Let's Build a Responsible Cyber Society



What to Do when you receive a Phishing Mail?

Phishing has become so common that every Bank customer needs to set up his own defense mechanism against Phishing. Naavi has been taking several steps to assist Phishing victims in taking up complaints. He is also taking steps to create awareness amongst the public about Phishing risks, as well as awareness amongst Bankers on how they should improve their security measures.

As a part of this endeavour to create an "Anti Phishing Action Force" and empower the Netizens to defend against Phishing, Naavi has introduced two new services under Cyber Evidence Archival Center which may be of interest to Netizens. The details are given below....


"Phishing" is one of the most disconcerting Cyber Crimes affecting the Indian Banking fraternity at present. On the one hand, Banks are pushing ahead with the introduction of technology, and Internet Banking has now become a standard service for all Savings Bank customers. "Mobile Banking" is the next technology advancement which is taking root.

While Banks are interested in using technology for business promotion, they have not been equally keen on investing in better security. As a result, every technology advancement brings in its wake a new series of Cyber Fraud risks, which makes Indian Banking weaker than ever before.

Despite our best efforts, "Phishing" will remain a major threat for Bank customers in the near future. In two of the recent Phishing cases that Naavi.org came across, it was found that the victims were ex-Bankers themselves. What this indicated was that even persons whom we expect to be knowledgeable about Banking risks are potential victims of Phishing. The challenge to make every Bank customer aware of the Phishing risk is therefore daunting. However, there is no option but to continue our efforts in this direction.

There have been several articles on "Phishing" published in Naavi.org earlier including the legal aspects and technical aspects. The current Phishing Awareness series of articles is another attempt to fight the Phishing menace.

I refer to the earlier article on "How To Recognize a Phishing Mail". This article tries to discuss what an ordinary Netizen may do when he receives such a mail to mitigate any harmful effects of such a mail.

In case the mail refers to a Bank in which you do not have an account, the risk is less. However, even in that case it is better to consider the "Trojan Risk" indicated below. If, however, you do have an account in the same Bank, then you have to consider the risk of "Employee Fraud" as explained below and immediately take some preventive steps. In case the account is jointly operated, ensure that the other users are also informed of the Phishing mail so that they do not fall victim to it.

Trojan Risk

After recognizing that a mail is a Phishing mail, the first risk that needs to be countered is the possibility of a virus or a key-logger trojan being planted in the user's computer. One can examine the attachments, if any, and the source code of the mail to identify whether any self-executing virus is present. It would be better to run an anti-virus scan immediately on the mail folder, delete cache files and, at the earliest, scan the computer. The user should also check that his anti-virus is updated and is one of the top three anti-virus products in the market. Websites such as http://anti-virus-software-review.toptenreviews.com/v2/ carry reviews of anti-virus products. If you intend using your computer for online banking, it is imperative that you invest in installing good anti-virus protection on the system.

Employee Fraud Risk

In case you hold an account in the Bank to which the Phishing mail refers, then you should consider that the risks are high and immediate action is called for.

It is presumed that if you are reading this article, you would not be one of those who will respond to the Phishing e-mail. Hence we can presume that there is no risk of direct disclosure.

However, it is considered possible that some insiders in the Bank who acquire the passwords of customers through other means may use the fact of your receiving the Phishing e-mail as strong evidence to claim that you must have answered the mail and disclosed the account details, even if you have not. Normally, immediately after a Phishing complaint, the Bank will ask the customer a routine question: whether they had received any mail purportedly from the Bank asking them to respond with their password. An honest customer who has received the mail will obviously say "Yes.. but I have not responded". The Bank will still contend that "Our security is perfect. You only should have disclosed the password negligently." Thereafter, it will be your word against that of the Bank, and a long legal battle to recover your lost money.

In order to meet this "Employee Fraud Risk", Naavi suggests the following routine and has introduced a service under CEAC (www.ceac.in). This service, called CEAC-ITN, can be used for all identity theft instances, including Phishing. An extended service called CEAC-VPN is also offered, which again can be used for Phishing or any other instance where a Netizen needs to provide a public disclaimer notice at low cost.

The suggested routine is as follows:

1. Send an e-mail to your Bank in the format suggested below with copy to cean.naavi@gmail.com

From: ............ (Name)

Account Number: ....................., Branch.....................

I hereby give notice that I have received the enclosed e-mail which I suspect to be an attempt to deceive me into parting with my password for my Internet Banking access.

The mail was received on ................ at ..................... (time)

I hereby give notice that I have not responded to the mail and shall not be responsible for any unauthorized withdrawals from my account attributed to this phishing attempt.

This notice is being archived with CEAC for records.

This will not only be helpful to prove your innocence later but also protect other innocent victims. This is because your mail will be considered as a notice to the Bank under Section 79 of ITA 2008 and if the Bank does not take appropriate remedial steps, expose them to liabilities under Section 79/85 of ITA 2008.

2. In case necessary, strengthen your defense by

(a) Obtaining a certified copy of your mail from CEAC or

(b) Using the E Mail forwarding service of CEAC.

(c) Using the CEAC-VPN service by placing a notice on the website.
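As an added example (not part of this article and not code from CEAC), the following Python script performs the two checks the article asks for on a saved copy of the suspect mail: it lists the attachments and flags those that are executable programs (the "Trojan Risk" above), and it extracts the sender, the received date and a SHA-256 hash of the raw message, which are the facts the notice to the Bank requires and which make the archived copy verifiable later. The sample mail, addresses and extension list are constructed for this example.

```python
import email
import hashlib
import os
from email import policy

# Constructed sample of a phishing-style mail with an executable attachment (made up for this example).
SAMPLE_EML = b"""From: "Bank Alerts" <alerts@example-bank.invalid>
To: customer@example.invalid
Date: Fri, 01 Oct 2010 10:15:00 +0530
Subject: Urgent: verify your Internet Banking password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please reply with your password to keep your account active.
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQgUEFZTE9BRA==
--b1--
"""

# Extensions that run as programs on a typical desktop; an attachment with one of these
# (or a double extension such as .pdf.exe) should be scanned by anti-virus, never opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".jar"}

def analyse_mail(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        attachments.append({
            "filename": name,
            "risky": ext in RISKY_EXTENSIONS,
            # Hash of the decoded attachment so the file can be identified later.
            "sha256": hashlib.sha256(part.get_payload(decode=True)).hexdigest(),
        })
    return {
        # Hash of the complete raw mail: record it when archiving the copy.
        "sha256": hashlib.sha256(raw).hexdigest(),
        "from": str(msg["From"]),
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),
        "attachments": attachments,
    }
```

Run `analyse_mail(open("suspect.eml", "rb").read())` on the mail saved from your client in raw (.eml) form; the returned date and hash are the values to quote in the notice and to keep with the archived copy.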

In case you find that your account has been debited without authorisation, file a complaint first with the Bank and then at the nearest Police Station. Ensure that your complaint to the Police names the Bank as the first accused. Take professional assistance for drafting the complaint if required.

After filing the Police complaint and taking an acknowledgement, file an "Adjudication Application" for recovery in consultation with experts.

Beware of wasting time in approaching alternative forums, though there have been instances of

a) Bank making payment of the defrauded amount without contest. (Eg: Dwarak Ethiraj Vs ICICI Bank)

b) Banking Ombudsman ordering return of money with interest (N.Vidyashankar Vs Bank of India)

c) Consumer Court ordering payment of compensation (Nikhil Futan Vs HDFC Bank)

Readers may recall that in S. Umashankar Vs ICICI Bank, adjudicator of Tamil Nadu has given a well reasoned judgment which would be helpful in fighting any other case of similar nature.

For any other clarification, contact Naavi through e-mail.



October 1 2010

Related Articles:

"How To Recognize a Phishing Mail".

Landmark Judgement in Phishing Case

Award against ICICI Bank-Comments Answered

Another Verdict Goes against Bank in Phishing Case

Beware of Tab-Napping.. A Variant of Phishing

Bank Absorbs Phishing Liability

Organizational Responsibilities for Fraud Prevention

Open Letter to Chairman IBA

The Hindu Business Line : 'phish' goes your money


Comments are Welcome at naavi@vsnl.com