Cyber security involves protecting systems, networks and data from digital attacks, unauthorised access and data breaches. It ensures the confidentiality, integrity and availability of information. Common cyber threats include phishing, malware, ransomware, social engineering attacks and data breaches.
Cybersecurity risks refer to potential threats to your personal and financial information online. These risks can lead to identity theft, financial loss and compromised sensitive data. As a customer/investor, it is essential to be aware of these risks to protect yourself and your assets.
You can protect yourself by doing the following:
1) Always use strong and unique passwords
2) Keep your software and operating system up to date
3) Use antivirus software
4) Be cautious when clicking on links or downloading attachments from unknown sources
Social engineering is the manipulation of people into disclosing confidential information or performing actions that compromise security. It often involves deceptive tactics such as impersonation or urgency.
Look out for red flags such as unexpected requests, pressure to act quickly, unverified sources and suspicious behaviour. Always verify requests through official channels before taking any action.
No, social engineering can occur both online and in person. While many people associate social engineering with digital scams, it is just as prevalent in face-to-face interactions. In-person social engineering typically involves a person pretending to be someone you trust, such as an employee from your bank or a service provider, and attempting to manipulate you into divulging sensitive information. For example, an attacker may pretend to be from Crisil Ratings, claiming to need access to your financial details, to be upgrading a service or to be verifying your identity. These in-person attacks often rely on deception, persuasion and exploiting trust, making it crucial to verify anyone requesting sensitive information, regardless of whether the interaction is online or in person.
Phishing is a deceptive cyber-attack where criminals impersonate trusted entities - such as banks, colleagues or service providers - often through emails, to trick victims into revealing sensitive information such as passwords, financial details or personal data. These emails typically contain red flags, such as misspellings, generic greetings (Dear Customer), unexpected attachments, suspicious links and urgent language designed to create panic. To verify a link’s legitimacy, hover over it without clicking to preview the actual web address before taking any action.
If you think you have received a phishing email, do not click on any links or attachments. If the email appeared to come from Crisil or was impersonating the Crisil brand, immediately report the email to us at crisilratingdesk@crisil.com.
Vishing, or voice phishing, is a type of social engineering attack carried out over a phone call, wherein attackers impersonate trusted organisations or authorities to steal personal information. These scams typically involve unsolicited calls requesting sensitive data, such as one-time passwords, UPI PINs (unified payments interface personal identification numbers) or financial details. To protect yourself, remember that legitimate companies will never ask for sensitive information over the phone. If you receive such a call, it is best to hang up and contact the organisation directly using verified contact details.
If you receive a vishing (voice phishing) call, it is important to stay calm and avoid engaging with the caller. The first thing you should do is hang up. Do not provide any personal details, passwords or account information, no matter how convincing the caller may sound.
After disconnecting, contact the company or organisation directly using a verified phone number from their official website or documents. Do not use any contact information provided in the vishing call as it is likely to be fraudulent. When you contact the company, ask them to verify if they made the call and clarify any concerns or requests they may have. Legitimate companies will never ask for sensitive information, such as passwords or account numbers, over the phone, especially in an unsolicited manner.
Smishing is a type of phishing attack carried out via SMS (text messages), where attackers send fraudulent messages with links to fake websites designed to steal personal information. These messages often include suspicious links, grammatical mistakes and a sense of urgency that pressures you to take immediate action. Smishing attempts can occur through any text or chat application, so it is important to be cautious and verify the authenticity of any message requesting sensitive information.
Do not click on links in unsolicited text messages and verify the sender’s identity before responding with personal details.
QR phishing, also known as quishing, involves attackers creating malicious QR codes which, when scanned, redirect victims to fraudulent websites designed to steal personal information. To avoid falling victim to this attack, always be cautious of QR codes from unknown or untrusted sources, especially those found in unsolicited emails, messages or public places. Before scanning, verify the legitimacy of the source to protect your personal data.
Only scan QR codes from trusted sources and ensure the URL is legitimate before entering any sensitive information. When scanned through the camera application, some phones first display the link that you will be redirected to, giving you an option to check before taking further action.
A digital arrest is a type of impersonation fraud where scammers pretend to be law enforcement or legal authorities and claim to have a warrant for your arrest for an illegal activity, such as multiple SIM cards issued in your name and possession of illegal substances.
If you receive a phone call from someone claiming to be from law enforcement, especially regarding a "digital arrest", remain calm and cautious. Scammers often impersonate officials to create fear and pressure you into providing personal information or making immediate payments. Do not share any sensitive details over the phone. Verify the caller’s identity by independently contacting the law enforcement agency using a verified number. Legitimate authorities will never demand payment over the phone. Report the incident to local law enforcement or the cyber-crime cell.
Yes, if you do not use strong passwords or security measures, cybercriminals can gain access to your accounts and misuse your personal information.
You should not share your login credentials. Sharing your login credentials gives unauthorised individuals access to your personal accounts, which could lead to identity theft, financial loss or unauthorised access to sensitive data.
Use a mix of upper and lowercase letters, numbers and special characters. Avoid using information that can be easily guessed, such as your name or birthdate.
It may seem overwhelming to create different passwords for different accounts. However, doing so reduces the chances of account compromise. You can create a phrase that is relevant to you (for example, I drink coffee every morning at 10 AM), take the first letter of each word (Idcema10), then replace a couple of letters with symbols, experiment with capitalisation and add a number (1Dcem@10).
Using the same password across multiple accounts increases the risk of a widespread security breach if one account is compromised.
An OTP is a unique, temporary password sent to your phone or email for authentication, typically used in two-factor authentication (2FA).
Sharing your OTP with anyone, even if they appear to be legitimate - such as someone claiming to be from your bank or a trusted service provider - puts your accounts at risk. Cybercriminals often trick individuals into revealing OTPs through phishing, vishing or smishing. Once an attacker has access to the OTP, they can bypass security measures and gain control of your account, potentially leading to theft of personal information, money or sensitive data. Remember, no legitimate organisation will ever ask you for an OTP over the phone, email or text. Always keep your OTP private; do not share it with anyone, even if they claim to need it for verification purposes.
Immediately change your password and contact the service provider (such as your bank) to report the situation and secure your account.