Trade Advisory
02 August 2021 • 20 min read
Cyber Scams: Staying Safe as Importers/Exporters
Read about the key cyber-security frauds affecting exporters and importers: why SMEs should be alert, how they can protect themselves when under attack, and useful tips to stay safe.
On January 4, the Directorate General of Foreign Trade (DGFT) – India’s import-export regulator – issued an advisory warning importers and exporters of rising instances of cyber fraud in payments and advising them to implement certain “security protocols” for their email communication. This is not the first time a government authority has issued a cybercrime warning to India’s import-export community, the majority of which is made up of micro, small and medium enterprises (MSMEs).
As more and more importers/exporters transact online, they must realise that this transition comes with conveniences and risks. It is important that they learn to detect, resist and respond to cyber threats. In today’s blog, you will learn:
- What is a cybercrime?
- Who are cyber criminals?
- What are the cybercrimes targeting importers, exporters and MSMEs?
- What can they do to protect themselves?
- What should they do when under attack?
- Case studies
What is a cybercrime?
The Home Ministry defines a cybercrime as “any unlawful act where [a] computer or communication device or computer network is used to commit or facilitate the commission of [a] crime”. A cybercrime can be launched for various reasons – to steal money or intellectual property, access sensitive data, disrupt the operations of a company/individual, defame a company/individual. Cybercrimes come in many forms, the most common examples being:
- Cyber fraud, such as phishing scams
- Malware attacks such as viruses, worms and trojans
- Ransomware attacks
Cybercrimes harm businesses by:
- Stopping trade and transactions temporarily
- Causing financial losses
- Forcing existing customers out and turning new ones away
- Damaging a company’s reputation, sometimes permanently
Cyber criminals: Who are they?
Anonymous and hard to trace, cyber criminals or hackers, as they are generally called, fall in the following categories, according to this academic paper by Norwich University:
- Identity thieves: They gain access to their victim’s personal information and use it to impersonate the victim and make financial transactions.
- Internet stalkers: They monitor their victims’ online activity on social media or through a malware attack. Usually, their objective is to access personal information and use this to defame the victim or blackmail them into paying a bribe.
- Phishing scammers: They mimic business and government websites and trick their victims into revealing sensitive information, which they use to commit identity theft or sell on the dark web.
- Cyber terrorists: They are criminals who target governments and businesses purely to cause them harm. Their main motive is not financial.
Hackers can be individuals or organised groups. Often, they are insiders – employees, business partners, contractors and vendors who are either negligent or act maliciously. In 2018, a McKinsey study found an insider threat in 50% of cyber security breaches reported between 2012 and 2017.
MSMEs: A soft target
Unlike large companies, small businesses have only basic cyber security measures in place, if any at all. This makes them a soft target.
- 43% of cyber attacks worldwide are aimed at small businesses, says a 2019 Accenture study.
- Two-thirds of small businesses (10-49 employees) in the UK suffered cyber attacks in 2018, says another survey. The attacks cost each targeted business £65,000.
- A 280% increase in cyber attacks targeting small businesses was recorded in the 10 months of 2020 when Covid-19 forced companies to transact online and work from home, says cyber security firm Cyfirma.
- Indian MSMEs are especially vulnerable, according to a 2016 survey in the Asia-Pacific region by cyber security firm ESET.
Cyber scams targeting importers, exporters and MSMEs
The top online crimes against MSMEs, especially those in the import-export business, are:
- Phishing: The attacker poses as a legitimate entity, contacts the victim via email, telephone, text or social media and lures them into revealing sensitive information (log-in and banking details, etc). With this information, they access important accounts and steal money. A phishing scam can have multiple targets or just one, in which case it is called spear-phishing. It’s probably phishing if the communication you receive comes with a) a limited-period offer that’s too good to be true, b) a mysterious hyperlink or attachment, c) spelling and grammatical errors.
- Ransomware: The attacker demands payment to release their victim’s computer system from a virus installed by them. The mode of attack is usually a phishing email. In 2020, Australian logistics firm Toll Group was hit by two ransomware attacks in three months. Payouts can cost hundreds of thousands of dollars, sometimes even a million dollars. Even if you don’t pay, the cost of recovering from an attack is enormous. It’s probably a ransomware attack if a) you can’t access your desktop or files, b) your file name has a strange extension attached to it, c) software tools you didn’t install appear on your system, d) there is increased CPU and disk activity.
- Malware: Apart from ransomware, criminals use other types of malware – short for malicious software – to hold small businesses hostage:
  - Trojans – They imitate safe software but contain malicious instructions, which must be executed by the victim to take effect. A common trojan is the anti-virus pop-up that claims your computer is infected and instructs you to run a programme to clean it up.
  - Worms – They spread copies of themselves from device to device, without the victim taking any action.
  - Viruses – The only malware capable of duplicating itself and spreading to multiple files, which makes it dangerous and hard to clean.
  - Spyware – As the name suggests, this malware spies on you to gain sensitive data.
  - Botnet – Short for “robot network”, a botnet is a network of devices infected by malware and controlled by the attacker, who is called a bot-herder.
- DDoS attack: A distributed denial-of-service (DDoS) attack shuts down a web server or system by flooding it with fake traffic. If the crash is severe and the downtime long, it can cause considerable loss of business.
How to protect yourself
The DGFT advisory recommends these email safety protocols for importers/exporters:
- Sender Policy Framework (SPF), which verifies that a message coming from a particular domain was actually sent from that domain
- DomainKeys Identified Mail (DKIM), which adds a digital signature to each message, verifying that it wasn’t forged
- Domain-based Message Authentication, Reporting and Conformance (DMARC), which enforces SPF and DKIM authentication
The Delhi Police Cyber Cell also has some useful tips for MSMEs engaged in the import-export trade:

Then, there are a few other easy steps you can take yourself to protect your business:
- Use security software (anti-virus, anti-spyware) and set it to update automatically
- Update your operating system, browsers, plug-ins regularly
- Use strong, unique passwords. Have different passwords for different websites
- Back up your data, but don’t leave the back-up external hard drive connected to your computer
- Don’t click on unverified emails, hyperlinks and attachments. Hover over a suspicious hyperlink to see the actual address, which might be different
- Try not to use public WiFi, or use it only with a secure VPN
- Download software only after reviewing it. Remove software you no longer use
- Encrypt sensitive information (customer data, etc). Encryption works by converting data into secret code that cannot be read by unauthorised persons
- Detect and block high-risk sites to prevent your employees from viewing them
- Watch out for tell-tale signs. A phishing email, for example, looks like it’s from a sender you know (say, a bank), has a generic greeting (Hi!) that a genuine business partner probably wouldn’t use, urges you to click on a link, etc
- Uninstall/disable Java and Flash Player when not in use. Both programmes have recently been associated with ransomware attacks
It is vital to take your employees on board while implementing cyber security measures:
- Train your employees to read the warning signs, to not click on unverified links and email, to know when a breach has occurred and to report it
- Set specific guidelines for the company’s online activity, including social media
- Hold regular training sessions and briefings to ensure your workers are aware of the cyber security measures in place
- Ensure strict controls on access to information. Access should be given only to employees who need it
- Have a work-from-home policy in place. Ask employees to encrypt their home WiFi, reset their router’s default password, back up their data. Discourage them from using personal devices for work and from downloading their own apps on work devices. Ask them to keep their devices in a safe location. Train them to turn off their bluetooth when not in use.
What to do when under cyber attack
- Disconnect your device/devices from the Internet and all linked networks
- Use your security software to perform a complete scan
- Restore files from back-up
- Reinstall your operating system
- Reset your passwords and personal details
- Alert your bank if you suspect a threat to your financial data
- Close your accounts to prevent fraud/theft
- Investigate the breach to find out how it happened, who was responsible and who was affected, what weakness in your system was exploited, etc
- In case of a ransomware attack, don’t pay the ransom.
Know your cybercrime authority
In India, most state police forces have a cyber cell that deals with online crimes. You can lodge a complaint with them directly or submit one online on the Home Ministry’s National Cyber Crime Reporting Portal, which will then be dealt with by the police or appropriate law enforcement agency (such as the National Cybercrime Forensic Laboratory and National Cybercrime Threat Analytics Unit). Read the steps to filing an online complaint. The laws covering cybercrimes in India are the Information Technology Act, 2000, the IT Amendment Act, 2008, and relevant sections of the Indian Penal Code.
Case studies 2020
The DGFT and Delhi Police advisories are an indication of the growing number, frequency and threat of cyber attacks on small businesses:
- Rebate licence theft: In July 2020, the Delhi Police Cyber Cell busted a gang that targeted garment exporters by stealing their duty rebate licences (a government incentive) worth Rs 3.4 crore. The rebate can only be claimed on the DGFT website with the help of a digital signature certificate (DSC) key. The attackers reportedly accessed information about the companies and fraudulently obtained the DSC keys and licences by exploiting weaknesses in the DGFT’s document verification process.
- Malspam targets manufacturers, exporters: The same month, IT firm Quick Heal’s enterprise security brand Seqrite warned of a malicious spam campaign against India’s manufacturing and export sector. The attack reportedly began with a phishing email containing infected MS Office PowerPoint files.
- Duty scrip theft: The Madhya Pradesh Police Cyber Cell arrested six persons in October 2020 for transferring the duty credit scrips (DCS) – an export promotion benefit – of a pharma firm and an automobile company to fake beneficiaries by fraudulently using their digital signatures.
- Pharma majors attacked: In 2020, Hyderabad-headquartered Dr Reddy’s Laboratories and Mumbai-based Lupin came under cyber attack. At the time, Dr Reddy’s was conducting clinical trials for a Covid-19 vaccine while Lupin had just launched a Covid-19 drug. Both companies are multinationals and not small businesses. But the attacks reinforce the fact that pharmaceutical companies are a top target of hackers.
Given the growing menace of cyber attacks, cyber security now accounts for 30%-40% of the IT budgets of Indian companies. India’s cyber security industry is expected to be worth $35 billion by 2025. This shows that businesses, big and small, are waking up to the threat of cyber attacks, as they rightfully should.