Phishing campaigns have grown sharply in recent years, and fraudsters have been adept at concocting, let's say, 'new and improved' ways of preying on unsuspecting individuals. India has some of the most stringent regulations in the world, yet between April 2020 and March 2022 over 9 lakh phishing incidents were reported in India, siphoning off about Rs 1,500 crore. Phishing attacks occur on every channel, are crafted to appear legitimate, and are commonly used as the entry point for cybercrime. Cisco's 2021 Cyber Security Threat Trends report states that phishing accounts for around 90% of data breaches.
Over the last few years India has seen a spurt in digital interactions that connect brands and consumers for products and services. Communication from enterprises has therefore become part of consumers' daily lives, which makes it easier to fall prey to dubious messages masquerading as genuine ones, such as "Track your order with this link: https//…". Another popular lure is the cautionary message, such as "Unusual login detected, recover your bank account here https//bank.com/v3b."
Phishing scams also appear as investment opportunities, refer-and-earn offers, job vacancies, KYC alerts or even opt-out reminders. The reason over five lakh people across India potentially fell for phishing scams, while an estimated 30 crore remain vulnerable, is that phishing feeds on anxiety, prompting unguarded users to act hastily without leaving themselves time for a second thought.
Need of the hour: Strengthen the ecosystem
Despite stringent regulations, the menace of phishing continues. That should be a compelling reason for every stakeholder in the ecosystem, from the regulatory body to telecom operators, CPaaS companies and enterprises, to come together and consider what more can be done so that trust in the enterprise-customer communication system does not collapse.
Regulatory body to tighten the noose
Given its strong position, the Telecom Regulatory Authority of India (TRAI) is rightly the entity with the power to take definitive steps to thwart phishing. In the wake of surging phishing incidents, the regulator has reiterated the need to verify principal entities (enterprise senders) and the message headers and templates they register, to suspend unused templates and to remove lookalike headers, among other measures. TRAI has also advised mobile operators to stop unsolicited business calls and texts placed through virtual mobile numbers, and has asked them to deploy artificial intelligence (AI) based infrastructure to monitor and stop unauthorized communication.
Several other rules around the Distributed Ledger Technology (DLT) platform have also been changed, such as a cap on the number of templates an enterprise can register and on the number of variables used in each template. Every variable is a free-text slot in an otherwise approved message, so capping them shrinks the room a fraudster has to smuggle arbitrary content through a registered template. These are steps in the right direction for A2P fraud mitigation, although some revisions are still being implemented.
Telecom operators must strengthen network
Telecom operators have implemented the DLT platform to reduce unsolicited communication sent to consumers and to bring in a system of authorization and authentication. Every CPaaS company sending SMS to consumers on behalf of an enterprise is mandated to adhere to the DLT requirements. These rules have been tightened further, but given the vast volume of traffic operators handle, there is a long road ahead before the technology and processes fully deliver on TRAI's guidance.
Operators must ensure that unauthorized companies are prevented from misusing registered headers; otherwise businesses face disruption and the possible leakage of crucial customer information. There is an immediate need for operators to revalidate the CPaaS companies they give connectivity to, and to allow onto their networks only those with the requisite data security standards, well-documented data protection processes and at least ISO/IEC 27701 certification. Operators also need to harden their operating environment by improving the performance of the network firewall, using AI systems in conjunction with the DLT platform to block fraudulent and unauthorized messages continuously and in real time.
Enterprises must review their CPaaS Partners
Fighting phishing requires a concerted effort, so the responsibility extends beyond the regulator and the telecom industry.
For businesses to thrive, customer loyalty is non-negotiable. Large corporations are the usual targets of impersonation, and SMS in particular is a channel fraudsters tap into given its high open and read rate. When customers' information is misused, their trust is compromised. So the best defence against phishing is for enterprises to review and take charge of their communication requirements and to comply rigidly with regulations through their CPaaS partners.
The good news is that enterprises have swung into action, reviewing all the templates used for communication and removing unused templates from the DLT platform. Enterprises also have an obligation to partner with authorized and trusted CPaaS companies, since they need to create a trusted communication channel for their consumers. Hence they should share a list of authorised CPaaS partners with the operators, so that messages from any other source impersonating the enterprise's headers or templates are dropped, ensuring secure last-mile delivery to the end consumer.
CPaaS companies have a huge responsibility to shoulder as the bridge between enterprises and operators before messages reach end consumers. Risk is created when enterprises fall into the low-cost trap set by telemarketers or CPaaS companies who lure them with discounted pricing. Such telemarketers are later unable to detect, or have no intention of detecting, unauthorized messages that use lookalike or actual headers and templates of large enterprises and so circumvent the operator firewall. Removing such indiscriminate telemarketers could reduce phishing incidents by an estimated 60-70%.
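The header, partner and template checks described in this section, shown as an added Python example; this is not code from the original article, nor from any operator's or CPaaS provider's DLT implementation. The registry, the entity ACMEBK, the partner names, the templates and the sample messages are all constructed for illustration. `{#var#}` follows the variable placeholder convention used on the Indian DLT platforms, and the 30-character per-variable cap is an assumed value.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed DLT-style registry: the entity, headers, authorised CPaaS
# partners and templates below are made up for this example.
REGISTRY = {
    "ACMEBK": {
        "authorised_cpaas": {"cpaas-alpha", "cpaas-beta"},
        "templates": [
            "Your ACME Bank OTP is {#var#}. Valid for 10 minutes. Do not share it.",
            "Rs {#var#} debited from a/c {#var#} on {#var#}. Not you? Call 1800-000-0000.",
        ],
    },
}

PLACEHOLDER = "{#var#}"
MAX_VAR_LEN = 30  # assumed per-variable length cap for this example

# Digits fraudsters swap into a sender ID so it reads like the real header.
CONFUSABLES = str.maketrans("01258", "OIZSB")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def normalise_header(header: str) -> str:
    """Drop the operator/circle prefix ('AX-ACMEBK' -> 'ACMEBK') and upper-case."""
    return header.rsplit("-", 1)[-1].strip().upper()


def lookalike_of(header: str) -> Optional[str]:
    """Return the registered header an unregistered one imitates, if any:
    either equal after folding confusable digits (ACME8K -> ACMEBK) or
    differing in exactly one character (ACNEBK vs ACMEBK)."""
    folded = header.translate(CONFUSABLES)
    for registered in REGISTRY:
        if registered.translate(CONFUSABLES) == folded:
            return registered
        if len(registered) == len(header) and \
                sum(a != b for a, b in zip(registered, header)) == 1:
            return registered
    return None


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a registered template into a regex with one capture group per {#var#};
    every literal character outside a placeholder must match exactly."""
    literal_parts = [re.escape(part) for part in template.split(PLACEHOLDER)]
    return re.compile("(.+?)".join(literal_parts), re.DOTALL)


def scrub(cpaas: str, header: str, text: str) -> Decision:
    """Operator-side scrubbing: a message is delivered only if its header is
    registered, the submitting CPaaS is authorised for that entity, and the
    content matches an approved template within the variable cap."""
    sender = normalise_header(header)
    entity = REGISTRY.get(sender)
    if entity is None:
        imitated = lookalike_of(sender)
        if imitated:
            return Decision(False, f"lookalike header {sender} imitating {imitated}")
        return Decision(False, f"unregistered header {sender}")
    if cpaas not in entity["authorised_cpaas"]:
        return Decision(False, f"{cpaas} not authorised to send for {sender}")
    for template in entity["templates"]:
        match = template_to_regex(template).fullmatch(text)
        if match is None:
            continue
        if any(len(value) > MAX_VAR_LEN for value in match.groups()):
            return Decision(False, f"variable exceeds {MAX_VAR_LEN} chars")
        return Decision(True, "matched registered template")
    return Decision(False, "content matches no registered template")


if __name__ == "__main__":
    OTP = "Your ACME Bank OTP is 482913. Valid for 10 minutes. Do not share it."
    PHISH = "Unusual login detected, recover your bank account here https://acme-bank-verify.example/v3b"
    samples = [  # (submitting CPaaS, header, text) - all constructed
        ("cpaas-alpha", "AX-ACMEBK", OTP),     # genuine
        ("cpaas-alpha", "AX-ACMEBK", PHISH),   # real header, unapproved content
        ("cpaas-gamma", "AX-ACMEBK", OTP),     # partner not on the enterprise's list
        ("cpaas-alpha", "AX-ACME8K", OTP),     # lookalike header
    ]
    for cpaas, header, text in samples:
        d = scrub(cpaas, header, text)
        print("ALLOW" if d.allowed else "DROP ", header, "-", d.reason)
```

The one case this scrubbing cannot catch on its own is an approved template sent through an authorised partner with a phishing link stuffed into a variable slot; the variable cap narrows that gap but does not close it, which is why the traceability back to the originating partner discussed later still matters when a registered template is abused.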
So, to begin with, enterprises must ask the right questions when narrowing down their CPaaS partnerships: What security and process audit procedures does the company follow? What is its data management, retention and data-sharing strategy? Does it have a CISO and a data protection officer? What encryption does it apply to data in transit and at rest? And so on.
It is in the enterprise's interest to choose a CPaaS partner who can transparently provide end-to-end traceability of each SMS, in real time, from its origin to the consumer's handset. Very few CPaaS companies in the market have this capability today, but it is very useful for early detection of fraud and saves enterprises a lot of time: without it, they would have to approach every communication partner for reports when trouble strikes, delaying the investigation.
Enterprises also benefit from considering players who strengthen the ecosystem by giving them unified control of their promotional and business messages, advanced template management and audit trails. This puts an enterprise in a position to resolve issues much faster while keeping its data protected.
It is equally important to remember that, at the end of the day, each of us is a consumer. Consumers are the most vulnerable link, which is precisely why phishing succeeds at the rate it does. India is among the top five countries where phishing attacks are most common. Awareness is therefore crucial, and enterprises have the onus of educating their customers.
It is our goal to build trust across the ecosystem by delivering messages safely to end consumers. We comply with all the necessary regulations and more. We endeavour to help enterprises leverage digital communication as a competitive differentiator and create unique experiences for their customers, and we can ensure a safe environment for businesses to communicate.
Get the full coverage on Times of India