‘Hi, I needed something to be done urgently’: a text message like this from your boss on a busy day can only mean incoming priority work. Few people would be alert enough to identify at one glance that such a text can also be a scam, and that this could be a new technique for duping employees through WhatsApp. After the mayor of Chandigarh, Mumbai police and Adar Poonawalla, the founders of WebEngage, CleverTap and MediaNama have appeared on the radar of impersonators on WhatsApp and email.
Recently, employees of WebEngage and CleverTap were nearly scammed into spending a good amount of money in compliance with their fake boss’ WhatsApp command. In the latest case, a WebEngage employee almost ended up sending Apple gift card vouchers to a fraudster posing as the co-founder of the company, Avlesh Singh, on WhatsApp.
What exactly is impersonation?
Abhinav Sekhri, advocate practising in New Delhi, explains that impersonation is a smaller subset of a broader category of phishing attacks, which do not necessarily rely upon the relationship factor between the impersonated person and the target person.
“Impersonation relies upon some degree of familiarity with the identity of the impersonated person. It is impersonation where, because of you telling me you are ‘X’, I am doing this. Here, the key is an inducement of you pretending to be someone else. Without that pretense, the person will not be duped into acting the way that they acted. Whereas, phishing does not really require any inducement of that nature. It can just be about ‘click to win’ calls.”
What happened with WebEngage?
“Hey, are you busy? I am at an event and trying to reach out to the marketing guys, but unable to connect. I immediately need your help to get me two Apple gift card vouchers, each of Rs 5000,” read a message received by the employee, who wished to remain anonymous, on the afternoon of January 10.
In order to complete the task quickly, the employee bought the gift card voucher and sent a screenshot of the card details to the person on the other side. Something didn’t seem right when the message was not delivered. It turned out that the scammer’s battery had died and, in the meantime, the employee decided to cross-check with Singh. Reality struck and the employee quickly deleted the undelivered message.
“I had Avlesh’s number and a chat history too, which I should have checked. But, the scammer was smart enough to use the same profile picture and I was replying to the notifications itself initially,” the employee adds. The chat between the two then led them to identify what was wrong, and the team of 350 members across multiple locations was informed and sensitised about the fake-boss profiles doing the rounds on WhatsApp.
The WhatsApp message was sent under Singh’s name. On January 26, Singh tweeted out a series of other screenshots. Speaking with MediaNama, Singh said that the scamsters used pictures from his LinkedIn account and the website page to impersonate him on WhatsApp; the easiest way to steal pictures of potential targets.
Me & my team are getting tired of these @WhatsApp fraudsters for the last 4 weeks.
My team members (350+ across multiple locations) keep getting phishing messages like these from random numbers. They carry my photo.
Anyone else suffering this menace?
Whatsapp team – plz advise pic.twitter.com/0qNSqg3LEZ
— Avlesh Singh (@avlesh) January 26, 2023
It’s not just on WhatsApp
Speaking to MediaNama, Singh confirms that this is the first time they have been receiving such texts on WhatsApp. Several other Twitter users who took note of Singh’s tweet pointed out that their employees have been facing the same issue over email.
Anand Jain, co-founder of CleverTap, informed MediaNama about the company’s employees receiving similar mails in the name of their CEO Sunil Thomas during the Covid-19 lockdown. One of the employees ended up losing $500 (Rs 40,757), but was reimbursed by the company later. According to Jain, the employee had never even interacted with Thomas and “could not think any better” in the moment. The email also had the profile picture, which, Jain adds, can trick someone into believing that it’s the real profile of the impersonated person.
“Since it was during the lockdown, there was no way to verify by meeting people in-person. It was not even in the line of reporting. We recorded almost 7-8 such incidents spanning across seven months. Since then, we have informed the team about such emails,” says Jain.
On January 27, the author of this report received an email in her work inbox from a sender who impersonated MediaNama’s founder and Editor Nikhil Pahwa. The subject of the email was a call to assign work, which was unspecified, and the sender enquired about the author’s availability during the day. Initially the author sent a quick reply, but then found that the email address did not match Pahwa’s original ID. By that time, the sender had already replied asking to transfer Rs 31,200 to a vendor.
“I have exceeded my daily limits however I will personally reimburse you tomorrow morning. Let me know if you can handle this payment so I can forward the details to you,” the mail read. As someone who was already working on the WhatsApp scam story, this was no less than a funny coincidence for the author, who then alerted Pahwa about the fake mail.
These incidents are not new
Phishing attacks on WhatsApp and email, whether to extract money or to extract details through dubious means, are not new. Cases of impersonation of top bosses or high-profile individuals to target employees have been reported extensively since the pandemic. According to a 2022 report by Deep Strat and The Dialogue, “social engineering” or phishing attacks emerged as one of the most common methods of committing payment frauds in India since the pandemic.
Essentially, social engineering refers to gathering enough information about the person to be tricked or targeted, through social media platforms or other means, in order to extract money. It refers to “psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality”.
Experts that MediaNama spoke to for this story say that it has become easier for fraudsters to operate through WhatsApp and other social media platforms. “In the last two years, we have seen dealt with such cases on Facebook, WhatsApp and Instagram,” says Mukesh Choudhary, Cyber Crime consultant, Jaipur police.
In September 2022, a Newslaundry report covered how the director of Pune’s Serum Institute of India was duped into sending Rs. 1.01 Crore to unknown bank accounts by a WhatsApp fraudster communicating with him as his CEO, Adar Poonawalla.
It’s not just about private company employees; such perpetrators have tried their tricks on government employees too. In June 2022, a Times of India report showed an executive engineer from Gurugram Municipal Corporation was nearly tricked into sending Google Play recharge cards worth Rs 5000 to someone posing as his boss, municipal commissioner Mukesh Kumar Ahuja.
In May 2022, Arvind Kumar, an IAS officer from Telangana, tweeted about his photo being used by an unknown WhatsApp user, who was reportedly sending messages to his staff asking for money. Several Mumbai police officers also encountered similar impersonation scams on WhatsApp.
How are these crimes dealt with under Indian law?
Choudhary explains that cybercrimes pertaining to impersonation are dealt with under the following sections of the Information Technology Act 2000: Section 66D, which penalizes cheating by personation using any communication device or computer resource; and Section 66C, under which it is an offence to “fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person”. He adds that Section 420 of the Indian Penal Code, which deals with cybercrimes involving cheating and dishonestly inducing delivery of property, is also taken into account in such cases.
According to the latest National Crime Records Bureau (NCRB) reports, cybercrime recorded under section 66D of the IT Act rose from 11172 in 2020 to 11339 in 2021. Additionally, cybercrimes under section 420 of the Indian Penal Code increased from 10364 in 2020 to 13980 in 2021.
Siddharth Chandrashekhar, advocate at Bombay High Court, says that while online scams have become much more popular, “fraudsters and scamsters also thrive on/play with the emotions of fear usually expressed by employees towards their higher-ups as such employees end up following orders without verifying the source of such orders. There is a loophole in some sense here”.
Though these cybercrimes are fairly common now, not many are being reported. “We did not know that there is a recourse available. This did not happen within India as such. The employee was not located here. Moreover, it was during the lockdown and there was no way to know the whereabouts of your colleagues. We should have filed a cyber complaint. To be honest, it did not occur to us to file a complaint,” says Jain, when asked if CleverTap would seek a legal remedy. WebEngage also hasn’t turned to legal recourse for tackling the recurring problem.
Chandrashekhar says, “The legal remedy is to immediately file a complaint with the Cyber Crime Cell of the Police which deals with…crime perpetrated through the internet in general. They can also seek damages against such persons via the relevant court of law, however most people don’t seek these remedies as they are unaware or find these redressal modes cumbersome.”
Choudhary says he has recently investigated a case of impersonation of a company founder in which nearly one crore was sent to multiple accounts of the fraudster. According to him, since the sections under the IT Act are bailable, the perpetrators are not really afraid of the consequences, and the investigation of such crimes involving financial frauds is generally lengthy, extending to as long as three months in some cases.
What hampers the investigation process?
Lack of resources: When asked about why such scamsters are able to continue with impunity, Choudhary says there are various unaddressed problems in the operations of the police department, telecom sector and the banking sector. “Dedicated cyber cells and police stations are less. Even they have criteria like only 1 lakh or 5 lakh above financial frauds would be investigated, so what about those who are getting duped for Rs 15000 and Rs 20000. The scamsters are very well aware of the police’s modus operandi and their ways of functioning and they are taking advantage of that,” says Choudhary.
Choudhary also highlights the coordinated nature of these scams. “The scamsters have understood that it’s easier to dupe someone from 1500-1800 kms away and evade tracking, as the police won’t reach there on time due to limited resources and funds. Even if caught, they hire advocates, who exclusively fight their case. They have proper groups of SIM cards, PhonePay, UPI, Paytm and banking groups to activate these tools and pay and use the service.”
Restrictions from other sectors: Further, he explains that there are issues with the ways the banking and telecom sectors operate. When SIM cards are sold just to achieve targets, protocols related to authentication and verification are not met, and the telecom companies are often not made party to the investigation.
The Deep Strat and Dialogue report cited above explains that a number of authorities each retain part of the data related to financial transactions, and telecom companies are one among them. The telcos are bound by “rules and regulations” issued by the Department of Telecom (DoT) and the Telecom Regulatory Authority of India (TRAI). Investigators trying to get a mobile number blocked because it is being used to carry out multiple frauds are often advised by telecom companies to come through DoT.
“While this may protect a mobile phone user from getting a number blocked suddenly, this leaves the investigators in a difficult situation where the same numbers are used for repeated cyber-crimes while telecoms dither on blocking the numbers,” the report adds.
Secondly, Choudhary says, “Under the banking system, the small finance banks are largely used for such cybercrimes, because KYC (Know Your Customer) protocols are not followed strictly. But, that goes unchecked too.”
The above-mentioned report on tracking financial cybercrimes points out that KYC details produced during financial transactions and while applying for mobile phone connections are “integral” to cybercrime investigations. Inadequate or fraudulent data provided by the scamsters, errors in details that go unnoticed by bank employees, and a lack of standardisation of KYC data across platforms are some of the major problems that obstruct police operations.
Compoundable offence: According to the Deep Strat report, “A major hurdle to investigating cyber-crimes is the fact that the cases are compoundable”. This means the matter can be settled if an agreement is sought with the victim of an offence. Choudhary reiterates this issue adding that it is always an easy option for the perpetrator to pay off one person who has reported the case and continue to profit from other targets.
“For investigators, this also leads to a major loss of motivation to see meticulously built cases coming apart as soon as the offence is compounded. Once the offender is let off, he/she is free to continue targeting fresh victims,” the report adds.
What are the possible ways to tackle these crimes?
The researchers at Deep Strat and The Dialogue make the following recommendations in their report:
- There is a need to collect empirical data on “cyber payment frauds” country-wide to better assess the magnitude of the problem.
- The Reserve Bank of India needs to “standardize safety features and processes of all stakeholders in the digital payments’ ecosystem for greater harmonization and safety of users”.
- In order to increase the number of investigators in the state, there is a need to review the provision under Section 78 of the IT Act, which mandates that “only an Inspector or above rank of police can investigate cases registered under section 66 of the law”.
- There is a need to strengthen and review the KYC mechanism as the current KYC norms are not working for law enforcement agencies due to “inadequate or fraudulent credentials”. “Regular checks of sample KYCs to be carried out at regular intervals as an oversight mechanism with penalties on Telecom/Bank officials for irregular entries,” the report adds.
- Due to the complexities pertaining to investigations, the report recommends a review of provisions making cybercrimes compoundable.
- “Regular and specialized training capsules” led by information security researchers and academics must be conducted for law enforcement agencies so that they can keep up with evolving techniques of financial cyber frauds.
The TRAI released a consultation paper introducing the Calling Name Presentation (CNAP) feature in telecommunication networks in November 2022. With CNAP, people receiving a call will get to know the name of the person calling them, thereby restricting anonymous calls for the user.
While the Telecom department is aiming to curb spam calls through CNAP, privacy experts have questioned how this will protect callers’ personal information if a blanket rule is imposed. They say this will in fact expose callers’ data to vulnerabilities; for instance, their identity could be used to further target them via social media for malicious activities, including cybercrimes. Hinting at regulation of OTT communication services such as WhatsApp, Telegram and Messenger among others, Union Telecom Minister Ashwini Vaishnav had said that KYC for callers on other platforms must also be mandatory to tackle cyber frauds. While the emphasis on verification processes may help investigating officers in tracking down the accounts, numbers and profiles used for hacking and scamming, it is unclear how these proposed measures will specifically address the issue of impersonation.
In matters like these, much also depends on an individual’s presence of mind at that moment. Experts MediaNama spoke to believe that the easiest way to prevent such scams is to stay alert and refrain from acting in a gullible manner when it comes to sharing personal details online. Choudhary says that these groups change their modus operandi every quarter or six months, a trend he has witnessed in the last 13 years, and that “there should be a basic understanding among people, employees about how identities can be used for causing harms”.
“Corporates must incorporate routine training modules to inform the team about such cyber threats. Every employee of the company should know what to share, whom to share [with] and how much to share,” he adds.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.