He is presently working with UTI Bank Ltd in their Cards Risk & Fraud Containment function & also looks after some of the Bank’s new initiatives in eCommerce. Niranjan is a member of the Indian Payment Cards Risk Council and has been a witness to the Security & Fraud control challenges that the Payment Cards Industry faces. He has been keenly involved in various aspects of the Cards Business such as Acceptance & Infrastructure development, Merchant training, Fraud Control and Transactions monitoring.
In the ocean called Internet, they are “Phishing” for you…
“Phishing” is derived from the word “fishing”, and it means luring or enticing an unwary customer of a Banking or Financial Institution to pass on sensitive information pertaining to their account. Scamsters then use this information to siphon off funds or undertake transactions that are billed to the original customer.
How is Phishing carried out?
Let us understand the psyche of the crooks, who want to “phish” out information from their victims. These scamsters want to remain anonymous and they want to perpetrate their crimes remotely. Thus their chosen medium of attacks often remains E-mail and brand spoofing. Let us look at both these Phishing tools, which are often used in conjunction.
An unwary internet banking customer of a financial institution receives an E-mail purportedly from the institution, which warns the customer that their internet banking privileges will be revoked due to a long period of inactivity—unless they confirm their login name, password, date of birth and other “security” details so that the same can be “updated” on the Institution’s server. Tens of lakhs of such e-mails, ostensibly from a reputed financial institution are sent to people at large, hoping to catch some of the legitimate, gullible customers of that financial institution. A database of valid e-mail addresses is separately harvested by the crooks over a period of weeks or months in advance. Such an E-mail contains a clickable URL or a link, which promises to take the Customer to the Internet Banking interface of the Institution.
The moment an unsuspecting customer clicks on such a link, they are taken to what is known as a “spoofed” webpage, which the fraudsters have created. This webpage has the branding & colour-scheme, i.e. feel & look of the genuine institution’s internet interface. The URL or web-link address of such dummy WebPages is created by scamsters on freely available web-hosting servers, and is disguised to appear real. For example, if your bank’s actual internet presence is on the URL www.myownbank.com, the fraudsters would create a webpage in the fashion www.myownbank.net or www.myownbank.org etc.
Customers who submit their actual login details are not aware that these are captured in the background by the fraudsters. Such spoofed websites remain active only for a few hours, until the fraudsters have collected the login & password details of several customers who have taken the bait.
The misusers then log in remotely to such victims’ accounts and transfer funds into an account opened by them using forged documents, or into the accounts of “Mules” recruited by them with the lure of financial rewards, and using social networking skills. The mules are typically university or college students, people in debt, people who have recently lost their job and thus their source of livelihood, or other individuals facing a financial crunch. The middlemen or “mules” may even be paid an advance and are then asked to transfer the funds further through the internet into accounts at other branches, or sometimes even with other banks. This is called layering, which makes it difficult to trace the trail of the financial transactions, since the mules do not know the ultimate destination of the funds. Such funds are then accessed by the fraudsters remotely through ATM/ Debit cards or moved around illegally through money transfer services or hawala channels.
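The check a mail filter or a careful reader can apply to the links in such an e-mail is sketched below. This is an added example, not part of the original article: the host list, the brand label, the function names and the sample e-mail are all constructed for illustration, using the article's www.myownbank.com example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: the bank's only genuine hosts, and its brand label.
TRUSTED_HOSTS = {"www.myownbank.com", "myownbank.com"}
BRAND_LABEL = "myownbank"
# Constructed sample e-mail body (203.0.113.7 is a documentation address).
SAMPLE_EMAIL = """<p>Your internet banking privileges will be revoked.</p>
<a href="http://www.myownbank.net/confirm">Confirm your details</a>
<a href="http://203.0.113.7/login">www.myownbank.com</a>
<a href="https://www.myownbank.com/help">Help</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; also accepts bare 'www.example.com' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def check_link(href, text):
    """Reasons a link looks like brand spoofing (empty list = no finding)."""
    host, reasons = host_of(href), []
    if host in TRUSTED_HOSTS:
        return reasons
    if BRAND_LABEL in host:            # e.g. same name under .net or .org
        reasons.append("brand name on untrusted host")
    # Visible text that itself looks like a host must match the real target.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != host:
        reasons.append("visible text shows a different host")
    return reasons

def scan_email(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling scan_email(SAMPLE_EMAIL) flags the .net lookalike and the link whose visible text names the bank while pointing elsewhere, and leaves the genuine link unflagged.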
The account-holder victims only realize that something is amiss, when they receive their bank statements and see funds transfers that they did not do, or when their cheques are returned for insufficient funds. But by the time corrective action can be applied, the conmen have had enough window of opportunity to do a disappearing act. The other type of victims – the mules are the ones who fall into the police dragnet as links in the e-crime. The main perpetrators are often relaxing tens of thousands of miles away.
Another variant of Phishing attacks credit card holders of various banks. Legitimate customers receive a warning mail ostensibly from their Bank, advising them that a large number of suspicious transactions have been noticed on their credit card, and thus they would be required to confirm their actual card details, including the 3 digit security code (called CVV- Card Verification Value) indent-printed on the signature stripe of the Card. A spoof web link embedded within the mail would then land the cardholder on the spoofed website, where the sensitive information is captured by the fraudsters. Such credit card account information is then used by the fraudsters to order electronic goods, mobile-phones or other expensive items having a resale value, through mail orders or internet orders. Such shipments are asked to be delivered at a mail-drop address and collected by the scammers to be sold in the grey markets – at massive discounts – for cash. Yet another variant of the scam asks the e-commerce merchant to process a refund into another card account- which is then used by the fraudsters at another geographic location in a face-to-face environment, at times with conniving merchants.
A recent disturbing trend of Phishing has emerged. It is called “Vishing” – or Voice Phishing. Somebody appearing to be from your Bank either calls you, or you are asked to dial a number of their “Customer Service” or “Fraud Control” department. A hijacked phone-line then connects the caller to what appears to be the original Bank’s phone-banking unit. The customer hears a prompt to key-in their card number and other details into the Interactive Voice Response mechanism. These pip-tones are captured and converted into tangible information, which is used by criminals to make internet purchases and fraudulent transactions later billed to you.
Criminals also use a totally radical approach when harvesting sensitive financial information. They lure victims into downloading free pornographic material or music/ games etc, and such material is infected with Viruses, Trojans or Spyware (software created with mala fide intentions or to commit crime is called Malware or Crimeware). Some such malware captures your keystrokes when you open certain bank-specific URLs, hoping to catch login & password-related information. One brainy piece of crimeware was discovered to be selectively capturing only 16-digit strings of numbers starting with either a 4 or a 5 (All Visa credit cards start with a “4” and all MasterCard credit cards start with a “5”) whenever entered on the infected PCs.
What are Banks doing about this?
Such instances cost the customers and their banks several crores of rupees every year. These incidents also erode the customers’ confidence in the banking industry – specifically the alternate channels such as internet banking and phone banking that banks are increasingly deploying to offer convenience to their customers and to enhance profits. Banks are therefore reviewing such matters very seriously.
Many banks have engaged security firms that are constantly monitoring the internet for any phishing or spoofed websites. Such websites are taken out and reported. Banks are also using the best possible security software and firewalls to protect their customers’ information that has privacy or account related implications. On the other hand, we as bank customers often neglect taking certain basic precautions and fall prey to frauds.
What can I do to prevent being a victim to such frauds?
There are a number of precautions that you can take to avoid being conned by the e-age scammers. These are:
1. Know that your Bank/ Financial Institution will never ask for updation of your sensitive account information online. Banks employ secure back-up strategies for all their servers holding important customer information, so that there is no question of any banking server failing and causing the bank to lose data that requires you to re-submit the same on the Internet interface of the bank.
2. NEVER click on any link embedded in an e-mail, which takes you to a banking website or a web-page. If at all you need to visit your bank’s website, do so by going to the bank’s home-page.
3. If in doubt, make an outbound call to a known customer service number of your bank and ascertain the details.
4. Use Internet Explorer version 7 (requires you to have a licensed copy of Windows Operating System) or Mozilla Firefox version 184.108.40.206 (free download available from the URL http://www.mozilla.com/en-US/ ) to help avoid falling victim to a spoofed or otherwise dangerous website. These browsers come embedded with technology that helps fight phishing frauds, and will warn you in most cases. You can also install the Netcraft anti-phishing toolbar as an add-on to your regular browser. It is available at the URL http://toolbar.netcraft.com/
5. Please keep your operating system such as Windows XP updated. Microsoft releases security patches every Tuesday for vulnerabilities detected, and critical updates are released as soon as possible. Turn the “Automatic Updates” option for your operating system on (and please use genuine software in the first place).
6. Use a Firewall to safeguard your computer from intrusion. You may visit the URL http://www.firewallguide.com/software.htm for further help & information in choosing the best firewall suitable for your personal needs. Some firewall solutions are free whereas some come at a cost.
7. Use a good anti-virus and anti-spyware software (and keep it updated) to prevent your computer from falling prey to malicious software. Visit the URL http://housecall.trendmicro.com/ for a free online virus-scan of your PC. Similarly, you may download a free anti-spyware called Spybot Search & Destroy (version 1.4). Visit the URL http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1 for downloading a free copy.
8. To check your PC’s vulnerability to various online threats and to make it more secure, you may visit the URL http://securitycheck.symantec.com for a free scan.
9. Do not be enticed by offers of rewards and lotteries that you get in an e-mail. Never respond to any unsolicited or “spam” mail. A response tells the spammers that your e-mail address is active. Never share your e-mail address on the internet without reason.
10. Never give Card/ account related information in an e-mail or post it on any website or forum.
11. If you are an Internet shopper, reserve a low-limit credit card specifically for such purchases, and only buy from reputed, secured websites. Also keep an eye on your statements and report any irregularity to your bank and the law enforcement promptly, if required.
12. Last but not the least – do not be scared unnecessarily. Use the alternate banking channels wisely and with due precautions. After all, one doesn’t stop travelling by road because daily so many people die in road accidents. Be diligent, aware, and patient to stay secure and afloat in the choppy ocean called the Internet.