Cyber Scams: Staying Safe as Importers/Exporters

On January 4, the Directorate General of Foreign Trade (DGFT) – India’s import-export regulator – issued an advisory warning importers and exporters of rising instances of cyber fraud in payments and advising them to implement certain “security protocols” for their email communication. This is not the first time a government authority has issued a cybercrime warning to India’s import-export community, the majority of which is made up of micro, small and medium enterprises (MSMEs).

As more and more importers/exporters transact online, they must realise that this transition comes with conveniences and risks. It is important that they learn to detect, resist and respond to cyber threats. In today’s blog, you will learn:

• What is a cybercrime?
• Who are cyber criminals?
• What are the cybercrimes targeting importers, exporters and MSMEs?
• What can they do to protect themselves?
• What should they do when under attack?
• Case studies                       

What is a cybercrime?

The Home Ministry defines a cybercrime as “any unlawful act where [a] computer or communication device or computer network is used to commit or facilitate the commission of [a] crime”. A cybercrime can be launched for various reasons – to steal money or intellectual property, access sensitive data, disrupt the operations of a company/individual, defame a company/individual. Cybercrimes come in many forms, the most common examples being:

• Cyber fraud, such as phishing scams
• Malware attacks such as viruses, worms and trojans
• Ransomware attacks

Cybercrimes harm businesses by:

• Stopping trade and transactions temporarily
• Causing financial losses
• Forcing existing customers out and turning new ones away
• Damaging a company’s reputation, sometimes permanently

Cyber criminals: Who are they?

Anonymous and hard to trace, cyber criminals or hackers, as they are generally called, fall in the following categories, according to this academic paper by Norwich University:

1. Identity thieves: They gain access to their victim’s personal information and use it to impersonate the victim and make financial transactions.      
2. Internet stalkers: They monitor their victims’ online activity on social media or through a  malware attack. Usually, their objective is to access personal information and use this to defame the victim or blackmail them into paying a bribe.      
3. Phishing scammers: They mimic business and government websites and trick their victims into revealing sensitive information, which they use to commit identity theft or sell on the dark web.       
4. Cyber terrorists: They are criminals who target governments and businesses purely to cause them harm. Their main motive is not financial.            

Hackers can be individuals or organised groups. Often, they are insiders – employees, business partners, contractors and vendors who are either negligent or act maliciously. In 2018, a McKinsey study found an insider threat in 50% of cyber security breaches reported between 2012 and 2017.                

MSMEs: A soft target

Unlike large companies, small businesses have basic cyber security measures in place, if at all. This makes them a soft target.

• 43% of cyber attacks worldwide are aimed at small businesses, says a 2019 Accenture study.
• Two-thirds of small businesses (10-49 employees) in the UK suffered cyber attacks in 2018, says another survey. The attacks cost each targeted business £65,000.
• A 280% increase in cyber attacks targeting small businesses was recorded in the 10 months of 2020 when Covid-19 forced companies to transact online and work from home, says cyber security firm Cyfima.
• Indian MSMEs are especially vulnerable, according to a 2016 survey in the Asia-Pacific region by cyber security firm ESET.    

Cyber scams targeting importers, exporters and MSMEs

The top online crimes against MSMEs, especially those in the import-export business, are:

1. Phishing: The attacker poses as a legitimate entity, contacts the victim via email, telephone, text or social media and lures them into revealing sensitive information (log-in and banking details, etc). With this information, they access important accounts and steal money. A phishing scam can have multiple targets or just one, in which case it is called spear-phishing. It’s probably phishing if the communication you receive comes with a) a limited-period offer that’s too good to be true, b) a mysterious hyperlink or attachment, c) spelling and grammatical errors.                 
2. Ransomware: The attacker demands payment to release their victim’s computer system from a virus installed by them. The mode of attack is usually a phishing email. In 2020, Australian logistics firm Toll Group was hit by two ransomware attacks in three months. Payouts can cost hundreds of thousands of dollars, sometimes even a million dollars. Even if you don’t pay, the cost of recovering from an attack is enormous. It’s probably a ransomware attack if a) you can’t access your desktop or files, b) your file name has a strange extension attached to it, c) software tools you didn’t install appear on your system, d) there is increased CPU and disk activity.             
3. Malware: Apart from ransomware, criminals use other types of malware – short for malicious software – to hold small businesses hostage:

• Trojans – They imitate safe software but contain malicious instructions, which must be executed by the victim to take effect. A common trojan is the anti-virus pop-up that claims your computer is infected and instructs you to run a programme to clean it up.
• Worms – They spread copies of themselves from device to device, without the victim taking any action.
• Viruses – The only malware capable of duplicating itself and spreading to multiple files, making them dangerous and hard to clean.
• Spyware – As the name suggests, this malware spies on you to gain sensitive data.
• Botnet – Short for “robot network”, a botnet is a network of devices infected by malware and controlled by the attacker, who is called a bot-herder.

4. DDoS attack: A distributed denial-of-service (DDoS) attack shuts down a web server or system by flooding it with fake traffic. If the crash is severe and the downtime long, it can cause considerable loss of business. 

How to protect yourself

The DGFT advisory recommends these email safety protocols for importers/exporters:

• Sender Policy Framework (SPF), which verifies that a message coming from a particular domain was actually sent from that domain
• Domain Keys Identified Mail (DKIM), which adds a digital signature to each message, verifying that it wasn’t forged  
• Domain-based Message Authentication, Reporting and Conformance (DMARC), which enforces SPF and DKIM authentication  

The Delhi Police Cyber Cell also has some useful tips for MSMEs engaged in the import-export trade: 

Then, there are a few other easy steps you can take yourself to protect your business:

• Use security software (anti-virus, anti-spyware) and set it to update automatically
• Update your operating system, browsers, plug-ins regularly
• Use strong, unique passwords. Have different passwords for different websites
• Back up your data, but don’t leave the back-up external hard drive connected to your computer
• Don’t click on unverified emails, hyperlinks and attachments. Hover over a suspicious hyperlink to see the actual address, which might be different
• Try not to use public WiFi, or use it only with a secure VPN
• Download software only after reviewing it. Remove software you no longer use
• Encrypt sensitive information (customer data, etc). Encryption works by converting data into secret code that cannot be read by unauthorised persons
• Detect and block high-risk sites to prevent your employees from viewing them
• Watch out for tell-tale signs. A phishing email, for example, looks like it’s from a sender you know (say, a bank), has a generic greeting (Hi!) that a genuine business partner probably wouldn’t use, urges you to click on a link, etc  
• Uninstall/disable Java and Flash Player when not in use. Both programmes have recently been associated with ransomware attacks  

It is vital to take your employees on board while implementing cyber security measures:

• Train your employees to read the warning signs, to not click on unverified links and email, to know when a breach has occurred and to report it
• Set specific guidelines for the company’s online activity, including social media
• Hold regular training sessions and briefings to ensure your workers are aware of the cyber security measures in place
• Ensure strict controls on access to information. Access should be given only to employees who need it         
• Have a work-from-home policy in place. Ask employees to encrypt their home WiFi, reset their router’s default password, back up their data. Discourage them from using personal devices for work and from downloading their own apps on work devices. Ask them to keep their devices in a safe location. Train them to turn off their bluetooth when not in use.         

What to do when under cyber attack

• Disconnect your device/devices from the Internet and all linked networks
• Use your security software to perform a complete scan
• Restore files from back-up
• Reinstall your operating system
• Reset your passwords and personal details
• Alert your bank if you suspect a threat to your financial data
• Close your accounts to prevent fraud/theft
• Investigate the breach to find out how it happened, who was responsible and who was affected, what weakness in your system was exploited, etc
• In case of a ransomware attack, don’t pay the ransom.

Know your cybercrime authority‍

In India, most state police forces have a cyber cell that deals with online crimes. You can lodge a complaint with them directly or submit one online on the Home Ministry’s National Cyber Crime Reporting Portal, which will then be dealt with by the police or appropriate law enforcement agency (such as the National Cybercrime Forensic Laboratory and National Cybercrime Threat Analytics Unit). Read the steps to filing an online complaint here. The laws covering cybercrimes in India are the Information Technology Act, 2000, the IT Amendment Act, 2008, and relevant sections of the Indian Penal Code.       

Case studies 2020‍

The DGFT and Delhi Police advisories are an indication of the growing number, frequency and threat of cyber attacks on small businesses:

• Rebate licence theft: In July 2020, the Delhi Police Cyber Cell busted a gang that targeted garment exporters by stealing their duty rebate licences (a government incentive) worth Rs 3.4 crore. The rebate can only be claimed on the DGFT website with the help of a digital signature certificate (DSC) key. The attackers reportedly accessed information about the companies and fraudulently obtained the DSC keys and licences by exploiting weaknesses in the DGFT’s document verification process.
• Malspam targets manufacturers, exporters: The same month, IT firm Quick Heal’s enterprise security brand Seqrite warned of a malicious spam campaign against India’s manufacturing and export sector. The attack reportedly began with a phishing email containing infected MS Office PowerPoint files.        
• Duty scrip theft: The Madhya Pradesh Police Cyber Cell arrested six persons in October 2020 for transfering the duty credit scrips (DCS) – an export promotion benefit – of a pharma firm and an automobile company to fake beneficiaries by fraudulently using their digital signatures.
• Pharma majors attacked: In 2020, Hyderabad-headquartered Dr Reddy's Laboratories and Mumbai-based Lupin came under cyber attack. At the time, Dr Reddy’s was conducting clinical trials for a Covid-19 vaccine while Lupin had just launched a Covid-19 drug. Both companies are multinationals and not small businesses. But the attacks reinforce the fact that pharmateutical companies are a top target of hackers.                         

Given the growing menace of cyber attacks, cyber security now accounts for 30%-40% of the IT budgets of Indian companies. India’s cyber security industry is expected to be worth $35 billion by 2025. This shows that businesses, big and small, are waking up to the threat of cyber attacks, as they rightfully should.