It is no doubt that the Age of Digitalization has made access to businesses and organizations easier, it has made it possible for us to conduct transactions worth lakhs from the comfort of your home. But how does a person, who pays his hard earned money, confirm that the bank account given to him/her for making money transaction is legitimate, that it was given to him/her by legitimate source?
We all are aware about the 'surprise lottery schemes' that pops up in our SMSs and the junk folder of our email accounts, but this problem is closure to home than we realize.
The method of conducting cyber fraud that we are addressing in this article is impersonation and its effects on the organizations, which are being impersonated along with how a fraudster hides behind the web of phone numbers, email addresses and bank accounts to evade the authorities. We also try to highlight some basic due diligence which the members of the general public can refer to make sure that they don't fall prey to such unsocial activities.
What is a Business Email Compromise?
Business Email Compromise (BEC) is an exploit, in which an attacker obtains access to a business email account and imitates the owner's identity, in order to defraud the company and its employees, customers or partners or the attacker may create an account with an email address almost identical to one on the corporate network, relying on the assumed trust between the victim and their email account. BEC is sometimes described as a "man-in-the-email attack".
One of the examples in which a BEC situation may arise is when the impersonator who is using a domain name, which is deceptively similar to your domain name to register its email IDs to trick the members of the general public into believing that it has affiliation or any association with your business to dupe the general public in the garb of giving a job opportunity or fake franchise.
Another very classic example, wherein, the impersonator would create an email id on a deceptively similar domain name; hack all your data; send email to your clients asking them to make payment of your outstanding invoices in a new digital payment portal like PayPal, owned by the imposter.
In the recent times, a rise has been witnessed in occurrence of such frauds particularly in cities which are IT Hubs in India, like Hyderabad, Bangalore, Gurgaon also in cities with are demographically suitable for young job seekers.
According to the FBI's Internet Crime Complaint Center (IC3), "the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified exposed losses, now totaling over $3 billion."2
PM Cares Fund Fraud amid COVID-19: Deceptively similar UPI IDs
In the wake of Coronavirus outbreak in India, Hon'ble Prime Minister of India initiated a fund raiser scheme PM-CARES to help the country to fight the Coronavirus pandemic. The payment could be made by UPI transaction directly in the bank account of the scheme. However, within a day or two, a spurt in number of fake UPI IDs has been revealed. These fake UPI IDs are also being circulated on social media to seek funds under the PM-CARES scheme. Cyber criminals are trying to scam good Samaritans of the society by promoting dubious UPI accounts. According to Delhi Police, one such fake UPI ID was "pmcare@sbi" which was deceptively similar to the correct UPI ID "pmcares@sbi". The State Bank of India has acted promptly and blocked the fake UPI ID. The National Cyber Security Coordinator (NCSC) in Prime Minister's Office has issued a cautioning statement to cyber criminals not to take advantage of the present coronavirus crisis and commit financial frauds against unsuspecting citizens and enterprises3.
The modus operandi used by the imposters/fraudsters in such cases usually comprises of the following steps:
- Spotting the Target:
Generally, such information is gathered from job portals/ where there is an abundance of young job seekers, fresh college passed out.
- The Bait:
This is done by various means, one of the ways is registering a deceptively or confusingly similar domain name and sending mails to potential target. The offers are too good to refuse, in an attempt to bait the victim. This is a hit and run process as many of the potential victims are far sighted and don't pay heed to such spam messages.
- Trapping the Target:
If the victim replies, then comes the turn for telephonic conversation, where a trained member of the impersonators, posing as a Recruiter or a Human Resource Executive will make sure that the victim falls into the trap. The perpetrators use persuasion and pressure methods to groom and manipulate human nature. This is also known as grooming the victim. They use their impressionable skills and buy the confidence of the victim.
- The Minuscule Amount:
The impersonators then ask for a nominal fee from the victim posed as an Application Fee, which is in the bracket of INR 10,000-15,000. The victim is usually not bothered by this amount as they trap such victims who are desperate for the job and inveigle them with high salary packages.
- Milking the Cash Cow:
After receiving the application fee, it is just about how far they can take the victim. In pretense of further stages towards a successful job opportunity, they keep asking money from the victim and state that if the victim does not pay the amount in the prescribed time then the money initially given as application fee will be forfeited.The victim in an attempt to save his initial investment, has no other option but to pay the imposters.
- Cut the Golden Goose:
When the imposters have extracted the desired amount, then they are ready to vanish. Consequently, they cut all contacts from the victim and change their sim cards, switch their domain names and even close their bank accounts. This makes them untraceable by the members of the general public.
The perpetrators use a number of techniques to screen their true identity.
For instance, the bank account details as shared to the victims are shown as in the name of company/business as portrayed to the victims, but in fact, the bank accounts are in the names of impersonators or their allies. Once the amount is transferred, they are siphoned in various other bank accounts of the members of the organized group or withdrawn from the ATM.
Also, they are usually not from the same city/State as that of the victim. This multi-jurisdictional nature of the fraud is a fail-safe measure to make sure that it becomes increasingly difficult to report and/or investigate these crimes.
Also, the amounts being extorted are small, which helps the perpetrators evade the jurisdiction of Economic Offence Wing's scanner. Because of the multi-jurisdictional nature, the complaints by the victims are filed in individual police stations/cyber cells and are seen as cases of individual, small-scale frauds.
The perpetrators also change their mobile numbers frequently - often right after the initial payment is made.
Here is an example as given on the website of Haryana Police4:
- An Email received by the victim which posed to be from a homegrown automobile giant that his resume has been shortlisted from a Job Site Monster.com for engineer at their Manufacturing Unit offering him a salary of Rs. 2.0 lacs /month
- He has to deposit Rs. 8,200 in a State Bank of India Account Number and come for the interview with the pay slip and also that it was said in the email that this amount is refundable.
- The Emails traced were from all foreign countries, and the bank accounts were also fake to which the money was deposited, and the amount was immediately withdrawal from ATMs.
- The Criminal was also doing SMS and Phone Calls to the victim.
- The Criminal were traced with the help of Mobile Calls and were arrested.
How does it affect the Business, it is impersonating and how can they protect themselves?
A Business entity, which is being impersonated has to protect its name, reputation and goodwill in the marketas the imposters, most of the time, to make themselves look legitimate, use the name, logos, office address, similar websites and email ids of the organization they are impersonating.
In such a case, an organization has both, criminal and civil remedies at itsdisposal.
In Criminal remedy, a complaint can be filed with a Police Station, wherein the crime is said to be committed, under provisions of Indian Penal Code including fraud, impersonation, forgery etc. Police is required to record the statements of victims and register FIR. If Police fails to register FIR, a complaint can be filed with the concerned Magistrate under Section 156(3) Cr.PC for seeking proper investigation/registration of FIR in the complaint.
Then there is the civil remedy. In addition to the criminal complaint, the business, which is being impersonated can file a suit for permanent injunction infringement of its intellectual property rights against the unknown impersonators. The banks in which the imposters have their bank accounts, Domain Registrars, website developers can be impleaded as necessary parties to the suit.
Along with the suit, the Plaintiff can also file an application for an Interim Application for a Mareva injunction. In a Mareva injunction, the bank accounts as well as domain names which are used by the imposters are directed to be freeze by the Court. Banks and Domain Registrars are directed to disclose the identity of the imposters and file their identity related documents used at the time of registering to their services. This in turn will help in the criminal investigation mentioned above.
The Indian Judiciary has recognized such frauds and given judgements in the favor of businesses/companies. In the case of HCL Technologies Ltd. v Ajay Kumar & Ors.5, the High Court of Delhi ordered the Banks to place on record necessary documents including Aadhar Card details, PAN number etc., of the perpetrators on the basis of which the accounts were opened with the banks and to freeze the bank accounts. The Court directed Paytm, one of the Defendants to freeze the accounts too.
A similar order was passed by the High Court of Delhi in Colgate Palmolive Company v NIXI6 and Jasper Infotech Pvt. Ltd. v Aadi Sins & Ors.7
How to Spot a Fake Website/Scam
There are some easy steps you can take to check the authenticity of a website:
- HTTP = Bad, HTTPS = Good: The 'S' in https:// stands for 'secure'. It indicates that the website uses encryption to transfer data, protecting it from hackers.
- Check for easy markers such as spelling mistakes, typos and broken links. It is highly improbable for a legitimate business to have such mistakes on their website.
- Domain age: The imposters usually register a domain name just for a few days/months before changing the name of the domain and registering a new one. You can us search engines such as Whois.com to look up the information such as the date of registration of the Domain name.
- Look for reliable contact information: Try to do background check. There is no harm in double checking with the company itself through alternate contact modes such as emails, contact us/query options given on websites etc. .
- Be vigilant of suspicious or unexpected 'urgent' payment requests.
What if you have made the payment?
- Gather all documentation regarding the transaction and emails/invoices received.
- DO report the incident as soon as possible to your local police.
- DO immediately alert your bank to the fraudulent transaction. The bank should immediately try to re-call the funds.
- DO consider consulting a lawyer in the country where the money was deposited into the beneficiary bank account. This might be of help to address the bank in trying to recover the money and/or launch a civil complaint regarding the account holder.
The emergence of such frauds has exposed companies/organizations to the perils of phishing attacks and hacking. A Delhi- based research-oriented security group also suggests every second an Indian organization, be it big or small is victim of email phishing attacks8. The impact of such attacks can be substantial from businesses losing their goodwill and reputation to an apprehension of a complaint being filed against them by any of the victims. Hence, proper security measures and prompt action by businesses is recommended in the event of commission of such frauds.
At the same time, it is advisable that general public conducts proper due diligence before transferring any amount to a faceless voice behind the email sent to them. If it is too good to be true, then just walk away.
5 CS (COMM) 466/2017, Order dated 18.07.2017
6 CS(COMM) 193/2019, Order dated 12.04.2019
7 CS(COMM) 1214/2018, Order dated 01.11.2018
Originally published May 08, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.