CERT-In warns of scammers trying to use a novel phishing attack for fraudulent transactions
Multiple customers of the State Bank of India in the city have lost money from their accounts in suspected phishing attacks over the past two days.
While one customer has filed a complaint with the city cyber cell of having lost ₹65,000, another customer complained that he lost ₹40,000. In Thalassery, ₹38,000 was withdrawn from a customer’s bank account, with the method used in all of them bearing striking similarities.
R. Pradeep Kumar, one of the complainants, who works as a system administrator in an eye hospital, said that he lost the money despite never sharing any OTP number or using an ATM to withdraw money in recent times.
“I have been unable to access the SBI Yono online application for the past two days. Since part of a loan amount for house construction got transferred to my account two days ago, I have been trying to check the balance. At around 2 p.m. on Saturday, I received several OTP messages in my phone, which was followed by a message showing that ₹20,000 was withdrawn. I soon called up the customer care to block the card, but by that time, the person had withdrawn a total of ₹65,000. From checks I conducted, I came to know that the money was withdrawn somewhere from Jharkand,” says Mr. Kumar.
He says it is mysterious that someone was able to withdraw that much amount of money from an account when there are daily withdrawal limits.
K. Jibin, the second complainant, who works at the Secretariat, says he was also unable to access the online application and had received a message asking him to update the KYC details immediately if he did not want his account to be blocked.
“I logged in to the link provided, which looked exactly like the SBI website, and provided my PAN number as asked. Within minutes, I got a message that ₹20,000 was withdrawn. By the time I called up and blocked the card, ₹20,000 more was withdrawn,” said Mr. Jibin.
A customer from Thalassery, who lost ₹38,000, also faced a phishing attack similar to Mr. Jibin’s, in which she received a link and provided her PAN number. Mr. Kumar says that more people, who may not be tracking the messages related to their accounts regularly, could have lost money in a similar manner. SBI officials were not available for comment.
The Indian Computer Emergency Response Team (CERT-In), the federal technology arm to combat cyber attacks, had recently warned that scammers were targeting banking customers in India using a novel phishing attack to collect sensitive information such as internet banking credentials, mobile number, and OTP, to carry out fraudulent transactions.
The malicious actors have abused a cross platform application to host phishing websites impersonating internet banking portals of Indian banks, according to the advisory issued by CERT-In last month.