Cybercriminals do not discriminate


To avoid a scenario similar to Razdan’s incident, we should first check if the email has been sent from an official email address


While there has been a drastic uptick in cybercrimes in India, especially during the Covid-19-led lockdown, there hasn’t been much debate about it. A recent high-profile phishing case has turned the tide on the topic.

The case of Nidhi Razdan is particularly important. The former executive editor of a broadcast channel announced on Twitter in June 2020 that she was moving on from NDTV after nearly 21 years to join Harvard University as an Associate Professor. She came to realise later that she had been the victim of an elaborate and sophisticated phishing attack.

Razdan’s case is a perfect example of a phishing attack carried out by a seasoned cybercriminal. A phishing attack is a scam in which criminals send messages that masquerade as coming from legitimate institutions, targeting millions of businesses and individuals every day. Phishing attacks can further be classified into different types: Email Phishing, Spear Phishing, Whaling, and Vishing. Razdan, in particular, was an unfortunate victim of ‘spear phishing’, a sophisticated type of phishing attack involving email. In this scenario, the criminal has already secured information about her name, place of employment, job title and specific details of her personal life. The criminal targeted her by creating realistic situations and documents, such as the appointment letter and terms and conditions, among other technicalities, on Harvard’s official letterhead, which led her to her current predicament. Criticism of her gullibility is unwarranted, as this can happen to anyone. But how can a normal individual identify a phishing attack?

We can start with the most basic principle: visiting the official website to check whether the company is hiring and whether it is hiring for that particular role. It is also advisable to cross-verify by reaching out to the company through the official email address mentioned on the website. In case the website isn’t up to date or the required information is missing, one can use tools such as or other reliable free tools to check the status of the domain. If the domain is new whereas the company the job offer came from is old, the chances of that domain having been planted for the purpose of conducting a mass phishing attack are extremely high.

To avoid a scenario similar to Razdan’s incident, we should first check if the email has been sent from an official email address. The most common trick criminals use is to manipulate the domain name ever so slightly, in a way that recipients do not notice.

Another trick is the use of free accounts such as Gmail or Yahoo to send emails, which also goes unnoticed. Should there still be any lingering doubt about the authenticity of the email address and domain, it’s best to use free websites like MX Toolbox to analyse the email. There are also many email analysis tools with which users can examine the headers to find out which IP address the email was sent from. The Google Play Store has apps such as IP logger which can uncover the original IP address and compare it with the IP address mentioned in the email header. Furthermore, it can also identify the country or city from which the email originated and the internet service provider through which it was sent. Using tools such as can help you identify whether the fetched IP address is a proxy address, which means one should steer clear of the email and not respond to it under any circumstances.
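The sender checks described above, as an added example that is not part of the original article: a Python script that classifies the From domain against the organisation's official domain (official, free-mail, lookalike or unrelated) and pulls the earliest non-internal IPv4 address from the Received headers. The domain `example.edu`, the free-mail list, the edit-distance threshold of 2 and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed, not exhaustive
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def first_public_ip(received):
    # Each relay prepends its own Received line, so the last header is the earliest hop.
    for hop in reversed(received):
        for cand in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop):  # IPv4 only
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue  # not a valid address, e.g. an octet above 255
            if not any(ip in net for net in INTERNAL):
                return cand
    return None

def check_sender(raw_message, official_domain):
    msg = email.message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain == official_domain or domain.endswith("." + official_domain):
        verdict = "official"
    elif domain in FREE_MAIL:
        verdict = "free-mail"
    elif edit_distance(domain, official_domain) <= 2:
        verdict = "lookalike"  # a character or two away from the real domain
    else:
        verdict = "unrelated"
    return {"domain": domain, "verdict": verdict,
            "origin_ip": first_public_ip(msg.get_all("Received", []))}

# Constructed sample message: note the digit 1 in place of the letter l.
SAMPLE = """\
Received: from mail.examp1e.edu ([203.0.113.45]) by mx.recipient.example
Received: from laptop ([192.168.1.23]) by mail.examp1e.edu
From: "HR Office" <hr@examp1e.edu>
"""
```

Received lines below the recipient's own mail server are written by systems the sender controls, so the extracted address is a lead to cross-check rather than proof of origin.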

The first step in avoiding falling into a phishing trap is vigilance. To protect our digital privacy and private data, it’s important that we take some time to cross-check and verify the authenticity of the emails we receive and exercise the utmost caution in replying to such malicious emails. High-profile individuals and businesses who are susceptible to cyber-attacks should not rely only on free solutions but instead adopt more robust cybersecurity solutions, which are usually paid. Our inherent reluctance to pay for privacy is part of this problem.

We must start inculcating a culture where we safeguard private data as a preventive step and not as a cure. This is the only way we can live fearlessly in an age of enhanced digital activity.

(The writer is a cybersecurity expert and Digital Forensics Investigator)
