The person claimed to be from the doctor’s office and asked him to download a mobile application (app) and fill in his personal details to complete the appointment process. Before Nitin realised that something was amiss, he had lost ₹47,000 from his savings bank account. He had been ‘phished’.
Such online attacks, called ‘phishing’, rely on human interaction and are on the rise. They are easy to execute and are getting increasingly sophisticated because of the use of artificial intelligence (AI). Also called ‘social engineering attacks’, these practices don’t require complex hacking and rely on psychological manipulation of human emotions.
Phishing is the most common form of cyberattack in India, accounting for more than 84% of the total cyber threats received every year, according to Acronis, a leader in cyber protection. The attacks grew 464% YoY in 2023, said Acronis.
“There is no one fix that will help us in this case. Educated people fall for it and constant education is the only way, but unfortunately it is not reaching everyone,” said R Subramaniakumar, chief executive of RBL Bank. “They (scamsters) are coming up with innovative methods again and again.”
IT teams in Indian organisations on average receive reports of 15 suspicious emails on any given workday. According to a report on cyber security trends in 2023 by Nasscom, social engineering attacks in India led to ₹19.1 crore in losses on average every year. Spending on cyber security in the BFSI (banking, financial services and insurance) sector in India grew 35% to $1,738 million in 2023 from $518 million in 2019, according to Nasscom. However, there are no regulatory guidelines on the minimum amount that must be spent on cyber security.
Most Indian banks spend 9-10% of their IT budget on cyber security. However, Dilip Asbe, chief executive and managing director of National Payments Corporation of India (NPCI), said spending needs to be increased, and a common threshold on minimum budget for cyber security needs to be implemented.
“What many countries have adopted is, they have a certain amount of budget to be spent, at least for the financial services. Something like 25% of your IT spend should be allocated to information security”, said Asbe. “I think in India that awareness and reality has not stuck, unless the incident happens.”
The goal of these attacks is to gain sensitive information like credit card numbers, one-time passwords and personal details. Most of the time, users are the weak link in the chain, because these attacks reach them through direct communication.
“Most phishing scams that happen to the general public are not because a security application fell short, but because there is a lack of cyber hygiene and awareness”, said a security officer of a top private bank. “I don’t think we will fall short on buying technologies that will protect; the issue will come in with people’s awareness.”
Most banks have invested fairly well, and the backend system is secure. But one never knows, said the CEO of RBL Bank. “You are secure till you are breached.”
The Reserve Bank of India (RBI) notified a master direction on ‘IT Governance, Risk, Controls and Assurance Practices’, which will take effect from April 1 this year. The central bank had to rethink its strategy after Indian banks reported 248 data breaches in 2022, a fifth of the world’s total.