A leading English daily reports that the share of suspected fraudulent digital transaction attempts originating from India increased 28.32% over the 12 months ending March 2021, compared with the previous 12 months. Even losses from fraudulent identities have increased.
Why is this so?
Chaos caused by the global COVID-19 crisis, a changing e-commerce landscape, the advent of new marketplace platforms, payments moving online, increasingly digital banking services, new consumer expectations, more sophisticated fraud tactics, unclear legal jurisdiction over cross-border fraud and technological advancements are all reasons.
Digital transactions have certainly made our lives easier, but is our money safe? With cutting-edge technology, operating bank accounts and making fund transfers is now easy. However, should we be worried about the online scams that we routinely hear about? Can our accounts be compromised by frauds like phishing, smishing and more? Are our banking systems foolproof against these scams?
Most of us are not technology savvy. Hence, do we even realise, when we receive a text message or an SMS or an e-mail, that it could be fake? There are several ways to fool people and rob them of money. Some fraudulent practices include Identity Theft, Phishing, Cloning, Smishing and Vishing. Our mobile number is common to all these. Access to the mobile phone, knowingly or unknowingly, opens the gates to financial fraud.
The text messages that we receive could be “phishing” scams via SMS. This is called Smishing, since SMS messages are used. It is similar to catching fish by throwing bait into the water. It is used to lure victims into parting with personal or financial information.
The smishing messages are disguised: the scamsters impersonate government agencies, banks, or other companies, lending authenticity to their actions. Most times, you are asked to provide usernames, passwords, credit and debit card numbers, PINs, and other sensitive information. If, instead of sending SMS messages, someone calls you for similar details posing as a bank official, it is called Vishing. They will promise to transfer money directly to your account, under some lottery scheme or as prize money. The message may typically say, "Your A/C can be credited with Rs 1,00,000. Enter your details & check now". They may provide a link and you may be asked to click on it. Believe me, if you click on this link, your account will be milked dry.
We also routinely receive messages from various agencies and banks that say “government agencies, banks, and other legitimate companies never ask for personal or financial information”. Treat this as a serious message and never click on any links or suspicious messages you may receive by SMS. Do not even ask the sender to stop contacting you. If you reply, it means that your phone number is active and that you read such messages. Clicking the link will only infect your mobile with a virus or malware designed to steal the personal or financial information stored on it.
Further, it will trigger more messages in future. It’s better to delete such SMS immediately, after reporting to the bank or to the customer care number mentioned on the reverse side of the card.
When you receive an e-mail and happen to click on the link, verify the URL of the site it leads to. Check that there is an ‘s’ at the end of ‘https’ in the URL, indicating it is a secure site. Also check that there is a Padlock symbol at the upper right or bottom corner of your browser window, which indicates a security certificate for that website. Above all, remember the proverb "Curiosity killed the cat".
As per the data released by RBI, the country was hit by over 50,000 bank frauds in the last decade. The ICICI, SBI and HDFC Banks have all reported a number of cases. Of the total 53,334 cases of fraud reported between the 2008-09 and 2018-19 fiscal years, involving a massive Rs 2.05 lakh crore, 6,811 were reported by the ICICI Bank, involving Rs 5,033.81 crore.
We must be extra vigilant while using credit and debit cards especially at ATMs, hotels or malls where card swiping machines are used. Scamsters can clone the card, a process of copying card details using technology or software and transferring it to another card. Devices that allow one to do cloning are called skimmers. A mobile repairer can also clone if he is into such practices. Now one needs an ATM PIN to actually withdraw money even if one clones a card. How then is the PIN captured? Simple. There is generally a camera installed near the keypad to capture the same.
There is another way of cloning called SIM swap. The scamsters manage to get a new SIM card issued against a registered mobile number through the mobile service provider. After this, they will receive an OTP on the fake SIM card and start withdrawing funds from the bank account. Whatever be the mode, they are all identity thefts.
Though most of the banks keep improving the security measures, is it really only up to us to follow basic security rules? Shouldn’t banks bear some of the cost? Is the phishing problem not a shared responsibility? Why should only the customer suffer? Does their responsibility end after sending a warning message? Should it not be a shared responsibility between the customers, banks and the businesses?
However, the challenge is detecting fraudulent transactions: even if we assume that the bank’s security systems were in place and operational, the fraudulent website and the fraudsters are all outside the bank’s systems. Unfortunately, the banks seem to be alerted to the scam only when customers notify them of suspicious transfers.
The RBI periodically issues the “Master Direction on Digital Payment Security Controls” and updates it, the last update being in 2020. Though there are guidelines that say financial institutions “should actively monitor for phishing campaigns targeting the financial institutions and its customers”, or that “Immediate action should be taken to report phishing attempts to service providers to facilitate the removal of malicious content or alert its customers of such campaigns and advise them of security measures to adopt to protect against phishing.”, there is more missing than said.
Can these guidelines form a basis on which legal liabilities are determined? For the record, no reported cases were ever brought to the courts based on a breach of these guidelines. Should we relook at the laws, stipulating greater responsibility on the part of banks to address phishing?
Even if the bank’s security was proper, are the systems outside the bank that monitor them adequate and functioning? If this were to be done effectively, would it amount to mimicking banks’ websites and monitoring personal mobiles and SMS systems? Does it become a privacy issue?
There are AI algorithms for monitoring. Would using them affect banking confidentiality? Should we let go of traditional rules-based risk assessment and instead use machine learning-based approaches, which can better recognize and combat digital fraud? These can distinguish between a good customer and a fraudulent one behind the transaction, unlike rule-based systems, which can crash when data sizes are large. Whatever be the security followed, it is necessary that the users are adequately educated and are responsible enough to follow the guidelines.
The author is Former Chairman, AICTE and Adj Prof. NIAS