- Phishers set up a replica page of a known financial institution or a popular shopping website
- Bulk e-mails are sent to users asking for their personal data like account details, passwords etc.
- When the user clicks on the link, the replica of the website opens. Alternatively, while the user is online, a form is presented through an "in-session pop-up"
- Once the form is submitted, the data goes to the phishers, after which the user is redirected to the genuine website
Phishers have refined their technology to launch sophisticated attacks and use advanced social engineering techniques to dupe online banking users.
Phishers use a combination of email phishing, vishing (voice phishing) and smishing (SMS phishing) to get customer details like account no., login ID, login and transaction password, mobile no., address, debit card grid values, credit card no., CVV no., PAN, date of birth, mother's maiden name, passport no., etc.
Scenario 1:
For funds transfer through internet banking, the user needs to add a payee and confirm the registration, using the Unique Reference No. (URN) that is received on the registered mobile no.
Phishers send out an SMS to users informing them that they will receive an SMS with a URN, and that this URN is to be given to the bank employee who will call them. Meanwhile, the phisher adds a payee in the user's account. The user receives the URN from the bank to confirm the registration of the payee. The phisher, posing as a bank employee, contacts the user for the URN. The user does not suspect the caller and gives out the URN, which is misused.
Scenario 2:
The phisher calls phone banking posing as the customer to request for mobile no. change. He then adds a payee for funds transfer. The URN and account transaction details are received on the updated mobile no. and misused. Sporadic incidents have also been reported where phishers get a duplicate SIM issued by the mobile service provider to receive the URN and OTP directly.
Customers ignore intimations about mobile no. change, treating them as Bank notification errors.
Scenario 3:
The phisher calls phone banking posing as the customer to request for address change. He then reports the loss of the card and requests for a fresh card, which reaches the new address and is misused.
Customers ignore intimations about change in account details.
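Scenarios 2 and 3 share one pattern: a contact-detail change (mobile no. or address) followed shortly by a sensitive action (payee addition or card re-issue) whose confirmation now reaches the phisher instead of the customer. The following Python script is an added example of a simple monitoring rule for that pattern; it is not part of this page and does not describe any bank's actual controls. The event log format, account numbers, event names and the 72-hour review window are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed event taxonomy (constructed for this example, not any bank's real schema).
CONTACT_CHANGES = {"MOBILE_CHANGE", "ADDRESS_CHANGE"}
SENSITIVE_ACTIONS = {"PAYEE_ADDED", "CARD_REISSUE"}
# Assumed review window: a sensitive action this soon after a contact change
# is held for confirmation on the customer's *previous* contact details.
REVIEW_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str
    channel: str


@dataclass(frozen=True)
class Alert:
    account: str
    change: str      # the contact-detail change that preceded the action
    action: str      # the sensitive action being flagged
    lag: timedelta   # time between the two
    note: str


def parse_event(line: str) -> Event:
    """Parse one 'ISO-timestamp|account|kind|channel' line (constructed format)."""
    ts, account, kind, channel = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), account, kind, channel)


def find_suspicious(events, window: timedelta = REVIEW_WINDOW):
    """Flag sensitive actions that follow a contact change within `window`."""
    recent_changes = {}   # account -> contact-change events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in CONTACT_CHANGES:
            recent_changes.setdefault(ev.account, []).append(ev)
        elif ev.kind in SENSITIVE_ACTIONS:
            for change in recent_changes.get(ev.account, []):
                lag = ev.ts - change.ts
                if timedelta(0) <= lag <= window:
                    alerts.append(Alert(
                        account=ev.account,
                        change=change.kind,
                        action=ev.kind,
                        lag=lag,
                        note="hold; confirm on pre-change contact details",
                    ))
    return alerts


# Constructed sample log: two accounts show the scenario-2/3 pattern, one had its
# contact change long ago, and one never changed contact details at all.
SAMPLE_LOG = [
    "2024-03-01T10:00:00|ACC1001|MOBILE_CHANGE|PHONE_BANKING",
    "2024-03-01T10:40:00|ACC1001|PAYEE_ADDED|NETBANKING",
    "2024-03-02T09:00:00|ACC2002|ADDRESS_CHANGE|PHONE_BANKING",
    "2024-03-03T15:00:00|ACC2002|CARD_REISSUE|PHONE_BANKING",
    "2024-02-01T09:00:00|ACC3003|MOBILE_CHANGE|BRANCH",
    "2024-03-05T12:00:00|ACC3003|PAYEE_ADDED|NETBANKING",
    "2024-03-05T13:00:00|ACC4004|PAYEE_ADDED|NETBANKING",
]
SAMPLE_EVENTS = [parse_event(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(f"{alert.account}: {alert.action} {alert.lag} after {alert.change} -> {alert.note}")
```

Run as-is, the script flags ACC1001 (payee added 40 minutes after a mobile no. change) and ACC2002 (card re-issue about 30 hours after an address change), and stays silent on the other two accounts. The point of the `note` field is the control the scenarios call for: confirmation of the action must go to the contact details on file *before* the change, since the new ones may belong to the phisher.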
Scenario 4:
The phisher collects the 3D Secure password through sophisticated technology and vishing, and uses it to shop online.
Scenario 5:
Phishers approach customers at offices / residences to fill in survey questionnaires and offer gifts in exchange. These forms contain questions on confidential data.
Scenario 6:
Banks and regulatory bodies like the Reserve Bank of India (RBI) and the Income Tax (I.T.) Dept. are running awareness campaigns on phishing. Phishers now send emails resembling those of Yahoo / rediffmail, shopping sites or regulatory bodies like the RBI / I.T. Dept., asking for confidential data.
Scenario 7:
Phishers send emails with attachments that carry a virus / Trojan. The keyed-in data is captured by the malware and transmitted to the phishers.