000 note contains a chip to transfer some information to tax authorities. Like the so-called 'chip' in currency notes would need a power source even to function, the cybercriminal would need more than just a number to give a missed call that allows him to dupe people.
Many seem to compare the 'missed call' cheating to a sophisticated hacking software like Pegasus. However, the Israeli company NSO Group developed the programme to infect user devices through 'zero-click' attacks that do not require any interaction or response from the victim (like the missed call). However, for this, Pegasus exploits 'zero-day' vulnerabilities, the newly discovered flaws or bugs which are not patched or fixed. WhatsApp accepted that, in 2019, Pegasus had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability.
Pegasus is not only a highly sophisticated spyware but is sold only to governments and is out of reach of ordinary cybercriminals interested in siphoning money from people's accounts.
Coming back to the 'missed call', the report from GadgetsNow says, for the SIM swap too criminals would need to know the unique 20-digit SIM number printed on every SIM card. "SIM Swap is the part two of the fraud process. The scamster, in most cases, already has information about your banking ID and password. All they need is the OTP that you get on your registered mobile number to make financial transactions," it clarifies later.
Another report from Times of India a director of a south Delhi-based security services firm lost Rs50 lakh to cyber crooks, who diverted the money by repeatedly giving him blank and missed calls on his cellphone and interestingly, did not even ask for any OTP.
Police suspect the scammers may have used the SIM swap technique. "In this fraud, scammers also contact people's mobile phone carriers and trick them into activating a SIM card. Once this happens, they take control over the phone," an officer told the newspaper.
This brings us to the multiple factors used in digital payment transactions. To use your card for online payment, you must submit your card number and PIN (or card verification value—CVV). After submitting this information, you will receive the OTP on your registered mobile number and/or email ID. Once you submit the OTP, your transaction is cleared, and the opposite party will receive the payment.
In short, nobody will steal money from your bank account just by giving a missed call on your mobile.
Sexting, Murder & Extortion in Delhi
A 69-year-old was pleasantly surprised when he received a video call on WhatsApp one night. On the other side was a 'lonely, young woman' looking to make a friend. What followed was an intense exchange of 'video sexting', which involved them stripping over the calls. The woman then disappeared for a day or two, leaving the senior citizen anxious and waiting.
However, according to a report from Times of India, two days later, he received a call from someone claiming to be a relative of the woman and told him about her murder. Next, the senior citizen received calls from 'crime branch' and 'cyber cell'.
"To add to the victim's woes, one of the crooks posing as a policeman contacted him to inform that his name was being added to the 'murder first information report (FIR)'. The suspects then extorted more money through bank transfers into various bank accounts by putting the victim in fear of arrest," the report says.
Subsequently, they extorted about Rs16 lakh from him to clear his name from the murder case and to remove his 'videos' from social media.
Remember, cases of sextortion have become rampant and anyone who responds to messages or calls from unknown numbers on WhatsApp can quickly become a victim. Most importantly, without any fear, the victim must file an FIR at the nearest police station. Only this would ensure that proper action is taken against the criminals.
Meta Takes Down Phishing Network
Meta has taken down a network of fake accounts on Facebook and Instagram that were being operated by an Indian firm called CyberRoot Risk Advisory. This network, consisting of around 40 accounts, primarily engaged in social engineering and phishing, often intended to trick people into giving up their credentials to various online accounts across the Internet, says a report from Indian Express.
According to the report, CyberRoot Risk Advisory is the second Indian firm that Meta has cracked down on for allegedly operating fake accounts used in suspected efforts to hack people's phones, computers and online accounts such as their social media or emails.
"While Meta did not provide specific information about the expanse of CyberRoot's activities, it said that the firm used fake accounts to create fictitious personas tailored to gain trust with the people they targeted around the world," the report says.
The most crucial factor on social media is that not everyone you come across may be a real person, and therein lies the significant danger. A few days ago, an official transferred Rs29 lakh to someone who had used the profile photo of a company's managing director (MD) on WhatsApp.
A significant difference between the real world and the technology-enabled virtual world is that things are not what we expect or want them to be. So the next time, make sure that the social media profile belongs to a real person known to you. Needless to say, stay away from unknown persons on social media too.
How To Report Cyberfraud?
Do report cyber crimes to the national cybercrime reporting.
Comments