Phishing

• Phishers sets up a replica page of a known financial institution or a popular shopping website
• Bulk e-mails are sent to users asking for their personal data like account details, passwords etc
• When the user clicks on the link, the replica of the website will open. Or while the user is online, a form will populate through an "in-session pop-up"
• On updation, the data goes to phishers. Post which the user is redirected to the genuine website

Phishers have refined their technology to launch sophisticated attacks and use advanced social engineering techniques to dupe online banking users.

Phishers use a combination of email phishing, vishing (voice phishing) and smishing (SMS phishing) to get customer details like account no., login ID, login and transaction password, mobile no., address, debit card grid values, credit card no., CVV no., PAN, date of birth, mother's maiden name, passport no., etc.

Scenario 1:

For funds transfer through internet banking, the user needs to add a payee and confirm the registration, using the Unique Reference No. (URN) that is received on the registered mobile no.
Phishers send out SMS to users informing them that an SMS will be received with the URN. This is required to be given to the bank employee who will call him. Meanwhile, the phisher adds a payee in the user's account. The user receives the URN from the bank to confirm the registration of the payee. The phisher posing as a bank employee contacts the user for the URN. The user does not suspect the caller and gives out the URN, which is misused.

Scenario 2:

The phisher calls phone banking posing as the customer to request for mobile no. change. He then adds a payee for funds transfer. The URN and account transaction details are received on the updated mobile no. and misused. Sporadic incidents have also been reported where phishers get a duplicate SIM issued by the mobile service provider to receive the URN and OTP directly.
Customers ignore intimations about mobile no. change, as Bank not-errors.

Scenario 3:

The phisher calls phone banking posing as the customer to request for address change. He then reports the loss of the card and requests for a fresh card, which reaches the new address and is misused.
Customers ignore intimations about change in account details.

Scenario 4:

The phisher collects the 3D Secure password through sophisticated technology and vishing to shop online.

Scenario 5:

Phishers approach customers at offices / residences to fill survey questionnaires and offer gifts in exchange. These forms contain question on confidential data.

Scenario 6:

Banks and regulatory bodies like Reserve Bank of India (RBI), Income Tax (I.T) Dept. are publicizing awareness on phishing. Phishers now send emails resembling Yahoo / rediffmail, shopping sites or regulatory bodies, like RBI / I.T. dept., asking for confidential data.

Scenario 7:

Phishers send emails with attachments that carry virus / Trojan. The keyed-in data is captured by the malware and transmitted to phishers.

• Unsolicited emails, calls from strangers or websites asking for confidential banking details
• Messages asking for urgent action due to security reasons
• Links received in emails to access known websites
• To check the actual website, roll the cursor over the link or check for https:// where "s" stands for 'secure site'
• The fraudster may use well known bank's email address, domain name, logo, etc to give an authentic look to the fake email
• Such fake emails will always address you by a generic salutation or address you by "Dear Net Banking Customer" or "Dear Bank Customer". Bank's authentic emails will always address you personally by your name e.g. "Dear Mr. Suresh Kumar"
• Very often, such fake emails are poorly drafted and may have spelling or grammatical mistakes
• Such fake emails will always encourage you to click on to a link to verify or update your confidential account information
• The links embedded in such fake emails may sometimes look authentic but when you move the cursor/pointer over the link, there may be an underlying link/url to a fake website

• Do not open spam mails. Be especially cautious of e-mails that:
  • Come from unrecognized senders.
  • Ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information.
  • Are not personalised.
  • Try to upset you into acting quickly by threatening you with frightening information.
   
• Do not click on links, download files or open attachments in e-mails from unknown senders. Be cautious even if the e-mail appears to come from an enterprise you do business with. It is a good practice to call up the concerned to confirm in case the e-mail is unexpected.
• Communicate personal information only via secure web sites. In fact:
  • When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser's status bar or a "https:" URL whereby the "s" stands for "secure" rather than a "http:".

   

  • Also, check if the website address is correct before conducting online transactions.
   
• Protect your computer by installing effective anti-virus / anti-spyware / personal firewall on your computer / mobile phone and update it regularly.
• Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made.
• Do not disclose details like passwords, debit card grid values, etc. to anyone, even if they claim to be bank employees or on e-mails/links from government bodies like RBI, I.T. Dept., etc
• Type the web address in the browser. Do not use links received in e-mails.
• In case you have used a cyber cafe / shared computer, change your passwords from your own computer.
• Register for e-mail and mobile alerts to check your account regularly.
• Report any fraudulent incident to the Bank / institution on the number mentioned on the Debit / Credit card, bank / credit card statement or official website.
• Do not rely on the name and source in the "From" field of the email address as it may be easily manipulated by the fraudster to a valid email account of bank
• Always access your bank website by typing the URL in the address bar of your browser only
• Always check the authenticity of the software before downloading
• If you get an email asking for personal or credit/debit card information, please do not provide this information no matter how 'genuine' the page appears to be. Such pop-ups are most likely the result of malware infecting your computer. Please take immediate steps to disinfect your device
• Any bank or their representative will never send you emails to get your personal information, password or one time SMS (high security) password. Such e-mails are an attempt to fraudulently withdraw money from your account through Internet Banking

• Forward the original e-mail to us at antiphishing@icicibank.com
• Report the incident with caller's no., date and time of call, etc at our 24-hour Customer Care

• Change the passwords immediately

• Report the incident at our 24-hour Customer Care

• Inform the bank immediately