A couple months back, I received a phone call from a man claiming to represent my bank. He menacingly asked me to share my debit card details so he could stop my account from being blocked. I panicked for a few seconds, then asked him some probing questions. The caller hung up the phone.
A call to my bank about the security of my account did not provide very reassuring answers. Though my questions saved my account from the fraudster’s prying eyes, not everyone is so lucky. Indian banking customers have lost $1.8 billion to voice phishing alone.
A Challenging Year for the Indian Banking Sector
2016 was full of surprises for the Indian banking sector. Indian banks were hit by a massive financial data breach in which over 3.2 million debit cards were compromised. Banks reacted by blocking millions of debit cards and advising customers to change their ATM personal identification numbers (PINs).
If that wasn’t enough, fraudsters stole $81 million from Bangladesh Bank using its employees’ SWIFT credentials, sending ripples across Asia. The Reserve Bank of India (RBI) reported nearly 12,000 cases of financial cybercrime to the Indian Parliament. But the actual number of attacks may be much higher since, according to experts, 80 percent of cybercrimes go unreported in India.
While the Indian banking sector was juggling with these cybersecurity challenges, the biggest shock knocked on every Indian’s door on the evening of Nov. 8, 2016, when the government demonetized 86 percent of banknotes in circulation to promote the digital transformation of the economy. In the immediate aftermath of the surprise announcement, digital transactions surged by over 300 percent. This made our digital money more vulnerable than ever to cybercriminals.
The Multifaceted Menace of Cybercrime
In terms of cybercrime, India is the third most targeted country in the world, and 58 percent of these attacks target the financial services sector. Attackers employ a variety of techniques to steal financial data from banks and individual consumers. Let’s take a look at some of the most prominent attack methods affecting Indian banking customers.
Phishing is the most common attack vector in India. In 2015, 8.3 percent of global phishing attacks occurred in the country. This technique involves stealing sensitive personal information (SPI) through emails by masquerading as a legitimate entity or familiar person.
Also called vishing, voice phishing is another cybercriminal trick widely used in India. In a voice phishing campaign, fraudsters place unsolicited calls to potential victims and attempt to extract credit card details, PINs, passwords and other SPI. Fake call centers that perpetuate these attacks are growing in volume and sophistication.
India ranks second in cyber attacks conducted through social media. Social media scams increased by 156 percent in the country, with every sixth scam impacting an Indian. Social engineering attackers often use fake social media profiles to lure victims to volunteer SPI, which could be used to commit banking fraud.
ACI Worldwide’s “2016 Global Consumer Card Fraud Survey” ranked India fifth in payment card fraud. According to the survey, 37 percent of respondents in India have experienced card fraud in the past five years.
Card skimming involves attaching a small hidden card reader to an ATM to copy data from the card’s magnetic strip. The scammer can later use this data to clone cards and withdraw money from compromised accounts.
Mobile wallets became hugely popular in India after demonetization. One study predicted a 65 percent risein mobile fraud in 2017 as a result of the change, especially since most mobile wallets have security loopholes that fraudsters exploit to siphon money.
Cybercriminals also produce fake versions of popular mobile wallet apps to dupe users. To add insult to injury, many mobile wallets are uninsured, so users are often liable for lost money.
Cybercriminals commonly target point-of-sale (POS) terminals at retail outlets to steal payment card information by introducing malware. The POS malware intercepts the unencrypted payment data and sends it out to the attacker’s server. India is becoming a top target for POS malware due to the massive surge in the use of payment cards.
Securing Indian Banks
Several high-profile attacks against major financial institutions sent shock waves through the Indian banking sector. In June 2016, the RBI issued comprehensive guidance to help Indian banks implement a cybersecurity framework. The guidance outlined security measures banks should take to fight against cyberthreats and protect their customers. In August 2016, RBI issued a draft notification to ensure zero liability for customers if financial fraud is reported within three days.
Though demonetization heightened the focus on cybersecurity in India, there is still a lot of ground to cover. Banks and mobile wallet companies need to prioritize cybersecurity and implement well-defined processes to help customers easily recover stolen money. Currently, mobile wallet companies are hardly regulated, which leaves customers vulnerable. Recently several major Indian banks announced their intent to buy cyber insurance coverage to help protect their businesses and customers from cyber threats.
Proactively Protect Your Money
The rate of conviction in Indian cybercrime cases is low because of weaknesses in the Information Technology Act 2000. The legal process is also notoriously slow. Though many Indian banks claim to protect customer accounts, it’s not easy to recover stolen money from a bank after a breach. It’s better to exercise caution and follow online security best practices:
- Use a strong password, change it often and never use it across multiple sites.
- Check with your bank to determine whether your account is insured against internet fraud.
- Monitor your account regularly and notify the bank of any unusual activity as early as possible.
- Update your computer’s operating system and software and protect it with a good security solution.
- Do not open suspicious emails or attachments, and do not share your SPI with strangers.
- Exercise caution when clicking on social media links and do not post your SPI on social media.
- Never access online banking from a public computer or over a public Wi-Fi.
- Withdraw money from ATMs located in secure areas and use your card only with trustworthy merchants.
If your account is compromised, report it immediately to your bank and the local police. Swift action can help you minimize the damage and bring the cybercriminals to justice.