Rajesh Iyer lost money while selling an old television set through an online classified ad. Aarif Ansari uploaded his CV on a job portal, only to be swindled by someone claiming to be from a placement agency. Sudha Ramakrishnan was buying clothes, when by clicking on an advertisement on a social media platform, she found herself poorer by a few thousand rupees.
With the line between the real and virtual worlds becoming hazy, online frauds are becoming more common. It’s no longer about a fancy envelope arriving in your mail to announce that you have won a lottery or that you are inheriting an estate in another continent. As the time we spend online working and playing increases, fraudsters are also finding newer avenues to con us out of our hard-earned money.
You can’t be careful enough. “It is not possible to live outside the virtual world. What we need to do is to treat the virtual world as the real world and take same pre cautions accordingly,” says Ritesh Chopra, Director Sales and Field Marketing, India and SAARC, NortonLifeLock. Sometimes the fraudsters don’t even need you to act directly. Only a few months after Rekha Prasad opened a salary account with a leading private bank in India, her international debit card was used to pay for Uber rides in the UK. Suresh Nair could only watch in horror as small amounts of money started disappearing from his account every few minutes even though he had done nothing to trigger the debits.
Prasad and Nair lost money because data was leaked—inadvertently by them or a service provider. Every financial transaction involves multiple service providers and data may get leaked due to frictions between these entities. The weak link may be at any of the following levels—device manufacturing, device operation, telecom network that provides the SMS, banks, merchants or payment gateway provider. Hackers get their hands on the data by at tacking the weakest link.
Rekha Prasad, 33, Chennai: On starting a new job, Prasad opened a salary account with a leading private bank. Two months later, her international debit card was misused and she lost around Rs 20,000 on one Sunday. SMSes from the bank revealed that the card was used to pay Uber hires in the UK. She later realised that a fake Uber account was created using her card details. As she had not shared her card details with anyone, the bank refunded the money after a couple of months.
As users, we don’t have control on any of these links. What we can only do is take the following steps to ensure our financial data remains safe.
Don’t share OTPs or scan random QR codes
A sure-fire way to lose your money is by sharing one time passwords (OTP) with unknown entities or scanning unverified quick response (QR) codes. “QR codes need to be scanned to give money and not to receive money. Similarly, you enter an OTP when giving money and not when you have to receive money. Hence, to receive money via UPI, one does not need to scan a QR code or enter a PIN or OTP,” says Shilpi Mishra, Senior EVP, Kotak Mahindra Bank. Several fraudsters are misusing the ‘collection facility’ allowed under UPI. “A fraudster may send a collection request and ask you to approve it to receive money. You will end up losing money if you give digital consent to these kinds of trans actions,” says Topendra Bhattacharjee, Head – Digital Bank, RBL.
You should also never share an OTP while making a payment. Remember most sites, including banking sites, allow you to change passwords with OTP authentication. So by sharing the OTP you could be allowing scamsters to take control of your online banking logins.
QR code with malicious software is also emerging as a new threat. QR codes are two dimensional barcodes and contain large amount of data. “While you are paying Rs 200 by scanning a QR code, a malicious code will capture details linked to the wallet, bank account, etc that can be misused later,” says Chopra. Should you avoid scanning QR codes completely? No, but exercise caution. “Scan QR codes only with known and genuine merchants and make sure that the merchant’s name is appearing there,” says Suresh Rajagopalan, CEO, Wibmo.
Rajesh Iyer, 45, Mumbai: He put out an ad on an online classified site to sell his old television. Next day, a potential buyer contacted him and the deal was finalised at Rs 1,500. The purchaser said he would send a vehicle to pick up the TV. He took Iyer’s bank account number to transfer the money. Soon afterwards, Iyer got a message showing Rs 4,500 had been transferred into his account. The purchaser called to say he had mistakenly transferred Rs 4,500 and asked Iyer to transfer Rs 3,000 back, which he did. The buyer then failed to turn up to collect the TV. When a suspicious Iyer checked his bank account he realised that no money had been sent to him in the first place, the SMS was a fake, and instead he had been cheated of Rs 3,000.
Don’t click on that link
Before clicking on a link you check the source and ‘mouse over’ the link to see whether you are being taken to the genuine site or not right? However, that’s no longer enough. Fraudsters may send you a mail that is masked to show the sender as a genuine entity, in other words they resort to phishing. You could also get several messages that seemingly come from genuine sources, like your bank. Mouse over and checking the link is of little use due to the increased usage of tiny URL, a system that allows users to hide their long URLs. “Due to masking of ids and companies using tiny URLs, there is no fool proof way for an individual to stop the malicious links,” says Chopra from Norton.
So, what should one do? “Since it is difficult to distinguish between the correct and fake link, don’t click on any link,” says Bharat Panchal, Chief Risk Officer, India, Middle-East & Africa, FIS. Even if you have to click on any link, make sure the site opened is secured. Look out for a small lock emblem at the extreme left side of the URL before parting with any personal information. “You can also get more details by clicking on the lock icon. Ideally, you should do it every time before giving out personal information,” says Sachin Goel, EVP and CTO, Tata AIA Life Insurance.
Deregister from offers
The best way to keep frauds at bay is by updating contact details stored with your bank. However, banks and other financial institutions tend to bombard customers with regular doses of promotional mails and SMSes. By ignoring these messages, you could miss out on important messages too. The safest way out is to unsubscribe from these promotional offers. “The transactional SMS and emails are mandated by RBI and banks can’t stop these if you opt out of marketing SMS and emails,” says Panchal.
Don’t store card details
Many of us have the habit of saving debit and credit card details on several sites and apps. However, this is best avoided. “All sites are vulnerable to being attacked. As a safe practice, desist from storing card and bank details on websites. Some of these sites may also have other data about you, like phone number, address, etc. So the risk is of an attacker getting access to that data as well,” says Shivangi Nadkarni, Co-Founder and CEO, Arrka, a data privacy and cyber security company. Sometimes your data gets saved automatically. This happens when you fail to turn off the auto fill facility in your browser. Turning it off will increase inconvenience, but make your online transactions more secure.
Protect your SIM
Since banking is now at your fingertips thanks to your smartphone, protecting your SIM is important. “Twenty to 30 minutes are enough to clone a SIM. If you suddenly lose network, that is a warning sign,” says Mishra from Kotak Mahindra Bank. If you leave your SIM cards unattended, fraudsters with SIM reader / writer can clone it, use it on some other phone and receive the OTPs and other SMSes sent to you by banks. “Several banks today use device finger printing, and it will ask for additional information if both the SIM and device doesn’t match,” says Rajagopalan.
Keep the device safe
Device finger printing has increased the importance of your devices like mobiles and laptops. A device can be hacked offline or online. Offline hacking can happen if you leave the device in the hands of someone else, like leaving your mobile in a not so reputed repair shop.
Though online hacking can happen from direct attacks, most occur when you download apps or pirated movies or similar stuff from unsecured platforms. How many of us take the trouble of checking the privacy policies of apps that we download? As a rule, don’t give permission to all your data— photos, location, email, SMS, microphone, camera, etc. This can be a serious threat because banks send emails and SMSes for every transaction and any app that reads all that will know your exact banking transaction details.
Among apps, one segment in particular is turning out to be a big problem. “Gaming / casino apps are the main source of worry now because they collect details and store it outside India. Some also have the ability to read data from other apps,” says Rajagopalan. For example, Nair lost money because of the gaming apps installed on his phone by his son.
You should also be careful while sharing sensitive information using your mobile, because these shared information get stored there. “Don’t share important documents like Aadhaar, PAN, etc on WhatsApp. Please delete all details from the phone gallery also,” says Mishra.
Lock devices with antivirus software. A hacker’s life becomes easy when there is an overflow of information and we keep watching movies on our mobiles. “Since many videos, pictures and some downloaded apps may contain virus / malware, it is better to have a paid antivirus / anti malware soft ware to protect your device – especially Android,” says Dheeman Thacker, Head- Digital Banking, Ujjivan SFB.
Beware tap & pay cards
Customers need to be extra careful with tap and pay cards because there is no PIN authentication needed for it and this can create problems if the card is misplaced or stolen,” says Rajagopalan. The threat has increased ever since RBI hiked its maximum daily usage limit from Rs 2,000 to Rs 5,000 in January. Limit use of this facility or block it altogether to stay safe.
Similarly, you also need to be extra careful while transacting in a foreign country or on foreign sites. “Risk increases with foreign transactions because other than India, only few countries like Singapore have started using second factor authentication like OTP,” says Panchal. Some foreign sites also force you to save card details before making payments. “The best strategy when shop ping online is not to store card details on the merchant website. Unregister the card and delete the card details once the transaction is complete,” says Mishra.
Sudha Ramakrishnan, 29, Chennai: She clicked on a Facebook advertisement to buy some dress material. Since the site did not offer the option of cash on delivery, she paid Rs 900 using UPI. When the product failed to arrive, she called the seller, only to be told that a delivery had been made. When she protested, they offered to refund her money and asked for her bank details. They asked her to share a verification code to get the refund. As soon as she shared the OTP, Rs 10,000 disappeared from her account. Her bank refused to reimburse as she had shared the OTP.
Use new system
RBI has introduced several steps to protect bank customers. However, customers need to act on them. “Though RBI introduced positive pay from 1 January, most customers are not using it,” says Panchal. Under positive pay system, you can ask your bank now to verify details of the cheque if the amount involved is more than Rs 50,000 and this will prevent the misuse of cheque leaves. All you need to do is to inform a few details of the cheque like date, name of the payee, amount, etc to your bank electronically. As of now, positive pay system is voluntary, but RBI has allowed
banks to make it mandatory for cheques involving more than Rs 5 lakh.
Similarly, most bank customers are still not using the facilities to re strict usage of their debit and credit cards. “Keeping the cards in inactive mode or with very low transaction limits is the best strategy. Activate it or
increase limits only when you actually need it,” says Rajagopalan.
Suresh Nair, 48, Kozhikode: He holds an account with a leading multinational bank. One night he got a message showing Rs 1 had been credited to his account. After a few minutes, small amounts between Rs 300 and Rs 400 started getting debited from his account. Within no time he had lost Rs 1,700. The bank did not refund any money on the premise that his phone might have been infected with malware while downloading some apps.
Don’t ignore other data
Not just financial data, you should guard all data from misuse. “Not just financial information, people should avoid sharing any highly personal information, on social media and other public sites. Fraudsters can get hold of your details and misuse them for fraudulent activities,” says Nadkarni.
This fraud is becoming easy now due to mushrooming of online loan portals. “Since digital on boarding of any site is based on the available digital data only, someone can replicate your pro file with publicly available / leaked data and create a new account and take loans,” says Bhattacharjee of RBL.
Problems can come in other forms also. “Don’t think that cyber crime is just restricted to financial loss. For example, cyber criminals could create deep fake videos using the video you posted on social media,” says Chopra from Norton. Publicising every move is another no no. “Don’t publicise where you are through social media. It is only helping the fraudster know that you are not at home,” says Bhattacharjee.
Similarly, don’t give out family details on social media. Refrain from mentioning your date of birth and avoid revealing details that can be linked to your passwords.
If you lose money
Contact your bank immediately if you are a victim of fraud. However, this doesn’t mean that the bank will reimburse the money immediately. Liability depends on where the leakage occurred. “The bank is responsible for the illegal use of the card or if the card cloning happened in its ATM. However, the customer is responsible if the loss is because customer shared any information like OTP, CVV, password, etc,” says Panchal.
Aarif Ansari 36, Mumbai: He posted his CV on a leading job portal. After a few days, he got a call from a placement agency, which asked him to send Rs 100 to get details of a company interested in hiring him. He was sent a link, asked to click on it and share the verification code. He realised his mistake immediately when Rs 10,000 disappeared from his account. His complaint with the placement portal or bank did not yield any results.
Keep your data safe
- Don’t carry out financial transactions from public computers or from public wifi.
- Keep passwords as cryptic as possible.
- Don’t write down your passwords
- Increase the security of your device with multi-factor authentication like fingerprint or iris scan.
- Though inconvenient, keeping a separate phone for banking is a good idea.
- Start a separate bank account for your investments. Use separate account with small balance to carry out online transactions.
