I never ever thought I could fall for an online scam given I am a deeply technical person with a PhD in Computer Science in Systems and I know how scams occur. But here I fell for one where Rs 49,999 were deducted from HDFC Bank account by a smishing (sms in which a link to a phishing (fake) website occurs to give your info such as KYC credentials) attack for KYC verification. Even though I fell for it due to some really bad contextual timing when it occurred in Sept 2022, I immediately realized I was under attack while the attack was ongoing and reported the matter in 10 minutes to launch an online complaint with HDFC bank nearby physically and then launched a cyber crime complaint immediately, and then got a letter from Police, however in around 2 weeks time, I was told by HDFC that they could not retrieve my money and since I happened to enter sensitive information in website (which is how scams occur always) bank is not liable on fund returns. Later on grievance filing in RBI (Reserve Bank of India - the regulator) I was given the same answer that since information was shared bank is not liable and I can not even appeal against such decisions further in RBI. In this blog post I bring to your notice how bad the accountability situation lies in case of such important aspects where thousands of people in India face such scams on a daily basis and how banks are given a free run from their responsibility due to broad clauses by the regulators such as RBI, which can even be misused by banks for their own benefit.
I live in Amsterdam, Netherlands. In Sept 2022 I was super tired in two days conference when I got a forward message from my mother in India asking to do a KYC for one of the accounts in HDFC that was not actively being used for a long time, but had some money. I even had done a pin re-activation for this same account just two weeks ago, and when I got this message, I thought its a legitimate message since the context was there, it had come from my mother and most important of all it was a really bad time where my mind was super tired with the 2 day conferene hangover and I thought I would just get rid of this KYC thing, because I also had done a similar KYC for another of my financial account in Europe a few weeks ago itself. So it was a lot contextual. I was so tired that day, my mental faculties were not working very clearly, so in the heat of the moment I clicked on the link and saw a HDFC looking website where I entered information for KYC verification. I always check the website URL for any such links, but that day unfortunately I did not even bother to check the URL of the website in the browser because the User interface matched HDFC quite well. After asking info for KYC verification, it generated a few OTPs that my mother passed on to me to enter in the site as well, and she just read the OTPs from the top menu on mobile notification without going in details of the message as she thought I must have checked every thing. It was a multi-stage attack where multiple questions were being asked and steps by steps things were in progress, but after I came to a question page where I realized the question it asked was some thing I had never ever entered I looked at the URL of the website and realized I was under a phishing attack. Mind you, the attackers were still not finished and the attack was planned to let me enter more information to generate more OTPs to withdraw money, but as soon as I realized, I realized I was scammed and asked my mother to immediately go to the bank and register a complaint and check the funds as I realized my account access was blocked by the attacker.
She was told Rs.49,999 was debited and sent to some SBICARDS at 1.10pm IST. I asked my mother to get the account blocked and register a complaint which she did with HDFC immediately. HDFC then asked me to register a cyber crime complaint and also register a FIR. When I tried logging in the Indian cyber crime portal I could not access it. I know from my past experiences many Indian government websites can be down due to bad web infrastructure, so after waiting for around 1 hour when I could not access it, my mother already had reached police station to understand the next steps and police there said I need to register a cyber crime complaint, and on telling them the website was not accessible and how it can be done, they said that's the next step. During the ongoing conversation I realized, the website is actually working in India as Police could access it in India, but it is apparently blocked outside India. I was like what on earth is this nonsense? A cyber crime can occur on any Indian around the world and it should be reported but here the website is blocked? A friend who is expert in security system later told me Indian government has blocked some key websites like this to prevent cyber attacks on them. I was blown away by such weird policies than fixing the security to prevent such attacks and preventing people from launching complaints on it by blocking it in the first place. I accessed the website through VPN and then launched an online complaint.
The Police in the town where my mother was located in the meantime shunned away from their responsibility of registering a FIR saying its not their jurisdictions etc and did lot of nonsense talk including there is no need of FIR and private banks can not ask for a FIR from police and he will not give it etc. My mother finally made them give a letter that she had come to register a complaint for such a crime. HDFC in the mean time was provided with all of these documents including cyber crime complaint, police letter and other details. All of this took place with in a few hours of the attack. The next morning my mother got a call from Cyber crime person who was investigating the case asking some questions who made me think if they actually are trained well enough to handle cyber crimes because by looking at the questions, it was quite evident the expertise was missing completely. Remember cyber crime and local police are two different entities and might not coordinate unless they want to including with banks etc. So there was a complete chaos of authorities who were responsible to track it. My mother even had a call from the fraudster person when the scam was ongoing who told himself to be a representative of HDFC during the attack so we had a mobile number to trace, and local police could have easily tracked it to open an investigation but India being India and police being police, the inspector on duty refused to even accept his responsibility and do anything. I was realizing how India has not changed in all these years in spite of all the shiny things one sees around and how the institutions of public are still mired with incompetency everywhere.
Now since I reported the matter in 10 minutes to HDFC and a complaint was registered within an hour with HDFC I expected the money to traced and refunded because digital transactions though they say money has been transferred takes time to complete always and what you see are only ledger entries in the two parties who are in transaction. Actual money transfer happens by the end of the day in a wholesome manner when accounts are settled or at least in a matter of many hours and not immediately as you might think. Money can be always traced by tracking the payment gateways, and since these transactions are digital it is expected that they can always be traced as long as they are occurring with in a country where local regulatory policies apply for digital footprints to be able to track them within a short span if a fraud is reported.
In the mean time I expected HDFC to question my mother by calling her about the incident during investigation but all she got was a phone call asking only one question that if she shared any OTP. She said she shared OTP with her son, which is myself who entered it in the KYC process that was provided and it was not shared with any one physically etc. HDFC did not ask any other question during investigation process that followed. While registering complaint my mother gave details already, but I expected the investigation from HDFC would raise more questions, but this was the only question.
In the meantime a shadow deposit of Rs 49,999 was done as per the RBI laws by HDFC to our account that was not visible in terms of actual money there, but just as a transaction. Later in a few days we got notification that the money can not be retrieved as HDFC tried contacting SBICARDS, where the transaction showed money went to, and since we shared sensitive information bank is not liable and the money can not be refunded and the shadow deposit was withdrawn. HDFC did not provide any other information in spite of multiple grievances that were raised afterwards seeking more information about what it actually did when the fraud was reported in such a fast manner and the money should be traceable if it acted fast enough.
What followed was a horrible bureaucracy of endless HDFC nonsense of opening grievances and closing them citing same reason without any answers from any one in the chain of hierarchy. Finally I opened a RBI grievance as RBI is the banking ombudsman in India raising complaint against HDFC asking HDFC the questions about how fast they tracked by money after reporting a fraud within 10 min. To my shock RBI forwarded my grievance again back to HDFC against which the complaint was made and HDFC again gave the same reply without giving any details and RBI closed the grievance citing the clause that the sensitive info was shared so bank is not liable and this decision is non-appealable.
I was blown away how bad this entire system was where a banking ombudsman is not questioning the bank about what it did with my complaint but is putting full blame on me without slightest questioning of how fast the bank tried recovering money, because of course if the bank tried contacting for recovery after a few days, the money can not be recovered. Saw some horrible behavior from RBI where it has a broad clause in the favor of banks completely not having any further ability to question banks in such cases, which I believe is giving a free run to many banks who can behave the way they want if a customer reports a fraud even in no time simply because banks can either work in their own times by which a lot of time might have already passed. In the worst case, banks might actually recover money but refuse to admit they recovered it and refund to the customer because they are protected by the RBI clause of liability lies with the account holder freeing banks completely from any accountability of whatsoever happens even if the customer reports a fraud immediately. RBI can not be questioned or complained against for such a bad policy further as I realized in this process as they tell you on your face on questioning them you can go to another forum like court to question us, but we wont change a thing since this is our clause.
In the mean time I hired a lawyer in Pune to send a legal notice to HDFC citing issues observed and demanding a refund. HDFC refuted charges and refused in its reply to the legal notice further even asking money from me for sending a legal notice to HDFC. So much arrogance.. My lawyer then said, the only option left is approach a consumer court to question HDFC because it wont otherwise tell anything because a new appeal in RBI was not possible as well and RBI was also not helping and it looked like HDFC wants to fight it further than just refunding the money which they can easily do because they have insurance on all accounts and Rs 49,999 was a really small amount as usually under 50k Rs amount are immediately refunded by banks in most of the cases.
Some important questions that triggered me in this case is.
1. What is the role of banks in tracking the transactions if a fraud is reported immediately after sharing sensitive information due to which a fraud has occurred because that is the way a fraud occurs as thousands people get links, and messages to get the sensitive information. That's the most common practice for a fraud.
Banks say they never ask for KYC, but just yesterday I got a mail from HDFC asking me to do a KYC again from their official email id. While banks during such frauds claim they do not ask for KYC and other info.
2. Digital transactions should be fully traceable from end to end if a fraud occurs and is reported within no time and there is always money in the system as it has not transferred yet, but it can be tracked only if the banks act swiftly and work hard on highest priority. Why RBI has no clause on the accountability of banks after a fraud has occurred and is reported in no time? Doesn't RBI feel responsible for the right policy when online scams are on rise and are only going to get more sophisticated as the current no liability and no question asked policy is only in bank's favor ?
3. If banks say digital transactions even if reported within no time can not be traced and recovered, who is at fault? A digital system comprises of multiple stakeholders that work on standard protocols that leaves digital foot prints all over the trace, and if banks can not trace it immediately on immediate reporting is there a fundamental flaw in the banking system where the protocols for digital footprint do not have enough information to trace such transactions to recover money by blocking it at different levels such as payment gateways, merchants etc. because it always takes many hours before a transaction actually passes in actual money exchange and before that window closes the transaction should always be traceable given its digital and technical nature where ledger entries are taking place as it goes through.
So if banks say they can't trace or recover is it because they did not act fast enough to trace / recover it or is it because they do not understand how it happened because they lack expertise to track / trace / recover it / or there is issue in the entire system at banks side where the employees responsible for this tracking are not fast enough due to beau acracy of the investigation processes set up in the banks that prevents them from a quick action?
4. Why RBI has no clauses on accountability of banks in such scenarios while it puts the entire onus on the account holder who is already scammed and no one likes to get scammed on purpose as its always a trap from the fraudster. So by not having appropriate clauses to hold banks accountable for their expedite processing of reporting is RBI favoring banks non-accountability and giving them a free hand? because you can not even complaint or appeal against RBI decision which is purely based on a single fact that the account holder shared sensitive information so he is at fault. But what happens after the reporting of fraud and why RBI can not have accountability for that process after a fraud is reported from banks perspective?
Lots of interesting questions in this case that have arrived here and have exposed the entire machinery of the relevant stakeholders who are hiding behind some one sides policies without any accountability or transparency to bring the confidence in Indian banking system and its highest regulator RBI.
Do you have any suggestions how this system can be improved further? Let me know by commenting here.