I have this instinctive tendency to fill out anything that is presented in official format. And I got on with it right away…
The e-mail looked authentic, and even carried the ICICI Bank logo; the message called for action, and I was close to getting conned online. They call it phishing – pronounced ‘fishing’. The idea is to fish for sensitive information from unsuspecting customers. The e-mail said my bank account information needed updating “…as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website”. The sender: firstname.lastname@example.org!
Do banks have such an entity on their staff? The so-called ICICI risk officer clothed his message in software mumbo-jumbo such as the bank was in the process of “updating 128-SSL Secured Server to 256-Encrypted SSL Secured Server”. The operative part was that I needed to fill out my online account user name and password; credit/debit card number, and transaction log-in code on a web page. It sounded very officious, and demanded compliance – “Failure to update your records will result in your account suspension”.
I have this instinctive tendency to fill out anything that is presented in official format. And I got on with it right away. But then I couldn’t lay my hands on my ATM pin. As I tried to recall where it was, I re-read the e-mail to ensure that I understood the bank’s requirement, just in case they wanted any other info that I should look for in my papers. That was when I noticed that the mail was addressed to Mysore Blog Park. For, by some trick in my settings, all MBP mail automatically finds its way to my Gmail Inbox. Which explains why I missed the recipient’s e-mail ID.
The point is MBP doesn’t have a bank account. Why, then, should the bank send such a mail? That was when the word ‘spam’ came to my mind. I had read about the online con, but hadn’t experienced it before. A closer look at the message strengthened my suspicion. The text of the e-mail message had a couple of grammatical errors. And then the mail was sent during a weekend. I know of no bank that would send such routine mail to customers on a Sunday.
When I brought this to the notice of a bank official the next morning, he recognised it as spam right away and promised to act on it. A few hours later, out of curiosity, I tried to access the website linked to the spam mail, to find a phishing alert from the browser. It read, “Internet Explorer has determined that this is a reported phishing site and such sites impersonate other sites and attempt to trick you into revealing personal or financial information”.
Subsequently, I got another mail, this time ostensibly from HDFC Bank, addressed to MBP, with similar grammatical errors. The message, however, was more creative. The e-mail said the bank’s online security team in recent weeks had observed, “Multiple logons on your internet banking account, from different blacklisted IP’s”. To enable the bank to put in place an extra verification procedure, the account holder was required to update your records on or before 48 hours.
The menace in the message was clear, though you may quibble over its phrasing. How does one update records ‘on’ 48 hours?
Read Comments (3)