Cybercrime is one of the biggest problems faced by all digital citizens. In recent times, our students, faculty and staff have fallen victim to various cybercrimes, including cyber fraud, ransomware and blackmail. To spread awareness among our users, we request every user to read and follow the following cybersecurity advisory carefully.
1. Strong Passwords
Use strong, unique passwords for all your accounts. Passwords should be at least 8 characters long and combine uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable choices such as "password", "123456", dictionary words, first or last names, or common phrases. Change passwords regularly and do not reuse previous passwords.
2. Phishing Scams
Phishing attacks come in various forms, and Internet users should be aware of the most common types to safeguard themselves effectively. Here are some typical phishing attacks to watch out for:
- Email Phishing:
  - Deceptive Emails: Attackers send emails that appear to be from legitimate sources (e.g., banks, social media, or government agencies) but contain malicious links or attachments.
  - Spoofed Domains: They use fake domain names that resemble real ones to trick users into clicking on links or providing sensitive information.
- Spear Phishing:
  - Targeted Attacks: Phishers research and craft personalized emails to specific individuals or organizations. They often use information gathered from social media to make their messages convincing.
- Whaling:
  - Targeting High-Profile Individuals: Similar to spear phishing, but aimed at high-profile individuals like CEOs and executives. Attackers seek sensitive corporate data or financial information.
- Vishing (Voice Phishing):
  - Phone Calls: Attackers call victims and impersonate legitimate entities, such as banks or tech support, to extract sensitive information over the phone.
- Smishing (SMS Phishing):
  - Text Messages: Phishers send SMS messages containing malicious links or asking for sensitive information, often pretending to be a trusted organization or contact.
- Pharming:
  - DNS Manipulation: Attackers redirect users to fraudulent websites by altering DNS settings or exploiting vulnerabilities in routers and DNS servers.
- Man-in-the-Middle Attacks:
  - Interception: Phishers intercept communications between a user and a legitimate website or service, allowing them to steal login credentials and other sensitive data.
- Social Engineering Attacks:
  - Pretexting: Attackers create a fabricated scenario to obtain personal information from victims. For example, they might pose as a colleague or IT support staff to request sensitive data.
- Credential Harvesting:
  - Fake Login Pages: Attackers create counterfeit login pages that mimic legitimate sites (e.g., email or banking). Users unknowingly provide their credentials, which are then stolen.
- Ransomware Attacks:
  - Malicious Attachments: Phishers send emails with infected attachments. If opened, the ransomware encrypts the victim's data and demands a ransom for decryption.
- Business Email Compromise (BEC):
  - Impersonation: Attackers impersonate high-ranking executives or vendors within an organization to trick employees into making fraudulent money transfers or revealing sensitive data.
- Malvertising:
  - Malicious Ads: Phishers use infected online advertisements that lead users to phishing websites or deliver malware when clicked.
- Search Engine Poisoning:
  - Manipulated Search Results: Attackers manipulate search engine results to lead users to malicious websites instead of legitimate ones.
- Clone Phishing:
  - Duplication: Attackers create copies of legitimate emails, often with slight modifications, to trick recipients into revealing sensitive information.
To safeguard against phishing attacks, follow these general tips:
- It is recommended to enable and use two-factor authentication (2FA) in Webmail (NWM).
- Be cautious of unsolicited emails or messages, especially those requesting personal information, login credentials, or payment. Avoid responding or clicking on links unless the sender's identity is well known.
- Be cautious of unsolicited contact from a seemingly known associate, family member, or law enforcement agency. The scammer(s) will send what appears to be a legitimate email pretending to be a faculty member, fellow student, or staff or faculty colleague. The scammer(s) will tell the victim that he/she cannot connect to the Internet for some reason and needs to send money to a family member or fellow student/colleague who is in dire need of it. The scammer will then ask the victim to buy gift cards (paying by UPI or other electronic means), take a photo of the bar code of the card(s), and send it to the scammer. Check the email address closely: scammers often use a look-alike address that differs from the real one by only a character or two and assume the receiver will not look closely.
- Be cautious of telephone calls from individuals claiming to be members of banks, law enforcement or another government agency. Many of these scammers use “spoofed” phone numbers that appear to belong to the government agency the caller claims to represent. These numbers are easily found on the Internet and are used to falsify the number shown on the Caller ID and hide the caller’s true identity. During these calls, the victims are told that they owe the government money and, if they are unable to pay the amount while still on the phone, they will be arrested. The callers then instruct the victims to purchase various gift cards and read out the card numbers. After obtaining the gift card numbers, the callers usually hang up without giving any further instructions.
- Be cautious of fraudulent offers of part-time/full-time jobs or internships. Scammers commonly use unofficial Telegram/WhatsApp groups and social media groups such as “IITK Class of 2023” to fraudulently sell movie/theater/game tickets, and also post about open Research Internship Positions using an already compromised IITK-affiliated email address as the contact. Sometimes they use the name of a professor or administrator. For tickets, payment is typically requested upfront through an electronic payment service or app, and the money is taken without the purchased product ever being delivered.
- Be cautious of sextortion scams. This scam usually victimizes someone contacted randomly on Instagram/Facebook and other social media platforms, including WhatsApp. On social media, this usually starts with a "follow" request from an unknown person, typically female. On WhatsApp, the victim receives a random message. Once the request is approved or entertained, a conversation begins which quickly turns intimate, with the scammer sending exposing photographs and requesting photos or videos in return. Private photographs or videos are shared and/or recorded, sometimes without the consent or awareness of the victim being recorded. The scammer then blackmails the person by threatening to release the intimate material online to their followers unless payment is made. In some cases, payment only delays the release of this material, as the scammer will likely request additional payments to withhold it.
- Never accept payment offers/checks/UPI QR code from persons or businesses that you do not personally know and never accept or cash checks that you are not expecting to receive.
- Never give out personal identifying information over the telephone or the Internet to anyone unless you know who you are speaking to.
- If you have any suspicions about a cheque or an unsolicited financial offer from a stranger, do not go for it; an unsolicited financial offer that feels suspicious is usually a scam.
- Be apprehensive of situations where someone overpays you by check and then asks you to wire money or utilize a prepaid card for payment.
- Check URLs and hover over links to view their actual destination before clicking. If in doubt, right-click the link, select “Copy Link”, and paste the link at https://transparencyreport.google.com/safe-browsing/search or https://virustotal.com/ before clicking it.
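The two checks above (look closely at the sender's address; compare a link's displayed text with its real destination) can be automated for a mailbox rule or a help-desk triage script. The following is an added example, not part of the original advisory or any institute tool; the trusted domain `example.edu` is a placeholder, the sample mail body is constructed, and `suspicious_sender`/`suspicious_links` are hypothetical names.

```python
import re
from urllib.parse import urlparse

# Assumption: the institute's real domain (a placeholder, not IITK's actual one).
TRUSTED_DOMAIN = "example.edu"
# Constructed sample mail body, not a real message.
SAMPLE_MAIL = ('<p>Your mailbox is full. <a href="http://examp1e.edu/login">Verify now</a> '
               'or visit <a href="http://evil.test/nwm">https://webmail.example.edu/</a>. '
               'Catalogue: <a href="https://library.example.edu/">library</a>.</p>')
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    if "://" not in url:          # "www.example.edu/..." carries no scheme
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def _edit_distance(a, b):
    # Levenshtein distance: one or two edits from the real name is the classic lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host, trusted=TRUSTED_DOMAIN):
    """True for near-miss spellings and for hosts that merely embed the trusted name."""
    if host == trusted or host.endswith("." + trusted):
        return False              # the real domain or one of its subdomains
    return trusted in host or _edit_distance(host, trusted) <= 2

def suspicious_sender(address):
    """Flag a From: address whose domain is a lookalike of the institute's."""
    return lookalike(address.rsplit("@", 1)[-1].strip().lower())

def suspicious_links(html):
    """Return (href, reason) for links whose real destination is not what it appears."""
    findings = []
    for href, text in ANCHOR.findall(html):
        target, text = _host(href), re.sub(r"<[^>]+>", "", text).strip()
        shown = _host(text) if re.match(r"^(https?://|www\.)", text, re.I) else ""
        if shown and shown != target:
            findings.append((href, "displayed URL differs from real destination"))
        elif lookalike(target):
            findings.append((href, "destination is a lookalike of " + TRUSTED_DOMAIN))
    return findings
```

On the constructed sample, the first link is flagged for the digit-for-letter domain and the second because the visible URL and the real destination disagree; the genuine library subdomain passes.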
3. Secure Wi-Fi Connection
When connecting to a Wi-Fi network, always connect to secure networks. Avoid using unsecured public Wi-Fi networks for sensitive tasks. When connecting to the institute network from outside, use institute VPN (Virtual Private Network) services.
4. Data Backup
Regularly backup your important academic work and data to an external drive or cloud storage. This protects against data loss due to hardware failure or cyberattacks.
5. Secure Your Devices
Use a strong PIN, password, or biometric authentication on your devices (mobiles etc.) to prevent unauthorized access. Enable device encryption if available.
6. Social Media Caution
Be mindful of the information you share on social media platforms. Avoid sharing sensitive personal or academic details publicly.
7. Safe Downloads
Download software and files only from trusted sources. Be cautious of email attachments and downloads from unfamiliar websites.
8. Email Hygiene
Avoid opening attachments or clicking on links from unknown senders. Be cautious of email attachments with unusual file extensions.
9. Secure Video Conferencing
When using video conferencing tools for online classes or meetings, use meeting passwords and waiting rooms to prevent unauthorized access.
10. Be Skeptical of Requests
Verify the legitimacy of requests for personal or financial information. Scammers often impersonate academic institutions.
11. Respect Copyright Laws
Ensure that you respect copyright laws when using academic resources and materials online.
12. Mobile Device Security
Apply regular security updates to your mobile devices, computers, and laptops.
13. Encryption for Sensitive Data
Use encryption tools or services to protect sensitive academic and personal data.
14. Stay Informed
Stay informed about the latest cybersecurity threats and best practices. Follow updates sent from CC from time to time.
15. Reporting Incidents
If you suspect a cybersecurity incident or data breach, report it immediately by sending an email to the CC incident-reporting address (the address itself is not visible on this page).
Remember that cybersecurity is a shared responsibility, and your actions are crucial in maintaining a secure academic environment. Stay vigilant, stay informed, and help protect your institute's digital assets and personal information.