Introduction
Frauds in the banking sector involving values exceeding 100 crores have decreased drastically, with banks reporting cases worth 41,000 crores in 2021–22 compared to 1.05 lakh crore the year before.
118 fraud instances were reported in private and public sector banks in FY22, down from 265 in FY2020–2020, according to government data.
According to the data, the total number of fraud cases involving over $100 million in public sector banks (PSBs) fell from 167 in FY’21 to 80 in FY’22 while it dropped from 98 to 38 in FY’22 for private sector lenders.
The total allocation has decreased for PSBs from 65,900 crores in FY’21 to 28,000 crores. In FY’22, the decrease for private sector banks is from 39,900 crore to 13,000 crore.
In an effort to combat fraud, the RBI has taken a number of steps, including boosting the Early Warning System (EWS) framework’s effectiveness, fortifying the governance and response framework, improving data analysis for transaction monitoring, and establishing a special Market Intelligence (MI) Unit for frauds.
In cooperation with Reserve Bank Information Technology Private Limited (ReBIT), the Reserve Bank of India (RBI) conducted research on the implementation of the EWS framework in a limited group of Scheduled Commercial Banks during 2021–2022.
A few institutions also employed machine learning (ML) methods to assess the efficacy of EWS.
ABG Shipyard and its promoters were responsible for one of the worst bank frauds in the nation, totaling $22,842 crore, which the State Bank of India (SBI) announced earlier this year.
This case involved Nirav Modi and his uncle Mehul Choksi, who are accused of defrauding the Punjab National Bank (PNB) of around Rs 14,000 crore by using phoney Letters of Undertaking (LoUs).
The largest bank fraud investigation by the Central Bureau of Investigation (CBI) occurred last month when the agency charged Dewan Housing Finance Ltd (DHFL), its former CMD Kapil Wadhawan, director Dheeraj Wadhawan, and others in a new case totaling 34,615 crores.
According to a group of lenders led by Union Bank of India, the company received loan facilities worth $42,871 crore from the group between 2010 and 2018 through various agreements. Still, it only began making payments on time starting in May 2019.
At various times, banks declared the accounts to be non-performing assets.
The promoters and others were accused by the bank of fraudulently fabricating DHFL’s books, siphoning off and misappropriating a large percentage of the funds, and failing to pay their debts.
Characteristics of banking fraud
The following traits of BCA banking fraud are present:
1. Pretending to be a BCA representative
Fraudsters frequently pose as BCA officials to make their actions seem credible. They accomplish this in a variety of ways, such as by setting up phony social media accounts that closely resemble the official BCA accounts or by dialing from a number that closely resembles the BCA’s. They will pose as a BCA representative or a customer service representative. Because of this, we must always verify that the source of the information is an authorized BCA account or contact. Never blindly believe those acting suspiciously who identify as BCA officials.
2. Psychological trickery (Social Engineering)
Social engineering is a technique used by con artists to mentally persuade their targets into obeying orders. Typically, the con artists will convince their victims to act in accordance with the instructions, including clicking on a link that requests private information. Creating fear is one such instance. When suspicious transactions are conducted on the victim’s accounts, the fraudsters will inform the victim, making them unresponsive. They will then seize the opportunity to offer assistance and coerce them into disclosing private information.
Another instance is when con artists promise their victims a gift. The scammers typically promote BCA special programs with enticing incentives like discount vouchers, awards, cash back, promotions, etc. to further entice the public. In this approach, victims frequently fall for the ruse, at which point fraudsters demand private information in order to access their victims’ accounts.
3. Obtaining Private Data for Accounts and ATM Cards
Fraudsters typically commit crimes to seize control of bank accounts, steal the money, and carry out illicit transactions without the account owner’s knowledge. To carry out these actions, they require the victim’s banking details. As a result, you should be suspicious of anyone who requests sensitive financial information from you, including ATM card numbers, PINs, OTP codes, CVV/CVC, KeyBCA Appli 1 & 2, etc.
How criminals in India take advantage of SMS forwarding apps to swindle bank customers
Phishing sites are being used in a new phishing attempt that targets Indian banking customers in order to gather victims’ banking passwords and other personally identifiable information (PII). An Android SMS forwarding malware is also downloaded to their handsets after the details are taken. This finding was made by CloudSEK’s Threat Research and Information Analytics, which also found other domains utilizing the same template.
When victims access malicious websites through some means, typically social engineering, the phishing attempt begins. Attackers may send an SMS that appears to be from a bank or other service provider while actually being a link to the website. Usually, they evoke a sense of urgency to prevent consumers from pausing to consider their options before clicking the link. The domains identified by the researchers pose as fake complaint portals.
A malicious customer support app called Customer Soppor Srvice.apk is downloaded to the user’s device once customers enter their sensitive banking information, such as card number, CVV number, and expiration date, on a fictitious complaint portal. Users are occasionally offered a phoney customer care ticket and instructed to download the app to follow the status of their grievances. The app requests two permissions, to send and to receive SMS, when it is installed.
After being installed, the malicious app is used to forward all incoming messages from the victims’ phones to the scammer’s servers. Because they didn’t want to raise suspicion or be discovered, the attackers avoided using Indian bank names or emblems. Neither the Google Play Store nor any other third-party application stores host the rogue software.
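A defender-side triage sketch for the behaviour described above, added here as an example and not taken from the CloudSEK research or the RBI material: it reads a decoded AndroidManifest.xml and flags the receive-plus-send SMS permission pattern of a forwarder. The manifests, package names and verdict labels are constructed for illustration; legitimate messaging apps also match, so a hit matters mainly for an app installed from outside an app store.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Channels a forwarder can use to pass messages on (SMS relay or network upload).
SMS_EXFIL = {"android.permission.SEND_SMS", "android.permission.INTERNET"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a "support" app that asks to receive and send SMS.
SUSPICIOUS_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.support">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an app with network access but no SMS access.
BENIGN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return SMS-forwarding findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Broadcast receivers that are woken for every incoming SMS.
    receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if SMS_RECEIVED in actions:
            receivers.append(receiver.get(ANDROID_NS + "name"))
    can_read = sorted(perms & SMS_READ)
    can_exfil = sorted(perms & SMS_EXFIL)
    if can_read and can_exfil and receivers:
        verdict = "high"      # reads each SMS as it arrives and can pass it on
    elif can_read and can_exfil:
        verdict = "review"    # can read SMS and has an outbound channel
    else:
        verdict = "low"
    return {"package": root.get("package"), "sms_read_permissions": can_read,
            "exfil_permissions": can_exfil, "sms_receivers": receivers,
            "verdict": verdict}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(sample))
```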
Types of banking frauds in India
The COVID-19-induced lockdowns have greatly increased the adoption of digital payment alternatives. Customers benefit from digital payments since they simplify financial transactions. However, it also gave con artists more opportunities to exploit gaps in the law and deceive consumers in novel ways. The Reserve Bank of India has published a brochure to educate banking customers about frauds involving digital payments. The pamphlet describes how these con artists operate and what security measures customers should take.
1. How do phishing scams operate?
False websites, such as those for banks, e-commerce sites, search engines, and other services, are built by scammers to look legitimate. Scammers use a range of channels, such as SMS, social media, email, and instant messaging, to disseminate links to these websites. Many users click on links without first verifying the Uniform Resource Locator (URL) and enter security data such as a password, one-time password (OTP), personal identification number (PIN), and other information. Scammers then gather and use this information.
2. How does vishing operate?
When calling or approaching clients in person, over the phone, or on social media, imposters may pose as bankers, corporate executives, insurance agents, government officials, or other people. To gain trust, imposters reveal a few consumer facts, such as the customer’s name or birthdate. Imposters may use a sense of urgency or an emergency to trick or coerce customers into disclosing private information, such as passwords, one-time passwords (OTPs), PINs, and card verification values (CVVs), by, among other things, claiming that they must stop an unauthorized transaction, pay a fee to avoid a fine, or offer an alluring discount. These credentials are then exploited to defraud customers.
3. Scams via online marketplaces
On online marketplaces, con artists adopt the personas of buyers and claim to want to acquire the products from the vendor(s). To win people’s trust, several scam artists pretend to be defense personnel stationed in far-off places. Rather than paying the merchant, they use the Unified Payments Interface (UPI) app’s “request money” option and demand that the seller input their UPI PIN to confirm the request. Every time the seller enters the PIN, money is transferred to the fraudster’s account.
4. Frauds involving unreliable or unconfirmed mobile apps
The RBI states that con artists circulate specific URLs for software, disguised as existing programs from reputable app stores, via SMS, email, social media, Instant Messenger, etc. Scammers trick the customer into clicking on these links in order to get unfamiliar or unverified apps downloaded onto the customer’s mobile device, laptop, desktop, etc. Once the malicious app has been downloaded, the con artist has full control over the customer’s device. This access includes private information saved on the device, as well as messages or OTPs that were received before or during the installation of such apps.
5. ATM card fraud
Criminals who wish to steal information from customers’ cards place skimming devices in ATMs. According to the RBI, fraudsters may even install a dummy keypad or a tiny, cunningly hidden pinhole camera to steal the ATM PIN. On rare occasions, con artists posing as adjacent customers can obtain a user’s PIN when they enter it into an ATM machine. Then, using this information, a duplicate card is created and a withdrawal is made.
6. Remote access and screen sharing fraud
According to the RBI, this fraud begins when customers are tricked into downloading a screen-sharing app. Using such an app, fraudsters can monitor or take control of a customer’s smartphone or laptop, allowing them access to the customer’s financial information. Fraudsters can then make payments or execute unauthorized fund transfers via the customer’s online banking or payment apps.
7. SIM cloning or SIM swap
According to the RBI, in situations like SIM swap or SIM cloning, fraudsters may gain access to the customer’s Subscriber Identity Module (SIM) card or obtain a duplicate SIM card (including electronic SIM) for the registered mobile number connected to the customer’s bank account.
The OTP obtained on such a duplicate SIM is used by fraudsters to conduct unauthorised activities. Fraudsters typically obtain personal information from customers by impersonating phone or mobile network employees and asking for information in the name of incentives like “free SIM card upgrade from 3G to 4G” or “extra perks on the SIM card.”
8. Frauds through search engine results that compromise credentials
Search engines are used by customers to locate the phone number for their bank, insurance provider, Aadhaar update center, and other organizations. Scammers frequently alter these contact listings on search engines so that they appear to belong to the appropriate company. Customers may then call the illegitimate, unreliable numbers listed as bank or firm contact information on search engines. When customers call these phone numbers, fraudsters ask for their card details to confirm their identity. According to the RBI manual, customers become prey to frauds when they reveal their security details believing the scammer to be a legitimate RE agent.
9. Fraud via QR code scan
RBI claims that scammers routinely call consumers and use a variety of gimmicks to convince them to utilize their phones’ apps to scan Quick Response (QR) codes. By scanning these QR codes, customers could unintentionally give the scammers permission to withdraw money from their accounts.
10. Fake accounts on social media
Because so many individuals use social media and frequently update their information, it is simple for scammers to obtain information to defraud users. The RBI brochure states that fraudsters construct bogus profiles utilising information about users of social media sites like Facebook, Instagram, Twitter, etc. Then, scammers get in touch with the individuals’ acquaintances and request cash for things like payments and unexpected medical costs. Fraudsters can also approach users and gain their trust over time by providing them with bogus information. When users reveal sensitive or personal information, scammers utilize that information to threaten or blackmail users into paying money.
Banking fraud via messaging apps has become a significant threat in the digital age. Fraudsters exploit the convenience and reach of messaging platforms to deceive unsuspecting victims, often resulting in financial losses and compromised personal information. Here’s a comprehensive look at this issue:
1. Types of Message App Banking Fraud
a. Phishing:
- Description: Phishing involves fraudsters sending messages that appear to be from legitimate banks or financial institutions.
- Tactics: These messages often contain links to fake websites or attachments designed to capture personal and financial information.
- Impact: Victims unknowingly provide sensitive information, leading to unauthorized transactions and identity theft.
b. Vishing (Voice Phishing):
- Description: This involves receiving calls or voice messages from fraudsters pretending to be bank representatives.
- Tactics: The caller may ask for account verification details or claim there’s an urgent issue needing immediate attention.
- Impact: Providing the requested information can result in unauthorized access to bank accounts.
c. Smishing (SMS Phishing):
- Description: Smishing uses SMS text messages to lure victims into providing personal information.
- Tactics: The messages might include links to fake websites, prompts to call a phone number, or instructions to reply with sensitive information.
- Impact: Similar to phishing and vishing, it leads to unauthorized access and financial loss.
d. Malware Distribution:
- Description: Fraudsters may send messages with links or attachments containing malware.
- Tactics: When a user clicks on the link or downloads the attachment, the malware installs on their device.
- Impact: The malware can log keystrokes, steal login credentials, and access banking apps, leading to account compromise.
2. Common Techniques Used by Fraudsters
a. Spoofing:
- Description: Spoofing involves creating fake caller IDs or email addresses to appear as legitimate entities.
- Purpose: This tactic is used to gain the trust of the victim.
- Outcome: Increases the likelihood of the victim sharing sensitive information.
b. Social Engineering:
- Description: Social engineering manipulates individuals into divulging confidential information.
- Method: Fraudsters may create a sense of urgency or fear, such as claiming that the victim’s bank account has been compromised.
- Result: Victims act quickly and without caution, often leading to disclosure of sensitive data.
c. Use of Authentic-looking Websites and Apps:
- Description: Fraudsters create websites and apps that mimic legitimate banking sites and applications.
- Design: These fake platforms are designed to capture login credentials and other personal information.
- Consequence: Victims believe they are interacting with their bank, resulting in compromised accounts.
3. Preventative Measures and Best Practices
a. Verification of Messages:
- Action: Always verify the authenticity of messages received from banks or financial institutions.
- Method: Contact the bank directly using official contact details provided on their website.
b. Awareness and Education:
- Action: Stay informed about common fraud tactics and warning signs.
- Resources: Use resources provided by banks and cybersecurity organizations.
c. Use of Secure Communication Channels:
- Action: Avoid sharing sensitive information over unsecured channels.
- Tools: Use official banking apps and websites for transactions and communications.
d. Regular Account Monitoring:
- Action: Frequently monitor bank account statements and transaction history.
- Purpose: Detect unauthorized transactions early to minimize potential losses.
e. Multi-factor Authentication (MFA):
- Action: Enable MFA for all banking and financial accounts.
- Benefit: Adds an extra layer of security, making it harder for fraudsters to gain access.
f. Updated Security Software:
- Action: Keep devices and security software up to date.
- Purpose: Protect against the latest malware and cyber threats.
4. Response to Suspected Fraud
a. Immediate Reporting:
- Action: Report any suspicious messages or transactions to your bank immediately.
- Benefit: Allows the bank to take swift action to secure your account.
b. Account Freezing:
- Action: Request the bank to temporarily freeze your account if you suspect it’s compromised.
- Purpose: Prevents further unauthorized transactions.
c. Legal and Cybersecurity Assistance:
- Action: Seek help from legal authorities and cybersecurity experts if you fall victim to fraud.
- Support: They can assist in recovering lost funds and securing your information.
d. Reviewing Security Practices:
- Action: Regularly review and update your security practices.
- Reason: Ensures that you are protected against evolving fraud tactics.
Frequently Asked Questions
Scammers frequently utilize text scams, also referred to as “smishing,” to obtain people’s personal information. Scammers stole more than $10 billion from victims in one year alone by sending out 87.8 billion spam text messages. If you have received suspicious texts, avoid responding to them, clicking on their links, or dialing any numbers they contain.
Such a text could be from a con artist attempting to obtain your money and personal information. How to respond to and report unsolicited text messages is provided below.
Guidelines For Reporting Spam Text Messages
- Copy the message, then send it to 7726 (SPAM).
- Use your messaging app to report it.
- Visit ReportFraud.ftc.gov to report it to the FTC.
A push message is typically a mobile marketing message or an alert of a transaction that occurs in the customer’s bank account, such as a sizable cash withdrawal from an ATM, a sizable credit card payment, etc.
Smishing is when thieves use text messages to pretend to be a reputable company and take your personal information, including your Social Security number, usernames and passwords for online accounts, bank account details, and credit card data.
By launching the Messaging app and selecting the three dots in the top-right corner of the screen on Android, you can also halt spam SMS. Scroll down to the “Enable Spam Protection” setting in the following menu and turn it on.