Coronavirus (COVID-19): The COVID-19 outbreak presents a global challenge not just for the medical fraternity and society, but for law enforcement agencies also. Cyber crime, like a pandemic, knows no state borders. A few people are attempting novel ways of defrauding innocents using information and technology. Money is being siphoned off using fake accounts and exploiting vulnerabilities of various applications.
On March 29, the DCP Cyber Crime, Delhi’s official Twitter account alerted citizens about a fake UPI (Unified Payments Interface) ID of the PM CARES Fund, pmcare@sbi – the correct UPI ID to donate for coronavirus victims is pmcares@sbi. The Delhi police took suo motu cognisance of the fraud, registered an offence of cheating under sections 419 and 420 of IPC, and blocked this and a number of other similar accounts. The number of persons cheated and amount defrauded can only be known when the investigation is over.
Coronavirus pandemic: UPI and related frauds
UPI is a real-time payment system developed by National Payments Corporation of India for inter-bank transactions. The interface is regulated by the Reserve Bank of India and instantly transfers funds between two bank accounts on a mobile platform. The NPCI keeps record of all the accounts and transactions.
It is very easy to create an account using the UPI platform. One just needs an ID that could be even one’s mobile number or name, and a four-digit PIN. The offence highlighted by the DCP, in fact, has nothing to do with the security of UPI as such. It is phishing, in which the offender creates a similar-looking ID to deceive users.
Within the limits set by each bank, any amount can be exchanged instantly using such apps, and the defrauded amount could be huge. Second, the imposter can immediately withdraw the amount and flee, as there is no caveat on withdrawal. Also, if the bank has not done the Know Your Customer (KYC) process thoroughly, nabbing the culprit may become difficult.
It is important to verify the destination UPI ID from authentic sources before making any transaction. If a mobile phone with a UPI-enabled app is stolen, it must be blocked and the bank intimated before it can be misused. Banks also must adhere to the KYC guidelines issued by the RBI, so that the address of each customer is checked physically.
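The verification step above can be automated in a payment front end or a fraud-screening job. The following is an added example, not part of the original article: it compares a payee ID against a list of trusted IDs and flags near-misses such as the fake pmcare@sbi. The trusted list, the function names and the distance threshold of 2 are assumptions made for illustration.

```python
# Trusted payee IDs obtained from an authentic source. pmcares@sbi is the
# genuine ID quoted in the article; the set itself is an assumed allowlist.
TRUSTED_VPAS = {"pmcares@sbi"}


def edit_distance(a, b):
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_vpa(vpa, trusted=TRUSTED_VPAS, max_distance=2):
    """Classify a payee ID as trusted, lookalike, unknown or malformed.

    Returns (verdict, matched_trusted_id_or_None).
    """
    vpa = vpa.strip().lower()          # IDs are compared case-insensitively here
    name, sep, handle = vpa.partition("@")
    if not sep or not name or not handle or "@" in handle:
        return ("malformed", None)
    if vpa in trusted:
        return ("trusted", vpa)
    # A small edit distance to a trusted ID means a dropped, added or
    # swapped character in either the name or the bank handle.
    for good in sorted(trusted):
        if edit_distance(vpa, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inputs; only the first two IDs appear in the article.
    for candidate in ["pmcares@sbi", "pmcare@sbi", "pmcares@sb1",
                      "someshop@upi", "pmcares"]:
        print(candidate, "->", check_vpa(candidate))
```

A "lookalike" verdict should block or interrupt the payment and show the trusted ID it resembles; "unknown" only means the ID is not on the list, not that it is safe.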
Facebook is often used for fraud. If the privacy settings are not consciously set to protect an account, it is always susceptible to hacking. Most users don’t change the default settings and keep them ‘public’. This makes it very easy for a cyber criminal to download a profile photo and create a fake account. Sometimes, people also exchange their bank account details, mobile number and other sensitive information on Facebook. Further, if the password on Facebook is weak, it can easily be cracked and the account hacked.
Cases of fake Facebook accounts are being reported in which money has been fraudulently sought for the treatment of alleged patients by hacking their accounts. It is, therefore, best to keep the privacy settings at ‘Only me’ or ‘Friends’ and not to share sensitive information on social media. Privacy settings can also be changed for every post and photo.
Loss of confidentiality
The lockdown has forced many to work from home. Unless the organisation has its own infrastructure and uses VPN (virtual private network) for accessing its resources, the use of public platforms may result in loss of confidential data. Recently, the popular videoconferencing app Zoom, which can add up to 100 participants in a call, has come across as vulnerable. As the meeting ID can be shared through a link, on screen and through other mediums, uninvited guests can also join a meeting and gain access to sensitive information.
The chief executive of Zoom apologised for “falling short” on security issues, including sharing user data with Facebook and wrongly claiming end-to-end encryption, and promised to address concerns.
When one uses Zoom, it seeks permission for accessing the user’s microphone, web-cam and data storage. This can result in hijacking and loss of private data. Users may also experience ‘Zoomraiding’ or ‘Zoombombing’ in which hate speech, pornography or other content is suddenly flashed by disrupting a video call on Zoom.
The Computer Emergency Response Team-India (CERT-In) circulated a ‘vulnerability note’ on February 6, giving Zoom a ‘medium’ security rating.
Therefore, it is important to be cautious while using such free apps for confidential meetings, or to use organisational infrastructure for such meetings. The public network can still be used for accessing critical applications, provided authentication, access control and integrity of data are ensured through VPN or other options.
In guidelines for law-enforcement agencies on March 26, Interpol warned about the emerging trend of false or misleading advertisements about medical products, setting up of fraudulent e-commerce platforms, phishing etc during the pandemic.
It has recommended, inter alia, that people avoid opening suspicious emails and clicking links in unrecognised emails and attachments; back up files regularly; use strong passwords; keep software updated; and manage social media settings and review privacy/security settings. Cyber experts also recommend the use of ‘https’ protocol for secure financial transactions.
In case you become a victim, report it to the police immediately. These are computer-related wrongs covered under the IT Act, 2000, liable for penalty and compensation, and criminal liability in appropriate cases.
R K Vij is a senior IPS officer in Chhattisgarh. Views are personal.