Be aware of Frauds

Phishing

 

Phishing is an act undertaken by fraudsters to gain your private and sensitive information through emails that appear to be sent by your bank.

 

What is Phishing?

Phishing is an act undertaken by fraudsters to gain your private and sensitive information through emails that appear to be sent by your Bank. Such fake emails encourage you to click on a link in the email, which leads you to a fake website with a similar look and feel to that of the Bank's authentic website. The fake website is designed to capture your personal confidential account information such as Customer ID, IPIN, Credit/Debit Card number, Card expiry date, CVV number, etc.

Fraudsters obtain or purchase customers' email addresses through non-trusted sites where the customer would have revealed his email ID during casual browsing, or shared it in chat rooms, on blogs or on mailing lists, etc.

 

How do the fraudsters operate?

  • Fraudsters send spoofed emails, appearing to be sent by HDFC Bank, to a large number of recipients with an urgent tone that calls for quick action to verify, update or reveal your confidential account information by clicking on a link in the email.
  • Once the recipient clicks on the link in the email, he is diverted to a fake website with a similar look and feel to that of the Bank's original website. The customer is presented with a web form to divulge his confidential account information, i.e. customer ID, IPIN, Credit / Debit Card numbers, Card expiry date and CVV number, etc.
  • Once the unaware customer reveals his confidential account information on the fake website, he may be directed to the authentic website of the Bank to suppress any suspicion arising in the customer's mind. This is how the customer's identity is compromised.
  • This confidential account information or these identity credentials are then used by the fraudster to gain access to the customer's account to commit fraudulent transactions.

 

How do you identify a fake / phishing email?

  • The fraudster may use HDFC Bank's email address, domain name, logo, etc. to give an authentic look to the fake email.
  • Do not rely on the name and source in the "From" field of the email, as it may be easily manipulated by the fraudster to show a valid email account of HDFC Bank.
  • Such fake emails will always address you by a generic salutation such as "Dear Customer", "Dear Net Banking Customer" or "Dear HDFC Bank Customer". HDFC Bank's authentic emails will always address you personally by your name, e.g. "Dear Mr. Sameer Bedi".
  • Very often, such fake emails are poorly drafted and may have spelling or grammatical mistakes.
  • Such fake emails will always encourage you to click on to a link to verify or update your confidential account information.
  • The links embedded in such fake emails may sometimes look authentic but when you move the cursor/pointer over the link, there may be an underlying link/url to a fake website.
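
The salutation and hidden-link checks listed above can be automated. The following is an added example, not part of the original advisory or any HDFC Bank tool; the indicator names, the sample email and the lookalike host under example.net are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BANK_DOMAIN = "hdfcbank.com"  # the bank's domain as given on this page
GENERIC = re.compile(r"\bdear\s+(net\s*banking\s+|hdfc\s+bank\s+)?customer\b", re.I)

# Constructed sample: spoofed From, generic salutation, disguised link.
SAMPLE = """From: HDFC Bank <alerts@hdfcbank.com>
Content-Type: text/html

<p>Dear Customer,</p>
<p>Update your details at
<a href="http://hdfcbank.com.example.net/login">https://netbanking.hdfcbank.com</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_bank_host(host):
    """True only for the bank's domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)

def phishing_indicators(raw_email):
    # The From header is never consulted: the sender can set it freely.
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    found = ["generic-salutation"] if GENERIC.search(body) else []
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        if BANK_DOMAIN in text.lower() and not is_bank_host(urlsplit(href).hostname):
            found.append("link-text-mismatch")
    return found
```

The host comparison is anchored to the end of the name, so a lookalike such as hdfcbank.com.example.net is not accepted as the bank's domain.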

 

Visual identification of fake/phishing emails

How do you identify a counterfeit / fake website?

  • Verify the URL of the webpage (web page address):
    • Most counterfeit / fake webpage addresses start with "http://". HDFC Bank's transaction-related webpages that require customer confidential account information (e.g. internet banking, payment gateway sites for online shopping) start with "https://" and not "http://".
    • Check for the letter "s" at the end of "https"; it indicates that communication between the webpage and the visitor accessing it is secured by means of encryption.
    • HDFC Bank's home page address - http://www.hdfcbank.com is not encryption enabled, as there is no customer confidential account information flowing over it.
  • Check the PAD LOCK symbol:
    • The padlock symbol indicates the existence of a security certificate, also called a Digital Certificate, for that website. Fake websites would either not have a digital certificate to prove their authenticity or may have an invalid digital certificate.
    • Establish the authenticity of the website by verifying its digital certificate. To do so go to File => Properties => Certificates or double click on the PAD LOCK symbol at the upper right or bottom corner of your browser window. E.g. HDFC Bank's authentic Internet Banking website and digital certificate is depicted below


Fake Website

Please follow these simple steps to avoid falling prey to phishing scams:

  • In case of doubt, DO NOT click on any link provided in the email
  • DO NOT give any confidential information such as password, customer ID, Credit / Debit Card number or PIN, CVV, DOB, to any email request, even if the request is from government authorities like Income Tax department or any Card association companies like Visa or MasterCard
  • DO NOT open unexpected email attachments or instant message download links
  • Always check the web address carefully before sharing any sensitive information. Our website address is www.hdfcbank.com and our NetBanking address is https://netbanking.hdfcbank.com
  • For logging in, always type the website address (mentioned above) on your web browser
  • Always check for the Padlock icon at the upper or bottom right corner of the webpage. It must be always ‘On’ during secure transactions
  • Always ensure that you have installed the latest anti-virus / anti-spyware / personal firewall / security patches on your computer or high-end mobile phones
  • Always use non-admin user ID for routine work on your computer
  • DO NOT access NetBanking or make payments using your Credit / Debit Card from shared or unprotected computers in public places like cyber cafes including unprotected high-end mobile phones

What do you do if you have revealed your confidential information by responding to a phishing email or have become a victim of phishing?

  • If, soon after revealing sensitive information such as customer ID, IPIN, etc., you realise that you have responded to a phishing scam, immediately log on to your NetBanking account by typing the URL in the address bar of your web browser, change the IPIN and verify recent transactions in your account. If no fraudulent transactions are observed, forward the phishing email to the bank.
  • If you discover any unauthorised transaction in your account, please call up the PhoneBanking numbers or send an email to support@hdfcbank.com to disable internet banking access to your account and visit your home branch immediately to report the matter at the branch for further action. Contact your branch manager and forward the phishing email to fake.email@hdfcbank.com

 

Please Note: HDFC Bank will never ask you to divulge any confidential account information such as passwords, customer ID, IPIN, Credit / Debit Card numbers, CVV number, ATM PIN, etc. over email or a phone call.

Money Mules

 

By phishing or other means of customer identity theft, the fraudster harvests customer NetBanking credentials i.e. customer ID and IPIN with a motive to transfer money from customer account to another account holder.

 

What are Money Mules?
By phishing or other means of customer identity theft, the fraudster harvests customer NetBanking credentials, i.e. customer ID and IPIN, with a motive to transfer money from the customer's account to another account holder of the same or a different bank. The beneficiary account holder is referred to as a "Money Mule". The beneficiary unknowingly becomes an accomplice through social engineering techniques employed by the fraudster.

 

How does the Fraudster operate?

  • These fraudsters generally operate from a country other than the one where the fraud is to be committed, to keep themselves away from local law enforcement agencies. They either maintain anonymity or use a fictitious identity to commit these frauds.
  • Fraudsters launch their attack using social engineering techniques by contacting the prospective money mules either by sending emails, in chat rooms, job search websites or through internet blogs.
  • Fraudsters lure the prospective money mules to share their bank account details by telling them a fake story and convincing them to receive money in their accounts. Fraudsters also offer a part of their money or commission and persuade them to unknowingly act as money mules.
  • Fraudsters then transfer money from the bank customer account whose Internet Banking customer ID and IPIN / password has been harvested either by means of phishing or through other means of identity theft.
  • The Money Mule is then directed by the fraudster to retain the commission and transfer the balance money either through wire transfer or to an account of another money mule by means of online transfer or cash deposit, thereby forming a chain of fraud.
  • Such money transfers would ultimately lead to funds transfer into fraudster's account thereby maintaining anonymity.
  • When such frauds are reported the money mules become the target of law enforcement agencies as their bank accounts are used and their identity is established.

 

How do you protect yourself from becoming a money mule?

  • The fraudster may make up different stories; however, his motive will be to convince you to share your bank account details, receive money and act as per his directions.
  • Do not respond to email from strangers asking you for your bank account details.
  • For any overseas job offer, confirm the identity and contact details of the company offering the job to you. They may have hosted a company website to make it look authentic, but there may not exist any company at all in reality.
  • Do not get carried away by attractive offers or prizes.

Samples of Fraud emails:

 

Hello !

My name is Morgan Smith Bryant, I am an artist with my wife Susan Morgan, We own SUS Art World in London (United Kingdom), I live in United Kingdom with my two kids, four cats, It is definitely a full house, I have been into art work since I was a little child that gives me about 23 years of experience, I majored in art in high school and took a few college art courses, Most of my work is done in either pencil or airbrush mixed with color pencils.

I have recently added designing and creating artwork on the computer, I have been selling my art for the last 3 years and have had my work featured on trading cards, prints and in magazines. I have sold in galleries and to private collectors from all around the world, I am always facing serious difficulties when it comes to selling my art works to American and India, they are always offering to pay with credit cards only which is difficult for me to cash here in London United Kingdom. Also, i'm setting a large factory and estate in India.

I am looking for a representative in the India who will be working for me as a petite worker and I will be willing to pay 10% for every transaction, which wouldn't affect your present state of work. Someone who would help me receive payments from my customers in the india mean someone that is responsible and reliable, because the cost of coming to the state and getting payments is very expensive and time consuming, I am working on setting up a branch in the India for now I need a representative in India who will be handling the payment aspect for my company.

These payments will be made via bank transfer only and they would come to you in your name if you are willing to assist as a representative, so all you need to is to open a new account with ABC bank India where my customers in India and United States can be transferring money to you. After deducting your 10% you will then wire the rest to my contractor in India. If you are interested ,i want you to open an account with ABC bank India and forward all the banking information to me including your international passport first three page,birth certificate and election card to me.

The only problem which I have is trust, but I have my way of getting anyone that gets away with my money mean the Federal Bureau of Investigation ( F.B.I) branch in Washington gets involve. It will not cost you any amount, you are to receive payments from customers for my company which will be sent to you into your ABC bank account.

Sincerely.

Morgan Smith
SUS ART WORLD.

NB: All charges will be deducted from the money, so you are rest assured that you wouldn't spend a dime out of your personal money.

If you are interested, please get back to me as soon as possible via email with the following listed information below:

#Your full name:
#Your full home address,
#Your age,
#Occupation and as well your
#marital status, and your,
#direct contact telephone number,
#Drivers License / International Passport

Thanks for your assistant and God bless,