How To Safeguard Your Bank Accounts And Money From Phishing Attacks

Digital payments provide mobility to our money and comfort to us. At the same time, money stored in the form of digital payments or online payment mechanisms are also vulnerable to sophisticated social engineering and cyber crime attacks. Phishing attacks are one such form of cyber attacks that target innocent people and make them disclose sensitive information and details. These details include passwords, PIN number, one time password (OTP), etc and once these details are obtained, withdrawing money from credit cards or online banking is very easy.

We at Perry4Law Organisation (P4LO) And Resolve Without Litigation (RWL) are frequently approached regarding credit card frauds and cyber crimes related issues. We are presently dealing with cases of credit card fraud at State Bank of India (SBI) and phishing attack involving income tax refund. Through this post I am trying to raise some public awareness about the increasing menace of phishing in India.

Phishing is a popular method of social engineering in which cyber criminals use their persuasive power to trap gullible people and make them disclose the information that is crucial for withdrawal of money. For instance, once PIN or password is known, it is a piece of cake to withdraw money. In this post I would confine myself to phishing attack case as PTLB is handling the credit card fraud case.

It all started when TLCEODRI, an alert administrator of RWL India, caught the suspicious phishing attack on the early stage of its execution on 03-01-2018. However, action by user was not taken till 05-01-2018 and on that date the cyber criminal tried to withdraw Rs. 20,000. But the alert customer had already blocked the access to her Airtel money account and this saved her money. The ticket was created on 05-01-2018 and we are pursuing the case with Income Tax Department, Revenue Department, Financial Intelligence Unit (FIU), etc at the time of this article.

I gave the following interim suggestions in the meanwhile to safeguard her interest in best possible manner:

(1) Block all payments from all banks that are involved till you give further instructions to such banks,

(2) Change PIN/Password of all ATM/Debit/Credit cards immediately,

(3) Deactivate all Aadhaar payment systems, if any, temporarily,

(4) Most important, do not share any OTP sent to your mobile phone, and

(5) Register a mobile with your bank account(s) for record of debit/credit transactions.

Thereafter, we were informed that the cyber criminals are using e-mail spoofing by giving the address noreply (at)incometaxindiaefiling (dot)com. But once clicked, it takes you to a private domain name. This is what I suspected at the first instance and that is why I requested for the sender’s e-mail id once the reply button is clicked.

I also believe that the cyber criminals must have persuaded the victim to click on the web link purporting to be from Income tax Department’s website. Once clicked by the victim, it took the victim to an identical or fake website or webpage that is a clever and close imitation of the original website. Victims generally do not pay much attention and take the fake website to be real and submit all the information. This is how the password, PIN, etc were stolen from the victim in the present case. Nevertheless the final step of getting the OTP from the victim was still to be executed.

But what is interesting is the statement that the cyber criminals are trying to hack the mobile of phishing victim. This is natural as well as the OTP that would be sent to the registered mobile number is last defense for her and once that is compromised, money can be withdrawn easily. I reiterated the suggestion of not sharing the OTP with anybody.

Update 1: She received the second phishing e-mail with a different amount from the cyber criminals.

Update 2: She received 3 SMS notification from Idea AD-Verify as the cyber criminals are trying everything to get the money. They even tried to install a malware on her phone to steal the OTP necessary for completion of the online transactions.

At the time of writing of this article, no communication from the government departments has been received and I would update about this as soon as I get some information.

Update 1: We received an e-mail from Web Manager, Income Tax Department. He guided the tax payer to contact her Ward/Circle Jurisdictional Assessing Officer. We also added the e-mail id suggested by the Web Manager and included the Jurisdictional Assessing Officer in the communication/ticket. Any further response would be updated here and at my Twitter handle.

But what if after becoming a victim of phishing attack, the money is already withdrawn? For such victims, PTLB has already shared a very good article mentioning the legal rights and obligations of bank customers in such cases. The article covers not only phishing attacks and cyber crimes but also liability of banks for not managing a robust and resilient cyber security infrastructure. So if a bank customer can prove that bank failed to ensure robust privacy and data protection or cyber security, banks would be liable for all monetary losses.

I wish to discuss another related issue. What if such an event happens with any account linked to Aadhaar or such cyber crime happens due to Aadhaar? Well the answer to this question is simple. Aadhaar or no Aadhaar, liability of bank remains same. The Aadhaar Act, 2016 has in no way changed this position. So do not be fooled into thinking that for Aadhaar frauds and thefts you have no remedy. See this tweet of Praveen Dalal in this regard.

Also See: Aadhaar Act, 2016 Does Not Bar A Person To Sue UIDAI Or Private Companies Opines Praveen Dalal.

Be an informed customer and enforce your rights against banks, financial institutions, etc. If nobody is listening to you, we would love to help you. All you are required to do is to create a ticket at the platform of RWL India. But we have some conditions regarding Aadhaar for people who have not complied with our forms submission deadlines. Just keep that is mind and also see how we can best help you in your disputes and grievances. Once that is done, you can consider us as your friend and we would agitate on your behalf.

Advertisements

Case Study: How RWL Platform Was Used To Get Aircel SIM Cards Without Aadhaar

Aadhaar is a well known phenomenon in India where the omnipresence of Aadhaar is considered to be violation of privacy right and other Fundamental Rights by many Indians. The constitutionality of Aadhaar project and Aadhaar Act, 2016 is still pending before the Supreme Court of India. So let us ignore that aspect and move ahead and discuss the case study where RWL platform was used by us and SIMs were activated by Aircel without Aadhaar within 2 days of generating a ticket/notice.

We created a ticket/notice at Online Dispute Resolution and Cyber Arbitration platform and TLCEODRI, one of the administrators of the platform, handled the ticket. He made Aircel, Perry4Law, Department of Telecommunication (DoT) and Shri. Manoj Sinha (Minister, DoT) parties to the dispute resolution process. Once all the parties were added as the stakeholders, he sent a customised notice to the stakeholders with all documents and evidences. Simultaneously many handles of Perry4Law Organisation (P4LO) started discussing the dispute resolution ticket at Twitter.

The Twitter handle of DoT was very quick in responding back and assured us that concerned TSP has been asked to do the needful. Thereafter, prepaid SIMs of Aircel were activated without any demand for Aadhaar.

Now compare this process with traditional litigation, including the one that is currently going on in Supreme Court for many years. Can such a remedy be obtained within 2 years forget about 2 days from courts? Even if such a remedy is possible within 2 days, is it feasible to invoke litigation mechanisms of already overburdened courts with such matters?

We need alternative, effective and timely remedies for various disputes in India and if even the most controversial and technical dispute of Aadhaar can be resolved within 2 days, we certainly needs online dispute resolution (ODR) in India. And this case study of RWL is a proof that this is much required in India especially when it can support Digital India project of Indian government and Indian judiciary.