Notices
Notice No: 20180912-21
Notice Date: 12 Sep 2018
Category: Others
Segment: General
Subject: Cyber Security Advisory (Email Security - Phishing Attack)
Content

Alert: Widespread phishing campaign affects members, brokers and vendors

BSE has identified a phishing campaign affecting members, brokers and vendors. The email states that there is an update in the account to which payments are to be made. On further investigation by BSE, the tools and techniques used suggest criminal involvement. The emails are sent from contacts in the recipient’s address book, so they may look legitimate. In one particular case, a fraudulent email was sent in the name of BSE asking for payment.

Phishing is a method of stealing confidential information by sending fraudulent emails to a victim. These messages often contain a link to a fake website where victims are coaxed to enter personal details. Phishing emails appear to be from a known and trusted source, but the links and attached files are designed to bypass security and access a network.

Take a look at the sample email address below:

sapna@bseidndiae.com

Is this a legitimate email account? If your answer is ‘Yes’, check again. The domain ‘bseindia.com’ is substituted by ‘bseidndiae.com’.

 

How to Protect Yourself from Phishing

Although you cannot prevent a phishing attack, there are things you can do to make sure you recognize one.

▪  Know what to look for in a phishing email. You might notice that:
    ✓  you don’t recognize the sender
    ✓  the sender name doesn’t sound quite right
    ✓  you don’t recognize the name of the company
    ✓  the company logo doesn’t look like it should
    ✓  the email refers to you in a generic or odd way, for example, 'Dear You…'
    ✓  the email creates a sense of urgency, demanding “immediate action”
    ✓  if you hover over a link in the email with your mouse, the address that you see does not match the place it says it will take you
    ✓  the email contains bad grammar or spelling, or uses a personal email address like @gmail.com, @yahoo.com or @hotmail.com or any other webmail IDs
▪  Be careful what you share about yourself online, both personally and professionally.
▪  Don't view emails that look suspicious, based on the Subject or Sender. You can hover the mouse
▪  Don’t click on links unless you and/or your staff are certain the email is legitimate. When in doubt, manually type the web address into a browser rather than clicking on a link.
▪  Don't download files that are attached to a suspicious or unexpected email, and certainly do not open any executable files (e.g. .exe, .bat, .bin, .cmd, .com, .app, .osx).
▪  Trust your instincts: if you or your staff think you know the source of an email but something seems odd, phone to check whether they did send it.
▪  Report suspicious emails to bse.isms@bseindia.com

Shivkumar Pandey

CISO

September 12, 2018