A couple months back, I received a phone call from a man claiming to represent my bank. He menacingly asked me to share my debit card details so he could stop my account from being blocked. I panicked for a few seconds, then asked him some probing questions. The caller hung up the phone.

A call to my bank about the security of my account did not provide very reassuring answers. Though my questions saved my account from the fraudster’s prying eyes, not everyone is so lucky. Indian banking customers have lost $1.8 billion to voice phishing alone.

A Challenging Year for the Indian Banking Sector

2016 was full of surprises for the Indian banking sector. Indian banks were hit by a massive financial data breach in which over 3.2 million debit cards were compromised. Banks reacted by blocking millions of debit cards and advising customers to change their ATM personal identification numbers (PINs).

If that wasn’t enough, fraudsters stole $81 million from Bangladesh Bank using its employees’ SWIFT credentials, sending ripples across Asia. The Reserve Bank of India (RBI) reported nearly 12,000 cases of financial cybercrime to the Indian Parliament. But the actual number of attacks may be much higher since, according to experts, 80 percent of cybercrimes go unreported in India.

While the Indian banking sector was juggling with these cybersecurity challenges, the biggest shock knocked on every Indian’s door on the evening of Nov. 8, 2016, when the government demonetized 86 percent of bank notes in circulation to promote the digital transformation of the economy. In the immediate aftermath of the surprise announcement, digital transactions surged by over 300 percent. This made our digital money more vulnerable than ever to cybercriminals.

The Multifaceted Menace of Cybercrime

In terms of cybercrime, India is the third most targeted country in the world, and 58 percent of these attacks target the financial services sector. Attackers employ a variety of techniques to steal financial data from banks and individual consumers. Let’s take a look at some of the most prominent attack methods affecting Indian banking customers.


Phishing is the most common attack vector in India. In 2015, 8.3 percent of global phishing attacks occurred in the country. This technique involves stealing sensitive personal information (SPI) through emails by masquerading as a legitimate entity or familiar person.

Voice Phishing

Also called vishing, voice phishing is another cybercriminal trick widely used in India. In a voice phishing campaign, fraudsters place unsolicited calls to potential victims and attempt to extract credit card details, PINs, passwords and other SPI. Fake call centers that perpetuate these attacks are growing in volume and sophistication.

Social Engineering

India ranks second in cyberattacks conducted through social media. Social media scams increased by 156 percent in the country, with every sixth scam impacting an Indian. Social engineering attackers often use fake social media profiles to lure victims to volunteer SPI, which could be used to commit banking fraud.

Card Skimming

ACI Worldwide’s “2016 Global Consumer Card Fraud Survey” ranked India fifth in payment card fraud. According to the survey, 37 percent of respondents in India have experienced card fraud in the past five years.

Card skimming involves attaching a small hidden card reader to an ATM to copy data from the card’s magnetic strip. The scammer can later use this data to clone cards and withdraw money from compromised accounts.

Mobile Fraud

Mobile wallets became hugely popular in India after demonetization. One study predicted a 65 percent rise in mobile fraud in 2017 as a result of the change, especially since most mobile wallets have security loopholes that fraudsters exploit to siphon money.

Cybercriminals also produce fake versions of popular mobile wallet apps to dupe users. To add insult to injury, many mobile wallets are uninsured, so users are often liable for lost money.

Point-of-Sale Malware

Cybercriminals commonly target point-of-sale (POS) terminals at retail outlets to steal payment card information by introducing malware. The POS malware intercepts the unencrypted payment data and sends it out to the attacker’s server. India is becoming a top target for POS malware due to the massive surge in the use of payment cards.

Securing Indian Banks

Several high-profile attacks against major financial institutions sent shock waves through the Indian banking sector. In June 2016, the RBI issued comprehensive guidance to help Indian banks implement a cybersecurity framework. The guidance outlined security measures banks should take to fight against cyberthreats and protect their customers. In August 2016, RBI issued a draft notification to ensure zero liability for customers if financial fraud is reported within three days.

Though demonetization heightened the focus on cybersecurity in India, there is still a lot of ground to cover. Banks and mobile wallet companies need to prioritize cybersecurity and implement well-defined processes to help customers easily recover stolen money. Currently, mobile wallet companies are hardly regulated, which leaves customers vulnerable. Recently several major Indian banks announced their intent to buy cyber insurance coverage to help protect their businesses and customers from cyber threats.

Proactively Protect Your Money

The rate of conviction in Indian cybercrime cases is low because of weaknesses in the Information Technology Act 2000. The legal process is also notoriously slow. Though many Indian banks claim to protect customer accounts, it’s not easy to recover stolen money from a bank after a breach. It’s better to exercise caution and follow online security best practices:

  • Use a strong password, change it often and never use it across multiple sites.
  • Check with your bank to determine whether your account is insured against internet fraud.
  • Monitor your account regularly and notify the bank of any unusual activity as early as possible.
  • Update your computer’s operating system and software and protect it with a good security solution.
  • Do not open suspicious emails or attachments, and do not share your SPI with strangers.
  • Exercise caution when clicking on social media links and do not post your SPI on social media.
  • Never access online banking from a public computer or over a public Wi-Fi.
  • Withdraw money from ATMs located in secure areas and use your card only with trustworthy merchants.

If your account is compromised, report it immediately to your bank and the local police. Swift action can help you minimize the damage and bring the cybercriminals to justice.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Banking & Finance

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…