gurmehar kaur
JUNE 16, 2022
Human rights activist and Digital Peace Now Global Ambassador Gurmehar Kaur opens up about her experience falling victim to a sophisticated phishing campaign.
Some vulnerabilities are temporary, while others seemingly last forever. For example, hackers may be able to leverage a software vulnerability to achieve their malicious goals until the software company releases a patch to fix it, like the WannaCry/NotPetya exploit EternalBlue (some of you didn’t get the memo though). However, one vulnerability continues to plague our shared digital world that even the latest and greatest security updates cannot fix: human error. When it comes to hackers exploiting human error, one of their go-to tactics is phishing.
Most of us have experienced a phishing attempt firsthand. From a random text message asking to verify your bank account number to an anonymous email claiming you owe additional taxes, we have grown used to hackers attempting to reel us into a scam. But as we become more seasoned at identifying phishing schemes, hackers are becoming even more savvy at creating new and unexpected lures. In fact, some phishing campaigns have become highly intricate, involving long-term communication and numerous fake online profiles to gain the trust of an unsuspected target.
To highlight the real-life impact of this sneaky hacking technique, human rights activist and Digital Peace Now Global Ambassador Gurmehar Kaur decided to share her own personal experience falling victim to a sophisticated phishing campaign. Her experience serves as a reminder to always practice online safety, such as checking email addresses for signs of fraud or avoiding clicking hyperlinks from unknown sources. Above all, her story proves that if you think you’re not susceptible to phishing schemes, think again.
(Edited for brevity and clarity)
DPN: Walk us through your day before the incident happened.
GK: This happened in the first week of February 2019. The day looked like any other day. I was in school during that period, so I had a full day of classes, followed by evening plans with my flat mates. The scam started with an email from an “unindia.org” address – so appearing to come from the United Nations – inviting me to Geneva to receive an award. I’ve been lucky enough to receive these kinds of recognitions before, such as TIME Magazine’s Next Generation Leader nomination and the Punjabi Icon Award, so getting this opportunity was within the realm of possibility. Even though I accepted the request, I didn’t tell anyone about the award because a part of me didn’t believe it was real. Maybe it was imposter syndrome or my gut telling me to be careful? After my email confirmation, I received a phone call from a man with a Dubai number. The man congratulated me, then put me in touch with a whole team of people. This team included a stylist, a travel and accommodation POC, a UN officer, and so on. Every person on the team was very knowledgeable and came off like seasoned professionals. Looking back, the hacker team thought of every detail.
Describe the moment you discovered you were targeted by a phishing campaign.
When I found out my UN award invitation was a joke, I felt like a fool. There were a lot of self-doubts that crept in. As a young woman in the public eye, especially with political ideas that go against the grain, certain people try to plant seeds of self-doubt. In moments when you experience such vulnerability, those seeds grow and constrict you. They make you feel like you are incapacitated. I found out about it because my emails began bouncing back. I shared my story with a friend whose organization collaborates with UN India. They immediately pointed out that the domain name in the emails were fake.
Can you explain how it disrupted your personal life?
As far as I’m aware, the hackers did not gain access to my device or system. However, they were able to take personal information from important documents, such as my birth certificate, passport, and photos.
But, for a long time, I couldn’t trust newly established online connections. Since these bad actors were pretending to be someone else online, we gradually became virtual friends. We had fairly regular conversations together until this happened. When I discovered they were involved with the phishing attack, I tried to confront them, but my emails bounced. To this day, I do not entirely trust others online.
Did this incident impact others?
The incident did impact others around me, including my mom and my sister. Since the scam was disguised as an international event invitation, they encouraged me to bring my family to the occasion as well. So, they had their details stolen too. That hurt. It still does. Nothing has come from them stealing my information. Not yet at least. For that, I’m grateful. However, there are strangers with my personal information and my family’s information, which is deeply unsettling.
Did you contact the authorities?
I didn’t reach out to anyone because I was deeply embarrassed. In my head, it wasn’t criminal on their part—it was stupidity on my part. Also, I didn’t lose any money, just copies of my personal data.
In your words, why do you think you were targeted?
I’ve made many assumptions since this happened, but I’m still not sure why. Since the hackers also targeted Nidhi Razdan, one possibility is they could be targeting vocal women in the Indian political space. That leads me to believe domestic hackers could have targeted me. But then, others think this attack could have been from China-backed hackers or Russia-backed hackers. Who can tell? That is the scariest bit about cyberwar. It is often difficult to figure out who launched a cyberattack and why.
What was the most concerning aspect of this hack?
The fact that it was so sophisticated. No, this wasn’t a typical “click on this link” email. Multiple people were involved. Each actor created believable online presences for numerous different personas. They even pretended to be UN employees, convincingly too. To give you a sense of how sophisticated these hackers are, they also targeted Indian journalist Nidhi Razdan. That hack gained massive media traction.
How much did you know about cyberattacks and/or cyberwarfare before the cyberattack occurred?
I didn’t know much at all. I always thought it was about older people clicking on links and getting fooled by chain emails. I didn’t dive into the topic of cyberattacks and cyberwarfare until much later. I wish I had started earlier. I wish I knew that digital attacks not only target individuals but also nation-states.
Has the experience made you change your online habits?
To me, the Internet has always been a space for connection. It was designed to make the world run smoother—look at online banking, food deliveries, community crowdfunding, and digital petitions. But after that experience, I recognized that the Internet can indeed be a weapon. Now, I take cyber hygiene a lot more seriously, such as regularly updating software and creating strong passwords.
What would you tell people unaware of the threat of cyberattacks and cyberwarfare?
It is very real. Even though the attack is not physical, it is still an attack. It is violent in its own right. The impact can last a lifetime.
What message would you like to provide for others who have been impacted by cyberattacks?
That you are not alone. You are not stupid. This is what the future of attacks will look like, and our stories are important to normalize the conversation around it. We need to speak up—it’s the only way to bring the structural change we need to address the dangers of cyberattacks.
Thank you for your time.