Phishing is a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source – an internet service provider, a bank, or a mortgage company, for example. It asks the consumer to provide personal identifying information.
CloudSEK investigates Electric Vehicle related phishing campaigns exploiting advances in the sector, and Google Ads, to steal users’ data and money. New Delhi (India), March 2: CloudSEK today released Unearthing the Million Dollar Scams Targeting the Indian Electric Vehicle Industry, highlighting a large-scale phishing campaign targeting Electric Vehicle (EV) consumers and businesses. It is notable that the scams increased considerably after the production-linked incentive (PLI) scheme, for electric and hydrogen fuel cell vehicles, was approved by the cabinet in September 2021. CloudSEK’s in-depth investigation has revealed that scammers are exploiting Google Ads to misdirect users to phishing sites that collect users’ data and money. With each site defrauding users of INR 200,000—400,000, in booking fees and down payments, the scam has so far cost the Indian public over INR 40— 80 Million.
Overview of the Phishing Campaign
Since the second half of 2021, CloudSEK’s flagship digital risk monitoring platform XVigil has detected a spike in phishing campaigns impersonating EV manufacturers and dealerships. Scammers propagate this scheme by:
• Registering fake domains that resemble legitimate domains of EV manufacturers and marketplaces.
• Creating Google Ads for the fake domains, and manipulating SEO, such that these ads are top results for generic searches as well as searches for specific EV brands .
• Directing users clicking on these ads to phishing domains that impersonate the content and images of legitimate websites.
• Collecting users’ information and money in the guise of reservation/ booking fees for a vehicle or a security deposit, through phishing websites, to become an EV dealer.
Impact on Consumers and EV Companies
The phishing campaign has already cost the Indian public over INR 40— 80 million, and this value is expected to increase significantly in the future. Apart from financial loss, users also share Personally Identifiable Information (PII) and banking details, which can be leveraged to orchestrate other social engineering campaigns, and even identity theft. For EV companies, these phishing websites lead to direct loss of business, reputation, and credibility. This could also lead to a general decline in the adoption of e-mobility, an already unfamiliar technology, if users’ first touch point in a phishing campaign.
Addressing Threats to the Growing EV Sector in India
EV companies can mitigate the threats posed by these phishing scams by running awareness campaigns to educate users/ customers about the ongoing scams. They can also report the campaigns to the Cyber Crime Cell. In addition, businesses that are part of the EV sector can implement real-time monitoring of phishing domains with XVigil to identify and suspend phishing websites spoofing their business. CloudSEK is an AI-driven Digital Risk Monitoring Enterprise. CloudSEK’s XVigil platform helps clients assess their security posture in real-time from the perspective of an attacker. XVigil scours thousands of sources (across the surface, deep and dark web), to detect cyber threats, data leaks, brand threats, identity thefts, etc.