
Cyber Security

Social engineering is the term used for a broad range of malicious activities accomplished through psychological manipulation of users, tricking them into making security mistakes or giving away sensitive information.

Phishing, vishing, tailgating and spear phishing are some examples of social engineering.

Baiting: fraudsters use various techniques that play on a victim's greed or curiosity to lure them into a trap, in order to steal information or plant malware.

Baiting can be done using physical media or online.

Modus Operandi:

  • Physical baiting is typically carried out using malware-infected pen drives, which the fraudster leaves in strategic areas where a potential victim is certain to see them. The bait has an authentic look. Victims pick it up out of curiosity or greed and insert it into a computer or mobile, and malware is installed automatically on the system.
  • Online baiting consists of enticing ads that lead to malicious sites or encourage users to download a malware-infected application.

Precautions to be taken:

The most effective preventive method against a baiting attack is awareness.

  • Don't click on links in advertisements or from untrusted sources.
  • Don't connect unknown storage media to your system; if you must, scan or format the media before connecting it.
  • Use anti-malware software on computers and mobiles.
  • Disable the autorun feature for pen drives and other removable media, so that merely inserting a device cannot launch a program on its own.

Scareware is a malware tactic used to manipulate victims into downloading or buying software that is useless or is itself malware-infested.

Modus Operandi:

  • Victims are bombarded with false alarms and fictitious threats. They are deceived into thinking their system is infected with malware and prompted to install software that has no real benefit (other than to the perpetrator) or is malware itself.
  • Scareware is also referred to as deception software, rogue scanner software and fraudware.

Precaution to be taken:

  • Never click on "malware detected" notifications that pop up in the browser; a web page cannot scan your computer.
  • Keep your browser updated.
  • If you have clicked on such a notification, cancel the download immediately.
  • Always use genuine antivirus software.

Pretexting is an attack in which the attacker creates a scenario to try and convince the victim to give up valuable information, such as a password.

Modus Operandi:

The attacker usually starts by establishing trust with the victim by impersonating a co-worker, police officer, bank or tax official, or another person with right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim's identity, and through them gathers important personal data.

Precautions to be taken:

  • Never share sensitive information by email, phone or text message.
  • Think about whether, and why, someone really needs the information they are requesting from you.
  • Verify requests for valuable information by going directly to the company or source through a different means of communication (for example, the number printed on your card, not the one the caller gives you).

Phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

Modus Operandi:

  • Fraudsters create third-party websites that look similar to a genuine website, such as a bank or e-commerce site.
  • Links to these sites are circulated through email, SMS and social media.
  • Unsuspecting customers follow the link and enter their secure credentials.
  • These credentials are captured by the fraudsters and misused.

Precautions to be taken:

  • Never click on unknown links.
  • Delete such emails/SMS immediately so the link cannot be opened later.
  • Verify the website, especially when you are asked to enter financial or login credentials or personally identifiable information. Check that the address bar shows your bank's own domain name, not merely a page that looks like your bank's.

Spear phishing is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents.

Modus Operandi:

  • A spear phishing attack uses an email containing specific information about the target individual, such as name, designation and address. These social engineering touches convince the victim to follow the instructions in the mail, which is what the fraudster needs in order to infect the system or steal data.

Precautions to be taken:

  • Avoid clicking any link in the mail.
  • Always check the sender's details, including the actual sending address rather than only the display name.
  • Secure your personal information.
  • Keep your system security up to date.

Vishing is a cybercrime that uses the phone to steal personal confidential information from victims. Often referred to as voice phishing, cyber criminals use savvy social engineering tactics to convince victims to act, giving up private information and access to bank accounts.

Modus Operandi:

  • Fraudsters contact customers by telephone posing as bankers, insurance agents, government officials, etc., and ask them to confirm their credentials, first asking for details such as name and date of birth to gain the customer's confidence.

Precaution to be taken:

  • Bank officials never ask customers to share confidential information such as PIN, CVV, OTP, password or card details.
  • Never share any secure credential over the phone.

A smishing text is an SMS message sent to your phone, worded in a way that makes you feel comfortable sharing personal information.

Modus Operandi:

  • Fraudsters send SMS posing as bankers, insurance agents, government officials, etc., and ask you to confirm your credentials, first asking for details such as name and date of birth to gain your confidence.

Precaution to be taken:

  • Avoid clicking on links received in SMS.
  • Bank officials never ask customers to share confidential information such as PIN, CVV, OTP, password or card details.

SIM swap is the process of replacing an existing SIM with a new one, or moving an existing mobile number to a new SIM.

Modus Operandi:

  • Fraudsters gain access to the SIM card or obtain a duplicate SIM card, and carry out digital transactions using the OTPs received on that duplicate SIM.

Precautions to be taken:

  • Never share credentials related to your SIM card.
  • Lock your biometrics using the My Aadhaar App or the UIDAI website, or by sending an SMS to 1947 in the prescribed format, to prevent unauthorised e-KYC.
  • Be cautious if your phone has no mobile network for a considerable time. Contact your mobile operator immediately to ensure that no duplicate SIM is being issued against your number.

Juice jacking is a type of cyber attack which uses a corrupt mobile charging station to infect phones and tablets that use the same cable (such as USB) for both charging and data transfer.

Modus Operandi:

  • A mobile charging port can also be used to transfer files.
  • Juice jacking is a cyber fraud in which, once your mobile is connected to an unknown / unverified charging port, malicious software is installed and fraudsters can access your sensitive data and misuse it.

Precautions to be taken:

  • Always avoid using public unknown charging ports or cables.
  • Always use your own power bank or charging USB cable for charging your phone.

Lottery fraud is an online fraud intended to rob you of your hard-earned money by deceiving you into believing that you have won a lottery.

Modus Operandi:

  • Fraudsters send an email or make a phone call informing you that you have won a huge lottery.
  • To release the amount, the fraudsters ask the victim to pay a processing fee or tax, or to confirm his/her identity by verifying a bank account / credit card on their website, from which the data is captured.
  • Since the requested money is a very small percentage of the lottery / prize, the victim falls into the trap and makes the payment.

Precautions to be taken:

  • Never make payments or share secure credentials for lottery calls / emails.
  • Always be suspicious when you come across such unbelievable lottery or offers.

Job fraud is a sophisticated fraud offering fictitious job opportunities to job seekers. It is normally carried out through online services such as bogus websites, or through unsolicited emails claiming to be from known companies or brands.

Modus Operandi:

  • Fraudsters create fake job portals and lure victims into entering their sensitive information for registration. Once the details are entered, the account is compromised.
  • Fraudsters also pose as officials of a reputed company, confirm selection after a fake interview, and request money in return for the offer.

Precautions to be taken:

  • A genuine company offering a job will never ask for money.
  • Never make payments on unknown job portals.

A fraud or fake app is an app created to mirror a legitimate app available in the App Store or Play Store. The scammers' goal is an app that people will mistake for the actual popular app and download to their phones.

Modus Operandi:

  • Fraudulent links to such applications are shared through email, SMS, social media, etc.
  • Once the malicious application is installed, the fraudster can gain access to the device.

Precautions to be taken:

  • Never download applications from unverified / unknown sources.
  • Always download from the Google Play Store or Apple App Store only.
  • Don't download apps you do not need.
  • Read the reviews and rating of an app before downloading it.
  • Check the number of downloads before installing; prefer apps with a large number of downloads. Also check that the developer name matches the bank's or company's, since fake apps copy the name and icon of the genuine one.

Skimming is a method of obtaining personal data from ATM, debit or credit cards while they are used at an ATM or a merchant location.

Modus Operandi:

  • Fraudsters install skimming devices on ATMs and steal the data from your card.
  • Fraudsters use the data to create duplicate cards and withdraw money from the customer's account.

Precautions to be taken:

  • Cover the keypad with your hand while entering your PIN.
  • Never enter the PIN while another person is standing close to you.
  • Before using an ATM, check the card slot and keypad for loose or unusual attachments; skimmers are fitted over the genuine parts.

Social media frauds: online fraud appears in many forms, ranging from email spam to online scams.

Modus Operandi:

  • Fraudsters create fake accounts on popular social media platforms like Facebook, Instagram, etc.
  • Fraudsters gain trust over a period of time and can then use your personal information for blackmail.

Precautions to be taken:

  • Do not make online payments to unknown persons.
  • Never share personal and confidential information on social media platforms.
  • Do your due diligence before accepting a friend request.

A one-time password (OTP), also known as one-time pin, is a password that is valid for only one login session or transaction, on a computer system or other digital device

Modus Operandi:

  • Fraudsters lure victims through various social engineering techniques.
  • The fraudster calls the victim, convinces them to share the OTP received on their mobile, and carries out an unauthorised transfer/transaction on the account.

Precautions to be taken:

  • Never share OTPs, PINs or personal sensitive information in any form with anyone.
  • Always keep a tab on your SMS/emails to ensure that no OTP is generated without your knowledge; an OTP you did not request means someone is attempting a transaction on your account.
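The OTP definition above says a one-time password is valid for only one session or transaction. The following added example (illustrative code written for this page, not any bank's actual implementation) shows how a server enforces that: each OTP is bound to one account and one transaction, stored only as an HMAC, expires after a short time, and is discarded on first use whether that use succeeds or fails. The server key, the account and transaction identifiers, the 3-minute lifetime and the 3-attempt limit are assumptions.

```python
"""Added example (not any bank's code): a server-side OTP service that enforces
single use and binds each OTP to one transaction. Identifiers, lifetime and
attempt limit are assumptions for this example."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 180   # assumption: how long an OTP stays valid
MAX_ATTEMPTS = 3        # assumption: wrong guesses allowed before the OTP is voided


@dataclass
class PendingOtp:
    digest: bytes       # HMAC of (account, txn, otp); the OTP itself is never stored
    txn_id: str         # the one transaction this OTP may authorise
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # account -> PendingOtp (one outstanding OTP each)
        self.notifications = []         # what the customer would receive by SMS/email

    def _digest(self, account: str, txn_id: str, otp: str) -> bytes:
        msg = f"{account}|{txn_id}|{otp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account: str, txn_id: str, description: str) -> str:
        """Generate a 6-digit OTP for exactly one transaction. Issuing a new one
        replaces any outstanding OTP for the account."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = PendingOtp(self._digest(account, txn_id, otp), txn_id,
                                            self._now() + OTP_TTL_SECONDS)
        # The message names the transaction, so a customer can spot one they never started.
        self.notifications.append(f"OTP {otp} for {description} (ref {txn_id}). Do not share it.")
        return otp   # delivered to the customer's registered mobile, not to the caller

    def verify(self, account: str, txn_id: str, otp: str):
        """Return (ok, reason). Every terminal outcome removes the OTP, so it is usable once."""
        p = self._pending.get(account)
        if p is None:
            return False, "no OTP outstanding"
        if self._now() > p.expires_at:
            del self._pending[account]
            return False, "expired"
        if p.txn_id != txn_id:
            del self._pending[account]      # an OTP for one transfer must not approve another
            return False, "OTP bound to a different transaction"
        p.attempts += 1
        if not hmac.compare_digest(p.digest, self._digest(account, txn_id, otp)):
            if p.attempts >= MAX_ATTEMPTS:
                del self._pending[account]
                return False, "too many attempts"
            return False, "wrong OTP"
        del self._pending[account]          # consumed: a second use will fail
        return True, "ok"


if __name__ == "__main__":
    svc = OtpService(b"server-secret")    # assumption: a per-deployment secret key
    otp = svc.issue("ACC-1", "TXN-1", "transfer of Rs 5,000")
    print(svc.notifications[-1])
    print(svc.verify("ACC-1", "TXN-1", otp))   # first use succeeds
    print(svc.verify("ACC-1", "TXN-1", otp))   # replay is rejected
```

Two things follow from the code. The notification names the transaction it authorises, which is what the precaution about keeping a tab on SMS relies on: an OTP message for a transfer you did not start is the sign that a fraudster has initiated one. And nothing in verify() can tell whether the person typing the OTP is the customer or a caller the customer read it out to, which is why the first precaution is to never share it.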

Internet Banking Safety Tips

  • Create strong banking passwords (both the log-in password and the transaction password) after your first log-in, and thereafter change them regularly (at least once a month).
  • Monitor your account activity regularly by checking your balances and statements online. This helps you detect fraudulent transactions, if any, quickly. The earlier a fraud is detected, the lesser its financial impact.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • Always remember to log out once you have completed an online session.
  • Enable multi-factor authentication for signing in, for secure use of internet banking.
  • Never respond to any email that requires you to confirm, upgrade, renew or validate your account details or card details, even if it appears to have come from your bank.
  • Do not share your login password or OTP (one-time password) with anyone.
  • It is safer to type your bank's URL in the address bar of the browser than to click on links given in an email. There are instances of fraudsters sending emails with links to fraudulent websites designed to look exactly like the bank's original website. Once you enter your login details on such a website, they may be used to access your account and steal your money.
  • While logging on, check for 'https://' in the URL and ensure that the domain name is your bank's authentic one. The padlock only means the connection is encrypted; a fraudulent site can also use https, so it is the domain name that confirms you are on the genuine site.
  • Use antivirus software to keep malware off the system.
  • Don't use a public system to log in to internet banking, as it may have a keylogger, malware, etc. If you have to log in from such a place, use the virtual keyboard and clear the cache and browser history afterwards.
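Several of the tips above (verify the website in the phishing section, type the bank's URL yourself, check for https and the bank's authentic site) come down to inspecting the link before entering credentials. The following added example (written for this page; not the bank's code) performs those checks on a URL: it requires https, rejects a raw IP address or an '@' that hides the real host, flags internationalised (punycode) hostnames, and compares the registrable domain to the bank's genuine domain, including look-alikes that differ only by swapped characters or bury the brand name in a subdomain. The domain "unionbank.example" and the sample URLs are constructed placeholders; substitute your bank's real domain.

```python
"""Added example (not the bank's code): checks a link the way the tips above recommend.
"unionbank.example" and the sample URLs are placeholders constructed for this example."""
import unicodedata
from urllib.parse import urlsplit

GENUINE_DOMAINS = {"unionbank.example"}   # assumption: your bank's registrable domain(s)

# Digit-for-letter swaps commonly used in look-alike domain registrations
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'netbanking.unionbank.example' -> 'unionbank.example'.
    Good enough for this example; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def ascii_skeleton(domain: str) -> str:
    """Reduce a domain to a skeleton so 'un1onbank' and 'unionbank' compare equal:
    strip accents, drop non-ASCII, undo 'rn'->'m' and 'vv'->'w' tricks and digit swaps."""
    plain = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return plain.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def check_bank_url(url: str) -> list:
    """Return the reasons a URL should not be trusted for banking; an empty list means
    the scheme is https and the host belongs to a genuine domain."""
    problems = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""

    if parts.scheme != "https":
        problems.append("not https")
    if "@" in parts.netloc:
        # https://unionbank.example@evil.example/ : the browser ignores everything before '@'
        problems.append("'@' in URL: the text before it is not the real host")
    if not host:
        problems.append("no hostname")
        return problems
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("internationalised hostname (possible homograph)")
    if host.replace(".", "").isdigit():
        problems.append("raw IP address instead of a domain name")

    domain = registrable_domain(host)
    if domain not in GENUINE_DOMAINS:
        problems.append(f"domain {domain!r} is not the bank's domain")
        for genuine in GENUINE_DOMAINS:
            brand = genuine.split(".")[0]
            # brand buried in a subdomain, or a domain that differs only by confusable characters
            if brand in host or ascii_skeleton(domain) == ascii_skeleton(genuine):
                problems.append(f"look-alike of {genuine!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample links, as a customer might receive them by email or SMS
    for sample in ["https://netbanking.unionbank.example/login",
                   "http://www.unionbank.example/",
                   "https://unionbank.example.verify-login.example/",
                   "https://un1onbank.example/",
                   "https://unionbank.example@evil.example/login"]:
        print(sample, "->", check_bank_url(sample) or "OK")
```

The point of the last check is that "https://unionbank.example.verify-login.example" belongs to whoever registered "verify-login.example", however convincing the left-hand part looks, and the padlock says nothing about that. The two-label registrable-domain rule is a simplification; domains under suffixes such as .co.in need the Public Suffix List to be split correctly.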

Device Security

  • Set up a PIN/password to access the handset menu on your mobile phone.
  • Install effective mobile anti-malware/anti-virus software on your smartphone and keep it updated.
  • Keep your mobile's operating system and applications, including the browser, updated with the latest security patches and upgrades.
  • Password-protect your mobile device against unauthorised access. Set up a PIN/password that is difficult to guess.
  • Never leave your mobile phone unattended.
  • Turn off wireless services such as Wi-Fi, Bluetooth and GPS when they are not being used. Bluetooth can be set to non-discoverable (invisible) mode.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • If you have to share your mobile with anyone else or send it for repair/maintenance:
    • Clear the browsing history.
    • Clear the cache and temporary files stored in memory, as they may contain your account numbers and other sensitive information.
    • Block your mobile banking applications by contacting your bank. You can unblock them when you get the mobile back.
  • Do not click any URL in a message that you are not sure about.
  • Do not save confidential information such as your debit/credit card numbers, CVV numbers or PINs on your mobile phone.
  • Do not part with confidential information received from your bank on your mobile.
  • Avoid using unsecured, public or shared Wi-Fi networks.
  • Do not use "jailbroken" or "rooted" devices for online banking. Jailbreaking or rooting a device (breaking into the phone's built-in operating system to control it outside the vendor's original intention) removes the platform's protections and gives apps administrative or privileged access to the OS, which exposes the device to additional malware.

Application Security

  • Never download and install applications from untrusted sources. Always download apps from official app stores such as the Google Play Store and Apple App Store.
  • Always verify app permissions and grant only those which are relevant to the app's purpose; a flashlight or wallpaper app, for example, has no reason to read your SMS or contacts.
  • In settings, do not enable installation of apps from "unknown sources".
  • If possible, maximise the security features by enabling encryption, remote wipe and location tracking on the device.

Mobile Application Security

  • Log out from mobile banking properly after you have completed your transactions, and close the app.
  • Be aware of shoulder surfers. Be extra careful while typing confidential information such as your account details and password on your mobile in public places.
  • In case you lose your mobile phone, please call our 24-hour Customer Care to disable the mobile application.
  • Never disclose personal information or online banking credentials via email or text message, as these can be used for identity theft.

ATM precautions:

  • Memorize your PIN. Do not keep your card and PIN together.
  • Do not share your PIN or card with anyone.
  • Do not take the help of strangers for using the card or handling cash.
  • Always press the 'Cancel' key before moving away from the ATM.

Credit card, Debit/ATM card and PIN and password safety measures

  • As soon as you receive the consignment carrying your card, ensure that the card in the envelope has your name, and that it is spelt accurately.
  • Always keep your card in a safe place, just as you would take care of cash and cheque books.
  • Destroy the PIN mailer after memorising the PIN and/or change the PIN after the first use.

Report Fraud

If you are a victim of online fraud, reach out to the National Cyber Crime Reporting Portal at www.cybercrime.gov.in, call the helpline on 1930, or call the Bank's helpline on 1800222244.

Always remember:

  • Do not click on any links in the e-mail received from an unknown person
  • Do not share any confidential/sensitive information with anyone.

If you have received any phishing/suspicious e-mails, please report it to [email protected]

#SabkoBataoo :: To report any cyber crime, dial 1930 or visit www.cybercrime.gov.in