“Phishing” is one of the most disconcerting Cyber Crimes affecting the Indian Banking fraternity at present. On the one hand, Banks are pushing ahead with technology introduction, and Internet Banking has now become a standard service for all Savings Bank customers. “Mobile Banking” is the next technology advancement which is taking root.
While Banks are interested in using technology for business promotion, they have not been equally keen on investing in better security. As a result, every technology advancement brings in its wake a new series of Cyber Fraud risks which make Indian Banking weaker than ever before.
Despite our best efforts, “Phishing” will remain a major threat for Bank customers in the near future. In two of the recent Phishing cases that Naavi.org came across, it was found that the victims were ex-Bankers themselves. What this indicated was that even persons whom we expect to be knowledgeable about Banking risks are potential victims of Phishing. The challenge to make every Bank customer aware of the Phishing risk is therefore daunting. However, there is no option but to continue our efforts in this direction.
There have been several articles on “Phishing” published in Naavi.org earlier including the legal aspects and technical aspects. The current Phishing Awareness series of articles is another attempt to fight the Phishing menace.
I refer to the earlier article on “How To Recognize a Phishing Mail”. This article tries to discuss what an ordinary Netizen may do when he receives such a mail to mitigate any harmful effects of such a mail.
In case the mail refers to a Bank in which you do not have an account, the risk is less. However, even in that case it is better to consider the “Trojan Risk” indicated below. If, however, you do have an account in the same Bank, then you have to consider the risk of “Employee Fraud” as explained below and immediately take some preventive steps. In case the account is jointly operated, ensure that the other users are also informed of the Phishing mail so that they do not fall victim to it.
After recognizing that a mail is a Phishing mail, the first risk that needs to be countered is the possibility of a virus or a key logger trojan being planted in the user’s computer. One can examine the attachments, if any, and the source code of the mail to identify whether any self-executing virus is present. It would be better to run an anti-virus scan immediately on the mail folder, delete cache files and scan the computer at the earliest. The user should also check that his anti-virus is updated and is one of the top three anti-virus products in the market. Websites such as http://anti-virus-software-review.toptenreviews.com/v2/ carry reviews of anti-virus products. If you intend to use your computer for online banking, it is imperative that you invest in installing good anti-virus protection on the system.
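The paragraph above recommends examining the attachments and the source of a suspected Phishing mail before anything else. As an added illustration, not part of the original article, the script below does that first triage step on a saved message: it walks the MIME structure with Python's standard `email` library, lists every attachment, flags those whose extension or declared MIME type is usually executable (including the common “document.pdf.exe” double-extension trick), records a SHA-256 of each attachment so it can be checked against an anti-virus vendor later, and pulls out any URL in the body, flagging those that point at a bare IP address instead of the Bank's domain. The sample message, the risky-extension list and the `.invalid` / TEST-NET addresses are all constructed for the example; the list is a starting point that a user would extend, and a hit means “stop and scan”, not proof of malware.

```python
import email
import hashlib
import ipaddress
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions and MIME types that usually carry executable content.
# Assumption: this is a starting list for illustration, not an exhaustive one.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd",
                    ".hta", ".jar", ".docm", ".xlsm"}
RISKY_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/java-archive"}

# Matches http/https links in plain text or HTML bodies; stops at quotes and brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample_message() -> bytes:
    """Constructed sample resembling a Phishing mail (not a real message).

    The sender domain uses the reserved .invalid TLD and the link points at
    the TEST-NET-3 range, so nothing here resolves to a real host.
    """
    msg = EmailMessage()
    msg["From"] = "security-alert@example-bank.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Urgent: verify your Internet Banking password"
    msg.set_content("Your account will be suspended. Open the attached form.")
    msg.add_alternative(
        '<p>Please <a href="http://203.0.113.10/login">click here</a> to verify.</p>',
        subtype="html",
    )
    # A fake "PDF" that is really an executable (double extension), plus a benign PDF.
    msg.add_attachment(b"MZ\x90\x00fake-executable", maintype="application",
                       subtype="octet-stream", filename="Account_Form.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 fake-statement", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


def is_ip_literal_url(url: str) -> bool:
    """True when the URL's host is a bare IP address rather than a domain name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw: bytes) -> dict:
    """Inspect the raw message source and report attachments and links.

    Returns a dict with the attachment names, the ones judged risky, a SHA-256
    per attachment (for later anti-virus lookup), all URLs found in the body,
    and the subset of URLs that use an IP literal.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "from": msg["From"],
        "attachments": [],
        "risky_attachments": [],
        "sha256": {},
        "urls": [],
        "ip_literal_urls": [],
    }
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or "(unnamed)"
            ctype = part.get_content_type()
            data = part.get_content()  # bytes for binary attachments
            findings["attachments"].append(name)
            findings["sha256"][name] = hashlib.sha256(data).hexdigest()
            # splitext keeps only the LAST extension, so "form.pdf.exe" -> ".exe".
            ext = os.path.splitext(name.lower())[1]
            if ext in RISKY_EXTENSIONS or ctype in RISKY_MIME_TYPES:
                findings["risky_attachments"].append(name)
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()  # decoded str for text parts
            for url in URL_RE.findall(body):
                findings["urls"].append(url)
                if is_ip_literal_url(url):
                    findings["ip_literal_urls"].append(url)
    return findings


if __name__ == "__main__":
    report = triage(build_sample_message())
    print("From:", report["from"])
    print("Attachments:", report["attachments"])
    print("Risky attachments:", report["risky_attachments"])
    print("URLs:", report["urls"])
    print("IP-literal URLs:", report["ip_literal_urls"])
```

To run it on a real suspicious mail, save the message from the mail client as an `.eml` file and pass `open(path, "rb").read()` to `triage()` instead of the constructed sample; the hashes in the report are what you would submit to your anti-virus vendor's lookup before opening anything.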
Employee Fraud Risk
In case you hold an account in the Bank to which the Phishing mail refers, then you should consider that the risks are high and immediate action is called for.
It is presumed that if you are reading this article, you would not be one of those who will respond to the Phishing e-mail. Hence we can presume that there is no risk of direct disclosure.
However, it is considered possible that some insiders in the Bank who acquire the passwords of the customers through other means may use the fact of your receiving the Phishing e-mail as strong evidence to claim that you must have answered the mail and disclosed the account details, even if you have not. Normally, immediately after a Phishing complaint, the Bank will ask the customer a routine question: whether they had received any mail purportedly from the Bank asking them to respond with their password. An honest customer who has received the mail will obviously say “Yes.. but I have not responded”. The Bank will still contend that “Our security is perfect. You only should have disclosed the password negligently.” Thereafter, it will be your word against that of the Bank and a long legal battle to recover your lost money.
In order to meet this “Employee Fraud Risk”, Naavi suggests the following routine and has introduced a service under CEAC (http://www.ceac.in/). This service, called CEAC-ITN, can be used for all identity theft instances including Phishing. An extended service called CEAC-VPN is also offered, which again can be used for Phishing or any other instance where a Netizen needs to provide a public disclaimer notice at low cost.
For more information, visit: http://www.naavi.org/cl_editorial_10/edit_sep_29_2010_phishing_action.htm