There is an imminent threat of a massive phishing attack in India, according to the Cert-In. The new phishing attack could imitate government organizations and can steal sensitive personal data and financial information. The new advisory claims that the phishing attack, conducted by "malicious actors", will be done in the guise of a Covid-19 related directive and it is expected to begin on 21 June. These cyber-attacks will be focused on both individuals and business organizations ranging from small to large. "The phishing campaign is predicted to use malicious emails under the pretext of local authorities responsible of dispensing government-funded Covid-19 support initiatives they are fake. Such emails are designed to drive recipients towards fake websites where they're deceived into downloading malicious files or entering personal and financial information," CERT-In said during a statement. The attackers are expected to claim to be a part of the financial aid being rolled out by the government to deal with Covid-19.
They could ask for sensitive personal information as well as banking information which can later easily be put to use to conduct thefts. The advisory claims that these malicious actors have up to 20 lakh email IDs of individuals. The advisory states that these cybercriminals are “planning to send emails with the subject free Covid-19 testing for all residents of Delhi, Mumbai, Hyderabad, Chennai, and Ahmedabad, inciting them to provide personal information." These email IDs are expected to seem tons almost like official government domains and may easily be mistaken for the first timers and they can donate but it’s fake . The advisory claims an email ID like 'firstname.lastname@example.org' could be used in the phishing attack. The government agency tasked with cybersecurity also listed some guidelines for the users to follow.
The agency claims, users shouldn’t download or open attachments from unsolicited emails and even refrain completely from clicking on URL within such emails. Even if the mail is expected or the cause seems genuine, its best practice to go to the original website and access the page. Users can even check for spelling mistakes or irregularities within the email. Most phishing emails offer some kind of reward or prize. The recipient should not submit their personal or banking details to such mails.