Phishing attacks, a prevalent cyber threat in India, are on the rise, growing 464% YoY in 2023. These attacks, often using social engineering, target human interaction and rely on psychological manipulation. Despite increased cybersecurity spending, there’s a need for greater awareness and education. Most attacks aim to steal sensitive information like credit card numbers and passwords. The RBI has issued new guidelines to enhance IT governance and risk management in response to the rising number of data breaches in Indian banks.
By Rozebud Gonsalves, ET Bureau
Nitin’s attempts to schedule an appointment with a doctor he had found online had proved fruitless. He had almost given up on the phone numbers that had popped up in the online search when he received a call.
The person claimed to be from the doctor’s office and asked him to download a mobile application (app) and fill in his personal details to complete the appointment process. Before Nitin realized that something was amiss, he had lost ₹47,000 from his savings bank account. He had been ‘phished’.
Such online attacks – called ‘phishing’ – that rely on human interaction are on the rise. They are easy to execute and are getting increasingly sophisticated because of the use of artificial intelligence (AI). Also called ‘social engineering attacks’, these practices don’t require complex hacking and rely on the psychological manipulation of human emotions.
Phishing is the most common form of cyberattack in India, accounting for more than 84% of the total cyber threats received every year, according to Acronis, a leader in cyber protection. The attacks grew 464% YoY in 2023, said Acronis.
“There is no one fix that will help us in this case. Educated people fall for it, and constant education is the only way, but unfortunately, it is not reaching everyone,” said R Subramaniakumar, chief executive of RBL Bank. “They (scamsters) are coming up with innovative methods again and again.”
IT teams in Indian organizations on average receive reports of 15 suspicious emails on any given workday.
According to a report on cybersecurity trends in 2023 by Nasscom, social engineering attacks in India led to ₹19.1 crore in losses on average every year.
Spending on cybersecurity in the BFSI (banking, financial services, and insurance) sector in India grew 35% to $1,738 million in 2023 from $518 million in 2019, according to Nasscom. However, there are no regulatory guidelines on the minimum amount that must be spent on cybersecurity.
Most Indian banks spend 9-10% of their IT budget on cybersecurity. However, Dilip Asbe, chief executive and managing director of National Payments Corporation of India (NPCI), said spending needs to be increased, and a common threshold on the minimum budget for cybersecurity needs to be implemented.
“What many countries have adopted is, they have a certain amount of budget to be spent, at least for the financial services. Something like 25% of your IT spend should be allocated to information security,” said Asbe. “I think in India that awareness and reality have not stuck, unless the incident happens.”
The goal of these attacks is to gain sensitive information like credit card numbers, one-time passwords, and personal details. Most of the time, users are the weak link in the chain, because these attacks reach them through direct communication.
“Most phishing scams that happen to the general public are not because a security application fell short, but because there is a lack of cyber hygiene and awareness,” said a security officer of a top private bank. “I don’t think we will fall short on buying technologies that will protect; the issue will come in with people’s awareness.”
Most banks have invested fairly well, and the backend system is secure. But one never knows, said the CEO of RBL Bank. “You are secure till you are breached.”
The Reserve Bank of India (RBI) notified a master direction on ‘IT Governance, Risk, Controls, and Assurance Practices’, which will take effect from April 1 this year. The central bank had to rethink its strategy after Indian banks reported 248 data breaches in 2022, a fifth of the world’s total.