Defining Vishing in Indian banks

955

The Indian banking industry especially the top private banks has kept pace with the use of technology in banking, matching the best of facilities that international banks offer. This includes providing top of the line Internet, phone banking and, of course, 24/7 customer care support. However, much like the many international banks, Indian banks have also been victims of organized crime like defrauding. There have been several instances of phishing”-wherein emails purportedly from your bank ask you to enter/update sensitive account information. With much awareness campaigns through media from the banks, the instances of phishing seem to have reduced, but the banking industry might be staring at another more sophisticated form of phishing, known as ‘Vhishing’, short for voice-based-phishing.

What is Vhishing

First, to understand vhishing, let’s go through the phone banking process. When you dial the phone banking number, you are put to an automated system backed by interactive voice response (IVR) technology. This is a technology that uses the data entered through the touch pad of telephones to interact with a database. There is a back-and-forth interaction between the database and the person entering the data and there is no human interaction involved except the user. The first step after dialing the number is to verify your identity. For this, the system asks for your ATM/debit card/credit card number and its corresponding PIN number. The numbers that you enter are matched against the banks’ database and if you have entered the correct numbers, you go ahead and select the feature you require, say, ‘cheque book request’ through further interaction with the system.

As an anti-fraud professional, I can tell you that every fraud involves an element of deceit, and plays on the confidence of the user. Vhishing exploits a customer’s confidence in the IVR system. With the help of VoIP technology, the scamsters setup similar automated systems with much the same messages and ‘flow’ of the recorded messages of the real bank’s automated systems. They may, though, introduce few more questions asking for sensitive information that a real bank may not.

There are two variations to this scam: either you are asked to call a specific number, or you get a phone call on your number. In case of the first variation, you get an email, again, purportedly from the bank with text like: “After three unsuccessful attempts to access your account, your online profile has been locked. This has been done to secure your accounts and to protect your private information. Please verify your account and your identity using our automated account verification number. Call our toll free number…and follow the instruction.” Further, they even play it up by advising you, “please don’t send any information through email as it is an insecure medium of communication”. On dialing the said number, you get the standard “Welcome to ABC Bank…”And, of course, by the end of the call, you have handed over your bank account to the scamster!
Vhishing is a serious threat not only to the customers, but also to consumer perception and confidence when it comes to using phone banking facilities

In the second variation, the customer gets a call on his phone number and a recorded message is played assuring him that the caller is from a bank and the call is to verify the identity of the customer. After this message, the customer is directed immediately to the automated voice response system.

This is a serious threat not only to the customers, but also to consumer perception and confidence when it comes to using phone banking facilities.

The Way Out

So, how do we deal with this? One easy way is to visit the bank’s ‘contact us’ page and verify the phone numbers. However, even this may not be fool proof as there are caller-ID spoofing devices that mask the real number and allow the scamster to display a fake number. So I will give you a simple tip: enter the wrong pin number when asked for. A genuine system would already have your PIN in the database, and would say incorrect PIN, but a fake one would not