This story is from January 23, 2009

Phishing morphs into more advanced versions

In a twist to the recent spate of money transfer frauds committed via the internet, you now don’t need to provide your password in reply to an unsolicited mail. A hacker could still be able to crack your email ID and access sensitive data.
Delhi doctor Sanjay Sood discovered this modus operandi recently. He received an official-sounding email, supposedly from the website administrator, asking for an update of his name, date of birth and pin code.
Reassured that it did not ask for his password, he quickly provided the information.
Apparently, these details were used to decode his password and hijack his email ID. The next morning, he was flooded with the kind of distress calls that have been extensively reported these days.
“Somebody had sent emails to all my contacts to kindly send dollars to my bank account as I was supposedly stranded in Malaysia.”
Sood had fallen prey to yet another instance of phishing, the criminal act of pretending to be an official website or email, typically of a bank, payment site or website administrator. Private information thus collected is used to access bank accounts and defraud in other ways. Fortunately, Sood quickly informed his bank to deactivate his account, informed the police, and sent an SMS to those on his mailing list to ignore the email.
Many, however, have not been as lucky and their accounts have been misused. Now, what is the banks’ stand on the subject, considering the fact that online banking is picking up? “If you compromise your information,” says a senior banker, “the bank is not at fault.” Cases of online money transfer fraud brought to the banking ombudsman have increased.
While taking a decision, the ombudsman’s office factors in the beneficiary of the funds, and whether the bank had adhered to know your customer (KYC) norms while opening the consumer’s account.

There have been instances, says an ombudsman official, where banks have been told to refund the defrauded amount. “If funds are transferred from one account to another in the same bank, there is a possibility of insider involvement. If there is a duplicate website, it is the responsibility of the banks’ technical side to look into it.”
But the issue here is not cure; it’s prevention. Banks increasingly invest in security systems. In internet banking, for instance, there are levels of passwords, among other elaborate authentication procedures. One thing a bank would never do is ask you for your name or password. Says Vishal Salvi, chief information security officer at HDFC Bank, “We don’t send messages to consumers to solicit information nor encourage such behaviour.” ICICI Bank too educates its customers to not share personal details such as login and PIN.
Its website highlights simple tips for staying protected and for identifying a spoofed site, such as always visiting a bank’s website by typing its domain name into the browser’s address bar instead of clicking links in any mails.