The compulsive need to distance socially and stay at home has given a huge fillip to digital payments and transactions. However, the surge has also presented an opportunity for malicious actors to engage in more cyber fraud.
The Indian economy has been moving rapidly to digital payments since demonetization and the wide acceptance of the popular UPI payment mechanism. This has led to a surge in grocery shopping, bill payments, purchases of financial products and even investments in asset classes such as stocks and mutual funds through digital channels. The potent combination of convenience and compulsion has helped customers overcome the inertia they used to feel towards digital transactions.
Banks have also built more flexible and scalable technology architectures, and the API economy has enabled them to collaborate with niche fintech solution providers to offer new-age digital solutions to their customers.
Has this led to online banking frauds?
With technology expanding from an organizational perimeter to today's borderless banking operations, attacks on financial systems and transactions have risen. Is this due to the absence of a robust cybersecurity infrastructure? Or is it due to a lack of awareness and errors on the part of customers that the banking systems could not have prevented?
While awareness can address (to a certain extent) the common mistakes a customer might make, malicious actors in cyberspace keep innovating new ways of getting customers to part with their money. They often take advantage of contextual situations – the last date for completing KYC requirements, for instance, or themes such as COVID-19 – to get customers to act the way they want.
Let’s look at some common frauds and entry points for malicious actors.
Internet Banking / Credit Card Fraud
You receive a call asking you to provide the details sent to you by SMS. The caller claims to be from your bank. Those details can then be used to empty your bank account or run transactions on your credit card. The pretext is often that your KYC must be completed immediately or your bank account will be blocked.
It's important to make users aware that they should never share sensitive information such as PINs, passwords, card details or login details with anyone. More important still is to make them aware that the bank and its officials will never ask for such details under any circumstances. The bank may also want to tell customers that their account won't be blocked unless the bank first sends them a notice for a stated period, with a caveat if required.
Credit cards can also be exposed because of the facility to transact without a PIN below a minimum limit. It is advisable for credit card users not to enable automated transactions, or transactions without OTP validation, on their credit card. Every swipe should be accompanied by a PIN to validate and authenticate the transaction, and online transactions should go through only with an OTP-based validation received on the user's mobile phone.
Phishing and Vishing
It's a common practice to send emails with embedded links that seek your payment details. Customers need to ensure that these emails come from the right entity. Phishers create near-identical URLs and design pages that look almost identical to the entity they are imitating. The customer must be extremely prudent and observant: they must check that the link has an https prefix and that the URL is correct before sharing any information or making a transaction.
Vishing involves calling users while claiming to be from a bank or a reputed company, getting them to share personal information such as card numbers, and inducing them to make a transaction. Users must be made aware that the company and the bank will never ask for personal information, and they must be continually educated about the risk of entertaining such calls from people posing as officials of their organization.
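As an added illustration of the URL check described above (example code, not part of the original article), the function below applies the same rules a cautious customer would: it checks the scheme, unmasks the real host behind tricks such as a `user@` prefix or a bare IP address, and compares the host against an allowlist. The bank domain `examplebank.in` and its hosts are a constructed, fictional assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for a fictional bank (assumption, not a real institution).
LEGIT_HOSTS = {"examplebank.in", "www.examplebank.in", "netbanking.examplebank.in"}
LEGIT_REG_DOMAIN = "examplebank.in"


def check_login_url(url: str) -> list:
    """Return a list of warnings; an empty list means every check passed."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")

    # https proves the connection is encrypted, not who is on the other end,
    # so it is necessary but never sufficient on its own.
    if scheme != "https":
        warnings.append(f"scheme is '{scheme or 'none'}', not https")
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    # "https://examplebank.in@evil.example/" shows the bank's name first,
    # but everything before '@' is userinfo; the real host follows it.
    if parts.username is not None:
        warnings.append(f"URL carries a user@ prefix; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
        return warnings
    except ValueError:
        pass
    # Internationalised hostnames are encoded with an xn-- prefix and can
    # render as visually identical (homograph) lookalikes.
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode (IDN) host; may be a homograph lookalike")
    if host in LEGIT_HOSTS:
        return warnings

    # The registered domain is the last two labels; lookalikes often place the
    # bank's name in a subdomain of an attacker-controlled domain.
    reg_domain = ".".join(host.split(".")[-2:])
    if LEGIT_REG_DOMAIN in host and reg_domain != LEGIT_REG_DOMAIN:
        warnings.append(f"bank name appears as a subdomain of '{reg_domain}'")
    elif reg_domain != LEGIT_REG_DOMAIN:
        warnings.append(f"host '{host}' is not the bank's domain '{LEGIT_REG_DOMAIN}'")
    else:
        warnings.append(f"unlisted host '{host}' under the bank's domain")
    return warnings
```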
A few other security tips
There are a few steps users can take to reduce their risk. It is wise not to store username/password combinations in the browser or in any digital location that can be accessed by the public. Instead, keep all your login credentials on your phone in a password-protected document that you can access when required.
Users must also ensure that most of their transactions go through at least a two-factor authentication process – the second factor could be an OTP received on their mobile or a secret question to which only they know the answer.
Users must also refrain from using public networks or public Wi-Fi to make a transaction. They should use their protected and secured Wi-Fi at home or in the office.
How can the risk be minimized?
There are two parts to this: the organization and the individual.
Organizations such as banks should send regular, periodic communications so that users know how to act and how to prevent cyber fraud from happening to them. These organizations should also make their campaigns interesting and engaging through reference cases (without naming the impacted customer) and short videos that explain the concept better than a mandatory email would.
Customers should not delete or ignore the emails and SMSes that such organizations send. They must read and understand them. And under no circumstances should they part with their personally identifiable information or with OTPs received on their phone. If they use secure networks while making transactions and carefully check the URL of an interface before engaging with it, most of these frauds can be prevented.
As a result, many more people will gain the confidence to use digital/online payment mechanisms, which will accelerate our journey towards becoming a cashless economy.