Saturday, November 6, 2010

Indian Banks grappling with online frauds

Of late, I have heard about a number of cases of online fraud in India. I would attribute this trend to two primary reasons: one, the widespread acceptance of online banking in India, and two, the growth of the higher-income-bracket salaried class in India. The fact that it is the latter which has the highest acceptance of online and phone banking as a way of life is adding fuel to the fire. Regular readers will recall the reported sophistication that online fraudsters have attained in their trade.


Recently I came across a case involving Axis; here are a few clips.
To an unsuspecting, non-net-savvy account holder (you won't believe the number out there) this will look like a genuine mail from the bank. Even the email ID is very convincing.

Now if you click on "view", this is what you see (I didn't download it).




I am assuming that after you have given all your details, the downloaded file will connect to some server out of Russia or something, the info will be stolen, and your credit card, bank account, etc. will all be swiped clean.

I obviously was not going to sit quietly and let this happen, so I contacted Advocate Purvi Shah to help me take these guys to task. What she revealed was a shocking state of affairs for banks' online services. She has dealt with many similar cases, and the list of banks being targeted seemed endless. There was a copy of the Axis Bank site, the ICICI Bank site, the SBI site, the Income Tax department's site and what not. She showed me a live example where the mail claimed to be from the Income Tax department about an income tax refund; the amount mentioned was some 3,500 rupees to make it sound convincing. Once you opened the mail, it asked you to click on a link to claim the refund. This action took you to a website which was an exact replica of the Income Tax department's website and asked you to fill in your bank account details for any of the banks listed. I was shocked to see the list. It had some 7 banks listed, including the biggest PSU and private sector banks, and each had a connected site which was an exact replica of the actual bank's website. With such an elaborate scheme, it is very likely that many people are getting defrauded every day.

I asked her what citizens can do about this. The answer is not much, besides maybe reporting to the police, and this being most likely an international operation, it is very difficult for even the police to catch such criminals. For the Income Tax department website case mentioned earlier, she has taken the case up with the Mumbai police's cyber crime branch on her own. However, she thinks there are many cases which do not get reported by internet-savvy customers who, after realizing it to be a fraud, will simply close the browser instead of reporting the case to the proper authorities. At least there is some hope if the authorities keep getting information as soon as possible about such sites.

While this was one aspect of online fraud, in our conversation she revealed many cases where the information was never stolen online. It was in the offline world that the actual fraud occurred; online gateways were only the means of transferring money from your account to other accounts. And if you are a bank customer with an active online banking facility, you are basically on a weak wicket if money is stolen using correct passwords. She revealed cases where allegedly the passwords etc. were provided by close associates of the customer or by bank employees who were hand in glove with the criminals.

These cases raise many questions about the risk management framework in Indian banks, especially the operational risk pillar that the Basel committees have been emphasizing so much. In particular, the gravity of the risk of employees defrauding the customer needs to be appreciated by top management, as it brings with it reputational risks. While banks are trying to balance the need for security with convenience of use for the customer, the growing number of cases should make them more vigilant for the sake of their customers as well as their own. The fact remains that irrespective of what information the criminals possess, they need to go through the real websites/POS machines to get the money out of your bank account/credit cards, and the banks must work out solutions to stop them. The first steps for this are dynamic passwords and issuing only photo cards, along with active mitigation, intelligence and counter-attack strategies. That these websites are still in existence is a failure not only of the police department but of the risk control and mitigation departments of the banks themselves. (Ever heard of a DDoS attack?)

We are lucky to have a very sensible regulator in the RBI, and I am sure in some time the banks' hand will be forced. Let's just hope banks don't wait that long and act now to save their customers the harassment and suffering.

If you come across something like this, please report it to the cyber crime branch of your local police or, if you are not sure what to do, get in touch with Purvi for guidance.