Phish And Chips!

Ruzbeh Raja is an Information Technology Consultant with over 20 years of experience in the IT industry. He is also a Visiting Professor of Law in the University of Mumbai. In keeping with increasing cyber-crime incidents, Parsi Times presents a series on Cyber Security Awareness for your online safety and benefit.


What is Phishing?

Phishing is the art of scamming someone, usually by pretending to be someone else. The scammer impersonates a trusted person or claims to be from a trusted organization, like a Bank or Electric Company, etc. Phishing can be done through phone calls or SMS or email or even through the postal service. With the widespread use of computers, mobile phones and the internet, it has become easier to impersonate people and fake their identity.

There has been an increasing number of victims of Phishing scams, who have lost lots of money, with their bank accounts getting wiped out. When people are distracted or concentrating on some other work or worried about some problem, they tend to lower their guard and fall prey to Phishing scams. In the chain of computer usage, human beings are the weakest link. The weakness lies in the human mind and also in the way we have been schooled and brought up. We regularly teach children not to talk to or accept food from strangers, and yet we easily give out important personal information to various unknown mobile Apps and services, which we use daily.

The following are answers to a few pertinent queries for you to be better informed about such scams:

Query: A senior person once said that she received a phone call from a scammer and just in that one call, their entire bank account worth lakhs of Rupees was emptied. Is that possible?

It is extremely unlikely that their bank account was emptied with just a phone call. Only in very high-profile attacks (like the Pegasus spying case), and in Hollywood movies, do such things happen. Most likely, your friend is not telling you the whole story. They have left out the part where they shared their ATM PIN number or Net Banking Password or such other details with the attacker. In India, it is not possible to transfer more than Rs.5,000/- without multiple safety measures. These safety measures are called Factors of Authentication and in India you require at least 2 Factors of Authentication to withdraw more than Rs.5,000/-. (see below)

Query: Is Internet Banking and Phone Banking safe in India? Should I disable my Debit Card?

Many people wrongly believe that Indian Banks do not have adequate safety measures for customers and that is why there are so many cyber frauds and phishing scams. That is not true. The Indian banking system is one of the safest and most efficient banking systems in the world and has numerous safeguards to prevent cyber-fraud and phishing.

To withdraw or transfer more than Rs.5,000/- in a single transaction in India, you need to have a combination of at least 2 out of these options:

| Column A: Something you KNOW | Column B: Something you HAVE | Column C: Something you ARE | Column D: Environment Info. |
| --- | --- | --- | --- |
| Password | One-Time Password | Finger Print | IP Address |
| PIN Number | Debit Card | Retina Scan | Screen size |
| Passphrase | Credit Card | Face Recognition | Location/ GPS Coordinates |
| Pattern | 3-Digit CVV Number (behind Debit/ Credit Card) | Photograph | Browser Version |
| | Verification Call from Bank | | Operating System Verification |


To withdraw money from an ATM, you require a Debit Card (Column B) + PIN Number (Column A). Sometimes you require a Debit Card (Column B) + PIN Number (Column A) + OTP (Column B).

At the Petrol Pump, you require a Debit Card (Column B) + PIN Number (Column A).

For Online Transactions through Net Banking, you require Password (Column A) + Transaction Password (Column A) + OTP (Column B).

For Mobile Banking App Transactions, you require App Password (Column A) or Fingerprint (Column C) + UPI PIN (Column A) + OTP (Column B).

Some Net Banking Apps work only if you’re located in India, by tracking your Location (Column D). Even if someone enters the correct password, to do any transaction, you get a Verification Call from your Bank (Column B).

Query: Even after so many safeguards, how come we hear of so many cyber frauds and scams on a regular basis?

The victims of cyber fraud are usually targeted by threatening them with some dire consequences or playing upon their emotions. In the next article, we will see some classic examples of how these frauds take place and what could have been done to avoid such scams from the perspective of the victims.


Query: Which laws punish Phishing in India?

The Indian Penal Code 1860 deals with Cheating and Impersonation. The Information Technology Act 2000 has specific sections which deal with Cheating by Impersonation using a computer. Persons found guilty under section 66D shall be punished with imprisonment for a term which may extend to three years and shall also be liable to a fine which may extend to one lakh Rupees. Although there are also some provisions for recovery of your money in Phishing scams, it is difficult to do so if the victim has shared their PIN or Password with the attacker.

Other Terms:

SMishing: When you receive an SMS from someone pretending to be the Electricity Company or Loan provider or your bank. It is Phishing done through SMS.

Vishing: When a scammer uses their Voice for Phishing, either through a phone call or by fooling any security system which uses Voice Recognition Technology.

Spear Phishing: Just as tribal people use Spears to catch fish in lakes and rivers, scammers pick out a single high-profile target, like the CEO of a bank, Founder of a large company, Ministry Official or Military Personnel. They continuously target these people using different methods to extract confidential information or take over their computers to do some greater harm.
