India recorded 50,035 cases of cyber crime in 2020, an 11.8 per cent surge in such offences over the previous year, according to National Crime Records Bureau (NCRB) data. The Reserve Bank of India (RBI) last week once again cautioned bank customers against fraud, including fraud in Know-Your-Customer (KYC) cases. In fact, certain frauds have become more prevalent than others, and being aware of them is the first step towards protecting yourself. Mayur Joshi, chief executive officer, Indiaforensic.com, a company engaged in the prevention, detection, and investigation of frauds, says, “It is necessary to learn, to read about these scams.” Here are some such frauds, their methods and what you can do to avoid them.
KYC Fraud: Due to the pandemic, many people stopped visiting bank branches, giving fraudsters an opportunity to use KYC as a reason to engage with customers by pretending to be bankers. Ritesh Bhatia, cyber-crime investigator, cybersecurity and data privacy consultant, says, “The modus operandi is simple. You get an unsolicited SMS saying your card or account will be blocked, or rewards points will be disabled–the kind of message that creates panic in the customer. And that customer naturally reacts to the SMS, without considering the legitimacy of the message.” Once you call the number mentioned in the SMS, the fraudsters coax you into giving up personal details under the pretext of KYC verification. For instance, you will be asked for account or login details, card information, PIN, OTP, etc. Bhatia says, “They may also ask you to install a remote access app, which will give them complete access to your mobile.” The fraudster quickly empties the account, while the victim keeps getting SMS alerts of the amounts debited from the account.
What to do: Remember, a KYC update will never happen via a third-party app. Bhatia says, “You should get in touch with the bank or card issuer–not on the number in the SMS, but the one on the reverse of your card–or call your bank customer care.” Don’t even go by web searches, as fraudsters are also spreading fake customer care numbers of banks or UPI platforms online.
Yash Tyagi, chief technology officer (CTO), CASHe, says, “Be very careful to whom you give out your information or documents for KYC purposes as well, even if you are doing so on a website. There are many fraud sites that collect such data. Fraudsters can make copies of KYC data and use it to apply for loans.” So it’s not just SMS, calls or email you should be wary of, but websites as well.
SIM Swap Fraud: Swap simply means exchanging one thing for another. Let’s say you have a 3G SIM card and want to upgrade to 4G. You ask your service provider to swap the 3G SIM for a 4G SIM. This is an authentic SIM swap. Here you are putting the request to your service provider, who deactivates your old SIM and gives you a new one, which activates within a few hours. Our mobile phones are loaded with information, right from contact lists, photos, emails, and SMS to financial details such as ATM withdrawal alerts and one-time passwords sent by banks for net banking transactions. Joshi says, “The SIM Swap fraud is a nightmare that many mobile holders faced during the pandemic. Many users were locked in when they started receiving messages that their SIM card has been blocked or the request for changing the SIM had been received.”
Fraudsters use SIM swap techniques to steal your financial details by blocking your SIM card and exchanging it with a fake one. Joshi says, “The swapsters approach the service provider (posing as a genuine card holder, with fake papers), requesting to swap the SIM. After verification, the service provider deactivates the old SIM. The fraudsters get a new active mobile SIM card.” This means that once the SIM is swapped, they get access to your OTPs, financial accounts and card-related alerts, which they use to commit the fraud.
Before contacting a service provider, the fraudster will usually engage in some form of social engineering to try and gain information about their intended victim that can be used to answer security questions related to the victim’s mobile number. Joshi adds, “This can be done by researching the victim’s social media accounts or gathering information about them from other public sources. The person attempting the SIM swap might also send phishing emails to a potential victim in the hope of obtaining other sensitive information that can be used to unlock his mobile phone number.” Phishing is a kind of e-mail fraud technique in which the crook sends out genuine-looking emails or website links in an attempt to gather your personal and financial information.
What to do: Don’t give away your details to anyone. If you see no service on your SIM, contact the service provider at the earliest.
If your SIM has been deactivated at midnight, you can’t do much about it, really.
UPI-related Frauds: Unified payments interface (UPI) has a feature in which you or the merchant can send the user a request to collect money. This feature is being used by fraudsters on second-hand shopping websites. Manoj Chopra, head, innovation & product development, InfrasoftTech, says, “When you try to sell an item on such a site, fraudsters feign interest in buying and send you a collect money request instead of sending money. Remember, you don’t need to authorise a transaction if the money is being transferred to your account, but the fraudster makes you believe you do and you end up sharing the PIN, and your hard-earned money gets re-routed.”
What can you do: Remember, when you are receiving money in your bank account, you don’t have to give a PIN or OTP. Likewise, when you are receiving money in UPI, you don’t need to enter any PIN. Treat your PIN exactly like you treat your ATM PIN. Don’t disclose it to anyone.
Offline Frauds: Oftentimes we take cash withdrawal from an ATM casually, not realising that a little carelessness could cost us our hard-earned money. Shoulder surfing is one such danger associated with ATMs. Shoulder surfing is, in simple terms, when someone stands very close to you in order to get information. Chopra says, “So, while using an open ATM, be careful that nobody is shoulder surfing you. You can never tell whether or not the person shoulder surfing is a fraudster. Such people stand close to you to get the personal identification number (PIN) of your card while you are feeding it.” Once your PIN is compromised, it can be used by fraudsters in ways you can’t even imagine. Chopra says, “He could also have tampered with the ATM, by inserting a device in the ATM card slot. So, when you punch your PIN, the device captures the number and other information stored on your card.” Fraudsters use the data to make cloned cards and withdraw cash at overseas ATMs, or shop online.
What can you do: First, look closely at the card slots in the ATMs. Ensure that there are no parts jutting out, no broken pieces, no cracks or any glue-like substances around the slot. It’s a good practice to cover your hand while punching in your PIN on the keypad. Also make sure no one is shoulder surfing.
Things to keep in mind: There’s very little you can do at your end, apart from being more vigilant. But some things that you must do can make a lot of difference. First and foremost, follow basic online security hygiene against phishing. (See box.) Ankit Ratan, co-founder and CEO, Signzy, an AI-based banking workflow automation solutions provider, says, “Use the facility that allows you to set and modify transaction limits on your cards and savings account. That way, you will be able to reduce the risk considerably.” You can set limits on all types of transactions–domestic, international, POS, ATM withdrawals, and online. Banks also allow you to switch your debit and credit cards on and off. Imagine the peace of mind when you temporarily switch off a card you aren’t using and set a limit on those that you use. This way, at least some damage will be kept next to zero.
Follow the basics
- Use robust passwords: make them long non-words, and pair them with multi-factor authentication.
- Practice safe clicking: be careful while clicking on attachments, links and emails
- Double check URLs of websites
- When using a personal laptop for office work, create a separate user account.
- Keep your systems and software updated
- Change your home WiFi default settings and passwords to reduce the potential impact on your work of an attack via other connected devices
- Watch what you share on social media
- If someone calls asking for sensitive information, say no. Call the number on the reverse of your card or mentioned on the chequebook