Like diplomacy, cyber-attacks, too, can be a continuation of war by other means. With tensions on the border with China still simmering and also many fraudsters seeking to take advantage of the widespread coronavirus-induced anxiety, there seems to be an increased threat perception of cyber-attacks against India.


A few weeks ago, banks such as SBI and ICICI Bank started warning their account holders of an imminent cyber-attack. This was on the basis of an advisory from the Indian Computer Emergency Response Team (CERT-In) that cyber-criminals are planning to send malicious emails claiming to be from the government — promising free and mandatory Covid-19 testing.


Thankfully, this expected phishing attack does not seem to have happened, so far. But that does not mean we can let our guard down.

Financial cyber-crime has become a real-and-present danger with the increasing adoption of online banking, mobile banking, fintech apps, and credit and debit cards in the country.

Every other day, there is news about some financial cyber-fraud. A few days back, senior financial journalist Tamal Bandyopadhyay was defrauded by a caller who led him to enter his OTP (one-time password) on a spoof Paytm website on the pretext of completing his KYC (know-your-customer) process.


From the simple to the sophisticated, cyber-criminals employ a range of tools to commit financial fraud.

These conmen are an ingenious lot, always on the look-out for vulnerabilities and ways to exploit them.

Things have got worse with the pandemic. In a world disrupted by Covid-19, financial fraudsters are on the prowl, preying on the many rendered emotionally and financially vulnerable. The fraudsters are employing many methods — some new and some time-tested. They are also quick, using day-to-day developments.


For instance, after the RBI announced an EMI moratorium on loans, some borrowers got calls asking for OTPs to process the EMI deferment.

Tricksters were trying to get OTPs on fraudulent transactions to siphon money from borrowers’ accounts.

Then, there were cases of many fake UPI IDs seeking donations to the PM CARES Fund set up by the government to provide relief to persons affected by the coronavirus. (The SBI clarified that pmcares@sbi is the correct UPI ID.)

These are not the only instances. Reports say globally, and in India, conmen are employing a variety of ruses — pretending to offer access to government benefits; offering refunds on travel and hotel booking cancellations; asking for money to treat a loved one who is in a distant place; seeking donations; using fake websites/apps to offer coronavirus-related information; sending emails/messages supposedly from organisations such as the World Health Organization (WHO), government agencies and reputed corporates; offering medical products, purported cures and vaccines; and dangling offers including free subscription to platforms such as Netflix.

(Image caption: A fraud KYC message sent to Paytm customers)

The game plan is to make you part with your money directly; to make you part with information such as personal details, banking and credit card information, passwords and OTPs; or to install malware on your electronic devices and use that to siphon your money.

J Kesavardhanan, founder and CEO of IT security firm K7 Computing, says: “Many individuals are working from home without the protection of enterprise IT infrastructure, but are still accessing enterprise data and networks. This is also an opportunity that hackers are keen to exploit.

“We have recorded a 260 per cent increase in cyber-attacks since the lockdown began, which illustrates how threat actors are rushing to take advantage of the current situation.”

Be alert and on your guard.

Some precautionary steps on your part, along with tightening of security measures by the RBI, should help keep many of these fraudsters at bay. Here are some major tricks conmen deploy and how you can fend off their attacks.

Identity theft


What’s it: The fraudster masquerades as the victim to commit financial fraud.

This is generally the first step in the cyber-criminal’s scheme, and involves getting hold of potential targets’ personal details such as names, addresses, dates of birth, phone numbers, PAN and Aadhaar numbers. These details are used to commit identity theft.

How’s it done: Identity theft is done in many ways. The fraudster could install malware on, or hack into, the electronic devices and websites the victim uses; shoulder-surf; gather personal data through fake websites; divert mail; collect discarded paperwork; and so on.

Social engineering — befriending the victim or someone close to him to pry out information — is also used to commit identity theft.

The conman could use this information to create fake documents, open accounts, or get loans using the victim’s identity. Such information could also be used to convince the victim about the conman’s credentials while extracting other confidential data.

How to avoid: Be careful about what you disclose about yourself, whether in the real world or on social media. Share personal information discreetly and only on a need-to-know basis.

Update your electronic appliances with the latest anti-hacking and anti-virus protection. Keep passwords strong with a combination of alpha-numeric and special characters, and change them at regular intervals.

Input personal information into your devices discreetly. Avoid public computers and networks for financial transactions.

Despite precautions, there is a risk of personal details going into the wrong hands, given that we often have to share this information for many purposes including getting basic services.

So, it’s critical to safeguard information of a confidential nature that’s known only to you and that’s needed to complete financial transactions. This can prevent frauds such as phishing, vishing and smishing.

Phishing, vishing, smishing


What’s it: In phishing, conmen ‘fish’ or ‘phish’ (seek to extract) for your confidential information such as passwords, personal identification number (PIN), card verification value (CVV) and OTP.

Phishing happens over email, and is one of the most widely used tricks.

Vishing is short for ‘voice phishing’ and SMShing (also called smishing) is phishing through SMS. In vishing, the conman tries to extract your confidential information over the phone, while in smishing, he attempts to trick you via phone messages.

How’s it done: In phishing, a genuine-looking email preys upon your kindness, need, greed or fear. So, the bait in the email could be an appeal to donate to, say, Covid-related causes, get relief you may be eligible for, collect a refund, lottery prize or some such. Or it could be a purported message from your bank, the RBI or a fintech provider seeking verification of details to keep your account or card active.

These phishing emails could ask you to respond with your confidential information, or to click on links or open attachments and enter the details there.

Clicking on the link takes you to another website that looks just like your bank’s or the RBI’s or the fintech provider’s — this is called website spoofing.

The information entered here is captured by the fraudster.

These links or attachments could also install malware into your electronic device which may, among other things, capture your keystrokes (called keylogging) or open fake overlay login pages, leaving you exposed.

In vishing, the trickster on the phone line claims to be calling from the bank or some such product or service provider. The ruse is similar to phishing.

Similarly, in smishing, messages supposedly from your bank or other entities ask you to respond with confidential information. Some messages may carry links or phone numbers that you are goaded to click or call.

How to avoid: Rule No 1: Never share your confidential details such as passwords, PIN, CVV and OTP with anyone. Be on the alert. Your bank, fintech provider, card company or the RBI will never ask for such information.

Rule No 2: Never forget Rule No 1.

Keep off links or attachments that come from unknown sources. Report such emails to your bank, fintech or card provider.

Check the security settings of websites before doing financial transactions. Transact on secure websites starting with https (as against http). A lock icon on the browser also indicates a secure site. Also, look for tell-tale signs of fraud such as typos and errors in email id and the message.

A virtual keyboard for online transactions is a good idea — it lets you enter details with a mouse instead of typing them on a keyboard, and can prevent cyber-criminals from capturing keystrokes. Besides, it is smart to use a tokenised card. Through this, actual card details are replaced with an alternative code, called the token, for online transactions.

Also, reduce vulnerability to malware by using genuine software and shielding your electronic devices with strong, updated anti-virus protection.

The RBI has tightened the security around most electronic financial transactions by insisting on ‘two-factor authentication’. So, you have to enter your PIN to complete most offline (physical) transactions, or you have to enter the OTP sent to your mobile number to complete an online transaction.

This confidential information is known only to you.

Don’t share it with anyone.

Skimming


What’s it: Fraudsters skim your credit/debit card to get its details. This data is used to put through unauthorised financial transactions, along with confidential information extracted from you.

How’s it done: Skimmer devices stealthily installed in ATMs or card-reading machines in physical stores capture data on the cards. Unscrupulous store personnel could also note down details surreptitiously.

This can then be used for fraudulent online transactions, using the second-factor authorisation obtained through phishing, vishing or smishing.

Until chip-based EMV (Europay, MasterCard and Visa) cards were made mandatory, skimmed data could have been used to make clone cards for physical transactions, too.

But with data encrypted in EMV cards, cloning cards may not be possible.

How to avoid: Check for hidden cameras or devices at ATM enclosures.

Enter your PIN discreetly at ATMs or at physical stores. Look for oddly positioned or shaky card-insertion slots at ATMs. Avoid such ATMs.

Sign on the reverse of your card, memorise the CVV number and scratch it off. At physical stores, don’t let the card be taken out of your sight.

Many stores these days have mobile card readers; ask them to be brought to you to input the PIN.

As always, never reveal your confidential data such as OTPs. Skimmed data may not be of use without this second-factor authorisation.

From March 16, 2020, cards can be enabled or disabled for different kinds of transactions based on your usage pattern or risk appetite.

Besides, you can set/modify transaction limits. This will help limit damage in case there is a fraudulent transaction on your card.

Mobile banking fraud


What’s it: The use of mobile banking apps has been growing fast, and so have frauds in this space. These include fake apps, SIM swaps and malware. Phishing, vishing and smishing attacks can happen over mobile banking, too.

How’s it done: Fake apps with the same user interface as the original application steal the user’s confidential information. In a SIM swap, the conman replaces your registered mobile number’s SIM card with his own, receives the confidential messages meant for you, and puts through financial transactions.

It’s a two-step fraud — extraction of personal information followed by impersonation. The fraudster uses the personal information to create a fake ID, impersonates you, cancels your genuine SIM card and gets a duplicate SIM card from the mobile operator.

How to avoid: The risk of fake apps can be reduced by downloading apps only from genuine sources such as Google Play and Apple App Store, and not tampering with the security settings of the mobile phone.

Avoid malware by staying away from unknown links and keeping the protection systems up-to-date. Never share confidential information. Be alert about your mobile phone connection. If it stops for unknown reasons, check with your mobile operator immediately and notify your bank as well.

Register for both SMS and email alerts for financial transactions. This can alert you to any hanky-panky over email even if your SIM card has been compromised.

Use password protection on your phone and on your banking app, if available. Do not store confidential data such as passwords or PIN on your phone. If you lose your phone, inform your mobile operator and bank immediately to prevent misuse.

UPI fraud


What’s it: UPI (Unified Payments Interface) is a real-time money transfer system used through mobile apps. Apps that provide the UPI feature include BHIM, Paytm, Google Pay and PhonePe.

UPI transactions, being quick and convenient, are seeing increased adoption. But they are also attracting scamsters trying to get your MPIN (mobile banking PIN) to defraud you.

How’s it done: In UPI fraud, fraudsters could ask victims to click on links, accept ‘collect request’ received over text messages and enter UPI MPIN.

Fraudsters could also ask you to share card details, text messages and the UPI registration OTP, and use this data to create a new virtual payment address (VPA) ID and set an MPIN. They could also open fake UPI IDs and goad you to donate to these.

How to avoid: Never share your UPI MPIN. UPI MPINs are not needed to receive money; they are needed if you want to pay money. Don’t click unknown links and do not forward suspicious SMS. Verify a UPI ID for its genuineness before making a payment.

Other tricks

Be aware of and safeguard against other tricks, too.

In juice jacking, fraudsters transfer malware to your phone or copy data using a chip embedded in public charging spots. Avoid using public charging stations such as at airports or railway stations. Carry your charging adapter or power bank.

In remote assistance fraud, tricksters ask you to install desktop/system-sharing apps such as AnyDesk or TeamViewer. This gives them access to your devices. Do not install such software and do not let anyone access your electronic devices remotely.

Ransomware locks you out of your electronic device or data, and the conman demands ransom money to give you access back to it. Malware installed on your system could encrypt your data or lock your device, and you could be asked to pay up, usually in cryptocurrency, to get the data decrypted and gain access again. Protect your devices with the latest protection solutions.

Don’t install apps or software unless they are from credible sources. Back up your files on external hard drives.

Keep yourself updated about new tricks that conmen regularly come up with, and take protective steps.

A couple of days back, there were reports that fraudsters recently managed to open a fake SBI branch in Panruti, Tamil Nadu and run it for three months before they were busted. This might be a rare case. Even so, it's a good idea to check the genuineness of a bank branch before transacting. This can be done through the 'branch locator' option available on bank portals or by checking with their call centers.

Cheated? Here’s what to do

What should you do if you have become the victim of an unauthorised electronic banking transaction? First, limit your damage quickly. Notify your bank immediately.

As per RBI rules, if the fraudulent transaction happened due to your negligence, that is, because you shared your password, PIN, OTP, etc, you will have to bear the loss until you report it to your bank.

If the fraudulent transactions continue even after you have informed the bank, your bank will have to reimburse those amounts.

If you delay the reporting, your loss will increase, and your liability will be decided based on the RBI guidelines and the policy approved by your bank’s board. If your grievance is not resolved at the bank level, or if you are not satisfied with the resolution, you can take up the matter with the banking ombudsman and thereafter with the appellate authority.

You can also go to court.

There are similar rules on the limits on customer liability in case of unauthorised electronic payment transactions in prepaid payment instruments issued by non-banks. An ombudsman for digital transactions conducted through non-banking entities has also been set up.

In any case, if you have been defrauded, file a complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in) and file an FIR with the police.

Key safeguards

• Never share confidential data such as OTP, CVV, PIN, UPI MPIN and passwords
• Register for both SMS and e-mail alerts for financial transactions, and check these alerts
• Do not click suspicious links or open suspicious attachments
• Do not click links or open e-mail attachments sent by unknown persons
• Do not enable macros by default
• Transact on websites with URLs starting with https (as against http) and showing a padlock icon
• Share personal information with others only on a need-to-know basis
• Buy genuine software
• Update electronic devices with the latest anti-hacking and anti-virus protection
• Use strong passwords and change them regularly
• Use a virtual keyboard and virtual cards for online transactions
• Check for hidden cameras or devices at ATM enclosures
• Enter your PIN discreetly at ATMs or at physical stores
• Sign on your debit and credit cards; memorise the CVV and scratch it out
• Download mobile apps from genuine sources
• Do not tamper with the security settings of your mobile phone
• Be wary of emails from organisations such as WHO; visit their official websites for updates
• Be wary of emails/messages with spelling mistakes or grammatical errors
• Be wary of emails in which the sender’s email address does not match the display name
• Be wary of emails/messages that tell you to act urgently or reply immediately
• Remember, UPI MPINs are not needed to receive money; they are needed only for paying money
• Do not forward suspicious SMSes
• If your mobile phone service stops for unknown reasons, inform your operator and bank immediately
• Avoid using public charging stations such as those at airports; carry your charging adapter or power bank
• Avoid public computers for financial transactions
• Avoid using unsecured Wi-Fi
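The tell-tale signs listed above (a display name that does not match the sender's domain, plain-http links, urgency, requests for OTP/PIN/CVV, spelling mistakes) can be checked mechanically. The script below is an added example, not part of the article or of any bank's systems; the brand-to-domain allowlist, the typo list and the three sample messages are all constructed placeholders.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand -> genuine-domain allowlist. The domains are placeholders;
# a real filter would carry each institution's actual domains.
KNOWN_DOMAINS = {"sbi": {"sbi.example"}, "paytm": {"paytm.example"}}
URGENCY = ("urgent", "immediately", "within 24 hours", "act now", "will be blocked")
SECRETS = ("otp", "cvv", "pin", "mpin", "password")
TYPOS = ("acount", "recieve", "verfiy", "securty")  # constructed misspelling list

# Constructed sample messages (not from the article), as a mail or SMS client shows them.
SAMPLES = [
    {"from": '"SBI Customer Care" <alerts@sbi-kyc-update.xyz>',
     "subject": "URGENT: complete your KYC within 24 hours",
     "body": "Your acount will be blocked. Click http://sbi-kyc-update.xyz/verify and enter OTP."},
    {"from": '"Paytm KYC" <kyc@paytm.example>',
     "subject": "KYC pending",
     "body": "Dear customer, call +91-XXXXXXXXXX and share the OTP to finish KYC."},
    {"from": '"Colleague" <colleague@example.org>',
     "subject": "Lunch next week?",
     "body": "Are you free on Tuesday? https://example.org/calendar"},
]

def warning_signs(msg):
    """Return the article's tell-tale signs of fraud found in one message ([] = none)."""
    signs = []
    name, addr = parseaddr(msg["from"])
    text = f'{name} {msg["subject"]} {msg["body"]}'.lower()
    links = re.findall(r"https?://[^\s<>\"']+", msg["body"])
    domains = {addr.rpartition("@")[2].lower()}
    domains |= {(urlparse(u).hostname or "").lower() for u in links}
    # 1. A brand is invoked, but the sender or a link uses a domain that brand does not own
    for brand, genuine in KNOWN_DOMAINS.items():
        for d in sorted(domains):
            if brand in text and d and not any(d == g or d.endswith("." + g) for g in genuine):
                signs.append(f"mentions {brand} but uses {d}")
    # 2. Plain-http links: the page that opens will show no lock icon
    signs += [f"non-https link {u}" for u in links if urlparse(u).scheme == "http"]
    # 3. Pressure to act immediately
    if any(w in text for w in URGENCY):
        signs.append("urgency pressure")
    # 4. Asks for data a bank, card company or the RBI never asks for
    asked = [s for s in SECRETS if re.search(rf"\b{s}\b", text)]
    if asked:
        signs.append("asks for " + ", ".join(asked))
    # 5. Spelling mistakes
    found = [t for t in TYPOS if t in text]
    if found:
        signs.append("spelling mistakes: " + ", ".join(found))
    return signs
```

Note that the second sample comes from an allowlisted domain and still gets flagged: a request for the OTP is a warning sign on its own, whoever the sender appears to be.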