1) Satyendra Sharma
Senior Manager (IT), Cyber Crime Monitoring Cell, Fraud Risk Management Division, Head Office, Punjab National Bank, New Delhi, India
2) Prof. Triveni Singh IPS
Superintendent of Police, Cyber Crime, Uttar Pradesh Police, Lucknow, India
Abstract- Vishing is a major concern in the banking sector around the globe. Vishing is a cyber crime committed over the phone in which fraudsters dupe bank customers and steal their money through online banking. Information about every sector, including banking, is easily accessible through Google search. Although cyber criminals have long used vishing to dupe bank customers, they are now using a new technique to commit this type of cyber fraud. Cyber criminals use Google search to find the bank branches/merchants/payment intermediaries they want to target and update the listing with their fake mobile number after logging in to a Gmail account. When a banking or online shopping problem arises, bank customers contact the concerned bank branch/merchant/payment intermediary on the fake mobile number obtained through Google search, and the fraudster obtains the customer's secret financial information through vishing and commits cyber fraud. Vishing is rising day by day, and the main cause is bank customers' lack of awareness of basic banking cyber security. Without awareness of basic banking cyber security, bank customers cannot protect the money in their bank accounts if they use any type of online transaction facility.
Vishing is a type of cyber crime in which cyber criminals use social engineering over the phone line to steal the secret financial and sensitive personal information of bank customers. Vishing is the combination of Voice and Phishing, meaning phishing carried out by voice over the telephone. Voice over Internet Protocol (VoIP) is also used for vishing. Moreover, fraudsters use fake caller IDs to make calls appear to come from trusted sources.
In the vishing technique, the visher calls bank customers, claims to be from the bank and demands their secret banking information on the pretext of resolving their issues. In this way he fraudulently obtains credit card/debit card numbers, CVV, card expiry date, bank account number, PIN, online banking user ID, password, OTP etc. for making online transactions.
Voice + Phishing = Vishing; the telephone version of phishing. In this scenario, you receive a phone call from a criminal posing as an authentic business or agency in an attempt to fool you into providing personal information. A five-minute identity theft. Vishing can occur via voice email, VoIP (Voice over IP), landline or cell phone. These criminals are hard to track down as they have even spoofed caller ID numbers to hide their identities. So while it “looks” like you’re getting a call from your bank, you aren’t. Be sure to verify who you are talking to on the other end, never provide personal or payment information over the phone if you are unsure, and don’t be afraid to tell them you’ll call back after you validate the proper number for the business.
Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone. The victim is told to call a specific telephone number and provide information to “verify identity” or to “verify KYC”.
Phishing is a technique for obtaining personal and secret banking details from bank customers by deceptive means. In phishing, cyber criminals send a website link to people through email in order to steal their sensitive personal and secret banking information. When bank customers click on the phishing link, a web page opens which demands the customer's banking details, such as credit card/debit card number, personal identification number (PIN), card expiry date, card verification value (CVV), mobile number, online banking user ID and password etc.
II MODUS OPERANDI
The article is based on an analysis of Google search and of various cyber crime cases registered in cyber crime cells across Indian territory and cases reported in various banks across India. Google search is the key focus area of this article. Cyber criminals update the name and mobile number shown in Google search by logging in to their Gmail account. When a bank customer searches for the contact number of the concerned bank branch/merchant/payment intermediary to make an enquiry or resolve a problem, he calls the fake mobile number that has been updated by the fraudsters. Consequently, the cyber criminal fraudulently obtains sensitive financial and secret information from the bank customer over the phone line on the pretext of resolving the problem, and dupes the customer by debiting his bank account.
Banks/merchants/payment intermediaries always provide genuine contact numbers on their respective websites so that customers can easily find those numbers and communicate with them in case of any related issue. But because they are unaware of scams such as phishing and vishing, bank customers are easily duped by cyber criminals.
Contact details of bank branches/merchants/payment intermediaries located in different cities of India were analysed using Google search, and it was found that suspected mobile numbers had been updated by fraudsters, after logging in to their Gmail accounts, in order to dupe bank customers. An update is not possible without logging in to a Gmail account, and any Gmail account holder can easily update the details at any time. On the basis of this type of Google search, many bank customers across India have been duped by fraudsters.
The modus operandi is as follows:
- Cyber criminals use Google search at www.google.co.in to find the bank branches/merchants/payment intermediaries they want to target.
- Thereafter, they click on the link ‘Suggest an edit’, select ‘Change name or other details’, log in using a Gmail account and update the listing with their mobile number in order to commit the fraud.
- When bank customers search for the contact number of bank branches at www.google.co.in, the fraudster’s mobile number is displayed in Google search.
- When customers call that fake mobile number with any query or issue related to their bank transactions/online shopping, the fraudster asks for the customer's sensitive personal and financial information, such as debit card/credit card number, expiry date, CVV, OTP, internet banking credentials, UPI PIN etc., in order to commit cyber fraud through various types of digital payment technology.
- In various cases, the fraudster sends the victim a link to a Google Form to fill in and submit, in which the fraudster demands the debit card/credit card number, expiry date, CVV, internet banking credentials, UPI PIN etc.
- When the victim submits the aforesaid details through the Google Form, the fraudster asks the victim to install a remote access app such as AnyDesk, TeamViewer QuickSupport etc. on his mobile phone and to share the device ID/ID number.
- Once the fraudster has access to the victim's mobile phone, he starts making electronic transactions using the credentials the victim provided through the Google Form. As the mobile phone is remotely accessed by the fraudster, he easily gets the OTP for completing the transactions and immediately deletes such OTP messages so that the victim is not able to see the debit transaction SMS.
III SUGGESTIONS TO PREVENT VISHING CYBER FRAUD
- Never share your sensitive financial details such as debit card/credit card number, expiry date, CVV, ATM PIN, OTP, UPI PIN, online banking ID and password with anyone.
- Never install remote access apps such as AnyDesk, TeamViewer QuickSupport etc. on your mobile phone.
- Do not forward any SMS/message from your mobile phone at the request of an unknown caller.
- Do not click on any suspicious link.
- Do not submit debit/credit card details and other banking credentials through a Google Form.
- The Government, with the help of banks, should educate bank customers so that they can protect themselves from this type of cyber crime.
- Banks should implement a risk-based score for all types of financial transactions, and each transaction should be monitored automatically without manual intervention. This will help to mitigate banking cyber fraud.
- On the basis of the risk score, suspicious transactions should not be processed without the consent of the customer.
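The last two suggestions can be sketched as follows. This is an added example, not code from the article or from any bank: the signal names, weights, threshold and sample transactions are assumptions chosen to mirror the modus operandi described above (remote access app on the phone, payment to a new beneficiary, online channels).

```python
from dataclasses import dataclass

# Weights and threshold are illustrative assumptions, not the article's values.
WEIGHTS = {
    "remote_access_app_active": 40,  # AnyDesk/TeamViewer QuickSupport session on the device
    "new_beneficiary": 20,           # payee never paid before by this customer
    "card_not_present": 10,          # CNP, internet banking or UPI channel
    "amount_above_usual": 20,        # more than 3x the customer's usual maximum debit
    "rapid_repeat": 15,              # 3 or more debits within the last 10 minutes
}
HOLD_THRESHOLD = 50


@dataclass
class Txn:
    txn_id: str
    amount: float
    usual_max: float                 # customer's usual maximum debit (hypothetical field)
    channel: str                     # "UPI", "CNP", "NETBANKING", "ATM", "BRANCH"
    new_beneficiary: bool
    remote_access_app_active: bool
    debits_last_10_min: int


def risk_score(t: Txn) -> tuple[int, list[str]]:
    """Return (score, reasons) for one transaction, computed without manual review."""
    signals = {
        "remote_access_app_active": t.remote_access_app_active,
        "new_beneficiary": t.new_beneficiary,
        "card_not_present": t.channel in {"UPI", "CNP", "NETBANKING"},
        "amount_above_usual": t.amount > 3 * t.usual_max,
        "rapid_repeat": t.debits_last_10_min >= 3,
    }
    reasons = [name for name, hit in signals.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(t: Txn) -> str:
    """Suspicious transactions are held until the customer consents."""
    score, _ = risk_score(t)
    return "HOLD_FOR_CUSTOMER_CONSENT" if score >= HOLD_THRESHOLD else "PROCESS"


# Constructed sample transactions (not real data).
SAMPLES = [
    Txn("T1", 1200.0, 5000.0, "UPI", False, False, 0),
    Txn("T2", 49000.0, 5000.0, "UPI", True, True, 4),
    Txn("T3", 800.0, 5000.0, "ATM", False, False, 1),
]
```

Because a fraudster with remote access can read and delete OTP messages on the victim's phone, the consent step for a held transaction should use a channel other than an SMS to that device.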
Banking cyber crimes are increasing day by day across the world. Cyber criminals are using a variety of technologies to commit banking cyber fraud, and vishing plays an important role for fraudsters. Banks are also strengthening electronic banking security, but compared with the different types of modus operandi used by cyber criminals, banking cyber security is not strong enough. This is the reality.
At present, cyber criminals are using a new type of vishing technique to dupe bank customers, for which they use Google search as a tool. Many complaints have been reported to banks across India, and many complaints have been registered in the cyber crime cells of various state police forces. Using this technique, many bank customers have been duped by cyber criminals through card-not-present transactions, internet banking, mobile banking and also through unified payment interface (UPI) transactions.
Consequently, a huge number of bank customers suffer from vishing-type cyber fraud on a regular basis. Banks should make their electronic banking security stronger so that the money of bank customers is secure in their bank accounts. It is found that fraudsters are continuously adopting the vishing technique to commit banking cyber fraud.
To avoid this type of cyber crime, a customer education programme on banking cyber security awareness may be beneficial to customers who use any type of online banking transaction facility. As discussed in this article, a risk-based score for online transactions may help to mitigate banking cyber fraud.