Prakash Belawadi, an actor and a theatre personality, had the shock of his life when a caller posing as a bank officer asked his wife for the One Time Password (OTP). Belawadi happened to reveal it to her without thinking. It was too late when he realised that his wife had unintentionally communicated it to the person at the other end of the phone. The result: money to the tune of Rs 90,000 was billed to his credit card.

A screengrab from an animation by the Federal Trade Commission intended to educate citizens about phishing tactics. Pic: Wikimedia Commons

This is called phishing - when a fraudster gets access to sensitive information like credit card details or a password by posing as a trustworthy source, and uses it to dupe people. Just like the rest of the world, citizens of Bengaluru too have been victims of cyber crime. So, how does one deal with it?

How you can identify a phishing attempt

Fraudsters resort to several ways to con people into sharing sensitive information via phone or email. Here are some of them.

Voice phishing

A fraudster calls unsuspecting people over the phone and collects banking details, like debit or credit card number and PIN, or OTPs or passwords.

How to avoid this: Before handing over any sensitive information to any family member, please educate them on dos and don’ts in such situations. Banks never ask for your passwords, OTPs, card numbers etc. Nobody else has the right to ask for them either.

Identity theft

You are working in a media organisation. All of a sudden you receive an email from a reputed company asking you to furnish some information, because you have just been chosen for a top job at the aforementioned company. If you are naive enough to fall for the email, your personal information, passport copy, PAN card and other details could reach the hands of fraudsters. This could be used for anything ranging from banking frauds to fake passports and impersonation.

How to deal with it: Always remember, when something is too good to be true, it usually is! Check the reply-to ID and tally it with the web domain and official email IDs of the company the mail claims it is from. Compare the style, logo etc. If you still have doubts, write back without revealing any information, but asking for additional information. Play along and you will eventually know if it’s a fraud - you will typically be asked to send personal/professional information, or to deposit a certain amount into certain accounts.

When you figure out such fraud, alert the original company with the details of the email that you received, so that the company can take action against the fraudsters for impersonation.

Email hacking

An HSR resident’s Gmail account was hacked and his contacts were asked to send money to a bank account through Western Union Money Transfer. Many were fooled into believing it, because the mail said the person was in trouble and had lost everything including his passport and ATM cards.

An example of an email scam. The reply-to ID is different from the actual email ID.

How to deal with it

  • Check the email IDs from which you receive such requests very carefully. As a test, hit ‘reply to’ and observe the spelling of the reply-to ID - usually it is almost identical to the ID that the request came from, with very minor differences in spelling that are easy to miss. This look-alike ID is created by the hacker, who can keep operating it safely even after the person whose account was hacked takes back the original account.

  • Alert the account owner personally, by phone or in person, so that they reclaim their account by resetting the password.

  • The affected person should send a clarification to all his contacts asking them not to communicate further with the fraudster. Otherwise, well-meaning friends can easily be tricked into sending money.
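The reply-to checks described above (a look-alike reply-to ID on a friend's mail, and a reply address that does not match the company's official domain) can be run on the raw message headers. This is an added example, not part of the original article; the sample messages, addresses, the function name review_headers and the two-character typo threshold are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); all addresses are placeholders.
FRIEND_MAIL = (
    "From: Ravi Kumar <ravi.kumar@example.com>\n"
    "Reply-To: Ravi Kumar <ravi.kurnar@example.com>\n"
    "Subject: Urgent help needed\n\n"
    "I have lost my passport and cards. Please send money.\n"
)
JOB_MAIL = (
    "From: Recruitment <careers@example.com>\n"
    "Reply-To: hr.example@example.net\n"
    "Subject: You have been selected\n\n"
    "Send your passport copy to proceed.\n"
)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_headers(raw_message, official_domains=(), max_typos=2):
    """Return a list of warnings about where a reply to this message would go."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Without a Reply-To header, replies go back to the From address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower() or sender
    findings = []
    if reply_to != sender:
        near = edit_distance(sender, reply_to) <= max_typos
        findings.append(f"reply-to {'lookalike' if near else 'different'}: {reply_to}")
    domain = reply_to.rpartition("@")[2]
    if official_domains and domain not in official_domains:
        findings.append(f"reply domain not official: {domain}")
    return findings

if __name__ == "__main__":
    print(review_headers(FRIEND_MAIL))
    print(review_headers(JOB_MAIL, official_domains={"example.com"}))
```

An empty list means replies go back to the address the mail came from; it does not prove the mail is genuine, since a hacked account sends from the real address.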

How to protect your password

  • If you have not already enabled two-step authentication for your email account, please do it without further delay.

  • Make it a habit to change passwords periodically, and to never reveal them to others.

  • Do not use predictable passwords like your own name, names of family members, birthdays etc.

  • Do not leave the computers, laptops or mobiles where you are logged in, unattended.

  • Do not ask websites to remember your passwords; do not click on any suspicious websites or ads.

  • Do not reply to any suspicious email or any form that asks you for your password.

  • Keep your internet devices clean; always browse in private/incognito mode.

  • Install a trusted antivirus to keep spyware, adware, malware and keystroke recorders at bay.

Cloning debit / credit cards

A couple that ran an upscale salon in HSR Layout was arrested by the cyber crime police in December 2015 for siphoning off money from their clients’ accounts by ‘cloning’ their credit and debit cards using skimming devices.

How to avoid this: Carry the cash required to pay at the establishments you visit or pay via digital wallet (with ultra low balance in it).

Netbanking hack

If you live in Bengaluru, you can reach out to the Cyber Crime police to file a complaint.

A teacher in HSR Layout was asleep at home, with his debit card and mobile close by. Between 2 am and 4.30 am, a hacker withdrew money from his account using netbanking. He learnt of the fraud at 7 am, complained to his bank immediately and filed an FIR at the HSR police station. The police are investigating, and the involvement of bank officials is suspected.

How to deal with it: Stay calm before you proceed to take the required next steps.

  • Withdraw some cash from your account for daily expenses.

  • Contact the bank, speak to them and block your card/s. They may also block your account, which is why the prior withdrawal is required if this is your primary bank account.

  • Send an email to customer care and get an acknowledgement with a reference number. This email trail is important.

  • Contact your local police station and file an FIR.

  • If they refuse to take your complaint or delay for some reason, file it with the Cyber Crime Police Station in the CID Annexe building on Palace Road. Extend full support to them, so they can help solve the case.

The Cyber Crime Police Station takes up cases of debit/credit card frauds above Rs 1 lakh and online scams above Rs 5 lakhs. The other cyber crime cases can be registered with the local police station.

How to secure yourself

Phone

  • The mobile number that you use for banking should be different from the one used on social media, be it Facebook, Twitter, WhatsApp, Viber or Telegram.

  • Use the Google Authenticator App on your phone.

  • Do not share your mobile with strangers or leave it lying around.

  • Never call back on a missed call from an unrecognised international number. Use caller identifier apps, or google for the numbers before you decide to call back.

Banking and cards

  • Never reveal credit/debit card details over the phone.

  • If you are a victim of banking fraud, never delete any SMS that you have received. They could act as proof that you may require later.

  • Keep some emergency cash with you always, instead of relying on debit cards all the time.

  • When using an ATM or CDM (Cash Deposit Machine), if you observe that the person behind can look over your shoulder and see your account details and PIN entry, give a written complaint to the bank’s branch manager with a request to re-arrange the physical location of the kiosk to ensure better privacy. Also drop an email to the bank’s customer care email ID for tracking.

  • For filling petrol, online shopping, buying groceries, etc., use a digital wallet like PayTM Pockets by ICICI bank (which comes with a physical card), instead of using the debit card that is associated with your main account. You can load your digital wallet once a month for routine expenses. This will help insulate your main account; only the amount loaded into the digital wallet is at risk.

  • If you see any strange device attached to an ATM kiosk, walk away and drop an email to the bank. The device could be a skimmer (that copies all the card details when you swipe your card). Follow up on the email, till the layout of the ATM / CDM is modified.

  • Do not use your debit card at suspicious establishments.

  • Enable SMS and email alerts for all bank account events, including the addition of a new beneficiary.

Passwords

  • Use a strong netbanking password and memorise it.

  • Always click the lock and check the website certificate. Fake websites do not have a digital certificate. This applies to banking websites too.

  • Do not use your netbanking password for your email as well. Do not write down your netbanking password. Never reveal your netbanking details to anyone over the phone or email.

  • If you want help with creating a strong password, you could check out www.strongpasswordgenerator.com.

Internet and email

  • Do not connect to public WiFi systems if you care for your online privacy. Remember, there’s always someone watching.

  • Keep an email ID exclusively for banking. This email ID should not be similar to those that you use on social media or other websites.

  • Never click on links or download attachments from strangers.

  • Some fake emails contain spelling mistakes or an odd combination of uppercase and lowercase letters. Learn to spot them.

  • If you get an odd email from a family member or friend, speak to the person on the phone, instead of acting on the directions in the email.

  • If you are a victim of banking fraud, never delete any email that you have received.