Phishing is a global problem faced by banks worldwide. It is an attempt to 'fish' for your banking details. Phishing typically takes the form of an e-mail that appears to come from a known institution such as a bank or a popular website.
Please note that banks will never ask for confidential data like login and transaction passwords, One Time Password (OTP) etc.
How does phishing happen?
- Phishers set up a replica page of a known financial institution or a popular shopping website
- Bulk e-mails are sent to users asking for their personal data like account details, passwords etc.
- When the user clicks on the link, the replica of the website will open or while the user is online, a form will populate through an ‘in-session pop-up’
- Once the user submits the form, the data goes to the phishers, after which the user is redirected to the genuine website.
Phishers have refined their technology to launch sophisticated attacks and use advanced social engineering techniques to dupe online banking users.
Phishers use a combination of e-mail phishing, vishing (voice phishing) and smishing (SMS phishing) to get customer details like account number, login ID, login and transaction passwords, mobile number, address, CVV number, date of birth, passport number etc.
How to avoid phishing?
- Do not open spam e-mails. Be especially cautious of e-mails that:
  - Come from unrecognised senders
  - Ask you to confirm personal or financial information over the internet and/or make urgent requests for this information
  - Are not personalised
  - Try to pressure you into acting quickly by threatening you with frightening information.
- Do not click on links, download files or open attachments in e-mails from unknown senders. Be cautious even if the e-mail appears to come from an enterprise you do business with. If the e-mail is unexpected, it is good practice to call the person concerned to confirm it.
- Communicate personal information only via secure websites. In particular:
  - When conducting online transactions, look for a sign that the site is secure, such as a lock icon on the browser's status bar or an "https:" URL, where the 's' stands for 'secure'
  - Also check that the website address is correct before conducting online transactions.
- Protect your computer by installing effective anti-virus, anti-spyware and personal firewall software on your computer and mobile phone, and update it regularly
- Do not disclose details like passwords, debit card grid values etc. to anyone, even if the person claims to be a bank employee, and do not enter them on e-mails or links that claim to come from government bodies etc.
- Type the web address in the browser. Do not use links received in e-mails
- In case you have used a cyber cafe/ shared computer, change your passwords from your own computer
- Do not rely on the name and source shown in the 'From' field of the e-mail, as a fraudster can easily make it display a valid e-mail account of the bank. Always check the actual e-mail address by clicking on the alias name
- Always access your bank website by typing the URL in the address bar of your browser only
- Always check the authenticity of the software before downloading
- If you get an e-mail or a pop-up asking for personal or debit card information, do not provide it, no matter how 'genuine' the page appears to be. Such pop-ups are most likely the result of malware infecting your computer. Take immediate steps to disinfect your device
- No bank or bank representative will ever send you e-mails asking for your personal information, password or one time SMS (high security) password. Such e-mails are an attempt to fraudulently withdraw money from your account through Internet Banking.
How to report a phishing attempt?
- Forward the original e-mail to us at firstname.lastname@example.org
- Report the incident with the caller's number, date and time of call, etc. at any of our branches.
What should you do if you have entered data on a fraudulent link?
- Change the passwords immediately
- Report the incident to our Customer Care.
2. Spear Phishing
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data.
Spear phishing is a targeted phishing attempt through an e-mail that appears to come not only from a trusted source, but often from someone in your own company (in many cases a superior) or from a close relative. The subject line is customised and personalised, and is often relevant to current projects or developments within the company, or related to a family event. The violation occurs when the user opens the e-mail and clicks on the attached link: Trojans or other malware are then downloaded, or a form appears on the screen asking the recipient to fill in data. This information is confidential and could be used to access and transact on the organisation's internal applications.
How to protect from spear phishing?
- If the message displays a form asking to disclose your personal confidential information, please stop and recheck
- Do not respond or act without first contacting the 'sender' by telephone and verifying that the e-mail is legitimate
- Do check the sender's e-mail address as displayed, and whether it exactly matches the e-mail address format used within your company
- Do check whether the sender associated with the e-mail is indeed from the company
- Do not open attachments in such e-mails as they might carry a virus
- Do check the website where you might get redirected. The redirected website should belong to your company
- Do not just delete these e-mails. Report them immediately to your IT department or your organisation’s computer support team
3. Website Spoofing
Website spoofing is the act of creating a website, as a hoax, with the intention of performing fraud. To make spoof sites seem legitimate, phishers use the names, logos, graphics and even code of the actual website. They can even fake the URL that appears in the address field at the top of your browser window and the padlock icon that appears at the bottom right corner.
How do the fraudsters operate?
Fraudsters send e-mails with a link to a spoofed website asking you to update or confirm account related information. This is done with the intention of obtaining sensitive account related information like your Internet Banking User ID, Password, PIN, debit card/ bank account number, Card Verification Value (CVV) number etc.
Tips to protect yourself from spoofed websites:
- ICICI Bank will never send e-mails that ask for confidential information. If you receive an e-mail requesting your Internet Banking security details like PIN, password or account number, you should not respond.
- Check for the padlock icon: There is a de facto standard among web browsers to display a padlock icon somewhere in the browser window. For example, Microsoft Internet Explorer displays the lock icon at the bottom right of the browser window. Click (or double-click) on it in your web browser to see details of the site's security.
  It is important to check to whom the certificate has been issued, because some fraudulent websites display a padlock icon within the page to imitate the padlock icon of the browser.
- Check the webpage's URL. When browsing the web, URLs (web page addresses) normally begin with the letters "http". Over a secure connection, however, the address displayed should begin with "https" - note the "s" at the end, which stands for 'secure'
  For example: Our home page address is http://www.icicibank.com.sg. Here the URL begins with "http", meaning this page is not secure. Click the tab under "Login". The URL now begins with "https", meaning the user name and password you type in will be encrypted before being sent to our server.
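The two checks recommended above, comparing the alias in the 'From' field with the actual sender address, and confirming that a login URL uses https and really points at the bank's own domain, can be applied mechanically before anyone clicks. The script below is an added example written for this page and is not ICICI Bank's own code or tooling. It assumes that icicibank.com.sg (the home page domain quoted above) is the bank's only legitimate domain, uses 'icici' as an assumed brand keyword that a lure might place in the display name, and runs over two constructed sample messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed set of the bank's legitimate domains for this example; a real checker
# would take the bank's published list.
LEGITIMATE_DOMAINS = {"icicibank.com.sg"}
# Assumed brand words a lure might put in the display name to look official.
BRAND_KEYWORDS = ("icici",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_belongs_to(host, domains=LEGITIMATE_DOMAINS):
    """True only if host is exactly a trusted domain or a subdomain of one.

    A lookalike such as 'icicibank.com.sg.verify-account.example' ends with
    '.example', not '.icicibank.com.sg', so it is rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_sender(from_header):
    """Compare the alias (display name) with the real address in a From: header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["From header contains no usable address"]
    if host_belongs_to(domain):
        return []
    shown = (display + " " + addr).lower()
    if any(k in shown for k in BRAND_KEYWORDS):
        return [f"alias {display!r} suggests the bank but the real domain is {domain!r}"]
    return [f"sender domain {domain!r} is not a bank domain"]


def check_login_url(url):
    """Apply the page's URL rules: a login page must use https and its host must be the bank's."""
    warnings = []
    parts = urlparse(url)
    if parts.scheme != "https":
        warnings.append(f"{url}: not https, credentials would be sent unencrypted")
    host = parts.hostname or ""
    if not host_belongs_to(host):
        warnings.append(f"{url}: host {host!r} is not a bank domain")
    if parts.username is not None:
        # In 'https://www.icicibank.com.sg@203.0.113.5/' the browser connects to
        # 203.0.113.5; the bank-looking text before '@' is only a user name.
        warnings.append(f"{url}: text before '@' is a user name, the real host is {host!r}")
    return warnings


def _text_bodies(msg):
    """Yield the decoded text/plain bodies of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def scan_message(raw_message):
    """Run the sender and URL checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    report = {"sender": check_sender(msg.get("From", "")), "urls": {}}
    for body in _text_bodies(msg):
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;)")
            report["urls"][url] = check_login_url(url)
    return report


def is_suspicious(report):
    return bool(report["sender"]) or any(report["urls"].values())


# Constructed sample messages (not real bank mail).
LEGIT_MESSAGE = """From: ICICI Bank <alerts@icicibank.com.sg>
Subject: Your statement is ready
Content-Type: text/plain

Sign in at https://www.icicibank.com.sg/login to view it.
"""

# The quoted display name imitates a genuine address; the real sender follows it.
LURE_MESSAGE = """From: "ICICI Bank <alerts@icicibank.com.sg>" <mailer@icicibank-secure.example>
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/plain

Confirm here: http://www.icicibank.com.sg.verify-account.example/login
or here: https://www.icicibank.com.sg@203.0.113.5/login
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGIT_MESSAGE), ("lure", LURE_MESSAGE)):
        report = scan_message(raw)
        print(name, "suspicious" if is_suspicious(report) else "clean", report)
```

The host check deliberately tests for a domain suffix rather than for the bank's name appearing anywhere in the URL, because "icicibank.com.sg" at the start of a lookalike host, or before an '@', is exactly the trick the page warns about.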
Sample Spoofed Site