Since the beginning of the pandemic, Barak Valley has witnessed a sharp upsurge in cybercrimes with increasing incidents of banking frauds through phishing and spear phishing. The incident involving Debashish Aditya, a retired officer of SBI, reiterates the sophistication evinced by hackers and should raise multiple red flags with law enforcement agencies.
Mr. Aditya of Silchar had been reportedly having difficulty in paying his BSNL bills from the morning when he received a call from someone claiming to be from BSNL who asked him to pay a sum of 11 through a link which led the victim to a spoofed BSNL payment gateway on rechargecube.in. While the exact process remains shrouded in mystery, what is certain about the timeline is that after making the requisite payment, the hacker had locked him out of his net banking account and immediately thereafter, the hackers had transferred rupees 3.14 lakhs from his account to three different accounts as well as a PayTM account. Realising that he had been hacked Mr. Aditya immediately contacted the bank and filed an FIR with the police. It is not known if the payment link had a backdoor access that allowed the hackers to collect the net banking information or if Mr. Aditya actually shared his details on the phone call with the hackers. The victim had claimed that he felt hypnotised during the call which raises the spectre of the hacker groups using neuro linguistic cues to mesmerise the intended victims. The other question that needs to be answered is how the hackers knew about the victim having problems paying his BSNL bills online.
Sadly, the story does not end here. Three days later, the victim’s wife had logged into the net banking account only to discover that the hackers had, in a brazen display, siphoned off rupees 15.79 lakhs from the account by targeting the fixed deposits against which three overdraft accounts were created. Interestingly, this happened even after an FIR had been registered and the bank had been duly notified.
The incident has also raised question marks against RechargeCube, a fin tech firm which operates in the utility payment space like Mobikwik. While many have openly raised doubts on the credentials of the outfit due to multiple customer complaints, it seems bizarre that a company working under the ambit of RBI would be involved in a cybercrime. Also a trust score of 79 is high enough to say that the company is not a fake outfit. Having said that, an investigation into the mechanics of the hack has to be completed and shared with the public soon in order to exonerate or prosecute the payment site.
In this case, it would also be pertinent to bring in the RBI circular issued on 14 December 2017 that aimed to limit the customer’s liability. The circular fixed the maximum liability of the customer at rupees 25,000 in case the fraud is reported within 72 hours and is on account of third party acts of omission or commission. On the other hand, if the breach is due to the customer sharing account details, the complete liability will lie with the customer. But even here, the customer is liable till such time that he does not inform the bank post which the bank shall be liable. In this particular case, SBI is completely at fault for not restricting the victims net banking account which allowed the hackers to siphon off an additional rupees 15.79 lakhs and in an open and shut case, is responsible for reimbursing the amount to the victim.
The other worrisome trend that is emerging is the increased sophistication of the attacks. Phishing relies on the gullibility and greed of the targeted group. In order to achieve this, the hackers create an elaborate front with a website which resembles well known financial and utility firms and then diverts traffic to these websites through shared links and tries to capture bank data. Operating from Kolkata and Patna, most hacker groups have connections within the utility firms that help them get data on the targets. Mostly the people scammed were those who had meager knowledge of bank processes. But this was obviously not such a case as the victim was a retired banker and should have recognised the playbook. Also the victim claiming to have been hypnotised needs further investigation because if that were true in the least, then this would be the first such case and will open a Pandora’s Box.
Banks and other financial institutions need to double down on established procedures and build consumer awareness. This includes educating the public on never sharing bank data or clicking on unknown links. It is just so basic but yet we find so many people falling for the same scam again and again. And most importantly, RechargeCube has to be investigated as well as penalised for allowing a payment handle like bsnl.rechargecube.in. This happening without any internal oversight is a serious failing on part of the company and cannot be allowed to be repeated.