As more cases on PhishingÂ start piling upÂ at different Adjudication offices, Consumer Courts and Banking Ombudsman’s offices in India, there is a need for Indian Banking Customers to be prepared to face a new kind of fraud committed by Bank employees and their associates under the shadow of a Phishing attack.
There are different elements to successfully conducting a Phishing fraud. All the phishing frauds reported in recent years in India consist of money being transferred from the victim’s account to another account some times in the same Bank and some times on other Banks. Sometimes payments are routed to Credit Card payments and mobile recharge.
It is not possible to successfully commit a Phishing fraud without the fraudster or his associate opening accounts in different Banks or having certain mobile payments to be made.
In orderÂ to remain undetected,Â fraudsters need to provide false addressesÂ at the time of opening of bank accounts orÂ when buying mobile SIMs. The fraudsters are therefore in the process of compromising the integrity of KYC employees and weaken the process of KYC in Banks.
RBI does not appear to be punishing KYC violations adequately to imroveÂ the quality fo KYC in Banks.
Whenever a customer of a Bank reports unauthorized transactions in his account, the first question that a Bank asks is if he was in receipt of any “Phishing Mail”. If theÂ answer is in the affirmative, the Bank immediately jumps to state that “If you have received a phishing e-mail and if there has been an unauthorized access, then it is to be presumed that you only should have released the password to a fraudster and hence should bear the liability”.
Even in the instances that the customer insists that he has not responded to the phishing e-mail, it becomes his word against that of the Banks.
When this possibility is seen along with the fact that there is a large scale failure of KYC because the employees are negligent, the possibility that the negligence in KYCÂ being deliberate and induced by at lest some ofÂ Â the KYC staff being hand in glove with the Phishing mafia cannot be ruled out. With more and more Indian Banks being in the radar of Phishing syndicates, the risk of phishing victims falling prey will be on the increase in the coming years.
If RBI analyses all the Phishing cases and identifies the concentration of the cases in different Banks and branches, they would get an idea about the pattern of crimes and whether the Bank employees engaged in KYC check are to be considered as a significant risk.
At the same time, it has become necessary for the market to find some solution of its own to provide a legal shield for those customers who are the recipients of Phishing mails but have not responded to them. (Those who respond need to fight it out for making Banks liable because of security lapses and non compliance of Cyber Laws and that is a separate issue).
CEAC (Cyber Evidence Archival Service) has now structuredÂ a service package to enable victims of attempted Identity thefts to create a defense through a disclosure which is deposited at a trusted thirdÂ party service provider.Â The service which is called Â CEAC-ITN has been introduced by CEAC to provide a shield of protection to the genuine Bank customer who has received a Phishing e-mail and has not responded to it, to keep a record of his public disclosure that he has received the e-mail and has recognized that it is a fraudulent mail and he has not responded to it.
The procedure for filing a request for using of CEAC-ITN service isÂ available here.
This service is a unique service and a first of its kind service in the world.
IÂ hope that public will use of this service which is offered free at this point of time and the judiciary also provides some weightage to the registrations as an indication of good faith.
Naavi of naavi.org