Fraud Tips

Types of Fraud / Categories of Fraud


They spam, scam, and make you clam. Fraudsters come from all walks of life and it is our duty at Kotak Mahindra Bank to make sure that you steer clear of them. Here are the types of fraud that you need to keep an eye out for. It’s our job to make you aware, because we care.

Phishing

What is Phishing?

Phishing occurs when cyber criminals create a mirror website of the bank in order to dupe its customers. Scam emails are sent that direct users to fake websites, where the user ID and password, card number, ATM PIN, CVV and OTP are asked for. Once in possession of these details, the scammers misuse them.

How do Scammers do it?

  • Step 1
    The scammers will send a fraudulent email to the recipient’s account, disguised as an official one from the bank.
  • Step 2
    The email would comprise a link and the recipient would be requested to click on the same.
  • Step 3
    The recipient would be required to enter the net banking User ID and Password.
  • Step 4
    The scammers are now in possession of privileged information and can use it to siphon off the recipient’s money.


Tips to protect yourself

In one word – beware.

Here are a few tips that can be handy while detecting phishing.

  • More often than not, phishing emails contain numerous spelling errors. These errors may exist not only in the text of the email, but also in the URL therein.
  • There is a sense of urgency embedded in the email, if you pay attention to the language used. They urge you to take action NOW or an extreme measure would be undertaken, such as the termination of your bank account.
  • Such emails comprise unusual attachments which are almost always malware, ransomware, or some other form of online threat.
  • Refrain from clicking on links that come from unknown web terrains. Additionally, do not respond with your personal and confidential information. Remember, Kotak Mahindra Bank or any of its executives will NEVER ask you for such details.
  • Whenever you wish to visit the bank’s website, type out the complete URL in the browser, i.e. www.kotak.com. Do not click on any link that has been sent to you with the promise of taking you to the bank’s site.
  • Make sure that the website is running in a secure mode. The best way to know is by checking whether the browser shows a padlock symbol (in the address bar in current browsers).
  • Check if the website has a digital certificate.
  • Another thing to check is the URL of the page. A website is only secure if its URL starts with HTTPS. Most phishing links are not secured and start with HTTP. Note that HTTPS only means the connection is encrypted; a phishing site can also obtain a certificate and use HTTPS, so the padlock alone does not prove that the site is genuine.
  • Another common way of checking whether an email is legitimate is to go by your gut and search the text of the key message on the internet. If it is a phishing email, you will get multiple hits.


If you have received a phishing email or text message, write to [email protected]

Vishing

What is Vishing?
A combination of ‘Voice’ and ‘Phishing’, Vishing uses Voice over Internet Protocol (VoIP) technology, wherein fraudsters trick customers into providing their personal and financial details over the phone. They do so by pretending to represent real companies like banks.

How do Scammers do it?

  • Step 1
    The scammers call the customers through an automated dialer, using a computer modem.
  • Step 2
    When the customers receive the call, an automated voice informs them that an illegal activity has been conducted on their account and that they need to call a specified number to take action.
  • Step 3
    Once the customers call the specified number, they are asked for personal details such as name, User ID, password, date of birth, and more.
  • Step 4
    The scammers now have all the confidential information needed to conduct unsolicited transactions.

Tips to protect yourself
You can escape the net of vishing fraud by following a few tips and tricks.

  • Refrain from calling any unknown number, however urgent the message sounds.
  • If the caller promises to send you money or rewards, or asks you to pay a nominal amount to receive the credit, do not share your banking details such as your account number, debit card details, PIN or OTPs, however convincing the caller may sound.
  • When you need to contact a company’s customer care, ensure you call only the number listed on the company’s official website.
  • Refrain from downloading any app on your phone at a caller’s suggestion, as this would allow the caller to view everything displayed on your device’s screen through screen mirroring.
  • In the event of receiving such messages / calls, get in touch with us at [email protected]
  • Do not share your personal and confidential information with anyone over a call or message. Kotak Mahindra Bank’s executives will never ask you for such details, as they already have them.

Smishing

What is Smishing?
In Smishing, text messages on cell phones are used to trap customers into calling back fraudulent phone numbers, visiting fraudulent websites, or even downloading malicious content, using lures such as lottery winnings, job offers, etc.

How do Scammers do it?

  • Step 1
    Who doesn’t like the lure of job offers, lottery money, and the likes? That’s exactly what the scammers would use to entice the customers into parting with their confidential information.
  • Step 2
    Upon receiving the SMS, the customers unknowingly click on the link therein, call the number provided, or download the content loaded with malware.
  • Step 3
    Scammers are then in possession of all the private and confidential information of the customers, which they use to their advantage.

Tips to protect yourself

There are simple tricks which can help you evade such scamming schemes.

  • Never share your personal information over SMS, email, or any other medium, no matter how authentic the language may sound, or how persistent the tone may be.
  • Copy the content of the message for your reference, then proceed to delete it immediately.
  • In the event of receiving such messages, get in touch with us at [email protected]

Identity Theft


What is Identity Theft?
In ‘Identity Theft’, fraudsters attempt to obtain important personal information such as date of birth, passport number, Aadhaar details, PAN details etc. to gain access to your bank account, and then carry out fraudulent transactions.

How do Scammers do it?

  • Step 1
    Scammers try to obtain personal information such as mother’s maiden name, date of birth, Aadhaar and PAN details, OTP and the like, over a call or even in person, impersonating a bank representative.
  • Step 2
    Upon receiving this information, the scammers misuse it to apply for fraudulent new accounts. They even carry out transactions through banking channels and transfer funds.


Tips to protect yourself

Be vigilant – that is the first mantra for saving yourself from getting scammed. For the rest, take some cues from the following.

  • Never respond to emails that ask for your personal and confidential information such as date of birth, last name, mother’s maiden name, user ID, OTP, ATM PIN, CVV, card details, PAN and Aadhaar details etc. Kotak Mahindra already has the aforementioned information in its database and would never ask you for it.
  • In case someone approaches you in the capacity of a Kotak Bank representative, please verify their identity by asking them to show the relevant ID proof. Similarly, be aware of people impersonating bank representatives and calling you.
  • If you have divulged any information which has led to your phone number getting deactivated without your consent, get in touch with us immediately.
  • Avoid storing unused copies of your private documents. Shred them once the purpose is served.
  • Never share your official valid documents like passport details, Aadhaar, PAN card details, driving licence, voter ID card etc. with unknown people over any medium like WhatsApp, email, SMS etc.

SIM Swap Fraud


What is SIM Swap Fraud?

SIM swap scam is a type of account takeover fraud. Also known as Port-out Scam or SIM Splitting, it generally targets a weakness in the two-factor authentication and two-step verification wherein, the second factor or step is an SMS or call that is placed to a mobile number.

How do Scammers do it?

  • Step 1
    Scammers gather customers’ personal information through practices such as phishing, vishing, smishing, and more, and use it to get a new SIM card issued in the customers’ name.
  • Step 2
    After this, they receive all the requisite information on this SIM card, including the OTPs, which they use to conduct fraudulent transactions from the customers’ bank accounts.


Tips to protect yourself

  • First, do not share your personal and confidential details with unknown people calling from unverified numbers or sending emails and messages from suspicious addresses.
  • If your phone number remains inactive for a long period of time, get in touch with your mobile operator immediately.
  • Never share the 20-digit number at the back of your SIM card.
  • Avoid sharing your phone number on social media and any other website.
  • Check your bank account alerts and statements regularly and report in case of any inconsistent transaction or activity.

International Transfer Scams


What is fraud through International Transfer?

These are scams which involve an entity or person who’d share a large payment with you in exchange for help in transferring money out of their country. Such scammers usually use sob stories about their money being trapped in banks due to civil wars or coups, often in countries which are in the news. They will then ask you for your bank account details, which will later be used to siphon off your money. Since these originated in Nigeria, they are also known as Nigerian Scams.

How do Scammers do it?

  • Step 1
    The scammer will contact customers via mail or text, or even through social media, and try to draw them in with a sob story which will mostly involve their money being trapped in their home country’s banks, owing to civil war-like situations. Another common story is that of ‘a large inheritance’ which is difficult to access.
  • Step 2
    Scammers will then ask the customer to share the latter’s bank account and other confidential details so that the former can transfer the ‘stuck money’. They may even ask you to pay the fees and taxes involved in order to get their money transferred.
  • Step 3
    If the customer has fallen into the trap, the scammers will use this newfound information to their advantage.


Tips to protect yourself

Nigerian scams are less common but not unheard of. A few steps of vigilance and you can prevent yourself from falling into the trap.

  • Keep your emotions aside when it comes to money matters. This is exactly the trait which these scammers use to their advantage.
  • Never share confidential information such as debit or credit card details or even copies of personal documents, especially with people whom you don’t know well.
  • Avoid up-front and direct transactions or any such arrangement with strangers.

Money Mule


What is a Money Mule Scam?

In Money Mule scams, victims (money mules) are tricked by fraudsters into laundering stolen/illegal money through their bank account/s. Fraudsters contact customers through emails/chat rooms/job websites/blogs and convince them to receive money into their bank accounts in exchange for attractive commissions. After this, fraudsters transfer the illegal money into the account of the money mule. Then, the money mule is directed to transfer money into the account of another money mule. This creates a chain that ultimately leads to the money getting transferred to the fraudster’s account.

How do Scammers do it?

  • Step 1
    The scammers contact customers via messages, mails, and chat rooms. They then lure the customers by way of attractive commissions, and get the latter to share bank details and other confidential information.
  • Step 2
    After receiving the requisite information, the scammers then use it to transfer the money from the customer’s account into that of a money mule, an innocent person who has no inkling of the scheme he or she is a part of.
  • Step 3
    The money mule is then directed to transfer the money to the account of another money mule. This starts a chain of fraud.
  • Step 4
    If ever the money mule fraud gets reported, it is always the money mules who get arrested and not the masterminds who cannot be traced.


Tips to protect yourself

  • If you get messages that promise lucrative opportunities in the form of jobs, commissions, or a lottery, do not respond. More often than not, these are all scams. Think logically and not out of excitement.
  • If the job offered is an international one, be even more cautious. Verify every single detail that you need to before acting on the message.

Juice Jacking

What is Juice Jacking?

Juice jacking is a type of cyberattack involving a public charging port.
Public charging ports are indeed a big help when the battery of our mobile device is drained and we don’t have a charger or a power bank; but on the other hand, such ports may also steal your data and install malware on your device.

How it happens

  • Step 1
    Scammers install malware into a charging port that they have modified.
  • Step 2
    When you charge your mobile phone or any other device using this modified charging port, the malware is installed on your device, allowing the hackers access to sensitive data via your phone, including contact details, emails, messages, photos, private videos, and sensitive financial credentials.

How to prevent Juice Jacking:

  • Carry a power bank, as this is the safest and most convenient solution.
  • Avoid USB charging at public spots and look for an electrical outlet instead: electrical outlets do not carry data, so malware cannot be transferred through them.
  • In a situation where you have no choice but to charge with a public USB charging port, you can power off the device and then plug it in. Powering off the smartphone doesn’t allow transfer of data.
  • Try to use a charge-only cable, which has no data lines, rather than a data transfer cable.

Cerberus Trojan Threat

What is Cerberus Malware?

Cerberus is malware (a trojan) that takes advantage of the COVID-19 pandemic. The software impersonates legitimate apps and content related to COVID-19.

The malware primarily focuses on stealing banking details like credit card numbers, CVV and more. Additionally, it can use overlay attacks to trick victims into providing personal sensitive information as well and can also capture two-factor authentication details.   

Cerberus also has the ability to take screenshots, hijack SMS texts, steal contact lists, account credentials, and more.


How does it happen?

  • Step 1
    It usually comes in the form of an SMS, infected email attachments, malicious online advertisements, social engineering and deceptive applications.
  • Step 2
    It tricks innocent customers into downloading or clicking on the embedded link mentioned in the communication.
  • Step 3
    Once downloaded, the software deploys its malicious app on their smartphones.


Stay safe by following these tips

  • Be careful what you download: Cerberus malware relies on social engineering tactics to make its way onto a victim’s device. Therefore, think twice before you download files, apps or attachments that you receive from unknown senders.
  • Click with caution: Only click on links from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link, beware and ignore the message altogether.
  • Use comprehensive security: Safeguard your devices with an extra layer of security. Keep your operating systems safe by regularly scanning them for threats with reputable antivirus or anti-spyware software.
  • Keep an eye on messages: Read transaction SMS, pop-ups and descriptions closely, and be careful when clicking on links.
  • Verify, verify, verify: Be sceptical of someone offering freebies like cashback or advance payment for a product you may be selling online.
  • Double-check: Refer to reputed and official websites for any information.
  • Stay current: Always keep your contact details updated with the bank.

COVID-19 Phishing Threat

What is COVID-19 Phishing Threat?

The Government of India has warned about a possible phishing attack by cyber criminals with the intent to steal all personal data and financial details including bank account and debit/credit card details, CVV numbers and secret passwords.

A recent CERT report has stated that cybercriminals are expected to undertake a phishing campaign in India's major cities using the suspicious email - [email protected] from June 21, 2020.

The criminals claim access to millions of Indian email IDs where they plan to send emails titled 'Free COVID-19 Testing' that aim to extract personal and banking info from residents of Mumbai, Delhi, Hyderabad, Chennai and Ahmedabad.

How does it happen?

  • Step 1
    It usually comes in the form of an email under the pretext of local authorities in charge of dispensing government-funded COVID-19 support initiatives.
  • Step 2
    It promises news you may be interested in (currently, information related to COVID-19), prompting innocent customers to click on the embedded link mentioned in the communication.
  • Step 3
    The customer’s safety is compromised if they click on the link, downloading malicious files or ending up entering sensitive personal and financial information.

Stay safe by following these tips:

  • Don’t lower your guard: Phishing attacks depend on capturing your interest with official-looking language and logos that may make you lower your guard.
  • Click with caution: Only click on links from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link, beware and ignore the message altogether.
  • Use comprehensive security: Safeguard your devices with an extra layer of security. Keep your operating systems safe by regularly scanning them for threats with reputable antivirus or anti-spyware software.
  • Keep an eye on messages: Read transaction SMS, pop-ups and descriptions closely, and be careful when clicking on links.
  • Verify, verify, verify: Develop a healthy suspicion of email IDs you have not seen before.
  • Double-check: Refer to reputed and official websites for any information.
  • Stay current: Always keep your contact details updated with the bank.

Social Engineering Fraud

Smita was busy cooking a meal for a dinner party at her home. She received a call from her bank asking her to urgently provide personal details since she had failed to complete her KYC on time, failing which her account would get blocked immediately. Since the caller identification app identified the number as her bank’s number, she quickly gave the details and got back to cooking before her guests arrived. By the time her guests left after a very enjoyable evening and she got a chance to look at her phone, the fraudster had withdrawn Rs. 50,000 from her bank and there were several SMS alerts from her bank informing her of the withdrawals.

Even without realising it, and despite having seemingly checked that it was an authentic number that showed the name of the Bank, Smita had become a victim of social engineering fraud.

What is social engineering fraud?

Fraudsters are finding new ways to register fake contact numbers, similar to the bank’s toll-free number, on online platforms and caller identification apps in order to dupe people.

How the fraud happens:

  • Suppose Smita’s bank is called CashBank and its toll-free number is 1800 123 1234. A fraudster obtains a number, 800 123 1234, similar to the toll-free number of CashBank and registers it successfully on the Truecaller app (or any caller identification application) as the toll-free number of CashBank.
  • An unsuspecting customer looking to contact CashBank contacts the fraudster’s number registered on the caller identification app (800 123 1234) instead of the genuine toll-free number of the bank (1800 123 1234).
  • The fraudster attending this call then lures the victim into providing sensitive details such as debit/credit card credentials, username, OTP, etc. to access the victim’s account and carry out fraudulent transactions.

Why Truecaller and similar apps are not reliable when it comes to official entity numbers:

Let’s take an example of Truecaller and see how it works: 

  • When a person installs the application, the contact information from their phonebook gets stored in the Truecaller database.
  • In this way Truecaller builds its huge database of users as well as of the contacts stored in their phonebooks.
  • So if X number of users save the same number with ‘XYZ’ as the name, then that number is tagged as XYZ. That is how the fake number also came to be recognised as CashBank’s number in Smita’s case.

How can this be prevented?

  • Always visit the official website for any entity’s number. For Kotak Mahindra Bank, visit www.kotak.com.
  • Avoid using caller identification apps when you want to call any entity such as a Bank, and be careful when you receive a call that appears to come from the Bank.
  • Do not share your sensitive bank and personal details with anyone over a call, even if they claim they are Bank representatives.
  • Look for https or the lock icon in the address bar of your web browser. The lock indicates that the site is using encryption technology to protect your sensitive data in transit; it does not by itself prove that the site belongs to the Bank.

Always be aware. It is important not to trust caller identification apps directly. Instead, verify the number on the official website to ensure your safety.

Stay alert, stay safe.

IDN Homograph Attack (Punycode)

What is IDN Homograph?

The IDN (Internationalized Domain Name) Homograph Attack, often referred to simply as Punycode after the encoding such domain names use, is an attack where fraudsters create or use a domain or website name that looks similar to an established name.

Characters (i.e., letters and numbers) that look alike are called homographs, hence the name of the attack.

How do Scammers do it?

Fraudsters create domain names that closely resemble a legitimate domain. A common way of doing this is replacing Latin letters such as “e” and “a” with the Cyrillic letters “е” (U+0435) and “а” (U+0430), which are drawn almost identically.

For example, for Kotak.com, they may register a version in which the Latin letter “a” is replaced by the Cyrillic letter “а”; it is difficult to notice the difference between the two.

To a user, this difference in lettering may not be obvious because it is a very cleverly designed fraud.
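As an added example (this is not code from the page or from Kotak Mahindra Bank), the following Python script applies the "check the URL carefully" advice from this section and from the phishing tips above to a link's host name: it decodes any "xn--" Punycode labels, reports which scripts the characters come from, and maps a small, constructed table of Cyrillic lookalikes onto their Latin twins to see whether the result matches a domain the user actually meant to visit. The allowlist and the confusables table are this example's own assumptions.

```python
"""Added example: flag IDN homograph / Punycode lookalike domains before trusting a link.
The allowlist and confusables table below are constructed for this example only."""
import unicodedata

# Constructed allowlist: the domains the user actually intends to reach.
LEGITIMATE_DOMAINS = {"kotak.com", "www.kotak.com"}

# Constructed, deliberately small confusables table: Cyrillic letters that render
# almost identically to Latin ones (a subset of Unicode's confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Characters allowed in any label that should not count as a script of their own.
COMMON = set(".-0123456789")


def script_of(ch: str) -> str:
    """Return the script name prefix of a character, e.g. 'LATIN' or 'CYRILLIC'."""
    if ch in COMMON:
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def to_punycode(domain: str) -> str:
    """ASCII form the browser sends on the wire: non-ASCII labels become 'xn--...'."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode 'xn--' labels back to Unicode so a Punycode link can be inspected."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or malformed): inspect it as given


def skeleton(domain: str) -> str:
    """Map confusable characters to their Latin lookalikes; lowercase the rest."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def analyze_domain(domain: str) -> dict:
    """Classify a domain: scripts it mixes, its wire form, and which legitimate
    domain (if any) it imitates. Any non-ASCII domain is flagged conservatively."""
    unicode_form = to_unicode(domain.strip().lower())
    try:
        wire_form = to_punycode(unicode_form)
    except UnicodeError:
        return {"input": domain, "suspicious": True, "reason": "malformed label"}
    scripts = {script_of(ch) for ch in unicode_form} - {"COMMON"}
    skel = skeleton(unicode_form)
    lookalike = skel if skel in LEGITIMATE_DOMAINS and skel != unicode_form else None
    uses_punycode = wire_form.lower() != unicode_form
    return {
        "input": domain,
        "wire_form": wire_form,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "uses_punycode": uses_punycode,
        "lookalike_of": lookalike,
        "suspicious": len(scripts) > 1 or uses_punycode or lookalike is not None,
    }


if __name__ == "__main__":
    genuine = "www.kotak.com"
    lookalike = "kot\u0430k.com"  # constructed: Latin 'a' replaced by Cyrillic U+0430
    for d in (genuine, lookalike, to_punycode(lookalike)):
        print(d, "->", analyze_domain(d))
```

Run against a real link, pass only the host part of the URL; the "wire_form" field is the "xn--" string that a browser's address bar may show when it refuses to render a mixed-script name.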


Tips to protect yourself:

  • Regularly update your browsers, as your first line of defence against such frauds.
  • Always double check links before clicking. A Punycode lookalike will look just a little different. If in doubt, type out the URL instead of clicking on a link.
  • When visiting the desired site, check the URL carefully. Look out for minor differences in the characters. Again, if in doubt, type out the URL.
  • Fake websites may contain spelling errors. These errors may exist not only in the text of the website, but also in the URL.


Always be aware:

  • Whenever you wish to visit the bank’s website, type out the complete URL in the browser, i.e. www.kotak.com. Do not click on any link that has been sent to you with the promise of taking you to the bank’s site.
  • Make sure that the connection to the website is secure. The best way to know it is by checking if there is a padlock symbol. Click on the lock icon in the browser. This will tell you if the website’s certificate is valid and authentic.
  • Do not download attachments received in unsolicited mails or from unknown senders.
  • Refrain from sharing sensitive personal or banking information with anyone. Remember, Kotak Mahindra Bank or any of its executives will NEVER ask you for such details.

If you notice any such discrepancy in any URL received via email or text message, write to [email protected]

Loan Fraud

What is a Loan Fraud?

Fraudsters issue fake advertisements of quick and easy personal loan offers at very attractive low rates of interest or with easy repayment options or without any security requirement, etc., and lure customers to contact them.

How do fraudsters do it?

  • Step 1: To gain the trust of customers, scammers use email IDs that look similar to email IDs of senior officials of well-known non-banking financial companies.
  • Step 2: Fraudsters also create fake website links that show up on search engines when people try to verify or cross-check information about the loans.
  • Step 3: Once the customers approach the fake loan company, they demand various upfront charges like processing fee, GST, intercity charge, advance EMI, un-hold charges, etc., and abscond without disbursing the loans.

Tips to protect yourself

In one word – beware.

Here are a few tips that can be handy while detecting a Loan Fraud:

  • More often than not, these Loan Fraud emails contain numerous spelling errors. These errors may exist not only in the text of the email, but also in the URL therein.
  • There is a sense of urgency embedded in the email, if you pay attention to the language used. They urge you to take action NOW or you will miss out on the discounted rates, etc.
  • Such emails may comprise unusual attachments which are almost always malware, ransomware, or some other form of online threat.
  • Refrain from clicking on links that come from unknown web terrains. Additionally, do not respond with your personal and confidential information. Remember, Kotak Mahindra Bank or any of its executives will NEVER ask you for such details.
  • Whenever you wish to visit the bank’s website, type out the complete URL in the browser, i.e. www.kotak.com. Do not click on any link that has been sent to you with the promise of taking you to the bank’s site.
  • Make sure that the website is running in a secure mode. The best way to know is by checking whether the browser shows a padlock symbol (in the address bar in current browsers).
  • Check if the website has a digital certificate.
  • Another thing to check is the URL of the page. A website is only secure if its URL starts with HTTPS. Most fake links are not secured and start with HTTP. Note that HTTPS only means the connection is encrypted; a fake site can also use HTTPS, so the padlock alone does not prove that the site is genuine.

If you notice any such discrepancy in any URL received via email or text message, write to [email protected]

Online Scams through Online Classified Marketplace

What is a Classified Marketplace Fraud?

Fraudsters create fake accounts on classified websites that are backed up by fake social media accounts to make them look authentic. They connect with customers who post advertisements on the classified sites looking for a product or service, and try to trick them into sharing sensitive financial and personal data.

How do fraudsters do it?

  • Step 1: Scammers create a fake account on popular classified websites (such as OLX). They also create social media profiles using the same fake details in order to appear trustworthy.
  • Step 2: They are on the lookout for people posting their requirement for products/services. They reach out to these customers only via email or SMS, taking care to avoid meeting in person.
  • Step 3: Fraudsters then coax customers to use alternative payment options, such as prepaid cards, UPI payments, net banking, cryptocurrencies, money-transfer services etc., to pay in advance, and then simply disappear, deleting all traces of their online account on the classified site.

Tips to protect yourself:

In one word – beware.

  • Do not pay for any goods and services unless you have received the goods and services.
  • Do not reveal any personal or sensitive information such as your Credit Card details or OTPs or PINs.
  • If in doubt, contact the customer care department of the classified company to verify the authenticity of the seller.

If you notice any such discrepancy in any URL received via email or text message, write to [email protected]

Aadhaar Based Payment Systems Fraud

What is an Aadhaar Based Payment Systems Fraud?

The Aadhaar Based Payment Systems may be vulnerable to the gummy finger fraud method. By using gum/glue, a duplicate of your fingerprint can be made. Fraudsters may use this duplicate fingerprint to make a transaction causing you to lose money.

How do fraudsters do it?

Step 1: A merchant may be using the Aadhaar Based Payment System to authenticate your fingerprint. Your biometric data could be stored on this device. A fraudster with access to this device can use the gummy finger method to create a duplicate fingerprint. If your biometric data is stored on the merchant’s smartphone and it falls into the hands of a scammer, your details become vulnerable.

Step 2: This duplicate fingerprint can then be passed off as yours to make transactions in your name.

Tips to protect yourself:

In one word – beware.

  • If you feel that a seller is insisting on payment only after biometric authentication despite other payment options being available, walk away.
  • Consumers can research a device before purchasing it to make sure its fingerprint data is encrypted end-to-end on the device. For example, Apple uses encryption technology for this.

Things to do if you fall prey to such a fraud:

  • Contact Your Bank.
  • File a Police complaint.

If you notice any such discrepancy in any URL received via email or text message, write to [email protected]

Broadband Internet Security Fraud

What is a Broadband Internet Security Fraud?

A scammer may phone you and pretend to be a staff member from a large computer or telecom firm or claim to be a technical service provider. They may tell you that your computer has been sending error messages or that it has a virus. They may mention problems with your internet connection or your phone line and say this has affected your computer's recent performance. They may claim that your broadband connection has been hacked. The caller will then request remote access to your computer to ‘find out what the problem is’. This way they can access all the files and data on your computer. The scammer may also try to talk you into buying unnecessary software or a service to ‘fix’ the computer, or they may ask you for your personal details and your bank or Credit Card details.

How does the fraud happen?

  • Step 1: You receive a phone call out of the blue and the caller claims to be from a large telecommunications company, a computer company or a technical support service provider.
  • Step 2: They tell you that your computer is experiencing technical problems and they need remote access to sort out the problem.
  • Step 3: They may ask you to buy software or sign up to a service to fix the computer.
  • Step 4: They may ask for your personal details and your bank or Credit Card details to pay for the repair.

Tips for your safety:

In one word – beware.

  • Never give an unsolicited caller remote access to your computer.
  • Never give your personal, Credit Card or online account details over the phone unless you made the call and the phone number came from a trusted source.
  • If you receive a phone call out of the blue about your computer and remote access is requested, hang up, even if they mention a well-known company.
  • Make sure your computer is protected and regularly updated with anti-virus and anti-spyware software, and a good firewall.
  • If you have fallen victim to a scam, raise a complaint immediately.

If you notice any such discrepancy in any URL received via email or text message, write to [email protected]

SMS spoofing

Fraudsters try to trick customers by sending them an SMS from a cloned mobile number. Customers may also receive a call from someone impersonating another entity. The pretext on which they may ask the customer to take action could be, among other reasons, one of the following:

  • Refund/Credit in the account
  • SIM card expiry
  • SIM card upgrade
  • KYC not completed

They trick the customer into giving them sensitive information — since the Call/SMS appears to come from a legitimate source — and then use that information to withdraw funds or commit fraud. 

How does SMS spoofing happen?

  • Step 1
    The fraudster initiates device registration on a UPI app (GPay, PayTM, etc.) on his own device.
  • Step 2
    The fraudster then sends out a spoofed SMS creating panic that the customer’s account will be blocked as KYC is pending or the SIM has expired. Along with this SMS, an alphanumeric code is forwarded to the customer (the potential victim), stating that the code must be sent to a particular number from the customer’s Registered Mobile Number.
  • Step 3
    By now the customer is tricked and sends the code to the fraudster’s number, assuming it belongs to the relevant authority. That’s it: the fraudster’s device (UPI app) then gets linked with the victim’s Registered Mobile Number.

What happens next?

The fraudster then tricks the customer into revealing sensitive bank details over a call, asking for details such as the bank account number, debit card number, CVV, expiry date etc. They do so by pretending to represent real companies like banks, e-commerce companies etc.

The fraudster is able to see the customer’s bank account details on his own device, since the customer’s Registered Mobile Number is now linked to the fraudster’s device.

The victim only realises that he has been tricked when he is intimated about the fraudulent debit through an SMS alert or upon checking his bank statement. Thus, SMS spoofing takes place without the fraudster needing a cloned or duplicate SIM, simply by tricking the customer into forwarding the alphanumeric code to a number shared by the fraudster.

Tips to stay safe:

  • Avoid responding to any SMS sent from unknown numbers or email IDs. If the SMS asks you to take urgent action, visit the official website directly; do not click on the SMS link or take any further action like forwarding codes to unknown numbers.
  • Don’t get tempted by lucrative offers or messages that create panic. Exercise caution.
  • Always get in touch with service providers on the official contact details available on the company’s website to verify the situation described by the unknown caller.
  • Do not click on the URLs mentioned in any ‘password reset’ SMS messages.
  • Beware of any SMS about verification codes, especially if you did not request a password reset or sign up to a service that uses two-factor authentication.
  • Remember that banks, service providers, and telecommunication companies never ask for personal details through SMS, so do not share sensitive details via SMS.