Phishing Fraud

What is Phishing?

Phishing is an act undertaken by fraudsters to gain your private and sensitive information through emails that appear to be sent by your Bank. Such fake emails encourage you to click on a link in the email which leads you to a fake website with a similar look and feel to the Bank's authentic website. It is designed to capture your personal confidential account information such as Customer ID, IPIN, Credit/Debit Card number, Card expiry date, CVV number, etc.

Customers' email addresses are obtained or purchased by the fraudster through non-trusted sites where the customer has revealed his email ID through casual browsing, or shared it in chat rooms, blogs, mailing lists, etc.


How do the fraudsters operate?

  • Fraudsters send spoofed emails, appearing to be sent by HDFC Bank, to a large number of recipients with an urgent tone that calls for quick action to verify, update or reveal your confidential account information by clicking on a link in the email.
  • Once the recipient clicks on the link in the email, he is diverted to a fake website with a similar look and feel to the Bank's original website. The customer is presented with a web form to divulge his confidential account information, such as customer ID, IPIN, Credit / Debit Card numbers, Card expiry date and CVV number.
  • Once the unaware customer reveals his confidential account information on the fake website, he may be redirected to the authentic website of the Bank to suppress any suspicion arising in the customer's mind. This is how the customer's identity is compromised.
  • This confidential account information or identity credentials are then used by the fraudster to gain access to the customer's account and commit fraudulent transactions.


How do you identify a fake / phishing email?

  • The fraudster may use HDFC Bank's email address, domain name, logo, etc. to give an authentic look to the fake email.
  • Do not rely on the name and source in the "From" field of the email, as the fraudster can easily manipulate it to show a valid HDFC Bank email account.
  • Such fake emails will always address you by a generic salutation such as "Dear Customer", "Dear Net Banking Customer" or "Dear HDFC Bank Customer". HDFC Bank's authentic emails will always address you personally by your name, e.g. "Dear Mr. Sameer Bedi".
  • Very often, such fake emails are poorly drafted and may have spelling or grammatical mistakes.
  • Such fake emails will always encourage you to click on a link to verify or update your confidential account information.
  • The links embedded in such fake emails may look authentic, but when you move the cursor/pointer over the link, the underlying link/URL may point to a fake website.


Visual identification of fake/phishing emails

Sample1 (This email was claimed to be from eBay)

Sample2 (Nigerian 4-1-9 Scam)

The Nigerian Scam (also known internationally as "4-1-9" fraud, after the section of the Nigerian penal code which addresses fraud schemes) is generally targeted at small and medium-sized businesses, as well as charities. The scam starts with bulk mailing/e-mailing of offers asking the recipients to enter into a business or to help get money transferred in return for a huge commission.

Sample3 (Income Tax Phishing Scam)

Sample4

Sample5

How do you identify a counterfeit / fake website?

  • Verify the URL of the webpage (web page address):
    • Most counterfeit / fake webpage addresses start with "http://". HDFC Bank's transaction-related webpages that ask for customer confidential account information (e.g. internet banking, payment gateway sites for online shopping) start with "https://", not "http://".
    • Check for the trailing letter "s": it indicates that communication between the webpage and the visitor accessing it is encrypted.
    • HDFC Bank's home page address, http://www.hdfcbank.com, is not encryption-enabled, as no customer confidential account information flows over it.

  • Check the PAD LOCK symbol:
    • The padlock symbol indicates that the website has a security certificate, also called a digital certificate. Fake websites either have no digital certificate to prove their authenticity or have an invalid one.
    • Establish the authenticity of the website by verifying its digital certificate. To do so, go to File => Properties => Certificates or double-click on the PAD LOCK symbol at the upper right or bottom corner of your browser window. E.g. HDFC Bank's authentic Internet Banking website and its digital certificate are depicted below.
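
As an added example (not part of this page or of the bank's own systems), the following Python script applies the checks described on this page to the links in an HTML email body: the hover check (visible link text versus the real URL), the "http://" versus "https://" check, and a comparison against the bank's known addresses. The allow-list of hosts and the sample message are assumptions constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list of the bank addresses this page names (assumed complete for the demo).
TRUSTED_HOSTS = {"www.hdfcbank.com", "netbanking.hdfcbank.com"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data  # text may arrive in several chunks
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def shown_host(text):
    """Host the visible link text claims to be, or '' if it is not URL-like."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def audit_links(html):
    """Return [(href, [reasons])] for each link that fails one of the page's checks."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = urlparse(href), []
        if target.scheme != "https":              # "http://" where "https://" is expected
            reasons.append("not https")
        if target.hostname not in TRUSTED_HOSTS:  # not one of the bank's known addresses
            reasons.append("host not in allow-list")
        claimed = shown_host(text)
        if claimed and claimed != target.hostname:  # the hover check: text vs real URL
            reasons.append("visible text says %s but link goes to %s" % (claimed, target.hostname))
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message (not a real phishing mail): one lookalike link, one genuine link.
SAMPLE_EMAIL = ('<p>Dear Customer, verify your account at <a href="http://netbanking.hdfcbank.com.example.invalid/login">'
                'https://netbanking.hdfcbank.com</a></p><p>Our website: <a href="https://www.hdfcbank.com">www.hdfcbank.com</a></p>')
```

An "https://" link and a valid certificate only show that the connection to the host in the address bar is encrypted, not that the host belongs to the bank, so the comparison against the known addresses is the decisive check.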

Fake Website

Please follow these simple steps to avoid falling prey to phishing scams:

  • In case of doubt, DO NOT click on any link provided in the email
  • DO NOT give any confidential information such as password, customer ID, Credit / Debit Card number or PIN, CVV, DOB, to any email request, even if the request is from government authorities like Income Tax department or any Card association companies like Visa or MasterCard
  • DO NOT open unexpected email attachments or instant message download links
  • Always check the web address carefully before sharing any sensitive information. Our website address is www.hdfcbank.com and our NetBanking address is https://netbanking.hdfcbank.com
  • For logging in, always type the website address (mentioned above) on your web browser
  • Always check for the Padlock icon at the upper or bottom right corner of the webpage. It must always be 'On' during secure transactions
  • Always ensure that you have installed the latest anti-virus / anti-spyware / personal firewall / security patches on your computer or high-end mobile phone
  • Always use a non-admin user ID for routine work on your computer
  • DO NOT access NetBanking or make payments using your Credit / Debit Card from shared or unprotected computers in public places like cyber cafes including unprotected high-end mobile phones

What do you do if you have revealed your confidential information by responding to a phishing email or have become a victim of phishing?

  • If, soon after revealing sensitive information such as your customer ID, IPIN, etc., you realise it was a phishing scam, immediately log on to your NetBanking account by typing the URL in the address bar of your web browser, change the IPIN and verify the recent transactions in your account. If no fraudulent transactions are observed, forward the phishing email to the bank.
  • If you discover any unauthorised transaction in your account, please call the PhoneBanking numbers or send an email to support[at]hdfcbank[dot]com to disable internet banking access to your account, and visit your home branch immediately to report the matter for further action. Contact your branch manager and forward the phishing email to fake[dot]email[at]hdfcbank[dot]com


Please Note: HDFC Bank will never ask you to divulge any confidential account information such as passwords, customer ID, IPIN, Credit / Debit Card numbers, CVV number, ATM PIN, etc. over email or a phone call.