
Reading 2 - Digital and Online Banking Frauds

Digital and online banking fraud in India is a significant concern due to increased mobile banking adoption. Common fraud tactics include identity theft by stealing personal documents or impersonating individuals, KYC fraud by tricking people into sharing details under the guise of updating KYC, phishing through fake emails/texts/calls, UPI/QR code scams involving fraudulent transactions, and installing malware via screen sharing apps or fake apps to access devices and financial credentials. People need to be aware of these risks and avoid interacting with unsolicited communications or downloading untrusted apps to protect their information and money.

Uploaded by

xayog34575

Reading 2- Digital and Online Banking Frauds

Digital banking fraud in India refers to fraudulent activities or scams that target mobile banking users, leading to financial losses and potential compromise of personal and financial information. Mobile banking frauds are a significant concern due to the widespread adoption of mobile banking services in India.
1 Identity theft

Identity theft involves stealing personal information, such as Aadhaar card, PAN card, voter card number and/or bank account details, to commit fraud or other crimes in the victim's name.
Identity theft can occur through:

Stolen personal documents like passports, Aadhaar cards, voter ID cards, or PAN cards.

Impersonation: Perpetrators may pose as someone else, often using forged documents, to gain access to services, benefits, or financial accounts.

To understand how this works, it is important to understand the modus operandi of “KYC frauds”.

What is KYC?

Know Your Customer (KYC) is a process used by various businesses, particularly financial institutions, to verify the identities of their customers. KYC is important because it serves as a safeguard against identity theft, terrorist financing, money laundering, and financial fraud. The Reserve Bank of India (RBI) has made KYC mandatory to ensure the integrity and security of financial transactions. It helps businesses, especially financial institutions like banks, to have a better understanding of their customers.
How is KYC done?

The following details of customers are collected to complete the KYC process.
Legal name
Identity proof
Correct permanent address as per identity proof
The legal status of the entity or person.

How does KYC fraud happen (also linked to Identity theft)?

There are instances of fraud related to KYC where criminals exploit this process. They use fake SMS messages or fraudulent calls to impersonate bank representatives, with the aim of collecting personal information from customers. The fraudsters may provide the customers with a phishing link or a 10-digit mobile number, or convince them to give access to their digital device, through which they intend to get hold of the customer's personal details and gain unauthorized access to their bank accounts to steal money. Many innocent people have lost their hard-earned money to this fraud in recent times, and it is still continuing.

Modus Operandi - In case of fake calls

Here's how the fraud takes place in a series of steps:

Source Credit- AmBank Group

Fraudsters impersonate bank or e-wallet representatives and call the victim, urging them to update their KYC immediately to prevent account blockage.

They claim that the KYC process can be completed online to maintain an active account and request the victim to download a specific mobile app onto their device.

Once the app is installed, the fraudsters ask the victim to share a code and grant certain permissions, giving them access to the victim's digital device.

The caller then instructs the victim to transfer a small sum of money from their bank account, enabling them to access the One-Time Password (OTP) sent to the victim's digital device.

Sometimes, callers ask the victim to share their CVV (on the back of their debit / credit card). This is the last layer of security on the card. If you give away this number publicly, you'll lose all your money.

After the victim transfers the money, the caller gains access to their password and other critical details. This information is exploited to conduct fraudulent transactions and deplete the victim's bank account.

Source Credit- https://bit.ly/3FvMOgn


Modus Operandi - In case of fake Messages

Source Credit- SBI- https://bit.ly/3Q62M5U

Victims receive a message from a mobile number containing an unknown link or a 10-digit mobile number, with the pretext of updating their KYC.

If the victim clicks on the provided link in the message, they are directed to a fake website that mimics a legitimate bank's site.

Here, they are prompted to enter their bank username, password, One-Time Password (OTP), and other sensitive information.

Alternatively, if the victim calls the number provided in the message, they are encouraged to share personal details such as their account username, password, account number, and OTP.

The fraudster uses the acquired information to gain unauthorized access to the victim's bank account and carries out fraudulent activities.

Source Credit- HDFC- https://bit.ly/3FDTXeB
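
As an added example (not part of the original reading), the indicators listed above for fake KYC messages, namely a KYC pretext, an unknown link, a 10-digit callback number and a request for OTP or password, can be checked mechanically on an incoming SMS. The domain `bank.example`, the indicator names and the sample messages are constructed assumptions.

```python
import re

# Assumption: the bank's genuine domains; "bank.example" is a placeholder.
OFFICIAL_DOMAINS = {"bank.example"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Indian mobile numbers: 10 digits starting 6-9, optional +91 prefix.
MOBILE_RE = re.compile(r"(?<!\d)(?:\+?91[\s-]?)?[6-9]\d{9}(?!\d)")
KYC_RE = re.compile(r"\bkyc\b", re.I)
URGENCY_RE = re.compile(r"\b(?:block(?:ed)?|suspend(?:ed)?|expire[sd]?|immediately)\b", re.I)
SECRET_RE = re.compile(r"\b(?:otp|cvv|pin|password)\b", re.I)

def host_of(url):
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
    return host.split(":")[0].lower().rstrip(".,")

def is_official(host):  # exact match or a true subdomain only
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def indicators(sms):
    """List which of the fraud indicators appear in one message."""
    found = []
    if KYC_RE.search(sms):
        found.append("kyc_pretext")
    if URGENCY_RE.search(sms):
        found.append("urgency")
    if SECRET_RE.search(sms):
        found.append("asks_for_secret")
    if MOBILE_RE.search(URL_RE.sub(" ", sms)):  # ignore digits inside URLs
        found.append("callback_number")
    if any(not is_official(host_of(u)) for u in URL_RE.findall(sms)):
        found.append("unofficial_link")
    return found

def verdict(sms):
    hits = set(indicators(sms))
    channel = hits & {"unofficial_link", "callback_number", "asks_for_secret"}
    if "kyc_pretext" in hits and channel:
        return "likely_kyc_scam"
    return "review" if hits else "no_indicators"

# Constructed sample messages (not real traffic).
SAMPLES = [
    "Dear customer, your account will be blocked today. Update KYC immediately: http://kyc-update.example/login",
    "Your KYC has expired. Call 9876543210 to avoid account suspension.",
    "Verify KYC at https://bank.example.kyc-verify.example/update",
    "Rs 500.00 debited from A/c XX1234. Not you? Visit https://www.bank.example/help",
]

if __name__ == "__main__":
    print(*[(verdict(s), indicators(s)) for s in SAMPLES], sep="\n")
```

The third sample shows why the link check compares the end of the host name: a lookalike that merely starts with the bank's domain is still treated as unofficial.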


Safety tips for safeguarding against such cyber frauds

Avoid clicking on links from unknown or unverified sources. It's safer not to interact with such links.

Never share sensitive information like your mobile number, account number, passwords, OTPs, CVV or ATM PIN with anyone.

Bank officials / financial institutions / any genuine entity never ask customers to share confidential information such as username / password / card details / CVV / OTP.

Genuine institutions do not conduct KYC updates via phone calls or by sending links to customers.

Download only original apps from authorized app stores and websites. Avoid downloading third-party apps.

If you encounter any such issues, report them immediately to the specific bank authorities.

File an online complaint regarding any such fraud on the government portal www.cybercrime.gov.in for further investigation and action.
2 Phishing / Smishing / Vishing

Source Credit- RBI- https://bit.ly/49b7V5c

Phishing is a type of hacking where attackers use fraudulent emails, websites, or messages to deceive users into revealing sensitive information like passwords or credit card details.

Phishing is mostly of the following types-

1. Email Phishing
2. Smishing
3. Vishing
Email Phishing: Attackers send deceptive emails that appear to be from trusted sources, such as banks, government agencies, or popular online services. These emails often contain links to fake websites that request sensitive information.

Smishing: Phishing attacks conducted via text messages or SMS. Scammers send text messages with links to malicious websites or request sensitive information through SMS.

Vishing: This involves voice-based phishing, where scammers call individuals and impersonate legitimate organizations to obtain personal or financial information over the phone.

Modus Operandi- Phishing

Source Credit- Stay Safe Online- https://bit.ly/3S9zGVX

Source Credit- Stay Safe Online- https://bit.ly/3SfffHk

Source Credit- Stay Safe Online- https://bit.ly/3tNBKsu


3 Unified Payments Interface (UPI) / QR code scam

Scam Type 1

Many of us sell products on online platforms.

Fraudsters, pretending to be from the Army (so that you are convinced that they are genuine), show interest in your product.

Instead of “sending money” to you, they use the “request money” option in the UPI app.

Most of us fail to notice this and approve the request.

Immediately, the fraudsters are able to pull money out of our bank account.

Source Credit- Times Of India- https://bit.ly/46KNbjo


Scam Type 2

Fraudsters usually register themselves on online selling sites and develop a nice rapport with other users on the platform.

Then they say they have a mobile phone to sell, post an image and spell out a price.

The buyer falls for it and is willing to take the item.

The fraudster, posing as an Army employee (they may even show you a fake ID card), will share a QR code to pay an advance/token amount, usually through GPay, PhonePe, PayTm or other online sources.

Source Credit- Quora- https://bit.ly/409UwpY

In return, you receive a courier receipt indicating that the mobile has been couriered.

At this stage, the connection goes cold: when the phone does not arrive and the buyer tries to call the seller, there is no response.

Source Credit- CyberForensics- https://bit.ly/3SeJgqn

Precautions

One should be careful while making financial transactions for online products.

Always remember, to receive money there is no need to enter your PIN / password anywhere.

If UPI or any other app asks you to enter your PIN to complete a transaction, it means you will end up sending money instead of receiving it.

Be cautious while scanning any QR codes using payment apps.

The best option is to ask the buyer to meet you in person while picking up the object and pay you then and there.
4 Fake Apps / Screen sharing app / Remote access

Fraudsters manage to access your mobile device, laptop, or desktop when you download unfamiliar or unverified mobile applications.

Once this malicious application is downloaded, the fraudster can gain full access to the device.

In some cases, fraudsters convince individuals to download screen-sharing apps, allowing them to watch or control your mobile or laptop, ultimately obtaining access to your financial credentials.

Subsequently, they use this access to make payments using your internet banking or payment apps, exploiting your financial information for fraudulent purposes.

Source Credit- Times Of India- https://bit.ly/3QwjpJf

Source Credit- Times Of India- https://bit.ly/3s3ZgkB
5 ATM card skimming

Fraudsters install skimming devices within ATM machines to illicitly capture data from your card as you use it.

To obtain your Personal Identification Number (PIN), they may:

Pre-install a dummy keypad or use small pinhole cameras that are cleverly hidden from plain sight, or

Pretend to be other customers standing nearby and gain access to your PIN as you enter it.

The data collected, including your card information and PIN, is then used to create a duplicate card, allowing the fraudsters to withdraw funds from your account.

Source Credit- Northwest Community Credit Union- https://bit.ly/472ueIA


Precautions

Check that there is no extra device attached near the card insertion slot or keypad of the ATM machine while making a transaction.

Cover the keypad with your hand while entering your PIN.

Do NOT enter the PIN in the presence of any other person standing close to you, and do not share the card with anyone.
6 SIM swap or SIM cloning

Since most of your account details and authentication are linked to your
registered mobile number, fraudsters target your SIM card. They aim to
either gain unauthorized access to your SIM card or obtain a duplicate SIM
card that allows them to conduct digital transactions using One-Time
Passwords (OTPs) received on the duplicate SIM.

Fraudsters often pose as telephone or mobile network staff, contacting the customer under the guise of offering a free upgrade from 3G to 4G or providing additional benefits for the SIM card.

By doing so, they aim to extract personal information and details from the
customer, which they can then use to either compromise the original SIM
card or facilitate fraudulent activities using a duplicate one.

Precautions

Never share credentials pertaining to your SIM card.

You should immediately become suspicious if your phone has no mobile network for a considerable time in a regular environment.

Contact your mobile operator to ensure that no duplicate SIM is being issued for your SIM.
7 Juice Jacking

In this type of cyber theft, when you connect your mobile to an unknown or
unverified charging port, it opens the door for unknown apps or malware to
be installed on your device.

These malicious apps or malware can grant fraudsters control over your
mobile, providing them with access to and the ability to steal sensitive data,
including emails, SMS messages, and saved passwords.

This makes juice jacking a significant security risk when charging devices in public places. Many times we connect to airport or unknown WiFi to save our mobile internet data pack and access the internet or download videos. This is another way in which fraudsters may hack into our smartphones and steal private data.

Precautions

Always avoid using public / unknown charging ports / cables.

Avoid using airport WiFi; use your mobile internet instead.

Source Credit- DMI Finance- https://bit.ly/475nslj


Importance of Being Vigilant during banking / digital transactions

Prevention: Being vigilant is the first line of defense against banking frauds. Recognizing and avoiding potential threats can help prevent financial losses.

Protection of Personal Information: Vigilance helps protect your personal and financial information from falling into the wrong hands.

Early Detection: Vigilance allows for the early detection of fraudulent activities. Prompt reporting of suspicious incidents can help authorities take action.

Security Awareness: Staying vigilant enhances your awareness of cybersecurity best practices. This knowledge can be applied to protect your financial assets.

Reducing the Impact: Vigilance can reduce the impact of banking frauds by preventing them or limiting their consequences.

In conclusion, the impacts of banking frauds in India are significant, and being vigilant is of utmost importance to prevent, detect, and mitigate these risks. It's essential for individuals and businesses to adopt strong cybersecurity practices and promptly report any suspicious activities to protect their financial well-being and maintain trust in the banking system.
