"Phishing" is one of the most disconcerting
Cyber Crimes that is affecting Indian Banking fraternity at
present. On the one hand Banks are pushing ahead with technology
introduction and Internet Banking has now become a standard
service for all Savings Bank customers in Banks. "Mobile
Banking" is the next technology advancement which is taking
roots.
While Banks are interested in using
technology for business promotion, they have not been equally
keen in investing for better security. As a result every
technology advancement brings in its wake a new series of Cyber
Fraud risks which makes Indian Banking weaker than ever before.
Despite our best efforts, "Phishing" will
remain a major threat for Bank customers in the near future. In
two of the recent Phishing cases that Naavi.org came across, it
was found that the victims were ex-Bankers themselves. What this
indicated was that even persons whom we expect to be
knowledgeable about Banking risks are potential victims of
Phishing. The challenge to make every Bank customer aware of the
Phishing risk is therefore daunting. However, there is no option
but to continue our efforts in this direction.
There have been several articles on
"Phishing" published in Naavi.org earlier including the legal
aspects and technical aspects. The current Phishing Awareness
series of articles is another attempt to fight the Phishing
menace.
I refer to the earlier article on
"How To
Recognize a Phishing Mail". This article tries to discuss
what an ordinary Netizen may do when he receives such a mail to
mitigate any harmful effects of such a mail.
In case the mail is referring to a Bank in
which you donot have an account, the risk is less. However even
in that case it is better to consider the "Trojan Risk"
indicated below. If however you do have an account in the same
Bank, then you have to consider the risk of "Employee Fraud" as
explained below and immediately take some preventive steps. In
case the account is jointly operated ensure that the other users
are also informed of the Phishing mail so that they donot fall
victim to the mail.
Trojan Risk
After recognizing that a mail is a Phishing
mail, the first risk that needs to be countered is the
possibility of a virus or a key logger trojan being planted in
the user's computer. One can examine attachments if any and the
source code of the mail to identify if any self executing virus
is present. It would be better to run an anti virus scan
immediately on the mail folder, delete cache files and at the
earliest scan the computer. The user should also check if his
anti virus is updated and is one of the top three anti virus
products in the market. They can check websites such as
http://anti-virus-software-review.toptenreviews.com/v2/ for
a review of anti virus products. If you intend using your
computer for online banking, it is imperative that you invest in
installing a good anti virus protection in the system.
Employee Fraud Risk
In case you hold an account in the Bank to
which the Phishing mail refers to, then you should consider that
the risks are high and immediate action is called for.
It is presumed that if you are reading this
article, you would not be one of those who will respond to the
Phishing e-mail. Hence we can presume that there is no risk of
direct disclosure.
However, it is considered possible that some
insiders in the Bank who acquire the passwords of the customers
through other means may use the fact of your receiving the
Phishing e-mail as a strong evidence to claim that you must have
answered the mail and disclosed the account details even if you
have not. Normally, immediately after a Phishing complaint, the
Bank will ask a routine question to the customer if they had
received any mail purportedly from the Bank asking you to
respond with your password. An honest customer who has received
the mail will obviously say "Yes.. but I have not responded".
Bank will still contend that "Our security is perfect. You only
should have disclosed the password negligently." There after, it
will be your word against that of the Bank and a long legal
battle to recover your lost money.
In order to meet this "Employee Fraud Risk",
Naavi suggests the following routine and has introduced a
service under CEAC (www.ceac.in).
This service called
CEAC-ITN can be used for all identity theft
instances including the Phishing. An extended service called
CEAC-VPN is also offered which again can be used for Phishing or
any other instance where a Netizen needs to provide a public
disclaimer notice at low cost.
The suggested routine is as follows:
1. Send an e-mail to your Bank in the format
suggested below with copy to
cean.naavi@gmail.com
From: ............ (Name)
Account Number: .....................,
Branch.....................
I hereby give notice that I have received the enclosed
e-mail which I suspect to be an attempt to deceive me into
parting with my password for my Internet Banking access.
The mail was received on ................ at
..................... (time)
I hereby give notice that I have not responded to the
mail and shall not be responsible for any unauthorized
withdrawals from my account attributed to this phishing
attempt.
This notice is being archived with CEAC for records.
|
This will not only be
helpful to prove your innocence later but also protect other
innocent victims. This is because your mail will be considered
as a notice to the Bank under Section 79 of ITA 2008 and if the
Bank does not take appropriate remedial steps, expose them to
liabilities under Section 79/85 of ITA 2008.
2. In case necessary,
strengthen your defense by
(a) Obtaining a
certified copy of your mail from CEAC or
(b) Using the E Mail
forwarding service of CEAC.
(c) Using the CEAC-VPN
service by placing a notice ont he website.
In case you find that your
account has been unauthorisedly debited, file a complaint first
with the Bank and then at the nearest Police Station. Ensure
that your complaint to the Police will note the Bank as the
first accused. Take professional assistance for drafting the
complaint if required.
After filing the Police
complaint and taking an acknowledgement, file an "Adjudication
Application" for recovery in consultation with experts.
Beware of wasting time in
approaching alternate forums though there have been instances of
a) Bank making payment
of the defrauded amount without contest. (Eg: Dwarak Ethiraj
Vs ICICI Bank)
b) Banking Ombudsman
ordering return of money with interest (N.Vidyashankar Vs
Bank of India)
c) Consumer Court
ordering payment of compensation (Nikhil Futan Vs HDFC Bank)
Readers may recall that in
S. Umashankar Vs ICICI Bank, adjudicator of Tamil Nadu has given
a well reasoned judgment which would be helpful in fighting any
other case of similar nature.
For any other
clarification, contact Naavi through e-mail.
Naavi
October 1 2010
