How to survive onslaught of financial frauds
Beware of emails demanding an urgent response; check your account and transaction history regularly
One morning, Saravanan Kumaran (name changed on request), an employee of a leading software firm in Bangalore, received a text message saying money had been debited from his account. As he couldn't open the message, he didn't know the amount debited. At that time, Kumaran didn't have any payment due, nor had he left a transfer instruction. Fortunately, his account balance didn't show any change, something his bank confirmed. Still, his account was flagged for close vigilance for three days.
Luckily for Kumaran, it was a hoax. If the message was opened or if Kumaran had responded to it, it could have allowed transactions or compromised his crucial financial details.
Many have received emails supposedly from the Income Tax Department, informing them of refunds. The mail has a link to send a tax refund request. When clicked, the link takes one to a duplicate tax department website. On selecting the bank for the refund, the page changes to the selected bank's homepage, without a change in the url. At that point, if bank details are keyed in, the account is debited in a jiffy.
Not everyone is aware of these frauds. More important, there are multiple ways of attacking an account. To siphon off money from a bank account, all one requires is the username and password. To secure these details, fraudsters could use an email, a phone call, a text message, a virus (by way of a pornographic video) or dummy cards at automated teller machines (ATMs) or point-of-sale (POS) machines. When one who has received such a mail/call/text message/video tries to open these, his/her details are compromised, says Vijay Mukhi, an information technology and e-security expert.
| TO AVOID FRAUDULENT ATTACK(S) |
- Do not respond to text messages or voice-mails from unknown numbers
- Do not give out personal information in response to an email, a website reached via an external link or a pop-up screen
- Do not respond to emails, text messages or calls requesting personal information on behalf of your bank or RBI
- Never try to open links or attachments within unsolicited emails
- Read website's privacy policy
- Type URL of a merchant or bank website directly into a browser's address bar
- Do not download unless sure of the source
- Never download mobile app(s) from a link sent in a text message
- Fraudsters might threaten to disable bank account or delay services till certain information is provided; do not get pressured
- Contact banks/merchant directly to confirm the authenticity of such requests
- Use comprehensive security software solution to combat attacks
- Review your bank and credit card statements regularly for unauthorised transactions
- If you suspect cybercrime, report to the proper authorities immediately
|
While phishing is undoubtedly the route most used to capture financial information online, its other forms such as smishing, vishing, etc, have created a multiplier effect, says Ritesh Chopra, country sales manager (India and the South Asian Association for Regional Cooperation) at Symantec-Norton. "The rise of mobile applications (apps) usage further provides cybercriminals with myriad opportunities to attack one's information. It is imperative for users to download legitimate apps, be it free or paid. Cybercriminals will also find opportunities on social media, as the usage is set to rise," he adds.
How to identify an attack?
There is no fixed formula to identify attacks. However, you should be wary of emails that demand an urgent response. For instance, some emails appear to come from banks; these say "your bank account transactions have been limited due to suspicious activity. Verify your account immediately to avoid suspension". The majority of such emails request one to follow a weblink that takes you to a fake webpage, as is the case with the fake tax department website. Also, emails might ask one to call a particular number, noting your data during the call.
In vishing, an automated (as is the case with toll numbers) or a personal call could be made. Soon, these automated instructions start asking for sensitive information.
Typically, fraudulent mails target a large number of users and use generalised addresses such as "dear valued customer". Though malicious websites look similar to legitimate ones, they use a different domain name or spelling. For example, instead of xyz.com, a phishing website might use xyz.in or xyz.net. Also, it wouldn't have 'https://'.
What should you do?
First, inform your bank of a suspicious transaction or fraud at the earliest and take an acknowledgment of this. "A bank customer can only do this much, as banks and the regulator don't do much on their part. For instance, the banking system allows you to inform your bank by a text message but fraudsters can disable your message from going to the bank and instead, it goes to them. Banks feel the customer would always revert to a fraudster's text and this could be used to confirm frauds. It doesn't always happen this way," complains Mukhi.
After informing the bank, you should file a written complaint. If there is no satisfactory response from the bank, approach the nodal officer. If after 30 days, the nodal officer, too, fails to respond, you could file a complaint with the banking ombudsman.
"Ignore emails asking for your password or PIN and inform us of the same for us to investigate the matter. Neither the police nor we would ever contact you to ask you to reveal your online banking or payment card PINs, or your password information. Check your account and transaction history regularly," says the Banking Codes and Standards Board of India.
On its part, a bank should immediately start investigating the matter. If it can't be proved the customer is responsible for leaking his financial details, the bank should compensate the customer. "Banks never own up to lapses in their system. Instead, they take one to court on such matters and then, it is never-ending," says Mukhi.
Link your mobile number to your bank account and card. This way, you get an alert as soon as your card is swiped or a withdrawal is made, helping you take immediate action if you have not carried out the transaction. Source Business Std
| MAIL AND MOBILE THREATS |
| Phishing
Attempting to acquire personal information such as passwords and credit card details by masquerading as a trustworthy entity via e-mails
Vishing
This is phishing through the telephone, to trick a user into disclosing personal information
SMS spoofing
Pranksters can send messages using another person's number, called SMS masking or SMS spoofing. If someone is successful in spoofing your mobile number, then they can carry out a lot of transactions pretending to be you
Smishing
This comes through an SMS onto a cell phone. The SMS comes with a link, clicking on which causes the trojan horse to be installed on the mobile phone, compromising your details
SMS or call spam
In future, SMSes can be embedded with malware. Given that most mobile phones do not have an effective anti-spam, they can be a threat
Pharming
Sending mass e-mails to a large number of accounts, with a convincing message that should trick the recipient into visiting the spoofed site, thereby revealing his original credentials
Pranking for profit
This is a new class of attacks intended to steal money (as opposed to data) from compromised terminals. This crimeware uses RedBrowser to infect smartphones and send premium SMS messages from the device to a website that withdraws money from a bank or credit account before the user or network realise this
Bluejacking / Bluespamming
A practice of sending anonymous text messages to mobile users using Bluetooth technology (mobile spam). This technique essentially tries to push malicious data via Bluetooth
Bluesnarfing
An unauthorised access to information that aims at copying the contents of a mobile device from a Bluetooth connection. This allows access to a calendar, contact list, emails and text messages and on some phones users can copy pictures and private videos
Madware
Sneaks on to a user device when they download an app—often sends pop-up alerts to the notification bar, adds icons, changes browser settings, and gathers personal information
Snoopware
This enables a hacker to remotely access a smartphone to activate the microphone feature and listen to private conversations or confidential corporate meetings. Such software is also capable of viewing a calendar and list of contacts on a handheld device, making it easier for a cyber criminal to know exactly which meetings are worth eavesdropping. This particular threat can be especially dangerous, as sensitive business and personal data could be passed along in conversation Source: Norton by Symantec |
Best Regards
Prakash Nair
Certified Personal Financial Advisor(CPFA)
No comments:
Post a Comment