Digital payments provide mobility to our money and comfort to us. At the same time, money stored in the form of digital payments or online payment mechanisms is also vulnerable to sophisticated social engineering and cyber crime attacks. Phishing attacks are one such form of cyber attack that targets innocent people and makes them disclose sensitive information and details. These details include passwords, PINs, one-time passwords (OTPs), etc., and once these details are obtained, withdrawing money from credit cards or online banking is very easy.
We at Perry4Law Organisation (P4LO) and Resolve Without Litigation (RWL) are frequently approached regarding credit card fraud and cyber crime related issues. We are presently dealing with cases of credit card fraud at State Bank of India (SBI) and a phishing attack involving an income tax refund. Through this post I am trying to raise some public awareness about the increasing menace of phishing in India.
Phishing is a popular method of social engineering in which cyber criminals use their persuasive power to trap gullible people and make them disclose the information that is crucial for withdrawal of money. For instance, once a PIN or password is known, it is a piece of cake to withdraw money. In this post I will confine myself to the phishing attack case, as PTLB is handling the credit card fraud case.
It all started when TLCEODRI, an alert administrator of RWL India, caught the suspicious phishing attack at an early stage of its execution on 03-01-2018. However, no action was taken by the user till 05-01-2018, and on that date the cyber criminal tried to withdraw Rs. 20,000. But the alert customer had already blocked access to her Airtel money account and this saved her money. The ticket was created on 05-01-2018 and we are pursuing the case with the Income Tax Department, Revenue Department, Financial Intelligence Unit (FIU), etc., at the time of writing this article.
I gave the following interim suggestions in the meanwhile to safeguard her interest in the best possible manner:
(1) Block all payments from all banks that are involved till you give further instructions to such banks,
(2) Change PIN/Password of all ATM/Debit/Credit cards immediately,
(3) Deactivate all Aadhaar payment systems, if any, temporarily,
(4) Most important, do not share any OTP sent to your mobile phone, and
(5) Register a mobile with your bank account(s) for record of debit/credit transactions.
Thereafter, we were informed that the cyber criminals are using e-mail spoofing by giving the address noreply (at)incometaxindiaefiling (dot)com. But once clicked, it takes you to a private domain name. This is what I suspected in the first instance, and that is why I requested the sender’s e-mail id once the reply button is clicked.
I also believe that the cyber criminals must have persuaded the victim to click on the web link purporting to be from the Income Tax Department’s website. Once clicked by the victim, it took the victim to an identical or fake website or webpage that is a clever and close imitation of the original website. Victims generally do not pay much attention, take the fake website to be real and submit all the information. This is how the password, PIN, etc., were stolen from the victim in the present case. Nevertheless, the final step of getting the OTP from the victim was still to be executed.
But what is interesting is the statement that the cyber criminals are trying to hack the mobile of the phishing victim. This is natural as well, as the OTP that would be sent to the registered mobile number is the last defense for her, and once that is compromised, money can be withdrawn easily. I reiterated the suggestion of not sharing the OTP with anybody.
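The two warning signs described above, a reply address and a web link that lead to a private domain rather than the one displayed, can be checked mechanically. The following is an added example, not part of the original post; the message, the addresses and the `.example` domains are constructed placeholders, and `phishing_signals` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: every address and domain is a placeholder.
SAMPLE = """\
From: Tax Refund <noreply@taxdept.example>
Reply-To: refunds@private-host.example
Subject: Your income tax refund is ready
Content-Type: text/html; charset="utf-8"

<p>Claim your refund here:
<a href="http://taxdept.example.private-host.example/login">https://taxdept.example/refund</a></p>
"""

def domain_of(header):
    """Lowercased domain of an address header, or '' if missing/malformed."""
    addr = parseaddr(header or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def same_site(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def phishing_signals(raw):
    """Return mismatches between the displayed sender and where the mail leads."""
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    findings = []
    reply = domain_of(msg["Reply-To"])
    if reply and not same_site(reply, claimed):
        findings.append(f"Reply-To domain {reply} differs from From domain {claimed}")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
            host = urlparse(href).hostname
            if not same_site(host, claimed):
                findings.append(f"link host {host} is outside From domain {claimed}")
            shown = urlparse(text.strip()).hostname
            if shown and shown != host:
                findings.append(f"link text shows {shown} but goes to {host}")
    return findings

if __name__ == "__main__":
    for finding in phishing_signals(SAMPLE):
        print(finding)
```

The check trusts the `From` header only as the claimed identity, so it flags where a message leads, not whether the sender address itself is forged.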
Update 1: She received the second phishing e-mail with a different amount from the cyber criminals.
Update 2: She received 3 SMS notifications from Idea AD-Verify as the cyber criminals are trying everything to get the money. They even tried to install malware on her phone to steal the OTP necessary for completion of the online transactions.
At the time of writing this article, no communication from the government departments has been received, and I will update this post as soon as I get some information.
Update 1: We received an e-mail from Web Manager, Income Tax Department. He guided the tax payer to contact her Ward/Circle Jurisdictional Assessing Officer. We also added the e-mail id suggested by the Web Manager and included the Jurisdictional Assessing Officer in the communication/ticket. Any further response would be updated here and at my Twitter handle.
But what if, after becoming a victim of a phishing attack, the money is already withdrawn? For such victims, PTLB has already shared a very good article mentioning the legal rights and obligations of bank customers in such cases. The article covers not only phishing attacks and cyber crimes but also the liability of banks for not managing a robust and resilient cyber security infrastructure. So if a bank customer can prove that the bank failed to ensure robust privacy and data protection or cyber security, banks would be liable for all monetary losses.
I wish to discuss another related issue. What if such an event happens with any account linked to Aadhaar, or such a cyber crime happens due to Aadhaar? Well, the answer to this question is simple. Aadhaar or no Aadhaar, the liability of the bank remains the same. The Aadhaar Act, 2016 has in no way changed this position. So do not be fooled into thinking that for Aadhaar frauds and thefts you have no remedy. See this tweet of Praveen Dalal in this regard.
Be an informed customer and enforce your rights against banks, financial institutions, etc. If nobody is listening to you, we would love to help you. All you are required to do is to create a ticket at the platform of RWL India. But we have some conditions regarding Aadhaar for people who have not complied with our forms submission deadlines. Just keep that in mind and also see how we can best help you in your disputes and grievances. Once that is done, you can consider us as your friend and we would agitate on your behalf.