Cyber Security - Personal Banking

We take all necessary measures to keep you and your information protected.

	Secure Platform: Strong authentication & authorization controls are implemented for all our digital banking applications for your secure access. We follow the ‘security by design’ approach to provide you secure access and protected platform to perform financial transactions.
	Session Layer Security: Secure channel of communication is implemented on all our banking services to prevent unauthorised interception of your activity on our digital platform. 256 bit encryption is implemented on all traffic to secure the transactions performed over internet. Customer's login session is logged out after some idle time to protect against misuse.
	Login Security: Captcha is implemented to prevent you from Brute Force Attacks/Botnet attacks. One Time Password (OTP) is sent to your Registered Mobile Number (RMN) as a 2nd Factor of Authentication (2FA) for login to Internet Banking (INB) application. Virtual Keyboard is provided for logging to your net banking in order to prevent from key logger attacks.
	Profile Security: Access to privileged pages for carrying out privileged activities such as Adding Beneficiary, changing user profile etc. is controlled through a Profile Password. Alerts are sent every time you access your profile section.
	Transfer Security: All NEFT/ RTGS transactions other than quick transfer are performed only after addition of beneficiary and within the transaction limit defined by you. Transfer to a newly added beneficiary can be performed after a cooling period of up to 4 hours.
	Notification: OTP is sent to RMN as a 2FA for transactions carried out through Internet Banking site/YONO. Text messages over Short Message Service (SMS) are sent for transactions carried out in the account through INB/YONO. All activities happening in your account are promptly notified to you through SMS or Email alerts.
	Mobile Security: SIM binding and device binding has been enabled on YONO and YONO Lite apps. Anti-tampering is implemented to prevent un-authorized changes to mobile apps.
	End To End Security: End to End encryption is implemented to keep your data confidential and invisible to everyone within the Bank as well. Your credentials are hashed and protected with industry standard encryption to maintain secrecy.
	Transaction Monitoring: Robust solutions, systems, and processes are deployed to monitor the safety of your accounts. Our security team is deployed 24/7 to monitor, analyse and detect any abnormal activity, indicating a potential breach, security incident or malicious attempts to the system.
	Customer Care: 24*7 customer services are provided to customers to raise any issues and get quick redressal.

To report any cyber incident, please email at report.phishing@sbi.co.in or call cyber crime helpline number 1930. For more information, visit https://cybercrime.gov.in/. 

Let us fight Cybercrime together and Stay #SafeWithSBI

Let us fight Cybercrime together and Stay #SafeWithSBI

Phishing

Phishing is a technique of fraudulently obtaining private information like login ID and Password, Debit / Credit Card details, PIN, Date of Birth, and Mobile Number etc. This is one of the most common type of social engineering attack. Most Phishing scams endeavour to:

• Obtain personal information such as names, bank account details (User ID, Password, OTP), PAN, Aadhaar etc. by using shortened or misleading link.
• Incorporate threats, fear, and a sense of urgency with phishing message/ email to manipulate the user into responding quickly.

Typical example of Phishing attacks:

• SBI customer ‘Mr. Arun’ receives an SMS from random number, stating that his Debit card will be blocked unless he updates his KYC details immediately by following the link given in the SMS for ex. hssp://8ef628b4602c.ngrok[.]io/sbibank.
• He instantly acted upon the SMS and clicked on the link to update his KYC.
• The webpage which appeared on clicking appeared to be an SBI website however, it was a fake website. Mr. Arun did not notice the error in the address bar (URL) of the fake website and failed to pay heed to the banks advisory on not clicking on links received from unknown sources and entered his INB credentials (Username and password) along with OTP to login into his INB account.
• The website redirected him to the next page where he also shared his mobile number and profile password.
• Arun’s entire sensitive information now got compromised which enabled the fraudster to execute transactions in his account.

Best practices to avoid Phishing attacks

• Do not click on unknown hyperlinks or mail attachments.
• Check the veracity or authenticity of the sender.
• Check the URL to confirm whether it is a legitimate website.
• Check for typos and grammatical errors in the body of the mail.
• Always remember, the bank never asks for your personal information.
• Be wary of tempting offers.

Watch to Know more

To report any cyber incident, please email at report.phishing@sbi.co.in or call cyber crime helpline number 1930. For more information, visit https://cybercrime.gov.in/. 

Let us fight Cybercrime together and Stay #SafeWithSBI

Vishing

Vishing is the voice form of Phishing where frauds take place over phone calls. It is an act of using telephone to trick the user into surrendering private information that will be used for fraudulent purposes. The scammer usually pretends to be from a legitimate entity and tries to befool the victim by luring or threatening him.

Typical Examples of Vishing attacks

• OTP/CVV Fraud - Criminals attempts to dupe bank customers into revealing OTP/CVV or read it by accessing their smartphone by inducing the customer to download remote access apps such as Quick support, AnyDesk, TeamViewer etc.
• Lottery Fraud - Fraudsters make a call stating that you have won a huge lottery. To receive the lottery money, you will be asked to submit your personal details by following a link leading to a fake website. You may also be asked to transfer some token money as acceptance of the offer. Once you submit your details and try to make payment through those websites, all your personal information and financial details are stolen.
• Income TAX Refund Fraud - Cyber criminals targets bank customers through phone calls luring them to receive Income Tax refunds and are thus fraudulently collecting customer’s sensitive personal details.
• KYC Fraud – Cyber criminals are calling customers asking them to click on a link to update their KYC details. Such calls come with a threat if the KYC is not updated, then the account will be blocked.

Best practices to avoid Vishing attacks:

• Always verify the caller’s identity.
• Do not install any unknown software in your smartphone/computer on the advice of strangers.
• Do not respond to unsolicited sales, marketing, or outreach messages.
• Do not share OTP, ATM PIN, CVV over the phone.
• SBI will never ask for your bank account details, Debit / Credit Card details, CVV number etc.

Watch to Know more

To report any cyber incident, please email at report.phishing@sbi.co.in or call cyber crime helpline number 1930. For more information, visit https://cybercrime.gov.in/. 

Let us fight Cybercrime together and Stay #SafeWithSBI

Smishing

Smishing uses cell phone text messages to lure users in a similar fashion like Phishing. They take the form of text messages that claim to be from legitimate entities and are often used in combination with other techniques to bypass inbuilt protections. They might also direct victims to malicious websites on their phones.

Typical Examples of Smishing Attacks

Best practices to follow to avoid Smishing attacks:

• Be suspicious of any text messages containing urgent request for personal or financial information.
• Do not share any sensitive information over text messages.
• Do not click on any links on the SMS.
• Please call the bank for help or refer to the information only on the official website of the bank.

Watch to Know more

To report any cyber incident, please email at report.phishing@sbi.co.in or call cyber crime helpline number 1930. For more information, visit https://cybercrime.gov.in/. 

Let us fight Cybercrime together and Stay #SafeWithSBI

Mobile Security

Smart Phone and app-based services are now being used increasingly to conduct banking transactions through your mobile devices. While this is extremely convenient, you need to follow the best practices mentioned below in the use of mobile phones while doing financial transactions.

Best Practices for Safe Usage of Mobile Phones:

• Strong passwords/biometric permission should be enabled on your phone.
• Keep your SIM card locked with a PIN to avoid misuse. In case of loss or theft of the mobile device; contact your service provider to block the SIM card immediately.
• Your bank account number or PIN should never be stored on the mobile phone.
• Get an anti-virus software installed on your mobile and keep it updated.
• Regularly monitor the permissions of critical apps installed in your mobile phones and keep a track of unnecessary and unused apps.
• Never use Banking apps on jailbroken or rooted devices.
• Avoid connecting phones to public wireless networks.
• Report the loss of your mobile phone to the bank to disable PIN and access to the bank’s account through Mobile Banking app.

Watch to Know more

To report any cyber incident, please email at report.phishing@sbi.co.in or call cyber crime helpline number 1930. For more information, visit https://cybercrime.gov.in/. 

Let us fight Cybercrime together and Stay #SafeWithSBI

Digital Arrest Scam

The National Cyber Crime Reporting Portal (NCRP) has recorded numerous complaints about scams involving cyber criminals posing as officials from Law enforcement Agencies. These scammers use intimidation, blackmail and “Digital House Arrests” to deceive victims.

Overview of the "Digital House Arrest" Scam:

This scam involves fraudsters impersonate Law Enforcement officials and falsely claim to investigate crimes, using digital tools and fake setups to intimidate victims into transferring money to avoid fabricated legal troubles.

How the Scam Works:

• Scammers use fake police stations and uniforms to appear authentic, making video calls through platforms like Skype, Telegram, or WhatsApp.
• They falsely claim to have discovered illegal items, such as drugs or fake passports, in a parcel addressed to the victim.
• Sometimes, they assert that the victim is involved in money laundering and an arrest warrant has been issued.
• Personal details like Aadhar, PAN, and SIM information are misused to threaten victims with fabricated legal cases and arrests.
• Victims are forced into sending money to resolve these fictitious issues and may be forced to stay on video calls, experiencing a "digital arrest," until they transfer money.

Advice to customers :

• Verify the Caller : Always check the caller’s identity by contacting the relevant law enforcement agency using official contact details published on their official website.
• Protect Your Information : Do not share personal or financial information over phone or video calls unless you are sure of the caller’s legitimacy.
• Do Not Send Money : Avoid sending money based on such calls or threats.
• Report Suspicious Calls : Report any suspicious calls or scams to your local cyber police authorities immediately.
• Seek Help : Report incidents to the cybercrime helpline number 1930 or visit www.cybercrime.gov.in for assistance.

Fake Investment Scam

The Reserve Bank of India has flagged a rising trend of fake investment scams facilitated through social media platforms like WhatsApp, Telegram and fake apps.

Overview of the Fake Investment Scam:

In this scam, fraudsters create fake investment groups on platforms like WhatsApp and Telegram, presenting themselves as financial experts. They attract victims with free stock tips and opportunities, then manipulate them into using fake trading applications. Once victims invest, they face difficulties withdrawing their funds, and the scammers vanish with the money.

How the Scam Works:

• Scammers add victims to multiple fake investment groups, where they hype up a fictitious star investor and lucrative opportunities.
• Victims receive free stock tips and investment advice, which initially seems promising.
• Scammers direct victims to download a fake trading application, designed to look legitimate but is used to steal funds.
• Some tips benefit group members to build trust, encouraging more investments.
• When victims attempt to withdraw funds or express doubts, their accounts are disabled, the group is shut down, and the scammers disappear with the money.

Advice to customers:

• Verify Investment Opportunities: Always research and verify investment opportunities through credible financial advisors and institutions.
• Be Cautious with Apps: Avoid downloading investment apps from unknown sources. Use only trusted platforms such as Google Store or AppStore to download apps.
• Do Not Share Personal Info: Do not share personal or financial information with unknown contacts or groups online.
• Avoid Unsolicited Tips: Be wary of unsolicited investment tips and offers from social media groups or unknown sources.
• Seek Assistance: For help or to report incidents, contact the cybercrime helpline at 1930 or visit www.cybercrime.gov.in.

Operation of Bank Accounts and Money Mules

• a. In a money mule transaction, an individual with a bank account is recruited to receive cheque deposits or wire transfers and then transfer these funds to accounts held on behalf of another person or to other individuals, minus a certain commission payment. Money mules may be recruited by a variety of methods, including spam e-mails, advertisements on genuine recruitment web sites, social networking sites, instant messaging and advertisements in newspapers. When caught, these money mules often have their bank accounts suspended, causing inconvenience and potential financial loss, apart from facing likely legal action for being part of a fraud. Many a times the address and contact details of such mules are found to be fake or not up to date, making it difficult for enforcement agencies to locate the account holder.
• b. It has been brought to our notice that “Money mules” can be used to launder the proceeds of fraud schemes (e.g., phishing and identity theft) by criminals who gain illegal access to deposit accounts by recruiting third parties to act as “money mules.” In some cases these third parties may be innocent while in others they may be having complicity with the criminals.
• c. In order to minimise the operations of such mule accounts our Bank has to follow the guidelines on Know Your Customer (KYC) norms /Anti-Money Laundering (AML) standards/ Combating of Financing of Terrorism (CFT)/Obligation of banks under PMLA, 2002. We are, therefore, required to strictly adhere to the guidelines on KYC/AML/CFT issued from time to time and to those relating to periodical updation of customer identification data after the account is opened and also to monitoring of transactions in order to protect ourselves and our customers from misuse by such fraudsters.

We, therefore, appeal and seek cooperation from our esteemed customers for regular updation of KYC and other customer identification data to fight against such fraudsters and prevent such money mule transactions.

Do’s and Don’ts On Cyber Security

• Do’s and Don’ts on Cyber Security – English
• Do’s and Don’ts on Cyber Security – Hindi
• Do’s and Don’ts on Cyber Security – Bengali
• Do’s and Don’ts on Cyber Security – Gujarati
• Do’s and Don’ts on Cyber Security – Kannada
• Do’s and Don’ts on Cyber Security – Marathi
• Do’s and Don’ts on Cyber Security – Oriya
• Do’s and Don’ts on Cyber Security – Tamil
• Do’s and Don’ts on Cyber Security – Telugu
• Do’s and Don’ts on Cyber Security – Malayalam
• Do’s and Don’ts on Cyber Security – Punjabi

Cyber Fraud - Be Scam Safe

Cyber Security Awareness Booklet- 2023

To report any cyber incident, please email at report.phishing@sbi.co.in or call cyber crime helpline number 1930. For more information, visit https://cybercrime.gov.in/. 

Let us fight Cybercrime together and Stay #SafeWithSBI