Alarmed by the increase in phishing SMS messages asking ‘customers’ to update their permanent account number (PAN) through a short URL or link, HDFC Bank recently clarified that it never sends messages to its customers through an individual number and always uses SMS headers like HDFCBK or HDFCBN. While SMS link fraud is not new, what is worrying is that many persons who are not even customers of the Bank ostensibly receiving the message and opening links. At Moneylife, we have repeatedly said that opening such links can have serious implications for the user. She may end up sharing personal information, including bank details and lose money to fraudsters.
A few months ago, the police arrested some criminals responsible for the ‘pending electricity bill’ fraud. Yet, many mobile phone subscribers continue to receive such fraudulent messages. A retired senior bank official was just about to get duped by these fraudsters when she contacted us to complain about the erratic response from the electricity provider. On further probe, we realised it was an electricity bill fraud and requested the banker to block the numbers immediately.
What should you do to protect yourself from being duped by these fraudsters? First and foremost, what every mobile subscriber needs to understand is that genuine or authentic SMS messages from banks or service providers usually contain a sender ID (consisting of their short name) instead of the phone number of the sender. So, if you receive any SMS from a number asking you to share or update any of your know-your-customer (KYC) information like sharing photo ID, Aadhaar, PAN and email ID, simply delete the message.
Never click on the link in such an SMS.
In a few cases, fraudsters have even used SMS headers that appear legitimate. Such SMS headers are registered with and assigned by a mobile operator; so if you receive a fraudulent message with such headers, you can report it to the concerned telecom company and the Telecom Regulatory Authority of India (TRAI). Details of each SMS header are available on the TRAI website. Here is the link https://smsheader.trai.gov.in/
Other than checking the sender’s number or SMS header, you can also be misled by fraudsters using short URLs in the messages. Sometimes, banks use short URLs, but again, unless you have initiated the transaction, do not open the link. Short URLs are basically a mini version of longish URLs. For example, here is the original URL of an article from Moneylife, https://moneylife.in/article/prateek-gupta-the-big-indian-defaulter-behind-a-500-million-international-commodities-fraud/70001.html. Now, if you want to send or share the article on social media like Twitter or through SMS, where there is a limit on word count, you need to shorten this long URL into something that would fit in the word limit. Using a free URL shortener service, this can be shortened to tinyurl.com/ycxe6r8r.
Cybercriminals use URL shorteners to reduce the link’s word count and hide the original link. And since the original URL is hidden, people end up opening the link assuming that it, indeed, belongs to their bank or service-provider.
In most cases, when you click on the link, malware gets installed on your mobile device (Android), providing access to all information on your device to the criminal gangs. In a few cases, the screen-sharing app may also be installed on the victim’s device. Once the fraudsters have access to your device, they can easily use the information to rob you.
Suspicious apps that may get installed on your mobile could contain remote access trojans (RAT) and device-sharing apps like AnyDesk, which help fraudsters access the device and the entire data. Since the RAT and device-sharing apps remain hidden, the user will never know about their existence.
RAT and the device-sharing apps show the entire activity of the device to the fraudsters in real-time. They can read all your messages, access the entire gallery and even call recordings.
In these cases, the strict rule is never to open any shortened links. In the rarest case, if you want to open the link out of curiosity, visit wheregoes.com or checkshorturl.com. Both websites offer a free tool that tracks the short URL to its destination.
Remember, your bank or any registered financial institutution never sends any SMS nor makes any call from a mobile number. All financial institutions are mandated to use specific SMS headers registered with the telecom operator.
For example, VM-SBIINB is a registered and authorised SMS header of State Bank of India (SBI). However, the Bank may use other SMS headers while retaining its identity ‘SBI’ in the header like BV-SBIPSG, VM-SBIPSG, BZ-CBSSBI.
The typical format and structure of the header with prefixes are as below:
XY – ABCDEF, where X denotes telecom service-provider (TSP); Y denotes licence service area (LSA) and ABCDEF is a header assigned to the principal entity or registrant. (Read: Finally, TRAI Shares Names of Telemarketers and Their Codes!)
Lastly, your bank has all the KYC details you submitted while opening the account. So, it will not ask you to selectively share or update only PAN details. If needed, your bank will ask you to update your entire KYC details by visiting your home branch.
How Not To Become a Victim
• Do NOT click on any link, especially the short URL, shared by anyone via SMS/email.
• Do NOT download any app other than from the authorised app stores (Google Play store).
• Use a good quality anti-virus (several free apps provide good protection) for protection from viruses, malware, ransomware and remote access.