Export/Import Updates!
August 2, 2021

Cyber Scams Target Importers, Exporters: What To Do To Stay Safe Online

On January 4, the Directorate General of Foreign Trade (DGFT) – India’s import-export regulator – issued an advisory warning importers and exporters of rising instances of cyber fraud in payments and advising them to implement certain “security protocols” for their email communication. This is not the first time a government authority has issued a cybercrime warning to India’s import-export community, the majority of which is made up of micro, small and medium enterprises (MSMEs).

As more and more importers/exporters transact online, they must realise that this transition comes with conveniences and risks. It is important that they learn to detect, resist and respond to cyber threats. In today’s blog, you will learn:

  • What is a cybercrime?
  • Who are cyber criminals?
  • What are the cybercrimes targeting importers, exporters and MSMEs?
  • What can they do to protect themselves?
  • What should they do when under attack?
  • Case studies                       


What is a cybercrime?

The Home Ministry defines a cybercrime as “any unlawful act where [a] computer or communication device or computer network is used to commit or facilitate the commission of [a] crime”. A cybercrime can be launched for various reasons – to steal money or intellectual property, access sensitive data, disrupt the operations of a company/individual, defame a company/individual. Cybercrimes come in many forms, the most common examples being:

  • Cyber fraud, such as phishing scams
  • Malware attacks such as viruses, worms and trojans
  • Ransomware attacks

Cybercrimes harm businesses by:

  • Stopping trade and transactions temporarily
  • Causing financial losses
  • Forcing existing customers out and turning new ones away
  • Damaging a company’s reputation, sometimes permanently


Cyber criminals: Who are they?

Anonymous and hard to trace, cyber criminals or hackers, as they are generally called, fall in the following categories, according to this academic paper by Norwich University:

  1. Identity thieves: They gain access to their victim’s personal information and use it to impersonate the victim and make financial transactions.      
  2. Internet stalkers: They monitor their victims’ online activity on social media or through a  malware attack. Usually, their objective is to access personal information and use this to defame the victim or blackmail them into paying a bribe.      
  3. Phishing scammers: They mimic business and government websites and trick their victims into revealing sensitive information, which they use to commit identity theft or sell on the dark web.       
  4. Cyber terrorists: They are criminals who target governments and businesses purely to cause them harm. Their main motive is not financial.            

Hackers can be individuals or organised groups. Often, they are insiders – employees, business partners, contractors and vendors who are either negligent or act maliciously. In 2018, a McKinsey study found an insider threat in 50% of cyber security breaches reported between 2012 and 2017.                


MSMEs: A soft target

Unlike large companies, small businesses have basic cyber security measures in place, if at all. This makes them a soft target.

  • 43% of cyber attacks worldwide are aimed at small businesses, says a 2019 Accenture study.
  • Two-thirds of small businesses (10-49 employees) in the UK suffered cyber attacks in 2018, says another survey. The attacks cost each targeted business £65,000.
  • A 280% increase in cyber attacks targeting small businesses was recorded in the 10 months of 2020 when Covid-19 forced companies to transact online and work from home, says cyber security firm Cyfima.
  • Indian MSMEs are especially vulnerable, according to a 2016 survey in the Asia-Pacific region by cyber security firm ESET.    


Cyber scams targeting importers, exporters and MSMEs

The top online crimes against MSMEs, especially those in the import-export business, are:

  1. Phishing: The attacker poses as a legitimate entity, contacts the victim via email, telephone, text or social media and lures them into revealing sensitive information (log-in and banking details, etc). With this information, they access important accounts and steal money. A phishing scam can have multiple targets or just one, in which case it is called spear-phishing. It’s probably phishing if the communication you receive comes with a) a limited-period offer that’s too good to be true, b) a mysterious hyperlink or attachment, c) spelling and grammatical errors.                 
  2. Ransomware: The attacker demands payment to release their victim’s computer system from a virus installed by them. The mode of attack is usually a phishing email. In 2020, Australian logistics firm Toll Group was hit by two ransomware attacks in three months. Payouts can cost hundreds of thousands of dollars, sometimes even a million dollars. Even if you don’t pay, the cost of recovering from an attack is enormous. It’s probably a ransomware attack if a) you can’t access your desktop or files, b) your file name has a strange extension attached to it, c) software tools you didn’t install appear on your system, d) there is increased CPU and disk activity.             
  3. Malware: Apart from ransomware, criminals use other types of malware – short for malicious software – to hold small businesses hostage:
  • Trojans – They imitate safe software but contain malicious instructions, which must be executed by the victim to take effect. A common trojan is the anti-virus pop-up that claims your computer is infected and instructs you to run a programme to clean it up.
  • Worms – They spread copies of themselves from device to device, without the victim taking any action.
  • Viruses – The only malware capable of duplicating itself and spreading to multiple files, making them dangerous and hard to clean.
  • Spyware – As the name suggests, this malware spies on you to gain sensitive data.
  • Botnet – Short for “robot network”, a botnet is a network of devices infected by malware and controlled by the attacker, who is called a bot-herder.
  1. DDoS attack: A distributed denial-of-service (DDoS) attack shuts down a web server or system by flooding it with fake traffic. If the crash is severe and the downtime long, it can cause considerable loss of business. 


How to protect yourself

The DGFT advisory recommends these email safety protocols for importers/exporters:

The Delhi Police Cyber Cell also has some useful tips for MSMEs engaged in the import-export trade: 

How to Stay safe from Cyber scams in export import
To view the actual twitter thread click here

Then, there are a few other easy steps you can take yourself to protect your business:

  • Use security software (anti-virus, anti-spyware) and set it to update automatically
  • Update your operating system, browsers, plug-ins regularly
  • Use strong, unique passwords. Have different passwords for different websites
  • Back up your data, but don’t leave the back-up external hard drive connected to your computer
  • Don’t click on unverified emails, hyperlinks and attachments. Hover over a suspicious hyperlink to see the actual address, which might be different
  • Try not to use public WiFi, or use it only with a secure VPN
  • Download software only after reviewing it. Remove software you no longer use
  • Encrypt sensitive information (customer data, etc). Encryption works by converting data into secret code that cannot be read by unauthorised persons
  • Detect and block high-risk sites to prevent your employees from viewing them
  • Watch out for tell-tale signs. A phishing email, for example, looks like it’s from a sender you know (say, a bank), has a generic greeting (Hi!) that a genuine business partner probably wouldn’t use, urges you to click on a link, etc  
  • Uninstall/disable Java and Flash Player when not in use. Both programmes have recently been associated with ransomware attacks  

It is vital to take your employees on board while implementing cyber security measures:

  • Train your employees to read the warning signs, to not click on unverified links and email, to know when a breach has occurred and to report it
  • Set specific guidelines for the company’s online activity, including social media
  • Hold regular training sessions and briefings to ensure your workers are aware of the cyber security measures in place
  • Ensure strict controls on access to information. Access should be given only to employees who need it         
  • Have a work-from-home policy in place. Ask employees to encrypt their home WiFi, reset their router’s default password, back up their data. Discourage them from using personal devices for work and from downloading their own apps on work devices. Ask them to keep their devices in a safe location. Train them to turn off their bluetooth when not in use.         


What to do when under cyber attack

  • Disconnect your device/devices from the Internet and all linked networks
  • Use your security software to perform a complete scan
  • Restore files from back-up
  • Reinstall your operating system
  • Reset your passwords and personal details
  • Alert your bank if you suspect a threat to your financial data
  • Close your accounts to prevent fraud/theft
  • Investigate the breach to find out how it happened, who was responsible and who was affected, what weakness in your system was exploited, etc
  • In case of a ransomware attack, don’t pay the ransom  


Know your cybercrime authority

In India, most state police forces have a cyber cell that deals with online crimes. You can lodge a complaint with them directly or submit one online on the Home Ministry’s National Cyber Crime Reporting Portal, which will then be dealt with by the police or appropriate law enforcement agency (such as the National Cybercrime Forensic Laboratory and National Cybercrime Threat Analytics Unit). Read the steps to filing an online complaint here. The laws covering cybercrimes in India are the Information Technology Act, 2000, the IT Amendment Act, 2008, and relevant sections of the Indian Penal Code.       


Case studies 2020

The DGFT and Delhi Police advisories are an indication of the growing number, frequency and threat of cyber attacks on small businesses:

  • Rebate licence theft: In July 2020, the Delhi Police Cyber Cell busted a gang that targeted garment exporters by stealing their duty rebate licences (a government incentive) worth Rs 3.4 crore. The rebate can only be claimed on the DGFT website with the help of a digital signature certificate (DSC) key. The attackers reportedly accessed information about the companies and fraudulently obtained the DSC keys and licences by exploiting weaknesses in the DGFT’s document verification process.
  • Malspam targets manufacturers, exporters: The same month, IT firm Quick Heal’s enterprise security brand Seqrite warned of a malicious spam campaign against India’s manufacturing and export sector. The attack reportedly began with a phishing email containing infected MS Office PowerPoint files.        
  • Duty scrip theft: The Madhya Pradesh Police Cyber Cell arrested six persons in October 2020 for transfering the duty credit scrips (DCS) – an export promotion benefit – of a pharma firm and an automobile company to fake beneficiaries by fraudulently using their digital signatures.
  • Pharma majors attacked: In 2020, Hyderabad-headquartered Dr Reddy's Laboratories and Mumbai-based Lupin came under cyber attack. At the time, Dr Reddy’s was conducting clinical trials for a Covid-19 vaccine while Lupin had just launched a Covid-19 drug. Both companies are multinationals and not small businesses. But the attacks reinforce the fact that pharmateutical companies are a top target of hackers.                         

Given the growing menace of cyber attacks, cyber security now accounts for 30%-40% of the IT budgets of Indian companies. India’s cyber security industry is expected to be worth $35 billion by 2025. This shows that businesses, big and small, are waking up to the threat of cyber attacks, as they rightfully should. 


Editorial Team
Editorial Team
Customer success manager
Tea cup with steam illustration
JOIN US FOR CHAI

Signup & get articles in your inbox

Signup to Cogoport. Get trade new & updates, and get assistance with booking international shipments online!

More articles

Export of Goods Without Payment Of IGST: GST Refunds Part 1

Export of Goods Without Payment Of IGST: GST Refunds Part 1

Everything you need to know about the export of goods without payment of IGST, under bond/LUT, how to claim refund of input tax credit, and recent changes in the GST law

HS Code: All About Classification Of Goods In Export-Import

HS Code: All About Classification Of Goods In Export-Import

Know about the Harmonised System Code (HS Code), how to find the correct code for the product along with their importance, correct uses & the consequences of incorrect usage

4 Problems Exporters in India Face, and Their Solutions

4 Problems Exporters in India Face, and Their Solutions

From under-developed infrastructure and complicated procedures to limited access to finance, multiple factors are preventing Indian exporters from reaching their full potential and making them less competitive in the global market.

General Average: What Is It, And How Can You Stay Safe In A Disaster At Sea?

General Average: What Is It, And How Can You Stay Safe In A Disaster At Sea?

Know about General average & when is it declared. How does general average affects you as a cargo owner, importer & exporter? Conditions for cargo release & how to stay protected.

Best Practices for Efficient Communication with your Chinese Supplier

Best Practices for Efficient Communication with your Chinese Supplier

One of the obvious challenges of trading with China or Chinese suppliers is overcoming the language barrier. Read on for tips on making your communication with them more effective.

What is an eBRC & Why Do Exporters Need It

What is an eBRC & Why Do Exporters Need It

Know about eBRC, the process to check and print the certificate on DGFT. Also learn about the roles & responsibilities of the Bank, exporter & DGFT. And what to do in case of an error.

Export/Import Updates!

Heading

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Sara Smith
Customer success manager

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Heading

What’s a Rich Text element?

The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.

Static and dynamic content editing

A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!

How to customize formatting for each rich text

Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.

Resources

No items found.