From Twitter to IRCTC, data leak is making its way to the dark web. Here’s how it can be used against you

Amrutha Pagad
Jan 01, 2023 | 08:00

How your leaked data can be used to scam you. Photo: DailyO

You must have come across headlines like "400 million Twitter users data leaked" or "3 crore IRCTC users data leaked and up for sale on the dark web". We often just scroll past these alerts. There's no way anyone would be interested in your data, right? What will a hacker even do with your name, email ID, and phone number?

But here's the thing, that seemingly innocent piece of information in the hands of someone who wants to steal your money (even the pennies that are in your brokea** bank account) can be and will be used to do just that. 


It is called phishing, a scamming technique that is often targeted at individuals.

How do scammers use data leaks? This is phishing 101:

  • A data leak, which may include name, username, email, phone number, full address, gender, and language preferences, is used to steal more valuable information, like your bank account details.
  • For example, say the scammer gets an Indian Railways traveller's information.
  • The victim may then receive an email, phone call, or SMS offering them discounts or lucrative ticketing options to the destination they often travel to or were just searching about.
  • Often, these scammers pretend to be from a reputable institution or company and they love impersonating government agencies. 
  • They may pose as irtcc.com or irctcticketts.com. There's just a slight change in their names that many would miss noticing, especially our older generation who are not as tech-savvy. 
  • The next thing you know, you are giving personal information such as your UPI ID and UPI pin. 
  • Or scammers may send you an email with a link to redeem a discount for your next rail journey. But it's actually a link to malware, designed to steal your computer data where you have stored your credit card information for faster checkout.  

Scammers don't always need leaked data to target their victims. The latest report by CRIL (Cyble Research & Intelligence Labs) found instances where Indian Twitter users were targeted using their Twitter complaints.

  • Shree posted a complaint on Twitter tagging Dominos and the Indian Railways that their food order from IRCTC and the pizza chain wasn't delivered. 
  • Soon enough, the scammers were able to get the complainant's contact number. They called her impersonating an official from Indian Railways and asked for her train PNR number, order number, refund amount, and payment method, then the UPI pin to initiate the refund.
  • Shree knew better than to share her UPI pin (YOU SHOULD NOT), but this is one example of how the scammers are working. 
  • In other instances, the scammers were even more elaborate. They sent an SMS link to the victim, asking them to forward the message to a specific number.
  • Ladies and gentlemen, if you forgot, this is how you link your bank account or your phone number to your UPI ID. 
SMS sent for linking UPI ID. Photo: CRIL

We know not to share the OTP, but the UPI pin, setting up a UPI ID, and linking accounts are still too new and complex for many of us to recognise as part of a scam.

  • If not scamming you using your leaked data, scammers can also carry out fraud in your name. 
  • It's not just some Nigerian Prince sitting in Ghaziabad who is out there to con you out of your money. Some are terrorists who are buying the leaked data on the dark web and misusing it. 
  • In 2017, Israeli intelligence found out that the Hamas militant group was using fake profiles of women using leaked data and real people's personal photos to honeytrap Israeli soldiers and gain access to their cell phones. 

It seems like a minefield out there. If you are hyperventilating thinking about all those usernames and passwords you clicked save on Google Chrome and all those cookies that you accepted, calm down. 

Here's how you can prevent being scammed:

  • Get your lazy arse to set up two-factor authentication for your social media accounts and other profiles wherever possible. 
  • Google and iOS tell you when your password is used too often, is too easy to crack, or has appeared in a leak somewhere. Pay heed to the warning and take action.
  • Keep changing passwords from time to time. 
  • You can check if your data has been leaked somewhere using third-party websites such as haveibeenpwned.com and breachalarm.com.
  • DO NOT click on links in emails or call the phone numbers in them right away. Check the spelling in the content and the sender's email address, navigate to the official site yourself if you have to, and then proceed. You will often find some spelling or grammatical errors if it's a scam.
  • Set up your email to filter spam. If you have Truecaller on your phone, it also tells you when a phone number has been reported as spam by other users.
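
The spelling check on a sender's address or a link can be automated. The Python sketch below is an added example, not part of the original article: it compares the host in a sender address or link against a short list of trusted domains and flags near-misses such as the two lookalike names quoted earlier. The trusted list, the distance threshold and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this reader really uses (not listed in the article).
TRUSTED_DOMAINS = {"irctc.co.in", "twitter.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value: str) -> str:
    """Lowercase host taken from an e-mail sender field or a link."""
    if "@" in value and "://" not in value:
        return parseaddr(value)[1].rsplit("@", 1)[-1].lower()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare name as a host
    return (urlsplit(value).hostname or "").lower()

def classify(value: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <brand>' or 'unknown' for a sender or link."""
    host = host_of(value)
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    brands = sorted(d.split(".")[0] for d in TRUSTED_DOMAINS)
    for label in host.split("."):
        if len(label) < 4:  # skip short suffix labels such as "com", "co", "in"
            continue
        for brand in brands:
            # Brand embedded in a longer name, or only a few typos away from it.
            if brand in label or edit_distance(label, brand) <= max_distance:
                return f"lookalike of {brand}"
    return "unknown"

# Constructed samples; the two lookalike names are the ones quoted in the article.
SAMPLES = ["IRCTC Refunds <refund@irtcc.com>", "https://irctcticketts.com/discount",
           "https://www.irctc.co.in/nget/train-search", "newsletter@example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):22} {s}")
```

A result of "unknown" only means the name is not close to anything on the trusted list, so it still deserves the manual check described above.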

And lastly, remember that no Nigerian Prince is going to give you $50 million.

Last updated: January 01, 2023 | 13:41