arrow
Safe Banking
img

Phishing

..........................................................................................................
Phishing

What is Phishing?

Phishing is a global problem faced by Banks worldwide. It is an attempt to 'fish' for your banking details. Phishing could be an e-mail that appears to be from a known institution like banks / a popular website.

Please note that Banks will never ask for confidential data like login and transaction password, One Time Password (OTP), Unique Reference No. (URN), etc.


How does phishing happen?
  • Phishers sets up a replica page of a known financial institution or a popular shopping website
  • Bulk e-mails are sent to users asking for their personal data like account details, passwords etc
  • When the user clicks on the link, the replica of the website will open. Or while the user is online, a form will populate through an "in-session pop-up"
  • On updation, the data goes to phishers. Post which the user is redirected to the genuine website

Phishers have refined their technology to launch sophisticated attacks and use advanced social engineering techniques to dupe online banking users.

Phishers use a combination of email phishing, vishing (voice phishing) and smishing (SMS phishing) to get customer details like account no., login ID, login and transaction password, mobile no., address, debit card grid values, credit card no., CVV no., PAN, date of birth, mother's maiden name, passport no., etc.

Scenario 1:
For funds transfer through internet banking, the user needs to add a payee and confirm the registration, using the Unique Reference No. (URN) that is received on the registered mobile no.
Phishers send out SMS to users informing them that an SMS will be received with the URN. This is required to be given to the bank employee who will call him. Meanwhile, the phisher adds a payee in the user's account. The user receives the URN from the bank to confirm the registration of the payee. The phisher posing as a bank employee contacts the user for the URN. The user does not suspect the caller and gives out the URN, which is misused.

Scenario 2:
The phisher calls phone banking posing as the customer to request for mobile no. change. He then adds a payee for funds transfer. The URN and account transaction details are received on the updated mobile no. and misused. Sporadic incidents have also been reported where phishers get a duplicate SIM issued by the mobile service provider to receive the URN and OTP directly.
Customers ignore intimations about mobile no. change, as Bank errors.

Scenario 3:
The phisher calls phone banking posing as the customer to request for address change. He then reports the loss of the card and requests for a fresh card, which reaches the new address and is misused.
Customers ignore intimations about change in account details.

Scenario 4:
The phisher collects the 3D Secure password through sophisticated technology and vishing to shop online.

Scenario 5:
Phishers approach customers at offices / residences to fill survey questionnaires and offer gifts in exchange. These forms contain question on confidential data.

Scenario 6:
Banks and regulatory bodies like Reserve Bank of India (RBI), Income Tax (I.T) Dept. are publicizing awareness on phishing. Phishers now send emails resembling Yahoo / rediffmail, shopping sites or regulatory bodies, like RBI / I.T. dept., asking for confidential data.

Scenario 7:
Phishers send emails with attachments that carry virus / Trojan. The keyed-in data is captured by the malware and transmitted to phishers.
How to identify a Phishing attempt?
  • Unsolicited emails, calls from strangers or websites asking for confidential banking details
  • Messages asking for urgent action due to security reasons
  • Links received in emails to access known websites
  • To check the actual website, roll the cursor over the link or check for https:// where "s" stands for 'secure site'

Examples Of Phishing E-mails
Subject
Mandatory Net Banking Security Update
Security Update
Your Tax Refund is now available in 12 hours !
Urgent Notification! From ICICI Internet Banking
Confirm your online account details! (message id: b38403334)
ICICI Bank Technical Verification
Alerts!!! Upgrade And Secure Your Online Account Immediately
Urgent Security Warning
ICICI Online Banking Account Security Upgrade


How to avoid Phishing?
  • Do not disclose details like passwords, debit card grid values, etc. to anyone, even if they claim to be bank employees or on emails / links from government bodies like RBI, I.T. Dept., etc
  • Type the web address in the browser. Do not use links received in emails
  • Change your passwords from your own computer, in case you have used a cyber cafe / shared computer
  • Register for email and mobile alerts to check your account regularly
  • Install effective anti-virus / anti-spyware / personal firewall on your computer / mobile phone and update it regularly
  • Do not open email attachments from strangers as they may contain virus / trojan which transmit keyed-in details to phishers
  • A click on the padlock icon appearing on the web page will display the digital certificate for genuineness of the website
  • Report the incident to the Bank / institution on the number mentioned on the Debit / Credit card, bank / credit card statement or official website

How to report a phishing attempt?
  • Forward the original e-mail to us at antiphishing@icicibank.com
  • Report the incident with caller's no., date and time of call, etc at our 24-hour Customer Care

What should you do if you have entered data on a fraudulent link?
What should you do if your money has been fraudulently transferred through phishing?
  • Inform the bank immediately