Kartik Bhat, a resident of Shivneri Nath Pai Nagar in Mumbai was browsing his phone on February 26 when he received an SMS claiming to be from HDFC bank. The message said his account would be suspended if he didn't update his KYC information using a link provided in the message.
It was Sunday and Bhat was due to pay his son's college fees the next day. Fearing that his account may be blocked which could delay the payment, he hastily clicked on the link. It landed him on a webpage that looked like HDFC bank’s online banking log-in page.
Bhat proceeded to enter all his account information— his account number, net banking password, mobile number, as well as his PAN and Aadhar details. Within minutes, his entire account balance was wiped out.
“Money transferred INR 15,975 from HDFC Bank account number to account number ****3920,” an SMS sent from the bank to Bhat read.
Bhat was a victim of a phishing scam.
Over the past week, many HDFC bank customers have fallen victim to this exact same scam. They have all received fraudulent text messages containing links that claim to update their KYC and PAN details. In Mumbai alone, more than 40 cases of money fraud have been reported in a week including a popular TV actor, Sweta Menon, NDTV reported.
Once a customer clicks on the link, it takes them to a webpage that asks for account details. If the customer adds in those details, they get an OTP. Once the OTP is entered on the site, the fraudsters sweep away the money in the bank account. The phishing website has a different URL than HDFC's official website. The URL of phishing website was -- https://rb.gy/nhbb9g while HDFC's URL is https://www.hdfcbank.com
Menon told media that she learned about the scam only after she lost some thousand rupees after filling details in the website that looked like an HDFC one. "I entered two OTPs after clicking the link. One was about PAN OTP and other was KYC. Immediately I received two money transfer notifications and I realized that it was a scam," she told TOI.
How The HDFC Phishing Scam Works
Phishing is a cybercrime in which fraudsters create replicas of official websites and then a target is contacted by email, SMS, or telephone to lure them into providing their personal information like banking information, card details, and password.
In the parliament session in August 2022, the government informed parliament that over 9 lakh incidents of phishing and vishing were reported in India between 2020-22.
Bhat was also asked to share all these details. And while he was filling it out, a beneficiary account was added to his account by sending him SMS that reads, “You have added/modified a beneficiary Kyc update to HDFC bank netbanking, for online transfer funds through NEFT/RTGS/IMPS.”
The page next asked him to enter the OTP that he was texted. “I entered the OTP without realizing it was about money, all my money got debited,” he told BOOM.
Bhat blames the bank for facing this fraud. A few days ago, he had gone to the branch to get his KYC updated. However, due to some technical glitch, the confirmation remained pending. “I would not have clicked the link if I would have been updated by the bank. I lost my money because of it,” he said.
The KYC process is mandatory for bank customers to verify their identity and in recent years, fraud KYC cyber cases have witnessed a significant rise. Cyber cells record new cases of online fraud every day and try to solve them and recover money. In some cases, the criminals are tracked and the money is also recovered. In many instances, victims never get their money back.
Speaking to BOOM, Shubham Singh, a cyber security expert who works closely with government investigation agencies said phishing scams are very prevalent in India because it is very easy to create any kind of fake website which will look similar to any official website. He said there are so many default grids available online to do so.
“Cyber scammers use social engineering to manipulate people, especially in festival seasons by sending messages like KYC pending, offers, shopping sites, etc and all those links are phishing pages to get credentials of users,” he explained.
Singh said cyber crimes are rising on a daily basis, and the law enforcement department is providing technical training to tackle them. “The main problem is that cybercriminals target people from different states because they know it's difficult for police to catch them by visiting their states,” he explained.
What Are The Officials Doing?
A senior official from HDFC bank, who wished to remain anonymous, said that they are unaware of how the fraudsters are operating the HDFC mirror website to deceive customers and extract money.
“It is impossible to add anyone as a beneficiary before a period of thirty minutes and we have no idea how they are operating this mirror website. Instant money can only be deducted from a customer's account if they make an e-commerce transaction,” he said.
Bhat reported his loss to the nearby Pant nagar police station and also informed his bank about the fraudulent transaction he had experienced.
Madhu Chibber, the head of corporate communication at HDFC bank, told BOOM that the bank has been constantly advising its customers to be cautious of such fraudulent messages. She added that the bank never asks for any OTP or personal details from its customers, and its website is secure and cannot be breached. She further explained that these phishing websites only work if the customers themselves willingly share their personal information.
To raise awareness among its customers, HDFC bank has established a team who shares videos and other information online to keep customers informed about such frauds. “We are working closely with government security agencies and have an internal security team that works with law enforcement to address such issues,” she said.
Chibber explained that the fraudsters don’t target customers of HDFC bank only but other banks as well.
According to Bhat, “When I checked where the amount was transferred, it showed that your money had been transferred to IDFC bank Kolkata branch VIP Road. It was a savings account. I tried to verify the name of the account holder but I couldn't get more details.”
BOOM contacted the Pant nagar police station in Mumbai regarding Bhat's complaint. The Station House Officer said, “We have forwarded the complaint to Rudrapur's cyber cell and they are investigating the matter.”