The October 2020 eSewa Data Breach

On October 9, news broke out that eSewa had suffered a massive data breach. A leading national daily reported that the email IDs, passwords (hidden partially with asterisks), and balance amounts of at least 21 users were publicly shared by a hacker with the Twitter handle @aparich95406002. eSewa has denied any hacking or data breach but blamed phishing scams by third-party sites. In this article, I want to quickly discuss what phishing is, the ways or techniques used to phish for data, and how we can protect ourselves against it so we can avoid the same predicament the scammed eSewa users faced.

What is Phishing?

‘Phishing’ is a wordplay on ‘fishing’ where just as fishermen use lures to catch unsuspecting fish, criminals lure unsuspecting users into providing their personal information through deceptive offers or threats. Phishing is essentially the use of fraudulent methods like posing as trustworthy websites or services in attempts to steal sensitive personal information such as personal identification numbers, banking details and passwords. The most common way to phish data is through the inclusion of a link that takes you to what appears to be a real company’s website with a form or login screen to fill in your information. The fake site takes your data straight to the scammers. Once your information is phished, criminals can use it to grant access to important accounts, steal your identity, or sell the information to another party. This cybercrime is conducted both online and offline, mainly through email, phone or advertisements and special offers, which is most likely the method through which those third-party sites scammed eSewa users. I will quickly explain each of those phishing techniques before offering ways to protect yourself from them.

Email Phishing

Pretending to be from a legitimate organisation, scammers attempt to steal your information through emails that seem genuine. This can also be used to get malware or some sort of data mining software installed into your system. Since this can be targeted to a mass audience simply by using email lists, it is typically the most widely known and commonly used form of phishing. For example, you may receive an email saying that there’s a problem with your Netflix account and they were ‘unable to process your payment’. The call to action here is to get you to update your payment details through the link provided. If you fall for it, you will be handing over your personal information on your own accord.

Phone Scams

Phone scams are also known as voice phishing or simply ‘vishing.’ This is engaged by a malicious caller posing as a government agent, tech support personnel, or from some other organisation. They tell you not to hang up the phone as they attempt to extract personal information or pressure you into making payments. Although it can definitely be used, I am positive that vishing was not how the information of the eSewa users was obtained because our next point is far easier to implement and more effective in outcome. In a recent viral video on Facebook, an Uber driver helped his passenger avoid being scammed by someone pretending to be from the Internal Revenue Service (IRS). He was told to make payments through an online wallet or bitcoin but in reality, the IRS only accepts payment through cheques. If you want to see how phone scammers operate and deceive people into giving their personal information or paying them, you can check out Jim Browning’s YouTube videos that expose many tech scamming operations in India.

Special Offers

Scammers can phish for data using advertisements on social media regarding giveaways or special offers. Those who are unaware tend to fall for these and input their personal information in hopes of winning the item falsely promised. eSewa users likely fell victim to this phishing technique through offers of top ups and other prizes. It does not take long to stumble on such ads and offers on Facebook. When clicked, these may redirect you to a login page that looks real but is not. You can figure this out by the URL – it will not be of Facebook. It is a cheap ploy to steal your account credentials but if you are unfamiliar with it, you may fall for these since they are quite crafty in their approach.

Protection Against Phishing

eSewa responded to the ‘data leak’ by issuing a statement calling its users to keep their password, OTP and other information private, and to change their password regularly. This can only help so far because if you are unable to identify phishing attempts, you will just go on to give away your updated password. Here are three practical ways to protect yourself and others from phishing scams:

1. Use cybersecurity software.

• In personal computers, security software can help identify phishing attempts. • Good antivirus software generally includes protection against phishing by default. • If you do not want to buy cybersecurity software, free options such as Bitdefender are available.

2. Practice due diligence when making any transactions, especially those that you did not initiate yourself.

• Identify where you are entering your login credentials and never give them over the phone or any other means. • Use multi-factor authentication wherever possible. • If you access a link and are redirected to a Facebook login screen, it is best to open Facebook and enter your password there instead. • Be highly skeptical of free stuff and offers that seem too good to be true.

3. Report any suspicious emails and scam attempts to relevant authorities so they can be properly analysed and identified.

• Phishing emails and vishing calls can be reported to the company they are posturing as or to the relevant industry authority. • Emails can also be reported to Google in Gmail. • Social media advertisements and offers can be reported to the platform authorities. In the next article, I will continue my series on AI/ML opportunities in Nepal and talk about customer support spanning multiple industries, robotics, and vehicle traffic monitoring.