What is phishing?
Phishing is a general term for e-mails, text messages and websites fabricated by criminals and sent to customers. They are designed to look as if they come from well-known and trusted businesses, financial institutions and government agencies, with the intent of collecting personal, financial and other sensitive information. It is also known as brand spoofing. If you ever receive an e-mail that appears suspicious, do not reply to it or click on the link it provides; simply delete it. To report a suspicious e-mail that uses SBI’s name, write to us immediately at report.phishing@sbi.co.in. You can read more about Phishing here.
Be aware of the methodology of a ‘Phishing’ attack
- Phishing attacks use both social engineering and technical subterfuge to steal customers’ personal identity data and financial account credentials
- Customer receives a fraudulent e-mail seemingly from a legitimate Internet address
- The email invites the customer to click on a hyperlink provided in the mail
- Clicking on the hyperlink directs the customer to a fake website that looks similar to the genuine site
- Usually the e-mail will either promise a reward for compliance or warn of an impending penalty for non-compliance
- Customer is asked to update his personal information, such as passwords and credit card and bank account numbers etc.
- The customer provides personal details in good faith and clicks on the ‘submit’ button
- The customer then sees an error page
- The customer has fallen prey to the phishing attempt
Best practices to avoid Phishing attacks – Do’s and don’ts in sharing of personal information
Don’ts:
- Do not click on any link which has come through e-mail from an unexpected source. It may contain malicious code or could be an attempt to ‘Phish’.
- Do not provide any information on a page which might have come up as a pop-up window
- Never disclose via text message any personal information, including account numbers, passwords, or any combination of sensitive information that could be used fraudulently
- Never provide your password over the phone or in response to an unsolicited request over e-mail
- Always remember that information like your password, PIN, TIN, etc. is strictly confidential and is not known even to employees/service personnel of the Bank. You should therefore never divulge such information, even if asked for it.
Do’s:
- Always logon to a site by typing the proper URL in the address bar
- Give your user id and password only at the authenticated login page.
- Before providing your user id and password, please ensure that the URL of the login page starts with the text ‘https://’ and not ‘http://’. The ‘s’ stands for ‘secure’ and indicates that the Web page uses encryption.
- Please also look for the lock sign in the browser and the VeriSign certificate
- Provide your personal details over phone/Internet only if you have initiated a call or session and the counterpart has been duly authenticated by you
- Regularly update your computer protection with anti-virus software, spyware filters, e-mail filters and firewall programs
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate
- Please remember that the bank would never ask you to verify your account information through an e-mail
As a general rule, be suspicious of any unsolicited incoming communication or phone call asking for your personal or financial information, or asking you to update it on a site. Contact your Bank directly through the official channels available to verify the authenticity of such calls.
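The two URL checks the Do’s above ask a customer to make by eye (the page starts with ‘https://’, and the host is the bank’s own site rather than a look-alike) can also be expressed as a small check. This is an added example, not SBI’s code; the trusted domain `bank.example` is a constructed placeholder, since the bank’s real login host is not stated on this page.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed placeholder for the bank's genuine domain (assumption, not from the page).
TRUSTED_DOMAIN = "bank.example"


def check_login_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> List[str]:
    """Return the reasons a link fails the page's Do's checks; [] means it passes.

    Checks performed:
      1. the scheme is https (the page's 'starts with https://' rule);
      2. the host is the trusted domain or one of its subdomains, so a look-alike
         such as 'bank.example.attacker.example' or 'evil-bank.example' is flagged.
    """
    problems: List[str] = []
    parts = urlsplit(url.strip())

    scheme = parts.scheme.lower()
    if scheme != "https":
        problems.append(f"scheme is '{scheme or 'none'}', not 'https'")

    # hostname is lower-cased and stripped of any port by urlsplit.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        problems.append("no host found in the URL")
        return problems

    # Suffix test with a leading dot so 'evil-bank.example' does not match.
    if host != trusted_domain and not host.endswith("." + trusted_domain):
        problems.append(f"host '{host}' is not {trusted_domain} or a subdomain of it")
    return problems


if __name__ == "__main__":
    for link in ("https://online.bank.example/login",
                 "http://online.bank.example/login",
                 "https://bank.example.attacker.example/login",
                 "https://evil-bank.example/"):
        print(link, "->", check_login_url(link) or "OK")
```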
What to do if customers have accidentally revealed password/PIN:
If a customer feels that he has been phished, or has provided personal information where he should not have, he can take the following steps immediately to mitigate the damage:
- Please lock your user access immediately by clicking here
- Contact your bank/financial institution or credit card company
- Contact your local police
- Always report phishing to phishing@sbi.co.in
- Check your account statement and ensure that it is correct in every respect
- Report any erroneous entries to the bank
- Use the other compensatory controls provided by the bank, such as setting the limits for demand drafts and trusted third parties to zero, enabling high security, etc., to minimise the risk
Website links for further details: