A new fraud has emerged where the customer is led to install a third-party app, which provides access to the bank account.
A Bengaluru-based former bank official lost Rs 1 lakh after fraudsters gained access to his phone by getting him to download an app that allows for malicious access.
Narayan Hegde, a retired Syndicate Bank officer, was swindled after he installed the AnyDesk app. Hegde was an e-wallet user and needed help in restoring the app on his new phone. He called one of the numbers that showed up after an online search for the mobile wallet’s helpline.
The party at the other end directed Hegde to download the AnyDesk app and asked him to forward a hashed string text that he received. Soon after he did this, money was withdrawn from his account in a series of debits.
When he contacted his bank’s branch, he was informed that the money was transferred to an Aditya Birla Payments Bank account using the Unified Payments Interface (UPI) platform. While five transactions were made to withdraw Rs 1.24 lakh, the fraudsters were successful in debiting only Rs 1 lakh. However, Hegde received alerts for just two of the five transactions.
“Banks shouldn’t make their clients run around and should follow the RBI guidelines to pay up customers when they fall prey to such frauds. Even former bank employees are not spared,” said Prashant Mali, a cyber law expert and a Bombay high court lawyer. He added that the finance ministry should follow up with banks’ management teams for compliance with the RBI guidelines to compensate victims of such frauds.
Incidentally, two days after this incident, the RBI cautioned banks on the “new modus operandi to commit fraud in digital payments”. The banking regulator said that fraudsters were luring victims to download the AnyDesk app from the various app stores. Besides obtaining permissions from the users, it would generate a nine-digit code which, if shared, provided the fraudster with access to the victim’s mobile. The RBI noted that there are other apps similar to AnyDesk that provide remote access to devices. According to the RBI, this modus operandi can be used to carry out transactions through any mobile banking and payment-related apps, including UPI and e-wallets.
“While NPCI is continuously working towards enhancing the security of its products and services from such attacks, this type of fraud can be better prevented by consumer education. The entire ecosystem, including banks and fintech companies, has to work collectively towards creating awareness and educating customers to refrain from sharing their account/card credentials, OTP/PIN and/or giving access to their mobile handsets to unscrupulous persons through such remote screen-access apps,” said Bharat Panchal, head of risk management at NPCI. He added that the UPI platform is fully secure and is also enabled with two-factor authentication. Syndicate Bank did not respond to queries.