What is Phishing?
Phishing is a global problem faced by banks worldwide. It is an attempt to 'fish' for your banking details. Phishing could be an e-mail that appears to be from a known institution like a bank or a popular website.
Banks will never ask for confidential data like Login and Transaction Password, One Time Password (OTP), Unique Reference Number (URN), etc. through e-mail, telephone, social media platforms or other such means.
How does phishing take place?
- Phishers set up a replica page of a known financial institution or a popular shopping website
- Bulk e-mails are sent to the users asking for their personal data like account details, passwords, etc.
- When the user clicks on the link, a replica of the website opens. While the user is online, a form will populate through an ‘in-session pop-up’
- On updating, the data goes to the phishers and the user is redirected to the genuine website
Phishers have refined their technology to launch sophisticated attacks and use advanced social-engineering techniques to dupe online banking users. Phishers use a combination of e-mail phishing, vishing (voice phishing) and smishing (SMS phishing) to get customer details like Account Number, Login ID, Login and Transaction Password, Mobile Number, Address, Debit Card Grid Values, Credit Card Number, CVV Number, PAN, Date of Birth, Mother's Maiden Name, Passport Number, etc.
How do you identify a Phishing attempt?
- Unsolicited e-mails, calls from strangers or websites asking for confidential banking details
- Messages asking for urgent action due to security or regulatory reasons
- Links received through e-mails to access known websites
- To check the actual website, roll the cursor over the link or check for https:// where ‘s’ stands for 'Secure site'
- The fraudster may use a well-known bank's e-mail address, domain name, logo, etc. to give an authentic look to the fake e-mail
- Such fake e-mails will always address you by a generic salutation or address you by ‘Dear Net Banking Customer’ or ‘Dear Bank Customer’. Authentic e-mails sent by a bank will always address you personally by your name e.g. ‘Dear Mr. Suresh Kumar’
- Often, such fake e-mails are poorly drafted and may have spelling or grammatical mistakes
- Fake e-mails will always encourage you to click on a link to verify or update your confidential account information
- The links embedded in such fake e-mails may sometimes look authentic but, when you move the cursor/pointer over the link, there may be an underlying link/URL to a fake website
How to avoid Phishing?
- Do not open spam mails. Be especially cautious of e-mails that:
- Come from unrecognised senders
- Ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information
- Are not personalised
- Try to coax you into quick action through threats
- Do not click on links, download files or open attachments in e-mails from unknown senders. Be cautious, even if the e-mail appears to come from an enterprise you do business with. It is a good practice to call up the concerned enterprise to confirm, in case the e-mail arrives unexpectedly
- Communicate personal information only through secure websites. In fact:
When conducting online transactions, look for a sign that the site is secure such as, a lock icon on the browser's status bar or a ‘https:’ URL whereby the ‘s’ stands for ‘secure’ rather than a ‘http:’
- Also, check if the website address is correct before conducting online transactions
- Protect your computer by installing effective anti-virus/anti-spyware/personal firewall on your computer/mobile phone and update it regularly
- Check your online accounts and bank statements regularly to ensure that no unauthorised transactions have been made
- Do not disclose details like passwords, Debit Card Grid values, etc. to anyone, even if they claim to be bank employees or on e-mails/links from Government bodies like the Reserve Bank of India (RBI), Central Bank of Bahrain (CBB), etc.
- Type the web address in the browser. Do not use links received through e-mails
- In case you have used a cyber cafe/shared computer, change your passwords from your own computer
- Register for e-mail and mobile alerts to check your account regularly
- Report any fraudulent incident to the bank/institution on the number mentioned on the Debit/Credit Card, Bank/Credit Card statement or official website
- Do not rely on the name and source in the ‘From’ field of the e-mail address, as it may be easily manipulated by the fraudster to appear as a valid e-mail account of your bank
- Always access your bank website by typing in the URL in the address bar of your browser only
- Always check the authenticity of the software before downloading
- If you get an e-mail asking for your personal or Credit/Debit Card information, please do not provide this information no matter how 'genuine' the page appears to be. Such pop-ups are most likely the result of malware infecting your computer. Please take immediate steps to disinfect your device.
- Any bank or their representative will never send you e-mails to get your personal information, password or one-time SMS (high security) password. Such e-mails are an attempt to fraudulently withdraw money from your account through Internet Banking.
How to report a phishing attempt?
- Forward the original e-mail to us at <firstname.lastname@example.org>
- Change the password immediately
- Report the incident to our Customer Care 80004877
What should you do if your money has been fraudulently transferred through phishing?
- Inform the bank immediately
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data.
What is spear phishing?
Spear phishing is a targeted phishing attempt through an e-mail that appears to come not only from a trusted source, but often from someone in your own company, a superior in many cases, or a close relative. The subject line address is customised/personalised and often will be one of relevance to either the current projects of development within the company, or may be related to a family event. The violation occurs when the user opens the e-mail, clicks on the link attached and then Trojans or Malware gets downloaded or a form appears on the screen, in which data needs to be filled in by the recipient. This information is confidential and could be useful for accessing and transacting on the internal organisation’s application.
How does a Trojan/Malware help a fraudster?
Please follow the link below for details on this:
How does spear phishing work?
Spear phishing has success in manipulating a user’s confidential information for three reasons:
- The source appears to be known, trusted and one that the user has frequent correspondence with
- The verbiage used in the subject reinforces the validity that the source is legitimate
- The information requested seems to make reasonable sense to the user, considering the 'source'
An example of spear phishing would be an e-mail that appears to come from a specified and known network or IT person within your company. It prompts you to login with your employee name and password. Upon doing so, a malware is downloaded. Once the perpetrator has the user name and password of that employee, he/she can then access great amounts of company data using that access or perform transactions.
How to protect from spear phishing?
- If the message prompts you to disclose your personal/confidential information at any time, STOP. Recheck
- Do not respond or act without first contacting the 'sender' by telephone and verifying that the e-mail is legitimate
- Do check the sender’s e-mail address - whether it matches the e-mail address used within your company
- Do check whether the sender associated with the e-mail is indeed from the company
- Do not open attachments in such e-mails as they might carry a virus
- Do check the website where you might get redirected. The website you are redirected to should belong to your company
- Do not just delete these e-mails. Report them immediately to your IT department or your company contacts for computer support
What is Spoofing?
Website spoofing is the act of creating a website, as a hoax, with the intention of performing a fraud. To make spoof sites seem legitimate, phishers use the names, logos, graphics and even code of the actual website. They can even mimic the URL that appears in the address field at the top of your browser window and the Padlock icon that appears at the bottom right corner.
How do the fraudsters operate?
Fraudsters send e-mails with a link to a spoofed website asking you to update or confirm account related information. This is done with the intention of obtaining sensitive account related information like your Internet Banking User ID, Password, PIN, Credit Card/Debit Card/Bank Account Number, Card Verification Value (CVV) number, etc.
Tips to protect yourself from spoofed websites:
- ICICI Bank Limited will never send e-mails that ask for confidential information. If you receive an e-mail requesting your Internet Banking security details like PIN, password or account number, you should not respond
- Check for the Padlock icon. There is a de facto standard among web browsers to display a Padlock icon somewhere in the window of the browser. For example, Microsoft Internet Explorer displays the lock icon at the bottom right of the browser window. Click (or double-click) on it in your web browser to see details of the site's security. It is important for you to check to whom this certificate has been issued, because some fraudulent websites may have a padlock icon to imitate the Padlock icon of the browser.
- Check the webpage's URL. When browsing the web, the URL (web page address) begins with the letters ‘http’. However, over a secure connection, the address displayed should begin with ‘https’- note the ‘s’ at the end
For example: Our home page address is http://www.icicibank.com . Here the URL begins with ‘http’ meaning this page is not secure. Click the tab under "Login". The URL now begins with "https", meaning the user name and password typed in will be encrypted before being sent to our server.
What Is Vishing?
Vishing is an attempt by a fraudster to represent a bank and take confidential details from you over a phone call. Details like user ID, login and transaction password, One-Time Password (OTP), Unique Registration Number (URN), Card PIN, Grid Card values, CVV or any personal parameters such as date of birth, mother's maiden name. These details will then be used to conduct fraudulent activities on your account without your permission leading to financial losses.
How do the fraudsters operate?
The fraudster calls the customer and claims to be calling from the Bank. He then asks for personal details like your user ID, login and transaction password, One-Time Password (OTP), Unique Registration Number (URN), Card PIN, Grid Card values, CVV or any personal parameters such as date of birth, mother's maiden name, etc.
Tips to protect yourself from vishing:
- Your bank would have some knowledge of your personal details. Be suspicious of any caller who appears to be ignorant of basic personal details like first and last name (although it is unsafe to rely on this alone as a sign that the call is legitimate). If you receive such a call, report it to your bank
- Do not call and leave any personal or account details on any phone system that you are directed to from a call or from a number provided in a message, an e-mail or an SMS especially, if it is regarding possible security issues with your Credit Card or bank account
- When a phone number is provided, you should first call the number on the back of your Credit Card or on your bank statement to verify whether the given number actually belongs to the bank
- If you get an SMS or call asking for your personal or Credit/Debit Card information, please do not provide the information
What is Skimming?
Skimming is an act of stealing information through the magnetic strip on the cards that are used in ATMs and merchant establishments. Fraudsters collect information from a Credit/Debit/ATM card by reading the magnetic strip on the reverse of the card. For doing this, they conceal a small device in the card slot of ATM's or Merchant Payment Terminals. The 'skimmer' scans the card details and stores its information. A tiny strategically positioned camera may also be used to capture the PIN. Skimming can occur in ATMs, restaurants, shops or other locations.
How the fraudsters operate:
- At ATM machines
Fraudsters insert a skimming device into the ATM card slot. This device scans the card and stores its associated information. While a customer keys in his PIN, the wireless skimming device transfers the data to the fraudsters. This information is then used by the fraudsters for online shopping or to make counterfeit Credit Cards.
- At restaurants/shopping outlets
At restaurants and shopping outlets, the Credit Card is swiped twice, once for the regular transaction and the other in the skimming device that captures the personal information, which is retrieved later by the fraudsters.
Tips to protect yourself from skimming
Tips to avoid skimming
- Protect your PIN by standing close to the ATM and shielding or covering the key pad with your other hand when entering your PIN
- If you see anything unusual, strange, suspicious, something that does not look right with the ATM or if the keypad does not feel securely attached, stop your transaction and inform the bank
- If the ATM Machine appears to have anything stuck onto the card slot or key pad, do not use it. Cancel the transaction and walk away. Never try to remove suspicious devices
- Be cautious if strangers offer to help you at an ATM, even if your card is stuck or you are having difficulties. Do not allow anyone to distract you
- Keep your PIN a secret. Never reveal it to anyone, even to someone who claims to be calling from your bank or to a police officer
- Check that other people in the queue are at a reasonable distance away from you
- Regularly check your account balance and bank statements, and report any errors to your bank immediately
Below are additional tips for staying safe when using an ATM:
- Memorise your PIN – never write it down or store it with your card(s)
- Have your card and envelopes ready for your transaction when you approach the ATM
- Be aware of your surroundings and people nearby
- Monitor your account, statements and report suspicious transactions to the bank
- Do not take help offered by strangers or allow anyone to watch you enter your PIN
- Always press the 'Cancel' button once your transaction is over
It is a combination of Short Message Service (SMS - also known as text messaging) and phishing (the act of e-mailing someone with the intent of obtaining personal information that can be used for identity theft).
Messages are being received across the country by cell phone users claiming their accounts are delinquent, need to be updated or even to register for a new programme. Links in the messages and toll-free telephone numbers are being used.
Points to remember
- Cell phones can instal viruses, so never click on links from any unknown person
- Never share financial or personal information by e-mail or text message
- Tell us about suspicious e-mails that contain our name or logo
- Check accounts regularly to spot a fraud or unauthorised account access
What is SIM-Swap/Exchange fraud?
A mobile phone is a convenient banking channel. One can get account-related alerts, One Time Password (OTP), Unique Registration Number (URN), 3D Secure code, etc. required for financial transactions and also make various financial inquiries through the mobile.
Under a SIM swap/exchange fraud, the fraudster manages to get a new SIM card issued for your registered mobile number through the mobile service provider. With the help of the new SIM card the fraudster gets the URN/OTP and other alerts required for doing financial transactions through your bank account.
How does a SIM swap work?
- Fraudsters obtain your bank account details and your registered mobile number through phishing or through Trojans/Malware
- Under the pretext of losing the mobile handset or a damaged SIM card, the fraudster approaches a mobile service provider by creating a fake identity of the genuine customer
- Post customer verification, the mobile service provider will deactivate the old SIM card, which is in the customer’s possession and issue a new SIM card to the fraudster. There will be no network on the customer’s handset. Now, the customer will not receive any SMS , information such as alerts, OTP, URN, etc. on their phone
- With the banking details stolen through phishing or a Trojan/Malware, the fraudster may access and operate your account and initiate financial transactions without your awareness since all the SMSes for alerts, payment confirmation, etc. will go to the fraudster.
They may get my SIM, but how did they get my bank details?
SIM swapping/exchange is usually phase two of a fraud attack. Initially, they send a phishing e-mail (or other similar phishing attempt) to get all your banking details. These details can also be stolen using Trojans/Malware. They also work towards getting the victims personal information and may even go as far as stealing their identity and creating a fraudulent ID. In order to use all of this gathered information, they need to access the victim’s mobile messages – hence, the SIM swap.
- Be vigilant and try to stay aware of your cell phone’s network connectivity status. If you realise that you are not receiving any calls or SMS notifications for a long time, something may be wrong and you should enquire with your mobile operator to be sure that you have not fallen victim to this scam
- Some mobile network operators send customers an SMS to alert you of a SIM swap, which means you can act and stop this fraud on its tracks by contacting your mobile operator immediately
- Do not switch off your cell phone in the event you are receiving numerous annoying calls, rather don't answer the calls. This could be a ploy to get you to turn off your phone or put it on silent to prevent you from noticing that your connectivity has been tampered with
- Register for alerts (SMS and e-mail) so that when there is any activity on your bank account you will receive an alert
- Always check your bank statements and online banking transaction history regularly to help identify any issues or irregularities
- ICICI Bank will never send e-mails that ask for confidential information. If you receive an e-mail requesting your Internet Banking details like your PIN, password, account number, you should not respond
- Delete suspicious e-mails without opening them. If you happen to open them, do not click any link or attachment they may contain
- To secure your computer, read our Computer Safety Measures
- To know about e-mail related frauds and tips to protect yourself from frauds, read Phishing and Spoofing
Online thieves often direct you to fraudulent websites through e-mail and pop-up windows and try to collect your personal information. One way to detect a phony website is to consider how you arrived there. Generally, you are directed by a link in a fake e-mail requesting your account information. However, if you type, or cut and paste the URL into a new web browser window and it does not take you to a legitimate website, or you get a not-error message, it was probably just a cover for a fake website.
Nigerian 4-1-9 Scam
This scam is often referred to ironically as the 4-1-9 scam after section 4-1-9 of the Nigerian Penal Code, which relates to fraudulent schemes. The scam starts with bulk mailing/e-mailing of offers asking the recipients to enter into business or to extend help in getting money transferred in return for a huge commission.
The most common forms of fraudulent business proposals are:
- Offer of disbursement of money from wills
- Contract fraud (purchase of goods or services)
- Purchase of real estate
- Transfer of funds from over-invoiced contracts
- Sale of crude oil at below market prices
- There is always a sense of urgency
- There are many foreign-looking documents and sometimes, references of actual Nigerian Government buildings are used
- Often, blank letterheads and Account Numbers are requested
- There is a variety or processing fee or bribe that must be paid, and the transaction is asked to be kept confidential
- Use caution while dealing with foreign buyers and sellers
- Beware if the buyer or seller asks you to send money quickly
- No legitimate company will offer to pay you by arranging to send you a cheque and asking you to wire some of the money back. If that's the pitch, it's a scam
- If it sounds too good to be true, it probably is
- If you receive an e-mail claiming to be from ICICI Bank regarding updating sensitive account information like PIN, password, account number, let us know by forwarding the e-mail to email@example.com . Never provide sensitive account like PIN, password, account information or personal information in response to an e-mail. If you have entered your personal information, report it to us immediately
- If you notice any spoofed (duplicate/unofficial) ICICI Bank website, let us know by writing at firstname.lastname@example.org. Please call our Customer Care 80004877
PIN and Password safety measures
- Destroy the PIN mailer after memorising the PIN and/ or change the PIN after the first usage
- Never keep your PIN and ATM card /Debit Card /Credit Card together
- Your password should be complex and difficult for others to guess. Use letters, numbers and special characters [such as, !,@, #,$, %, ^, &,* (, )] in your passwords
- Do not use passwords that are obvious, like your name/nickname, names of your family members, your address, phone number, or any other information that a thief might find in your purse or wallet
- Do not use the same password as the one which you use to log in to your computer or access your e-mail
- If your login IDs or passwords appear automatically on the sign-in page of a secure web site, you should disable the auto-complete function to increase the security of your information To disable the "Auto Complete" function.
- Open Internet Explorer and click on ‘Tools’ > ‘Internet Options’ >’Content’
- Under ‘Personal Information’, click on ‘Auto Complete’
- Uncheck ‘User names and passwords on forms’ and click on ‘Clear Passwords’
- Click ‘OK’
- Change your Internet Banking password (both, login password and transaction password) after your first login, and thereafter regularly (at least once a month)
- Create and maintain different passwords for logins and transactions. This provides additional security for financial transactions through Internet Banking
- If you access any website (including ICICIBank.com) from a cyber-cafe, any shared computer or a computer other than your own, change your passwords after such use in your own computer at your workplace or at home. It is very important to do so especially when you have entered your transaction password in such a cyber-cafe computer or shared computer
- Never share your passwords with others, including family members. Do not disclose your Internet Banking password to anybody, not even to an ICICI Bank Limited employee
- Let your password be a combination of character, number and special characters
- Do not write down or save Internet Banking password in notepads or personal devices
- Do not tick the box of save password while logging in to any site
ICICI Bank is NOT liable for any loss arising from you sharing any of your user IDs, passwords, cards, card numbers or PINs with anyone, and from their consequent unauthorised use.
- If your Credit Card gets stolen/lost
- If your card doesn't function and you need a replacement card
- To report unauthorised transactions.
Please call our Customer Care 80004877
- Be very sure of the website address. The website address is reflected in the address bar of your Internet browser. This check is recommended every time you access any website from a link given elsewhere. Always type the website address into the address bar or bookmark the websites that you use frequently
- Never enter, confirm or update your account-related details in a pop-up window
- If you tend to use your Credit Cards for online shopping frequently, make sure that you sign up for the Verified by Visa and/or Mastercard Secure Code programme(s)
- Confirm that the website is a secure one. Make sure any Internet purchase activity you engage in is secured by encryption to protect your account information. Look for ‘secure transaction’ symbols
- Shop only from reputed websites
- Beware of online offers that require you to provide your account details ‘for verification’
Frauds through social networks
Social media sites are popular among the youth today and also among fraudsters.
It has been observed that often victims get a Facebook, Twitter or WhatsApp invite to instal different types of festive themes, games, apps or links on their mobile or internet.
Once they click the link or download the app or software, a malicious browser extension gets downloaded on their computer, which monitors the users’ activities and leaks personal details to the fraudster.
Sometimes, the users are also redirected to the survey page and are asked to fill vital information like name, date of birth, mobile number, etc.
Never share your OTP, URN, CVV or passwords with anyone even if the person claims to be a bank employee.