Whenever a fraudulent withdrawal occurs on a Bank account, it is a common practice for the Bank to allege that there was a phishing mail which the customer answered and therefore he has compromised the access credentials to the account and responsible for the unauthorized access and the consequential loss.
The limited liability circular of RBI also limits the protection under the automatic zero/limited liability on reporting of a disputed transaction within the specified time only to cases where there are no “Proof” of the customer sharing the payment credentials. In such cases the scope of the circular is limited to the debits that occur after the reporting. The “Burden of Proof” of sharing of payment credentials have to be provided by the Bank.
In a practical situation it so happens that when an incident of fraudulent withdrawal is noticed, the customer is under a panic situation. He first calls the Bank to tell them that he is either not able to access the account or the balance in the account is less than what it should be.
In such cases, the complaint is registered and a number is allocated which needs to be kept safely as evidence of reporting (Naavi has suggested using the service of CEAC for sending such notices to bring a trusted third party evidence into the equation).
Normally in the subsequent discussions, the Bank will advise the customer to file a Police complaint and follow the incident with the Police as a crime against the customer.
The Bank in the course of the conversation may also ask “Have you received any mail recently from the Bank asking for your password? ” or “Did you give your OTP to any body” etc.
If the customer has received a mail which we normally refer to as the “Phishing Mail” or a “Vishing Call”, he will say he has received. Some of such customers may say that they had received such communication but they did not respond.
This conversation is normally recorded by the Bank but not the customer. Hence the evidence of this conversation is available with the Bank but not the customer.
The customer often goes to the Police and files a complaint making the unknown fraudster as suggested by the Bank as the accused and does not include the Bank as the main accused or as a person who has abetted the crime.
We have recently come across an allegation by a customer that the Bank asked him to delete the phishing e-mail and he deleted it. Later in the judicial proceedings it has become an evidentiary requirement.
During the proceedings in the Court, the Bank may simply deny that it has asked the customer to delete the mail and the customer will be left high and dry to prove that he is speaking the truth.
As a general warning to the Bank customers who may be victims of frauds, I would like to therefore request that they should not delete the phishing e-mail. It is a potential evidence of an attempted crime even when no loss occurs and is actually the evidence of crime if the fraud happens. Deletion is removal of evidence and is punishable under Section 65 of ITA 2000/8 and Section 204 of IPC.
If the bank suggests this, the bank is guilty of destruction of evidence or an attempt to fraudulently mislead the customer to commit such an offence.
Further the Customer should request the Bank to produce the recording of the conversation to prove or disprove whether there was such a phishing e-mail etc. Bank is bound to provide such evidence or shall admit that it itself is liable for destruction of evidence since the recording itself is an evidence.
Customer should insist that the Bank produces the recording as a Section 65B (IEA) certified evidence as otherwise there is a possibility of tampered evidence being produced.
Further even when the Limited Liability Circular fails to protect the customer, it does not foreclose the legal options of recovery which is through Adjudication where the customer may still hope for a remedy even in case of the so called phishing.
This is for the general information of the public.
Naavi
Your points are quite valid. In practical situations, customers will normally obey the bank’s words (even if the bank official is not so tech-savvy as the customer himself too) and delete the mail or take any other action as suggested. Your point should be given very wide publicity and public should be made aware of it.
Regards, V Rajendran