Delhi Police on November 15, 2022 arrested 20 people in connection with an online cyber security scam about Ola electric scooty. The accused were held on the basis of a complaint and subsequent FIR about a scam being run from Patna, Bengaluru, Gurugram, and others.
The scammers had created a fake Ola Electric Scooty booking website and put in place a booking amount button for a token amount of Rs 499. People wanting to book the scooty would pay Rs 499 through this button and then give their contact and other details.
After this, the scammers would call the person while impersonating as Ola employees. Here on, the main part of the scam would unfold, i.e., collection of payments under different heads, such as delivery charges, down payment, insurance, and others.
Delhi Police said that the gang was operating a call centre, too, and they have recovered 114 SIM cards, more than 60 mobiles, and seven laptops from the accused. Besides these, Delhi Police also found 25 bank accounts in their name with over Rs 5 crore balance, according to media sources.
Incidentally, this is not the first time that a cybersecurity incident like this has happened in India.
Pinakin Dave, country manager, India and SAARC, OneSpan Inc, a Chicago based cyber security company, said that the fraud website asked users for their personal information and then requested them to deposit a certain amount. The fraudsters even created a call centre to entertain the users’ queries. Now this may seem like a very sophisticated scam, but there are still ways how users can detect it and avoid falling prey to it
"There are multiple ways to detect the authenticity of the website. For instance, a secured and authentic website will always have ‘https’ in their address, while a fake one will only have ‘http’. If a website does not show as being secured, it’s a big red flag," added Dave.
According to a report by Nordpass, a password management solution from German cybersecurity company, Nord Security, ‘password’, ‘123456’, ‘12345678’, ‘bigbasket’ were the top 4 passwords used by Indians from 2019 till 2021. Most of these passwords were cracked by criminals in less than 1 seconds, with the exception being ‘bigbasket’, which took about five minutes to crack.
According to a report by Microsoft, 31 per cent Indians lost money in various cyberattacks. About 22 per cent of people who were victims of a cyber scam had lost money in the range of Rs 7,500-37,500.
Satnam Narang, senior staff research engineer, Tenable, a US-based cyber security company, says that one thing which consumers need to be mindful while booking a reservation or purchasing a product is to conduct the transaction through the website itself. Most companies will never try to reach consumers directly via SMS or WhatsApp. Customer service representatives are only accessible when users seek out customer service, not the other way around.
"If you’re asked to make a payment through an alternative payment service that’s different from the vendor’s website, you should not proceed and block the user requesting payment, Narang further added.
Karmesh Gupta, co-founder & CEO - WiJungle, a Haryana based cyber security company, said that It is difficult to remember strong passwords if created differently for all the websites. Creating a random password that contains special characters, numbers, alphabets and lengthy password is advised through Google. Tools like Google manager and many others that help to remember the passwords are way more secure allowing comfort and ease for one to save all their passwords.
"Although these password management tools can also be breached but its a rare event. So rather than keeping the password simple and in the open, I would suggest people use a password manager and use a 16 to 20 digit random password for all their apps and website accounts," added Gupta.
The cyber incident which happened in Ola’s case is called phishing. Here, the cybercriminals created a replica of Ola’s original website and duped people.
While dealing with websites and smartphone apps, it’s necessary to check the required security certifications and domain names of the website. This is because no two websites can have the same domain name.
For instance https://olaectric.com is the official website of Ola electric. It is a .com website, not .in, .org, or anything else. So if you come across a different domain extension of the same brand, try to confirm if the service provider has changed domains, or else do not transact on it.
Dave advised people to thoroughly check the website address. A missing letter or wrong grammar are signs of a fake website.
In this case, users also had the option of accessing this offer on the Ola app, and when they did not find the offer to their liking, they tried to find offline buying options for the electric scooty and got defrauded. Ola electric scooty intially was only available for booking online.
Dave said that users need to know that if the offer is not on the official app, there is a very slim chance they will find it offline. In case of fake apps, always check the owner of the app on the App store or Play Store. If the owner is trustworthy, chances are the app is safe. If there is no owner information, or the information is dubious, "do not download the app".
Follow all the social media handles of the respective company. Sometimes, hackers might be able to hack one or two handles of a company’s Twitter or other social media account, but hacking all of them is a difficult task since each social media platform has their own separate security protocols.
So, one should follow all the handles and scout for updates regarding products and services of the company and how to buy them online and what website to use. It is best not to click on links forwarded to you by your friend or in any group.
Download apps only from verified stores like Android Google Play, or iOS- App Store. Also, while downloading, check the developer’s terms and authenticity. One can also check the permission requirements for an app before downloading it.
“Google Play Protect removes apps that have been flagged as potentially harmful, because the app does contain malicious behaviour not because we are simply unsure if the app is harmful or not,” says Google in a security note.
Do not root (Android ) or jailbreak (iOS) devices. Google has warned users that there are some apps that can “weaken or disable Android security features that aren't categorised as potentially harmful apps.”
“These apps provide functionality that users want, such as rooting the device and other development features. Even though these apps are potentially harmful, users instal them intentionally,” said Google.
So what Google does is manage these instances in a different way. What happens is when a user begins to instal an app that Google classified as ‘user-wanted’, Google Play Protect will first give a warning about the app’s potential hazards. If the user still chooses to instal the app anyway, Google will not send further warnings.
“After installation, the user-wanted classifications prevents Google Play Protect from sending additional warnings, so there’s no disruption to the user experience,” Google said in its security note
