My parents are in their late 70s and early 80s. They proudly live an independent and active social life. One Saturday, late evening, my mother got an SMS asking her to complete her bank KYC by clicking on a link else her bank account will be blocked. Since they had issued a couple of cheques, she hurriedly clicked on the link and a real life Jamtara unfolded.
She immediately got a call from someone claiming to be from her bank and said he will extend all help to facilitate KYC updation. He informed her that he will “handhold” her as she follows simple steps. He enquired if she had AnyDesk on her mobile. Since she did not, he said he will “help” her install it. Having gained her confidence, he asked her to login and enter passwords on a website on his computer via AnyDesk, which had her bank’s look and feel. He had also informed her that she will get OTPs which she will need to share, and all will be done. She followed all instructions and the call got over within 15-20 minutes. My mom is an early to bed, early to rise type. Since she was exhausted by the call and it was already too late for her, she went off to sleep without even informing my dad about what had happened.
Next day, she felt very uncomfortable about the entire episode. She narrated the episode to me. Being into banking and financial services, I went into damage control mode. I checked her phone for SMS and my worst fears came true. I could see multiple OTPs, add beneficiary, followed by account debit SMSs. Within the 15-20 minutes he was on call with her, he had gained access to her bank accounts, added two beneficiaries and transferred Rs 1,00,000 from both my parents’ accounts — my mom’s customer ID is linked to my dad’s account to facilitate ease of operations.
I called the bank’s fraud alert contact centre and went through the drill to report the transaction. They requested us to report to the police cybercrime. I reported the crime through their website and received a complaint number. My parents then visited the cybercrime branch to lodge an FIR. They were directed to our local police station where an FIR was filed. On tracking, it was revealed that the recipient bank account had more fund transfers, with multiple withdrawals from ATMs. Lesson learnt, right? So, what to do in cases where you receive such calls or messages?
The don’ts
All official messages from banks or financial institutions always come with a header wherein the bank’s or financial institution’s name appears. Do not click on a link shared via an unauthorised number wherein the bank’s name or financial institutions’ name does not appear
Do NOT share OTP with anyone
DO NOT provide access to your device via AnyDesk or any other such remote access software
The dos
Besides driving a high decibel multimedia campaign, RBI has taken care to issue comprehensive directions to all banks on the redressal mechanism for customers. It has also laid down the roles and responsibilities for the banks as well as for customers.
In case of any financial fraud or breach of service I would suggest following steps:
1 Complete all the protocols viz reporting to your bank (number is always prominently displayed on all bank’s websites), report online on cybercrime website (https://cybercrime.gov.in/) or call 1930 within the golden hour — less than 30 min of the incident. This can help the bank trace the money trail and seek a freeze on the beneficiary’s accounts to prevent the money withdrawal.
2 File FIR at the earliest, at least within 24 hours. Take proactive steps to reach out to the bank’s Nodal officers to facilitate immediate action.
3 Check for any systemic deficiency on the part of the bank vis-a-vis regulations or industry practice.
4 In case of any deficiency, bring it up to the senior / top management and the regulator, persist and pursue the matter to its logical conclusion.
(Salil Datar is a senior banking and finance professional and has more than three decades of experience in banking, neobanking and cross border financial services)
