State Bank of India, one of India's largest state lenders, is warning its users about a certain WhatsApp message that might trick them into sharing sensitive account details.
In a post on Twitter, the bank warned customers about receiving fake messages asking them to share sensitive financial credentials.
"The Bank is aware of certain messages being circulated/forwarded via WhatsApp and social media, to the effect that our esteemed customers are getting messages advising about an OTP (One-Time Password) in respect of a transaction not purported to have been originated by the miscreant," the SBI notice read.
An App Diverts OTP to Scammer’s Phone
The New Indian Express reported exactly how the fraudsters dupe SBI customers via WhatsApp:
It is said that the scammers call the victims and convince them to upgrade their debit/credit card. Once they agree to upgrade, they are asked for their card number, CVV number and the expiry date of the card – all information that makes an online transaction possible.
Thereafter, the scammers send a link via SMS or WhatsApp and customers are asked to click on the link to complete the upgrade.
The link installs a malicious app in the background, without the victim’s knowledge – this app diverts all the OTPs to the scammer’s phone.
Once the app is downloaded on the user's phone, the "upgradation" process is complete.
With all the details of the customer's card and access to the OTPs that the bank usually sends to the customer's phone, the scammer is able to make transactions at will.
In its warning on Twitter, SBI said that nobody can access an account without the successful validation of the two-factor authentication. However, sending an OTP to the customer's phone number is exactly what that two-factor authentication is: verification via the phone number. If The New Indian Express report is accurate, the scammers have bypassed the two-factor authentication by having the OTPs diverted to their own phone.
The bank further warned that customers should not share their details with anyone on the phone.
It further advised people to call a toll-free number (mentioned in the SBI post) in case of any suspected fraudulent activity.
It is appalling that, even after all the warnings from banks and well-wishers alike that a bank would never ask for card details over the phone, fraudsters are still able to dupe customers so easily.
(With inputs from The New Indian Express)