December 5, 2008
A Mumbai-based lawyer, Manjiri Kulkarni, became a victim of an online fraud around nine months ago. She received an email from 'her bank', saying that since they were installing new servers, her details needed to be updated. The mail also warned that in case she failed to respond, her net banking facility would be deactivated.
Kulkarni provided all the details asked, including her PAN card and driving licence numbers, addresses and date of birth. A month later, she found that Rs 96,000 was missing from her account. When Kulkarni contacted her bank, she realised that she had been a victim of phishing.
"Almost 80 per cent of online banking frauds occur through phishing after customers give their details on receiving dubious emails," said Jayapradha Bharathan, IT officer at Punjab National Bank [Get Quote]. The bank had faced a similar fraud last week when a group of hackers siphoned off Rs 1.66 crore (Rs 16.6 million) from a Noida-based businessman's account.
Types of frauds
Phishing: Here, when a customer clicks on the website address in the email, s/he is taken to a webpage that appears similar to the bank's net banking website. The user is then asked to provide details such as account number, username, password, credit card or debit card number and other personal details. Hackers use this information to transfer money to bogus bank accounts.
Vishing: In this case, the victim gets a phone call in which an automated recording says that an illegal transaction has taken place on his/her credit card and that the user should call a given number. When the cardholder calls back, a computer-generated voice tells him/her to verify the account with details such as the 16-digit credit card number. A customer-care executive attends to the call and asks for more details, pretending to assist the person in blocking the account.
Avoid phishing and vishing
- Never give out passwords, PIN and other personal details to anyone or any website
- Never respond to emails that request personal information
- When you access your netbanking facility, check for security certificates
- Change your password often
- Do not access netbanking or do online shopping in cyber cafes
- While shopping online, buy only from websites you trust
- Pay using credit card for online transactions
Dos and don'ts
Security experts say the first rule to avoid falling into a hacker's trap is to never give out passwords, PIN and other personal details to anyone or any website. Never respond to emails that seek personal information.
When you access your net-banking facility, check for security certificates. On the bottom right-hand side of the page, on the status bar, there will be an icon, usually yellow in colour, that looks like a lock. This is called the padlock. If you double-click on it, you will get information on the security certificate. In a forged site, this icon is absent.
Of late, banks have been providing a virtual keyboard too. This helps prevent software from storing the information that you would otherwise type using the keyboard.
Change your password often.
Do not access net-banking or do online shopping in cyber cafes as these places may have software that can track your activity.
While shopping online, buy from websites you trust. If it is a new website, research the company's history before making a transaction. Give your credit card number only if you are making a purchase, never to verify your identity.
Pay using credit card for online transactions. Avoid payment through net banking.
What if you are a victim?
Though prevention is better than cure, if you have fallen prey to online fraud, there isn't much you can do.
"Banks do not take responsibility for a loss that occurs due to negligence on the part of the customer," said a senior official with a private bank on condition of anonymity. To top it, registering a complaint of such a fraud can be an excruciating exercise.
For instance, in Kulkarni's case, the bank asked her for a copy of the First Information Report (FIR). The police station close to her area of residence did not register her complaint as, going by the law, they could only take the FIR of a crime occurring in their jurisdiction. Even though she is a lawyer, it took her nine months and regular phone calls to finally get an FIR lodged.
"When a consumer becomes a victim of an online fraud, years may go by before s/he can even lodge a complaint. As per current regulations, neither the bank nor the police can be blamed," said Vijay Mukhi, an e-security expert.
If the victim resides in Delhi but holds a Mumbai account, the police stations in both areas may refuse to register the complaint. The cyber crime cells, which are active in many areas of the country, may not help either, as they do not register FIRs but only take up cases filed at a police station. The law needs to clarify how and where such complaints can be lodged.