Today, I received an email saying that I had a refund due on the tax I paid in 2017. The email looked really genuine and asked me to click a link that would help me claim my refund directly to my bank account. As I looked at the email, it seemed to have come from noreply @ income tax india efiling . com (without spaces) via a website www 87 . world 4 you . com (without spaces). Since I teach cyber security, I thought this would be a good case to showcase in class as an example.
The link opened a website that resembled the IT Department's website in multiple ways, albeit not an exact replica. The hyperlinks were encoded and led to a phishing website, soltierra . com . ar (without spaces), which in turn routed to another encoded link.
This process is called phishing: the attempt to obtain sensitive information such as usernames, passwords and credit card details (and money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.
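As an added example (not part of the original post), here is a small Python check for the two tell-tale signs described above: a From domain that does not match the domain the mail was actually sent via (what a mail client shows as "via"), and a link whose visible text names one site while its href goes to another. The sample message and its .example domains are constructed stand-ins for the real email, not data from it.

```python
import email, email.utils, email.policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (placeholder .example domains stand in for those in the post).
SAMPLE_EMAIL = """\
From: noreply@incometax.example
Sender: bounce@world4you.example
Content-Type: text/html; charset=utf-8

<p>Click <a href="http://soltierra.example/r?u=aHR0cDovL2V4YW1wbGU">
https://incometax.example/refund</a> to claim your refund.</p>
"""

def _domain(value) -> str:
    return email.utils.parseaddr(str(value))[1].rpartition("@")[2].lower()

class _LinkCollector(HTMLParser):  # collects (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw: str) -> list:
    """Findings for sender-domain and link-target mismatches in a raw e-mail."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    claimed, findings = _domain(msg["From"]), []
    # A mail client's "via <other domain>" note means these headers disagree with From.
    for hdr in ("Sender", "Return-Path"):
        if msg[hdr] and _domain(msg[hdr]) != claimed:
            findings.append(f"{hdr} domain {_domain(msg[hdr])} differs from From domain {claimed}")
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).netloc.lower()
        shown = urlparse(text if "://" in text else "//" + text).netloc.lower() if "://" in text or text.startswith("www.") else ""
        if shown and host != shown:
            findings.append(f"link text shows {shown} but href goes to {host}")
        elif not shown and host and not host.endswith(claimed):
            findings.append(f"link to {host} is outside the From domain {claimed}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` reports both the sender mismatch and the disguised link; a message whose headers align and whose links stay on the From domain returns an empty list.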
The website allowed me to choose among multiple banks (SBI, AXIS, HDFC, ICICI, CANARA, etc.) with which I should log in to claim my tax refund. Depending on the choice, the user is routed to a replica of the landing page and login page of the specific bank.
After choosing the bank (I chose SBI), I was routed to an exact replica of SBI's page (with encoded hyperlinks) asking for my login credentials. Knowing that this was a phishing website, I provided dummy information. I was then logged into an SBI-like page that asked for personal information including phone number, Aadhaar number, debit card number, PIN, CVV number and related details. I managed to take a few screenshots of the page.
After I submitted the dummy data, I got a very nice fraudulent confirmation page.
Along with this, an email confirmation explaining how my details would be verified over a phone call was sent to my email ID.
Now, obviously, this is a fraudulent phishing attempt, and I am certain the team behind it would have met with some success, given the polished workflow and design and the level of maturity in their planning. However, users of online services need to be aware of such practices and be careful before submitting sensitive information to such cyber criminals.
With the advent of the era of digital payments, information risk becomes a critical area to explore. In current times, emerging economies are providing digital services to their citizens through public or private organizations. Research indicates that digital services are facing major challenges with respect to their adoption among relevant user groups, largely due to the perceived risks surrounding digital services, including online banking or tax payment. The results of our study indicate that dimensions like privacy risk, performance risk and financial risk are the most important risks across digital service models, whereas physical risk, social risk, psychological risk and time risk are comparatively less important. This research also finds that end users are reluctant to provide their personal information. The research outcome can help managers decide which dimensions of risk are more important for digital service delivery. This study focuses on the different facets of risk perceived by consumers towards digital services. The perceived risk dimensions (privacy, performance, financial, physical, social, psychological and time risk) show that there is a need to prioritize these risks for the digital services offered to users.
You may want to read the full article, authored by my scholar.