By Kamal Subramaniam, Principal Consultant of VTRAC, Cybersecurity Consulting Services, Verizon Business
India is at the forefront of a digital revolution with its digital economy set to surpass the $1 trillion mark by 2028, as per a recent study by Ask Capital. This growth is driven by expanding 4G and 5G access, increased mobile connectivity, and innovations like the Unified Payments Interface (UPI). By mid-2024, India was home to over 650 million smartphone users and over 950 million internet subscribers. The volume of retail digital payments in India is set to double to $7 trillion by 2030, according to a Kearney and Amazon Pay study.
However, this transformational digital growth also exposes the country to a sharp spike in cyberattacks. According to a report by non-profit Prahar suggests that India may face up to 1 trillion cyberattacks annually by 2033. This number could swell to 17 trillion attacks a year by 2047.
At the same time, phishing attacks are becoming increasingly sophisticated, leveraging AI tools to craft highly tailored, hyper-personalised messages. The question to ask then is: Is India prepared for these advanced, data-driven cyber threats? What steps must be taken to brace ourselves against the imminent tide of cyberattacks?
What Makes Hyper-Personalised Attacks Difficult to Counter?
While awareness about phishing is growing, thanks to news reports and public service messages, hyper-personalised attacks remain challenging to detect, even for seasoned internet users. These attacks often mine personal data from social media and digital footprints to craft messages. They rely on emotional triggers, local dialects, or cultural cues to create a sense of familiarity. According to the 2024 Data Breach Investigations Report, the median time for users to fall for phishing emails is less than 60 seconds. The report also found that pretexting, where actors target users with ongoing email chains and context, continues to be the leading cause of cybersecurity incidents.
Several new and emerging phishing techniques create a false sense of urgency or scarcity, forcing individuals to act fast without adequate checks and balances.
For instance, scammers often use the technique of spear phishing, which relies on social engineering to target specific individuals within an organisation or a community. They use targeted emails with local holiday or festival themes to entice victims with contextually relevant details. Another technique is vishing, short for voice phishing, which uses voice-based messages such as mimicking local banks or government agencies to extract sensitive information like login credentials, credit card numbers, or bank details. Often, they exploit basic human emotions of greed, fear, or kindness.
Baiting is another type of social engineering that could present itself through something as seemingly harmless as a social media quiz to collect personal data or download malware.
Why India Is Particularly Vulnerable?
Over the last few years, Indians of all demographics have embraced social media, often making it an integral part of their day-to-day lives. They frequently use it as a platform to share personal information, life updates, and engage with their extended families and community. This inherent trust in personal and professional networks often makes them vulnerable to social engineering.
At the same time, there is lesser emphasis on upgrading infrastructure or security on devices. Several news articles point to individuals losing money after being subjected to ‘digital arrests.’ The Press Information Bureau (PIB) recently exposed the modus operandi of a digital arrest gang that uses fake cybercrime letters to arrest people digitally.
The Role of Organisations, Government, and Individuals
Even as India becomes increasingly digital, hyper-personalised attacks are India’s new cybersecurity reality. Addressing a challenge of this magnitude requires a concerted effort from organisations, individuals, and the government alike. Organisations must invest in robust authentication systems and detailed incident response plans. Employee training and awareness building are also extremely crucial. A robust regulatory framework, such as the Digital Personal Data Protection Act, 2023, enacted on 11 August 2023, provides critical legal safeguards. It regulates the processing of digital personal data within India, whether collected online or offline, and ensures accountability for entities handling such data. The act focuses on the rights of individuals, obligations of data fiduciaries, and protection from misuse or unauthorised processing of personal data
For individuals, educating themselves on the perils of reckless online data sharing, building awareness of social engineering cues, and embracing cyber hygiene practices is important.
Building awareness, vigilance, and adopting stringent cybersecurity measures can help us move forward effectively in safeguarding the population against cyberattacks.