27-Mar-2022: Messages From the Reserve Bank of India (2)
During the COVID-19-induced lockdowns, digital modes of payments have
seen a lot of traction. Customers benefit from digital payments because they
make financial transactions easier. However, this has also invited many
fraudsters to exploit gaps and dupe customers in different ways.
1. How do Phishing hacks work?
Fraudsters create a phishing website that appears to be a legitimate
website such as a bank's website, an e-commerce website, a search engine, and
so on. Fraudsters distribute links to these websites by SMS, social media,
email, and Instant Messenger, among other methods. Many clients click on the
link without first checking the Uniform Resource Locator (URL) and enter
security credentials such as a Personal Identification Number (PIN), One Time
Password (OTP), Password, and so on, which are collected and utilised by
fraudsters.
2. How does Vishing work?
Imposters acting as bankers, firm executives, insurance agents,
government officials, and others call or approach customers over the phone or
over social media. Imposters disclose a few consumer facts, such as the
customer's name or date of birth, to win trust. Imposters may pressure or trick
customers into sharing confidential information such as passwords, OTPs, PINs,
and Card Verification Values (CVVs) by citing an urgency / emergency such as
the need to block an unauthorised transaction, payment required to avoid a
penalty, or an attractive discount, among other things. Customers are then
defrauded using these credentials.
3. Frauds using online sales platforms
On online sales platforms, fraudsters pose as purchasers and express an
interest in the seller's product(s). Several fraudsters pose as defence
personnel stationed in remote regions to gain trust. Instead of paying the
seller, they use the Unified Payments Interface (UPI) app's "request money"
option and demand that the seller authorise the request by entering the UPI
PIN. Money is transferred to the fraudster's account whenever the seller inputs
the PIN.
4. Frauds due to the use of unknown/unverified mobile apps
According to RBI, fraudsters circulate certain app links through SMS, email,
social media, Instant Messenger, etc., masked to appear similar to the
existing apps of authorised entities. Fraudsters trick the customer into
clicking on such links, which results in the download of unknown / unverified
apps on the customer’s mobile, laptop, desktop, etc. Once the malicious
application is downloaded, the fraudster gains complete access to the
customer’s device. This includes confidential details stored on the device and
messages / OTPs received before / after installation of such apps.
5. ATM card skimming
Skimming devices are installed in ATM machines by fraudsters who take
data from the customer's card. According to the RBI release, “Fraudsters may
also install a dummy keypad or a small / pinhole camera, well-hidden from plain
sight to capture ATM PIN. Sometimes, fraudsters pretending to be another customer
standing nearby gain access to the PIN when the customer enters it in an ATM
machine.
This data is then used to create a duplicate card and withdraw money from
the customer’s account.”
6. Frauds using screen sharing app / Remote access
RBI warns customers, describing the procedure: “Fraudsters trick the
customer to download a screen-sharing app. Using such an app, the fraudsters
can watch/control the customer’s mobile / laptop and gain access to the
financial credentials of the customer. Fraudsters use this information to carry
out unauthorised transfer of funds or make payments using the customer’s
Internet banking/payment apps.”
7. SIM swap or SIM cloning
In cases like SIM swap or SIM cloning, “Fraudsters may obtain a duplicate
Subscriber Identity Module (SIM) card (including electronic-SIM) for the
registered mobile number linked to the customer's bank account by gaining
access to the customer's Subscriber Identity Module (SIM) card,” states RBI.
Fraudsters use the OTP received on such a duplicate SIM to carry out
unauthorised transactions. Fraudsters generally collect the personal / identity
details from the customer by posing as telephone / mobile network staff and
request the customer's details in the name of offers, such as a free upgrade of
the SIM card from 3G to 4G or additional benefits on the SIM card.
8. Frauds by compromising credentials on results through search engines
Customers use search engines to find contact information for their bank,
insurance company, Aadhaar updation centre, and other businesses. Scammers
frequently modify the contact details shown on search engines so that they
appear to belong to the respective entity.
“Customers may end up contacting unknown/unverified contact numbers of
the fraudsters displayed as bank/company’s contact numbers on search engine.
Once the customers call on these contact numbers, the imposters ask the
customers to share their card credentials/details for verification. Assuming
the fraudster to be a genuine representative of the , customers share their
security details and thus fall prey to frauds.” RBI states in its booklet.
9. Scam through QR code scan
RBI explained how the scam through QR codes works: “Fraudsters often contact
customers under various pretexts and trick them into scanning Quick Response
(QR) codes using the apps on the customers’ phone. By scanning such QR codes,
customers may unknowingly authorise the fraudsters to withdraw money from their
account”.
10. Impersonation on social media
With lots of people spending time on social media and updating their
details there, it has become easy for fraudsters to get details to dupe people.
As per the RBI booklet, “Fraudsters create fake accounts using details of
the users of social media platforms such as Facebook, Instagram, Twitter, etc.
Fraudsters then send a request to the users’ friends asking for money for
urgent medical purposes, payments, etc.
Fraudsters, using fake details, also contact users and gain users’ trust
over a period of time. When the users share their personal or private
information, the fraudsters use such information to blackmail or extort money
from the users.”