Today is really a challenging day for me and, at the same time, a big lesson learnt. I have been holding an ICICI account for more than 5 years. I am very much satisfied with the ICICI banking system.
One fine day, on June 29th 2010, I was busy starting for my office when my calendar alerted me to a few action items for the day. I was completing those tasks and, in parallel, checking my emails. I received the below email from Customer.firstname.lastname@example.org, which is the exact customer care ID of ICICI bank.
I thought they needed some survey details and, seeing the from address (in a hurry), I just clicked on the link in the email, which directed me to another webpage that looked like the ICICI bank webpage. It asked for my Internet ID, Password, Card#, Grid#, Mobile# etc. I just entered all these details. When entering the Grid#, something struck my mind but I didn't bother. I also checked the URL (it looked like an ftp site), and I didn't feel it was a fake URL. I just submitted the information requested and left the office.
After a couple of days I received an SMS on my mobile stating that a new payee had been added, and that SMS had a URN (Unique Registration Number). As I was out of town, my sister saw the message, and within 1 hr of that SMS arriving she received a call on my mobile stating "We are from ICICI head office Mumbai and we have sent one URN please let us know the URN if you didn't say your online ID will be deactivated". As they mentioned head office and deactivation of the bank ID, she didn't stop to think what it was about and just gave the URN :(. When I called her casually she informed me of this, and I called the bank, then deleted the registered payee, changed my online passwords and applied for a new card, deactivating the existing card :(.
When I clicked on the same link which they had sent me on June 29th 2010, I was redirected to some European website :(. As everything happened in 1/2 hour, I didn't lose any money. Thank God!
I just posted this to make sure this doesn't happen to anyone. I also went through all my email IDs and changed my passwords for safety. Though I address many security issues at my workplace and advise people on security, in my hurry I missed some basic checks myself. We cannot raise a wall around ourselves against everything. People are always running behind us to break the wall.
I would like to thank ICICI bank for having many security measures in money transfers, like sending URN, Grid#, PIN verifications etc., which made some loop hold and strike us. But still, it's our responsibility to keep our credentials safe.
What happened to me is known as PHISHING: the act of sending email that falsely claims to be from a legitimate organization. This is usually combined with a threat or a request for information: for example, that an account will close, a balance is due, or information is missing from an account.
How to avoid such things?
- Never enter or share your credentials with anyone or anywhere, except by going directly to the bank's URL.
- Keep track of your account activity on an everyday basis, as it won't take more than 2-4 mins daily.
- If your mobile is handled by any of your family members, please ask them not to disclose any of your personal details, your current location or any SMS sent to your mobile.
- Try to use KeyScrambler-type add-ons to protect your keystrokes.
- Change your passwords every 45 days without fail.
- Keep track of your payee list at least once a week.