This article sheds light on three types of online fraud prevalent in India: Internationalized Domain Name (IDN) Homograph Attack (Punycode) Fraud, Classified Marketplace Fraud, and Social Engineering Fraud.
Internationalized Domain Name (IDN) Homograph Attack (Punycode) Fraud:
The Internationalized Domain Name Homograph Attack, also known as Punycode Fraud, is a cybercrime technique that abuses the domain name system (DNS) to deceive users. It involves registering domain names made up of similar-looking characters from different language scripts, primarily exploiting the visual similarity between certain Latin and non-Latin characters. Characters (letters and numbers) that look alike are called homographs, hence the name of the attack. Fraudsters register domain names that closely resemble a legitimate domain. A common way of doing this is replacing Latin letters such as “e” and “a” with the Cyrillic letters “е” (U+0435) and “а” (U+0430), which are visually indistinguishable in most fonts; the browser resolves such a name in its Punycode form (beginning with “xn--”), which is why the fraud is also named after that encoding. Unsuspecting users, mistaking these sites for legitimate ones, inadvertently provide their personal information, including login credentials and financial details.
Don’ts: Do not download attachments received in unsolicited emails or from unknown senders.
Dos: Type out the URL instead of clicking on a link. When visiting the desired site, check the URL carefully and look out for minor differences in the characters. Fake websites may contain spelling errors, not only in the text of the website but also in the URL. Make sure that the connection to the website is secure; the simplest check is the padlock symbol. Click on the lock icon in the browser to see whether the website’s certificate is valid and which domain it was issued for. The padlock only confirms that the connection to the domain shown is encrypted, so the domain name itself must still match the one you intended to visit.
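As an added illustration of the URL check described above (this is example code written for this article, not a tool from any vendor named here), the following Python script flags a hostname whose labels mix Latin and Cyrillic letters, shows the Punycode form the browser actually resolves, and compares the name against a legitimate domain using a small, deliberately partial lookalike table. The sample hostnames and the table are constructed for the example.

```python
import unicodedata

# Constructed sample: "example.com" beside a lookalike in which the Latin
# "e" and "a" are replaced by Cyrillic "е" (U+0435) and "а" (U+0430).
LEGIT_HOST = "example.com"
LOOKALIKE_HOST = "\u0435x\u0430mpl\u0435.com"

# Partial lookalike table (Cyrillic -> Latin) built for this example; the
# full Unicode confusables list is far longer, so treat this as a starting point.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def scripts_used(label):
    """Return the set of Unicode scripts (taken from the character name prefix,
    e.g. LATIN or CYRILLIC) that appear in one DNS label."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are script-neutral in a label
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ")[0])
    return scripts


def to_punycode(host):
    """Encode an IDN host into the ASCII (xn--) form the resolver sees."""
    return host.encode("idna").decode("ascii")


def homograph_check(host):
    """Flag a host whose labels mix scripts or contain non-ASCII characters.
    Returns the ASCII form plus human-readable reasons; no reasons means clean."""
    reasons = []
    for label in host.lower().split("."):
        used = scripts_used(label)
        if len(used) > 1:
            reasons.append("label '%s' mixes scripts %s" % (label, sorted(used)))
        if not label.isascii():
            reasons.append("label '%s' is non-ASCII and resolves as '%s'"
                           % (label, to_punycode(label)))
    return {"ascii_form": to_punycode(host), "suspicious": bool(reasons),
            "reasons": reasons}


def skeleton(host):
    """Collapse known lookalike characters onto their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def impersonates(host, legit):
    """True when host differs from legit but looks identical after collapsing."""
    return host != legit and skeleton(host) == skeleton(legit)
```

Running `homograph_check(LOOKALIKE_HOST)` reports both the mixed-script label and its xn-- form, while `impersonates(LOOKALIKE_HOST, LEGIT_HOST)` returns True; the same calls on `LEGIT_HOST` report nothing.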
Classified Marketplace Fraud: Classified marketplaces have revolutionised the way we buy and sell goods and services online. Classified marketplace fraud involves criminals posing as genuine sellers, enticing buyers with attractive offers, only to defraud them of their money or personal information. Common tactics employed by fraudsters include listing counterfeit or non-existent products, creating fake profiles and testimonials, and engaging in phishing activities to steal sensitive data.
Step 1: Scammers create a fake account on popular classified websites (such as OLX). They also create social media profiles using the same fake details to appear trustworthy.
Step 2: They look out for people posting their requirements for products or services and reach out to these customers via email or SMS, so as to avoid meeting in person.
Step 3: Fraudsters then coax customers to pay in advance through non-secure, alternative payment options such as prepaid cards, UPI payments, net banking, cryptocurrencies, money-transfer services, etc. They then simply disappear, deleting all traces of themselves on the classified site.
Don’ts: Do not pay for any goods or services before you have actually received them.
Dos: Conduct background checks: verify a seller’s profile by contacting the customer care department of the classified company to confirm the seller’s authenticity. Use secure payment gateways, and make payment ONLY after delivery of the goods.
Social Engineering Fraud: Social engineering fraud typically involves impersonating trusted entities, such as banks (KYC update, loan), government agencies (LIC/PF) or customer support, to trick victims into revealing confidential information or performing fraudulent transactions.
Fake customer service calls are a common tactic employed by social engineering fraudsters. Fraudsters plant fake contact numbers resembling a bank’s toll-free number on online platforms and caller identification apps in order to dupe people. Suppose a bank is called SmartBank and its toll-free number is 1800 123 1234. A fraudster obtains a number, 800 123 1234, similar to the toll-free number of SmartBank and successfully registers it on the Truecaller app (or any caller identification application) as the toll-free number of SmartBank. An unsuspecting customer looking to contact SmartBank then calls the fraudster’s number registered on the caller identification app (800 123 1234) instead of the genuine toll-free number of the bank (1800 123 1234).
The fraudster attending this call then lures the victim into providing sensitive details such as debit/credit card credentials, username, OTP, etc. to access the victim’s account and carry out fraudulent transactions.
Truecaller and similar apps are not reliable sources for official entity numbers, since they rely on crowdsourcing for their data records. For example, when a person installs the application, the contact information stored in that person’s phonebook is uploaded to the Truecaller database; Truecaller builds its huge database from its users and from the contacts stored in their phonebooks. So if X number of users save the same number with “XYZ” as the name, that number is tagged as XYZ. That is how a fake number can come to be recognised as SmartBank’s number.
Don’ts: Avoid using caller identification apps when you want to call any entity such as a Bank, or be careful when you receive a call that appears to come from the Bank.
Dos: Always visit the official website for any entity’s number.
Look for https or the lock icon in the address bar of your web browser. The lock indicates that the site is using encryption to protect your data in transit; it does not by itself prove that the site belongs to the entity you intend to reach, so check the domain name as well.
(Salil Datar has over three decades (including CXO level) in banking, neobanking and cross border financial services)