Tuesday, January 13, 2009

How we are in the hands of phishers

It’s Monday morning. Ugh. Turn on your computer and check that mail! What’s this?

“In accordance with new KYC [Know Your Customer] norms, please login to your bank account by clicking on the link below and update your personal details. Thank you for your cooperation.”


Oh well – you click the link, the bank’s home page opens, you key in your user id and password and ….. ‘Network Error’! Hmmm… something wrong with the website. You try again. And then forget it – you’ll do it another time.



Ah, never mind. End of the month – you get your bank statement and …. Hey wait a minute! What are all these transfers and withdrawals? Hands shaking, you call the bank [helpline, dial 1 for English, 2 to cry, 3 to die…] and “Sorry sir, these are withdrawals you have made with your user id and password online”. But.. but “Thank you for calling the Left bank of the Ganges, you were talking to Unhelpful Kumar, have a nice day.” Nice day?



That email was a con, leading you to a fake website, a clone of your bank’s page [and a very good one], leading you on to giving your user id and password to the crook at the other end, gleefully waiting for another sucker to bite the dust.


Welcome to the world of online fraud - You’ve just been phished!


Another time, you get a call from your credit card bank, asking if you’ve made any online purchases recently. You think about it and say “I may have – a few dollars worth of magazine subscriptions or an email account payment.” Well sir, you will be pleased to learn that your online purchases at Paypal to the tune of $2150 [Rs. 1 Lakh] have been honoured by the credit card issuer.


Didn’t make that purchase? Welcome again to the world of online fraud – your card’s just been misused and the bank expects you to pay!

Every time you give out your personal details [and you need to do that for everything – a driver’s licence, that passport to Indian Officialdom, our famous ration card, a cellular phone, an insurance policy et al], you are inviting someone to take you for a ride. These are all the details that are needed for a paying bank to “verify” the user of your credit card or bank account.


Use your card at a restaurant, a store or worse, provide a photocopy to a hotel or vendor for “record”, you are, as the saying goes, literally asking for it. A copy of the card and your mailing address is all that’s needed to put you in the doghouse. So what do you do? Stop using your credit card or your bank account? Not a bad idea in these times, but it doesn’t work for you, does it?


A few simple precautions and a basic knowledge of the law will certainly minimize damage. Do not part with your personal information to an agent, salesperson or an indirect channel like that nice car loan agent. If you have to, provide that information directly to the authorities concerned. And for god’s sake, you NEVER need to give out your user id and password to anyone, not even to the nice guy at the bank – not even your home internet password.


Most people use easy to remember passwords – their date of birth combined with their name or that of someone close to them. A patsy for even a novice hacker! A strong, difficult to break [no such thing as unbreakable] password would have a combination of random letters, alphabets and even special characters like a +. Change your passwords regularly and don’t share them!


Do not access your bank accounts from other people’s computers; most certainly not from cybercafés and airports. Windows has an unhealthy habit of ‘remembering’ passwords and user names – note how the user name automatically gets filled into the box when you put in the first character.


Memorise your ids and passwords [I know, I know – easier said than done] or if you HAVE to write them down, please lock them away. Keep a list of your card numbers under the same lock and key, in case you have to report their loss. Try not to leave those keys around the house! If you travel, keep them with someone you trust – just like your will.


Don’t answer emails like the one above – no bank needs you to provide them with your user id and password by clicking on a link – they already have your details. Carefully check the spelling of the link – a phish ALWAYS has a different link. If it was the same as your bank’s, it would take you to the REAL page! It’s safer to type in the link yourself when you want to login to your account.


If you DO get phished or conned, report it at once and DISPUTE the withdrawals or charges in writing. The Reserve Bank of India requires your bank to reverse the charges when disputed by you, pending an investigation. You do NOT need to pay them and then have your complaint heard, in spite of what the bank tells you.


Once you claim that the charges or withdrawals are fraudulent, it is for the bank to investigate and prove that the charges have indeed been incurred by you. Provided you have exercised reasonable caution, you cannot be held liable for a fraudulent withdrawal or charge.


A delay in reporting the fraud could end up making you liable – you must show that you have reported it at the first reasonably available instance. Keep the card, even after you have it blocked – you will need to produce it to show that you still have it in your own possession. Charges on a lost card are your liability till you report the loss. Some banks will insure you for that kind of loss or offer a limited liability plan.

If you are unfortunate enough to have a relative or friend steal and misuse your card or bank id, you will probably decide to grin and bear it – the bank isn’t going to let you off the hook.


All said and done, if you do not throw caution to the winds and exercise reasonable security, you will probably have only the headache and perhaps some heartache to contend with – a small price to pay for the freedom and flexibility that the internet gives you.
