How To Safeguard Your Bank Accounts And Money From Phishing Attacks

Digital payments provide mobility to our money and comfort to us. At the same time, money stored in the form of digital payments or online payment mechanisms are also vulnerable to sophisticated social engineering and cyber crime attacks. Phishing attacks are one such form of cyber attacks that target innocent people and make them disclose sensitive information and details. These details include passwords, PIN number, one time password (OTP), etc and once these details are obtained, withdrawing money from credit cards or online banking is very easy.

We at Perry4Law Organisation (P4LO) And Resolve Without Litigation (RWL) are frequently approached regarding credit card frauds and cyber crimes related issues. We are presently dealing with cases of credit card fraud at State Bank of India (SBI) and phishing attack involving income tax refund. Through this post I am trying to raise some public awareness about the increasing menace of phishing in India.

Phishing is a popular method of social engineering in which cyber criminals use their persuasive power to trap gullible people and make them disclose the information that is crucial for withdrawal of money. For instance, once PIN or password is known, it is a piece of cake to withdraw money. In this post I would confine myself to phishing attack case as PTLB is handling the credit card fraud case.

It all started when TLCEODRI, an alert administrator of RWL India, caught the suspicious phishing attack on the early stage of its execution on 03-01-2018. However, action by user was not taken till 05-01-2018 and on that date the cyber criminal tried to withdraw Rs. 20,000. But the alert customer had already blocked the access to her Airtel money account and this saved her money. The ticket was created on 05-01-2018 and we are pursuing the case with Income Tax Department, Revenue Department, Financial Intelligence Unit (FIU), etc at the time of this article.

I gave the following interim suggestions in the meanwhile to safeguard her interest in best possible manner:

(1) Block all payments from all banks that are involved till you give further instructions to such banks,

(2) Change PIN/Password of all ATM/Debit/Credit cards immediately,

(3) Deactivate all Aadhaar payment systems, if any, temporarily,

(4) Most important, do not share any OTP sent to your mobile phone, and

(5) Register a mobile with your bank account(s) for record of debit/credit transactions.

Thereafter, we were informed that the cyber criminals are using e-mail spoofing by giving the address noreply (at)incometaxindiaefiling (dot)com. But once clicked, it takes you to a private domain name. This is what I suspected at the first instance and that is why I requested for the sender’s e-mail id once the reply button is clicked.

I also believe that the cyber criminals must have persuaded the victim to click on the web link purporting to be from Income tax Department’s website. Once clicked by the victim, it took the victim to an identical or fake website or webpage that is a clever and close imitation of the original website. Victims generally do not pay much attention and take the fake website to be real and submit all the information. This is how the password, PIN, etc were stolen from the victim in the present case. Nevertheless the final step of getting the OTP from the victim was still to be executed.

But what is interesting is the statement that the cyber criminals are trying to hack the mobile of phishing victim. This is natural as well as the OTP that would be sent to the registered mobile number is last defense for her and once that is compromised, money can be withdrawn easily. I reiterated the suggestion of not sharing the OTP with anybody.

Update 1: She received the second phishing e-mail with a different amount from the cyber criminals.

Update 2: She received 3 SMS notification from Idea AD-Verify as the cyber criminals are trying everything to get the money. They even tried to install a malware on her phone to steal the OTP necessary for completion of the online transactions.

At the time of writing of this article, no communication from the government departments has been received and I would update about this as soon as I get some information.

Update 1: We received an e-mail from Web Manager, Income Tax Department. He guided the tax payer to contact her Ward/Circle Jurisdictional Assessing Officer. We also added the e-mail id suggested by the Web Manager and included the Jurisdictional Assessing Officer in the communication/ticket. Any further response would be updated here and at my Twitter handle.

But what if after becoming a victim of phishing attack, the money is already withdrawn? For such victims, PTLB has already shared a very good article mentioning the legal rights and obligations of bank customers in such cases. The article covers not only phishing attacks and cyber crimes but also liability of banks for not managing a robust and resilient cyber security infrastructure. So if a bank customer can prove that bank failed to ensure robust privacy and data protection or cyber security, banks would be liable for all monetary losses.

I wish to discuss another related issue. What if such an event happens with any account linked to Aadhaar or such cyber crime happens due to Aadhaar? Well the answer to this question is simple. Aadhaar or no Aadhaar, liability of bank remains same. The Aadhaar Act, 2016 has in no way changed this position. So do not be fooled into thinking that for Aadhaar frauds and thefts you have no remedy. See this tweet of Praveen Dalal in this regard.

Also See: Aadhaar Act, 2016 Does Not Bar A Person To Sue UIDAI Or Private Companies Opines Praveen Dalal.

Be an informed customer and enforce your rights against banks, financial institutions, etc. If nobody is listening to you, we would love to help you. All you are required to do is to create a ticket at the platform of RWL India. But we have some conditions regarding Aadhaar for people who have not complied with our forms submission deadlines. Just keep that is mind and also see how we can best help you in your disputes and grievances. Once that is done, you can consider us as your friend and we would agitate on your behalf.

Advertisements

Credit Card Frauds Are Increasing At SBI And RBI Is Sleeping

Something very absurd is going on in the State Bank of India (SBI) that also within the actual knowledge of none other than Reserve Bank of India (RBI). There is a spate of credit card frauds in SBI and the bank is doing nothing in this regard. SBI is neither refunding back the stolen money nor is it strengthening its cyber security and banking security. This is despite the legal obligations that all banks are required to comply with regarding refund of stole money and establishment of robust cyber security.

So what exactly is going on at SBI? To get the idea, just follow a single discussion at Twitter regarding credit card fraud that is pending for redressal for the last two months. The mere fact that SBI has not been able to resolve the issue for 60 days is self explanatory. Credit card frauds are happening at SBI and neither SBI nor RBI is doing anything about this situation. Bank customers are running from one place to another with no remedy.

If a bank customer has promptly informed the concerned bank branch about any credit card fraud, it is the legal duty of that bank to not only refund the money quickly but also to investigate such credit card fraud. But banks in India, including SBI, are simply harassing the victims in the hope that they would not pursue the matter further. And this is happening as well.

If a victim of banking fraud has no remedy either at the bank level or at the RBI level, he/she can only hope that the government would listen to him/her. But our government not only lacks the will but also the necessary infrastructure to manage such disputes.

We at Perry4Law Organisation (P4LO) are trying to fill this vacuum. We have launched a test online dispute resolution (ODR) platform few years back. If nothing works for a victim, he/she can open a ticket at our platform and we would help him/her in this regard. Just add the relevant documents either at the time of creating the ticket or when we reply back through e-mail and mention about the status of Aadhaar. Once this is done, we would pursue your cause as our own.

As mentioned above, we are currently pursuing one such ticket about credit card fraud that happened about two months back as per the creator of the ticket. We have given sufficient time to SBI to respond back but SBI is engaging in time wasting tactics and next level of action against SBI is needed. That is why we have written this article that would be updated from time to time till the matter is resolved. If SBI continues with its present approach, we would take few more steps and with every such step the accountability and legal obligations of SBI would increase.

We also offered to help SBI to resolve its debit and credit card frauds so that victims can get their money back immediately. However, SBI is not interested in early resolution of disputes for reasons best known to it.

We hope SBI would resolve the issue mentioned in the ticket immediately so that we need not to escalate this issue to next levels.