Phishing is a global problem faced by banks worldwide. It is an attempt to 'fish' for your banking details. Phishing could be an e-mail that appears to be from a known institution like banks or a popular website.
Please note that banks will never ask for confidential data like login and transaction passwords, One Time Password (OTP) etc.
How does phishing happen?
- Phishers set up a replica page of a known financial institution or a popular shopping website
- Bulk e-mails are sent to users asking for their personal data like account details, passwords etc.
- When the user clicks on the link, the replica website opens, or, while the user is online, a form appears through an ‘in-session pop-up’
- Once the user fills in and submits the data, it goes to the phishers, after which the user is redirected to the genuine website.
Phishers have refined their technology to launch sophisticated attacks and use advanced social engineering techniques to dupe online banking users.
Phishers use a combination of e-mail phishing, vishing (voice phishing) and smishing (SMS phishing) to get customer details like account number, login ID, login and transaction passwords, mobile number, address, CVV number, date of birth, passport number etc.
How to avoid phishing?
- Do not open spam e-mails. Be especially cautious of e-mails that:
  - Come from unrecognised senders
  - Ask you to confirm personal or financial information over the internet and/ or make urgent requests for this information
  - Are not personalised
  - Try to upset you into acting quickly by threatening you with frightening information.
- Do not click on links, download files or open attachments in e-mails from unknown senders. Be cautious even if the e-mail appears to come from an enterprise you do business with. It is a good practice to call up the concerned person to confirm in case the e-mail is unexpected
- Communicate personal information only via secure websites. In fact:
  - When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser's status bar or an "https:" URL whereby the ‘s’ stands for ‘secure’
  - Also, check if the website address is correct before conducting online transactions.
- Protect your computer by installing effective anti-virus/ anti-spyware/ personal firewall on your computer/ mobile phone and update it regularly
- Do not disclose details like passwords, debit card grid values etc. to anyone, even if the person claims to be a bank employee, and never in response to e-mails or links that appear to come from government bodies etc.
- Type the web address in the browser. Do not use links received in e-mails
- In case you have used a cyber cafe/ shared computer, change your passwords from your own computer
- Do not rely on the name and source shown in the ‘From’ field of the e-mail, as a fraudster can easily manipulate it to look like a valid e-mail account of the bank. Always check the actual e-mail address by clicking on the alias name
- Always access your bank website by typing the URL in the address bar of your browser only
- Always check the authenticity of the software before downloading
- If you get an e-mail, or a pop-up page appears, asking for personal or debit card information, do not provide this information no matter how 'genuine' the page appears to be. Such pop-ups are most likely the result of malware infecting your computer. Please take immediate steps to disinfect your device
- No bank or its representative will ever send you e-mails to get your personal information, password or one time SMS (high security) password. Such e-mails are an attempt to fraudulently withdraw money from your account through Internet Banking.
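The advice above to look past the alias shown in the ‘From’ field and check the actual address can be turned into a simple check. The following Python script is an added example, not part of the original page or of any bank's tooling: it splits a From header into display name and real address with the standard library's parseaddr, then flags a sender domain that is not one of the bank's domains, a display name that is itself an e-mail address different from the real sender, and a display name that claims the bank while the address points elsewhere. The trusted domain list and the sample headers are constructed for this example.

```python
"""Check the real sender address behind the display name of an e-mail 'From' header."""
from email.utils import parseaddr

# Domains the reader knows belong to their bank. These entries are assumptions for
# this example, not an authoritative list of any bank's mail domains.
TRUSTED_DOMAINS = ("icicibank.com", "icicibank.com.sg")

# Constructed sample headers for demonstration; none comes from a real message.
SAMPLE_HEADERS = [
    "ICICI Bank <alerts@icicibank.com>",                        # genuine-looking, trusted domain
    "ICICI Bank <alerts@icicibank.com.mail-example.net>",       # bank name in front of a foreign domain
    '"alerts@icicibank.com" <random12345@freemail.example>',    # alias is an address, sender is not
    "ICICI Bank Alerts",                                        # no address at all
]


def split_from_header(header):
    """Return (display_name, address, domain) for a From header value."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain


def is_trusted_domain(domain, trusted=TRUSTED_DOMAINS):
    """True only for an exact trusted domain or a subdomain of one.

    'icicibank.com.mail-example.net' merely starts with the bank name; its real
    registrable domain is mail-example.net, so it must not pass.
    """
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def check_from_header(header, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings about the header; an empty list means no obvious mismatch."""
    name, addr, domain = split_from_header(header)
    if not domain:
        return ["header carries no usable e-mail address"]
    warnings = []
    if not is_trusted_domain(domain, trusted):
        warnings.append(f"real sender domain {domain!r} is not a trusted bank domain")
    # The alias looks like an address but the message actually comes from somewhere else.
    if "@" in name and name.lower() != addr.lower():
        warnings.append("display name is itself an address that differs from the real sender")
    # The alias names the bank while the real address does not belong to it.
    if "icici" in name.lower() and not is_trusted_domain(domain, trusted):
        warnings.append("display name claims the bank but the address is elsewhere")
    return warnings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_from_header(header) or "no obvious mismatch")
```

The check is deliberately conservative: an empty result only means the visible address belongs to a domain on the reader's own trusted list, not that the message is genuine, since the header itself can be forged; it is a first filter, not a verdict.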
How to report a phishing attempt?
- Forward the original e-mail to us at firstname.lastname@example.org
- Report the incident with the caller's number, date and time of call, etc. at any of our branches.
- Change the passwords immediately
- Report the incident to our Customer Care.
- If the message displays a form asking to disclose your personal confidential information, please stop and recheck
- Do not respond or act without first contacting the 'sender' by telephone and verifying that the e-mail is legitimate
- Do check that the sender’s e-mail address displayed exactly matches the e-mail address format used within your company
- Do check whether the sender associated with the e-mail is indeed from the company
- Do not open attachments in such e-mails as they might carry a virus
- Do check the website where you might get redirected. The redirected website should belong to your company
- Do not just delete these e-mails. Report them immediately to your IT department or your organisation’s computer support team
- ICICI Bank will never send e-mails that ask for confidential information. If you receive an e-mail requesting your Internet Banking security details like PIN, password or account number, you should not respond.
- Check for the padlock icon: There is a de facto standard among web browsers to display a padlock icon somewhere in the window of the browser. For example, Microsoft Internet Explorer displays the lock icon at the bottom right of the browser window. Click (or double-click) on it in your web browser to see details of the site's security.
It is important for you to check to whom this certificate has been issued, because some fraudulent websites display a padlock image within the page to imitate the padlock icon of the browser.
- Check the webpage's URL. When browsing the web, the URLs (web page addresses) begin with the letters "http". However, over a secure connection, the address displayed should begin with "https" - note the "s" at the end, which stands for ‘secure’
For example: Our home page address is http://www.icicibank.com.sg. Here the URL begins with "http" meaning this page is not secure. Click the tab under "Login". The URL now begins with "https", meaning the user name and password typed in will be encrypted before being sent to our server.
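The two checks described above, the "https" prefix and the correctness of the web address, can be applied to a link before it is clicked. The Python script below is an added example and not code from the original page or from the bank: it parses a link with the standard library's urlsplit, warns when the scheme is not https, when the host is not the bank's domain (or a subdomain of it), and when the link carries a "user@" part in front of the real host, a trick that makes the bank's name appear at the start of the address. The bank domain is taken from the home page address quoted above; the sample links are constructed for this example. As the padlock advice above says, "https" only means the connection is encrypted; it does not by itself prove who is at the other end.

```python
"""Inspect a link the way the tips above describe: scheme, real host, and misleading '@' parts."""
from urllib.parse import urlsplit

# The bank's domain, taken from the home page address quoted on this page.
BANK_DOMAIN = "icicibank.com.sg"

# Constructed sample links for demonstration; none comes from a real message.
SAMPLE_URLS = [
    "https://www.icicibank.com.sg/login",                    # genuine form: https and the bank's host
    "http://www.icicibank.com.sg/",                          # right host, but not encrypted
    "https://www.icicibank.com.sg.secure-login.example/",    # bank name used as a prefix of another domain
    "https://www.icicibank.com.sg@phish.example/login",      # bank name before '@'; real host follows it
    "https://icicibank-sg.example/login",                    # lookalike name, different domain
]


def host_belongs_to_bank(host, bank_domain=BANK_DOMAIN):
    """True only for the bank domain itself or a subdomain of it."""
    return host == bank_domain or host.endswith("." + bank_domain)


def check_bank_url(url, bank_domain=BANK_DOMAIN):
    """Return a list of warnings for a link; an empty list means it passes these checks."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme!r}, not https: data typed in would not be encrypted")
    if not host:
        warnings.append("link has no host")
        return warnings
    if not host_belongs_to_bank(host, bank_domain):
        warnings.append(f"host {host!r} is not {bank_domain} or one of its subdomains")
    # urlsplit puts everything before '@' into username; the browser connects to hostname.
    if parts.username is not None:
        warnings.append(f"text before '@' ({parts.username!r}) is not the host; the real host is {host!r}")
    return warnings


if __name__ == "__main__":
    for link in SAMPLE_URLS:
        print(link, "->", check_bank_url(link) or "passes these checks")
```

The host comparison is done on the parsed hostname, never on the raw string, which is why the fourth sample is caught: a reader scanning the text sees the bank's name first, but the browser connects to whatever follows the "@".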
What should you do if you have entered data on a fraudulent link?
2. Spear Phishing
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data.
Spear phishing is a targeted phishing attempt through an e-mail that appears to come not only from a trusted source, but often from someone in your own company, a superior in many cases, or from a close relative. The subject line is customised/ personalised and will often be relevant to current projects or developments within the company, or to a family event. The violation occurs when the user opens the e-mail and clicks on the link attached: Trojans or malware then get downloaded, or a form appears on the screen which the recipient is asked to fill in. This information is confidential and could be used to access and transact on the organisation’s internal applications.
How to protect from spear phishing?
Website spoofing is the act of creating a website, as a hoax, with the intention of performing fraud. To make spoof sites seem legitimate, phishers use the names, logos, graphics and even code of the actual website. They can even fake the URL that appears in the address field at the top of your browser window and the Padlock icon that appears at the bottom right corner.
How do the fraudsters operate?
Fraudsters send e-mails with a link to a spoofed website asking you to update or confirm account related information. This is done with the intention of obtaining sensitive account related information like your Internet Banking User ID, Password, PIN, debit card/ bank account number, Card Verification Value (CVV) number etc.
Tips to protect yourself from spoofed websites:
Sample Spoofed Site
Here are some precautions for safe and secure mobile banking:
- Set up a PIN/ Password to access the handset menu on your mobile phone
- Delete junk and chain messages regularly
- Do not follow any URL in a message that you are not sure about
- If you have to share your mobile with anyone else or send it for repair/ maintenance:
  - Clear the browsing history
  - Clear cache and temporary files stored in the memory as they may contain your account numbers and other sensitive information
  - Block your mobile banking applications by contacting your bank. You can unblock them when you get the mobile back
- Do not save confidential information such as your debit card numbers, CVV numbers or PINs on your mobile phone
- Do not part with confidential information received from your bank on your mobile
- Install an effective mobile anti-malware/ anti-virus software on your smartphone and keep it updated
- Keep your mobile's operating system and applications, including the browser, updated with the latest security patches and upgrades
- Password protect your mobile device to protect against unauthorised access. Set up a PIN/ Password that is difficult to crack
- Do not enable auto-fill or save User IDs or Passwords for mobile banking online
- If possible, maximise the security features by enabling encryption, remote wipe and location tracking on device
- Never leave your mobile phone unattended
- Turn off wireless device services such as Wi-Fi, Bluetooth and GPS when they are not being used. Bluetooth can be set to invisible (non-discoverable) mode
- Avoid using unsecured Wi-Fi, public or shared networks
- Do not use "jailbroken" or "rooted" devices for online banking. Jailbreaking or rooting a device (the process of breaking into the phone's built-in operating system to control it outside the vendor's original intention) exposes the device to additional malware, since applications can then gain administrative or privileged access to the OS
- Only download apps from official app stores such as Apple App Store, Android Marketplace, Google Play Store and BlackBerry App World
- Never disclose personal information or online banking credentials via e-mail or text messages as these can be used for identity theft
- Logout from online mobile banking or application as soon as you have completed your transactions. Also make sure you close that window
- Be aware of shoulder surfers. Be extra careful while typing confidential information such as your account details and password on your mobile in public places.
Cash - Safety Tip
- Do not fold bank notes
- Do not staple bank notes
- Always handle bank notes with clean and dry hands
- Avoid writing anything on bank notes. Always keep the watermark clear
- Never take help from strangers at branch cash counter for counting notes
Cheque Book Safety Measures
- Record all details of cheques issued
- Do not leave your cheque book unattended. Always keep it in a safe place, under lock and key
- Whenever you receive your cheque book, please count the number of cheque leaves in it. If there is a discrepancy, bring it to the notice of the Bank immediately.
Tips to fill a cheque leaf correctly
- Do not sign blank cheques. Always fill in the date, the name of the receiver and the amount before signing the cheque
- Remember to cross your cheque whenever applicable, to prevent it from being misused.
- Always draw a line through any unused space
- Never sign in multiple places unless authenticating a change
- Avoid using cheques with changes on them. Issue a new cheque if possible
- When you cancel a cheque, mutilate the MICR band and write "CANCEL" across the face of the cheque
- Do not write/ sign/ mark/ pin/ staple/ paste/ fold on the MICR band
- Always use your own pen to write a cheque
- In case of an NRE/ NRO account, while talking to the phone banking officer, never disclose:
  - 4-digit ATM/IVR PIN
  - OTP password
  - CVV (Card Verification Value)
  - Internet Banking password
- Avoid giving verification details to the phone banking officer in a public place
- The Phone Banking channel is meant to be used by the account holder only; do not transfer the line or hand over the phone to a third party after completing self-authentication.