If you are banking online, it's time to be more careful.
The Surat police arrested a person from Mumbai's western suburbs on February 8 for cleaning out Rs 12 lakh from at least eight HDFC Bank accounts of customers in Maharashtra, Uttar Pradesh and Karnataka over the past year.
A Surat police officer, requesting anonymity, said on Monday that Jitesh Kishan Gavit did this by phishing — an online method of fraudulently acquiring user names, passwords and credit card details by masquerading as a trustworthy entity.
Versova resident DP Vashisth, for instance, was confounded to find last month that Rs 20,000 had been deducted from his account. It was transferred to one Paresh Dhaduk's account in Surat by netbanking. The police said Gavit used to transfer money to the account of Paresh, who has withdrawn Rs 79,000 so far. The police officer said clues in the case point to several more accounts being similarly hacked and drained.
The officer said Gavit had revealed during the investigation that he was part of a phisher syndicate based in Singapore.
Phishing accounts for losses of US $3.2 billion globally. In December 2007, HDFC had issued its customers an alert asking them to adopt safe banking procedures.
"The bank has brought this to the knowledge of the police. They are investigating the case. We are helping them in every manner possible. It will be inappropriate for me to comment on the extent of the damage right now," said Neeraj Jha, corporate communications head for HDFC Bank. "Prima facie it seems to be a phishing attack. But it does not happen unless one gives out one's account details. A customer should not share account details even with a bank employee."
Fraudsters send requests through e-mails, advertisements on genuine recruitment websites, SMS, newspaper advertisements and even social networking websites.
"These requests would ask you to confirm, update or verify your bank account data. The victim is led to a mirror website where account details are captured by the phishers," the officer said.
The police are also trying to ascertain if Gavit was a money mule who operated from Singapore or a phisher himself. A money mule receives the illegal funds into his account, withdraws them and sends them to the fraudster after keeping his commission.
According to the Indian Computer Emergency Response Team (CERT), phishing attacks have increased from 335 in 2006 to 392 in 2007. Twenty-four per cent of these attacks have been on financial institutions.