Phishing for trouble

She was cautious throughout the conversation, during which the person at the other end confirmed her bank account number, debit card number and some other details. After that, he asked Mrs Sarala about her Aadhar Card details, purportedly for “fitting that in” with her bank account details. Mrs Sarala did not hesitate sharing that, as the person had asked for details considered “safe” – with nothing to do with her ATM PIN or net-banking OTP.

An hour later, her bank account was debited by over Rs 1 lakh in four instalments. She later registered a complaint at a south Delhi police station and a case of cheating was registered 

against unknown persons. However, there has been no significant development from the investigating end.

“It is a typical phishing case. The fraudsters surely did not do anything with the Aadhar number. They only needed to know that the bank account was active. Had they disconnected the phone immediately after confirming the account details, the target would have turned suspicious and informed the bank, leading to freezing of the account. So they resorted to the Aadhar details idea,” said Kislay Chaudhary, Chairman of the Indian Cyber Army and Senior Technical Advisor to police departments in five states – UP, Haryana, Madhya Pradesh, Rajasthan and West Bengal.    

In this case, the alleged cons did not ask for the OTP, as far as the complaint is concerned, which indicates that the fraudsters had used a foreign server for the transaction. As per RBI guidelines, all India-based servers are required to generate OTPs for online transactions, said the expert.

“In most of the phishing cases that we come across, the victims fail to recall that when and how they had actually passed on the OTP details, as the fraudsters are sly enough to get that detail leaked, on some pretext or the other,” Chaudhary added.

In May, the south district of Delhi Police – having a terribly tough time fighting cyber crimes – had help a meeting with senior bank officials. “We had recommended the banks to update their cautionary messages/mails, which presently warn only about sharing of PIN and OTP,” said Prem Nath, Deputy Commissioner of Police (South).

“In several cases, complainants claimed that they were sure that the call was from the bank. When asked, they said that they had called back and verified the number. However, during investigation, they too turned out to have been duped,” said a police official. He further said, quite a few phishing rackets in the city have been set up by experts in the business. They are experienced in this field and have run rackets earlier at other cities in India and also abroad – most of them reported during the late 90s in UK.

Expert phishing cons get themselves equipped with a customised computer application, popular as “spoofer” or “spoof caller”. With that, they call their targets making sure that the official phone number of the concerned bank is displayed in their cellular phone’s screen. In most of those cases, in which the victims claimed that they had verified the phone number, they were actually “spoofed”, said the official.

He further said, some phishing syndicates are so confident about themselves that they operate systematically through call centres, and dupe people large scale – ensuring that they make money after covering the set up and operation cost of the business.

In June, Noida Police had claimed to have busted a phishing syndicate which had allegedly set up two call centres in west Delhi’s Uttam Nagar area. The syndicate had allegedly purchased details pertaining to lakhs of account holders at the rate of around seventy paisa per account from an agent, who allegedly had connections with marketing agents. In this case, the complaint was officially registered by a SBI branch, said an official who investigated the case. The bank cooperated in the operation and the cons were tracked through both technical and human intelligence, the official added.

For years, investigating agencies were troubled by the question: How do these cons avail almost all details, except the secret PIN and/or OTP, about the customer’s debit card or online banking account? To this, senior police officials who had investigated such cases allege that it is mostly through the Direct Selling Associations (DSAs) the banks hire.

Around 15 years ago, the banks – mostly the private banks – took up aggressive marketing measures, both for growth and fighting a choke throat competition. Sales agents and DSAs were hired for opening bank accounts, as part of massive drives. These third parties were entrusted with handing over of banking packages – comprising of the Debit Card, Cheque Book and other documents – directly to the customers. This gave the third party agents access to crucial details about the bank customers.

In a large number of cases worked out by the police, these agents were found to have either allegedly connived with the experts or sold off the details, said the source. When phishing became rampant, the nationalised banks and some private banks stopped the third party’s access to the customer’s voucher and resorted to the conventional mailing-to-doorstep procedure. But some still continue, subjecting the customers to immense risk, said a senior police official who did not wish to be named.

In 2013 cyber criminals had defrauded banks in the country of almost Rs 130 crore with a record of around 33,000 cases of fraud pertaining to ATMs, debit and credit cards and internet banking registered in the previous three years, quoting records reportedly filed at the Ministry of Finance.

The largest number of cyber fraud cases was registered by the ICICI Bank with around 25,000 cases totalling approximately Rs 74 crore in the said period. Citibank stood second with around 1,500 cases involving approximately Rs 6.9 crore followed by American Express with 1200-odd cases involving around Rs 8.16 crore.

Whose responsibility is it to look into this menace, considering how thousands of bank customers are duped of several crores every year?

 “No one party can be singled out and imposed the responsibility of countering phishing cases. The responsibility has to be shared by the investigative agencies, the banks, the government and even the society, in terms of inculcating a general awareness about it,” said Kislay Chaudhary.

For instance, the e-mail account of a senior journalist in Delhi was allegedly hacked in 2014 and his contacts were extracted. The alleged cons then created a similar e-mail account, with details copied from the journalist’s account and a minor change in the e-mail address. They then started mailing his contacts and asking for money, writing “My family has met with an accident in a foreign country, my daughter is in a serious condition and I need money urgently.” One of his relatives, a lawyer by profession, responded to the mail and sent money to the particular bank account mentioned in it. Later, when he found out that he has been duped, he reported the matter both to the bank and the police.

While the concerned police station in northwest Delhi allegedly failed to do anything about it, the concerned private bank held an inquiry on its own and gave itself a clean chit in seven days. “In such cases, the biggest hurdle for the police happen to be the inadequacy of provisions regarding data sharing with companies having their servers based overseas.

We are presently facing a terrible time with cases regarding defacement of social network accounts and we have been able to do nothing about it so far. Most of the social network giants claim that they do not have servers in India,” said a senior official at the Economic Offences Wing of Delhi Police.

He further said that the difficulty in checking basic cyber crimes, like phishing, have now led to the import of more modified varieties of it, the latest of them reportedly being cases of “Mandate Fraud”. 

Under this modus operandi, exporters or their buyers are targeted and then the exporter’s details on the sales invoice mailed to the buyer are altered, by hacking into the account of either of the two.Like mainstream phishing, mandate fraud was also rampant in UK in the first decade of twentieth century. The Guernsey’s £2.6 m mandate fraud case was probably the biggest ‘mandate fraud’ case reported till date. The money was paid out to people posing as Lagan Construction, the contractor working on Guernsey’s airport project. Later, a 34-year-old man was arrested by the police.

In 2015, Delhi Police stumbled upon mandate fraud cases for the first time and three complaints have been registered with the Economic Offences Wing in the past six months. Lack of scientific evidences in all these cases have left the investigators so helpless that no FIR could yet be registered in connection with any of them, said a police source.