Monday, June 11, 2012

HDFC Bank Customers - Beware of the Latest Phishing Email

Yesterday I received an email from HDFC Bank (Or so I thought) that said that they have done some security upgrades and as a result I had to do something. I am usually suspicious of such emails and so the first thing I did was check the email id from which the email was sent and it said “Securedbanking@hdfc.com”. Wow, sounds legit as well right???

But, what the email said and what it wanted us to do made me slightly suspicious. Read on to find out how smart and intelligent hackers and spammers have become. The email was so legit that if I hadn’t been careful some moron hacker would’ve got my hdfc bank netbanking id, password and all other authentication information.

What the email looked like:



That looks perfectly legit right? The Logo, the email address etc??

Things that Raised Suspicion:

1. If the bank upgrades its security server, it does not mean that the security information entered by existing users will be lost. I work for a Bank and I know this for a fact. Whenever any upgrade happens on the bank’s side, none of the existing customer information can/will be lost or missed. Even in the remote probability that you are the one-among-the-billion bad luck guy whose information was lost, the bank will call you by phone and ask you to visit the branch to get it fixed. They will NEVER and I mean NEVER send such one-sided emails that ask you to update some info in some random website.
2. Why follow an attached email? Why not place details in the same email?
3. No Bank can suspend services to the customer unless and until there has been legitimate illegal activities on the bank account. Unless you are a smuggler or a drug dealer this “Account being Suspended” cannot be done without proper reasons. Even in such cases, a hard copy letter will be sent to the customer’s residence address with steps to follow which you must do by visiting the branch. Even in this internet-age where everything can be done via computers, banks still expect the customer to visit the branch for certain critical activities and “Our account being on the verge of Suspension” is one of them…
4. The Attachment was not a document or an email as claimed. It was a .html file.


Did I stop?


Of course not. Though I was suspicious, I thought this would be an opportunity to find out how smart hackers have become and most importantly to share such malicious emails with my beloved blog readers…

The Attachment Read as below: (Again with all legit HDFC Bank logo)

Dear Customer,
We are sorry for any inconvenience this may cause you. Please kindly click on “NetBanking Instant Update” below to update your account

NetBanking Instant Update

NOTE: You are strictly advised to match your information correctly to avoid service suspension.

Thank you for banking with us

Online Security Team
HDFC Bank


When I clicked on the link it took me to a page that looked exactly like the HDFC Bank’s net banking web-page. My first reaction was plain and simple “Freaking WOW!!!” see it to believe it…



Can you spot the difference??? The website reads srfeliu.es and not hdfcbank.com…

Ok… I did not stop here. I went ahead and entered 12345678 for the 8 digit customer id in this page. Guess what happened?

It took me to a page that looks exactly like the next page that comes up when you login to your hdfc bank account. To make things interesting the Customer Id field is now “Undefined”. An unsuspecting customer might think that this is because his account is suspended and quickly enter the password and hit continue… I knew this was a fake and so entered some random password and hit continue…



You wont believe what happened next. It took me to a page that asks me to enter my bank account number, my ATM card number, the PIN number, the expiry date and my phone number. All the info that is needed for someone to use your account information right??? I gladly entered some non-sense information in the website and clicked continue…

Remember – no bank will ask you to enter all this information in their website. They already have it. Think this way – if you were a bank and issued debit cards and bank accounts to customers, will you ask them to enter them again and again everytime there is some upgrade in your system? Most importantly why should I enter my ATM pin and card expiry date? All these are red-flags that you must think of before you enter any personal information in any website.



You will never believe what happened next… I was taken to a page with the same stupid URL but looked exactly like HDFC Banks home page, perfect with all those flashing animations on the home page that were added just a few weeks ago… see it to believe it.



Do you know the best part??? If I click on NetBanking and hit the login button in this page, it is taking me to actual HDFC Bank’s internet banking login website. I checked the URL of the page and it read “hdfcbank.com”. if I had entered my details in that page and logged in, the system would’ve let me login because after all it is the actual hdfc bank website and as a customer I would’ve been relieved that after I entered my details the system let me login. But the point here is, the hacker now has all the information he needs to drain our account of all the money we have…

I did not enter my details in that page. I cleared my browser cache and temporary internet files to ensure that even if this random URL had placed some cookies to track my browsing, they will be cleaned up.

If you receive any emails like this (irrespective of the bank you have an account with) please delete them immediately. Do not click on any of the links in the email. Unless you are extra careful & cautious, it is extremely easy for hackers to gain possession of valuable information that can prove extremely costly for us…

Things to check & do

1. NEVER click on links in such emails
2. ALWAYS type the website/URL of your bank in the browser yourself. Be it icicibank or hdfcbank or some tomdickandharrrybank. Make sure you enter it yourself
3. ALWAYS check if the website prefix is https and not http. If you check the URL in this hoax website it is http because getting a security certificate for a hoax website is not that easy. If the website is your banks legit internet banking website, it will have the https prefix
4. NEVER enter your personal information like bank account number, ATM card number, Credit Card number, card PIN numbers, CVV numbers, Expiry dates etc in any website that wants you to enter them for some random confirmation or verification. Even if it is a legit website, they will never ask for your ATM Pin number. Legit payment transaction websites ask for card number, cvv number and expiry date but that is perfectly legal and they will not mis-use the info you enter. So, be careful when you enter such information.
5. ALWAYS update your anti-virus signatures and definitions to ensure that malware and spyware will be caught & taken care of by the anti-virus software before they do any actual damage…

Last but not the least, forward the link to this article to all your friends and relatives who may or may not have an HDFC Bank account. They definitely need to know that such a spam email is doing rounds so that they can safeguard their hard earned money…

Take care!!!

5 comments:

  1. i too received the same Email. Unfortunately yesterday i'm busy other work or else ill be doing all this becoz a month ago i just opened an hdfc account.thank you so much for this information.

    ReplyDelete
    Replies
    1. I am glad that you were fortunate enough not to fall prey to such scams. :)

      well done

      Anand

      Delete
  2. I want to file a complaint against some members of HDFC :
    Mr. Hari OM (Manager),
    Mr. Deepak,
    Ms Priyanka.

    These people are very arrogant and not helpful at all. I request them to settle the bill amount but the response is too bad and they even don't have the correct address of my home. After providing the correct address they again putting someone else address.
    Now they are even not ready to speak in proper manner and not sending any executive to collect the amount.
    Ms Priyanka said to me that why dont you send your friend in their branch? I dont understand these type of conversation.
    And i dont know what the hell she is talking about.
    So many different peoples are calling me from HDFC from their personal contact number.
    I have even filed a complaint against them on their site as well as at Consumer Court site but so far no action has been taken on this case.

    ReplyDelete
  3. Hi Lavanya,
    I understand your frustration but unfortunately there is not much me or any of the blog readers can do about this. You have done the right thing and registered a complaint in the consumer court which is good. You can also try raising this problem with the banking ombudsman.

    Best wishes
    Anand

    ReplyDelete
  4. Anand,

    This is a very helpful post. Thanks for taking the trouble and going thru the pages (it's highly risky though), and let the people know about this scam.

    Thanks,
    Sayan

    ReplyDelete

© 2013 by www.anandvijayakumar.blogspot.com. All rights reserved. No part of this blog or its contents may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the Author.

Google+ Badge

Google+ Followers

Followers

Popular Posts

Important Disclaimer

All the contents of this blog are the Authors personal opinion only and are not endorsed by any Company. This website or Author does not provide stock recommendations. The purpose of this blog is to educate people about the financial industry and to share my opinion about the day to day happenings in the Indian and world economy. Contents described here are not a recommendation to buy or sell any stock or investment product. The Author does not have any vested interest in recommending or reviewing any Investment Product discussed in this Blog. Readers are requested to perform their own analysis and make investment decisions at their own personal judgement and the site or the author cannot be claimed liable for any losses incurred out of the same.