Fraudsters target net banking users

Thiruvananthapuram: A former call centre employee who checked the status of her bank account online recently was dismayed to find that Rs.7,900 had been transferred to another account without her knowledge.

The 41-year-old woman, who wanted her name to be withheld, told Hindu The that she had received an e-mail purportedly from the customer service centre of the bank on November 1.

The e-mail said the bank’s central server was down and users of its online banking facility were required to re-enter their account details. The e-mail had a link on which she did not click.

She logged on directly to what appeared to be the bank’s web site. She entered her customer identity (username) and password. She also changed her password.

On December 12, she checked her account online and found that she had lost the money. It had been transferred to another account of the same bank somewhere in north India. She contacted the customer service centre of the bank, which denied sending her any such e-mail.

The woman said she later checked the e-mail again and by clicking the link accessed the same web site (supposedly that of the bank) where she had entered her account details earlier. She suspects the fraud committed was an ‘inside’ job. The woman said she used the online banking facility mostly for booking railway tickets.

Circle Inspector E.S. Bijumon of the Hi-Tech Cell, who is investigating the woman’s complaint, said it was a classic case of ‘phishing.’ He said more than 10 such cases, mostly from Ernkaulam district, were reported recently.

It is a method of operation by which online fraudsters ‘fish’ for usernames, passwords and credit/debit card details of (mostly) online banking facility users. They obtain e-mail addresses of potential victims by scouring the Internet.

He said ‘phishing’ attempts were usually in the form of an e-mail appearing to be from one’s bank. Such e-mails had a link which when clicked on would lead the customer to a fraudulent ‘log on page’ designed to capture his or her account details. Such phoney web sites closely resemble those of credible banks. ‘Phishing’ e-mails often prompt customers to confirm, provide or update sensitive information by conveying a sense of urgency (such as a breakdown of their bank’s servers).

The police said the link on the e-mail received by the victim led to a U.S-based server and not the one handling the bank’s online operations. The ‘phishing’ e-mail received by the woman had originated from the same server.

The police said customers should check with their bank before responding to e-mails concerning their accounts.

Some ‘phishing’ e-mails hide Trojan Horse software capable of capturing the customer’s computer keystrokes. Such a software relays captured information back to the sender, enabling them to figure out the user names and passwords of other people.