Beware of Defrauders

Voice&Data Bureau

The Indian banking industry, especially the top private banks, has
kept pace with the use of technology in banking, matching the best of the facilities
that international banks offer. This includes providing top-of-the-line
Internet and phone banking and, of course, 24/7 customer care support. However,
much like many international banks, Indian banks have also been victims of
organized crime such as defrauding. There have been several instances of 'phishing', wherein
emails purportedly from your bank ask you to enter or update sensitive account
information. With the many awareness campaigns that banks have run through the media, the
instances of phishing seem to have reduced, but the banking industry might be
staring at another, more sophisticated form of phishing, known as 'Vhishing',
short for voice-based phishing.

What is Vhishing

First, to understand vhishing, let's go through the phone banking process.
When you dial the phone banking number, you are put through to an automated system
backed by interactive voice response (IVR) technology. This is a technology that
uses the data entered through the touch pad of a telephone to interact with a
database. There is a back-and-forth interaction between the database and the
person entering the data, and no human other than the user is involved.
The first step after dialing the number is to verify your identity. For
this, the system asks for your ATM/debit card/credit card number and its
corresponding PIN. The numbers that you enter are matched against the
bank's database, and if you have entered the correct numbers, you go ahead and
select the feature you require, say, 'cheque book request', through further
interaction with the system.

As an anti-fraud professional, I can tell you that every fraud
involves an element of deceit, and plays on the confidence of the user. Vhishing
exploits a customer's confidence in the IVR system. With the help of VoIP
technology, the scamsters set up similar automated systems with much the same
messages and 'flow' of recorded messages as the real bank's automated
systems. They may, though, introduce a few more questions asking for sensitive
information that a real bank may not ask for.

There are two variations to this scam: either you are asked to
call a specific number, or you get a phone call on your number. In the case of the
first variation, you get an email, again purportedly from the bank, with text
like: "After three unsuccessful attempts to access your account, your
online profile has been locked. This has been done to secure your accounts and
to protect your private information. Please verify your account and your
identity using our automated account verification number. Call our toll free
number...and follow the instruction." Further, they even play it up by
advising you, "please don't send any information through email as it is
an insecure medium of communication". On dialing the said number, you get
the standard "Welcome to ABC Bank..." And, of course, by the end of the
call, you have handed over your bank account to the scamster!

In the second variation, the customer gets a call on his phone
number and a recorded message is played, assuring him that the caller is from a
bank and that the call is to verify the identity of the customer. After this message,
the customer is directed immediately to the automated voice response system.

This is a serious threat not only to the customers, but also to
consumer perception and confidence when it comes to using phone banking
facilities.

The Way Out

So, how do we deal with this? One easy way is to visit the bank's 'contact
us' page and verify the phone numbers. However, even this may not be
foolproof, as there are caller-ID spoofing devices that mask the real number and
allow the scamster to display a fake number. So I will give you a simple tip:
enter the wrong PIN when asked for it. A genuine system would already have
your PIN in the database, and would say incorrect PIN, but a fake one would not.

Pradeep Akkunoor

The author is director, Indiaforensic Consultancy Services, a
forensic accounting and fraud investigations firm that helps BPOs and IT firms
manage their fraud risk. He can be reached at pradeep@indiaforensic.com