'Phishing' is generally an attempt by fraudsters to 'fish' for your personal / financial / investment details via email.
'Phishing' attempts usually arrive as an email that appears to be from the company you have invested in. The email then usually encourages you to click a link to a fraudulent page designed to capture your details. Email addresses can be obtained from publicly available sources or through randomly generated lists. Therefore, if you receive a fake email that appears to be from DSPBR MF, this does not mean that your email address, name, or any other information has been sourced from us.
While some e-mails are easy to identify as fraudulent, others may appear to be from a legitimate source. However, you should not rely on the name or address in the “From” field alone, as this can be easily duplicated. Very often, such phishing e-mails may contain spelling mistakes. Even the links to the counterfeit websites may contain URLs with spelling mistakes, to take you to a fake website which looks like that of your bank.
Some fake e-mails promise a prize or gift certificate in exchange for your completing a survey or answering a few questions. In order to collect the alleged prize, you may be asked to provide your personal information. Fake e-mails may direct you to counterfeit websites carefully designed to look real. Hence such websites may look very similar and familiar to you, but are in fact used to collect personal information for illegal use.
Such e-mails attempt to convey a sense of urgency or threat. Example: "Your account will be closed or temporarily suspended if you don't respond." Or, "You'll be charged a fee if you don't respond."
Although they can be difficult to spot, 'phishing' emails generally ask you to click on a link which takes you to a spoof web site that looks similar to your mutual fund website, where you are asked to provide, update or confirm sensitive personal information. To prompt you into action, such emails may convey a sense of urgency or a threat concerning your investments.
The information most commonly sought through such means can be:
- Folio numbers
- User ID / Passwords
- PAN Details
- Address details
- Bank Account Details
- Date of birth
- Other verification parameters
Some fake emails may also contain a virus known as a "Trojan horse" that can record your keystrokes or could trigger background installations of key logging software or viruses onto your computer. The virus may live in an attachment or be accessed via a link in the email.
Never respond to emails, open attachments, or click on links from suspicious or unknown senders. If you're not sure if an email sent by DSPBR MF is legitimate, report it to us without replying to the email.
Counterfeit / Spoofing Website
Website spoofing is the act of creating a website, as a hoax, with the intention of performing fraud. To make spoof sites seem legitimate, phishers use the names, logos, graphics and even code of the actual website. They can even fake the URL that appears in the address field at the top of your browser window and the Padlock icon that appears at the bottom right corner.
Fraudsters send e-mails with a link to a spoofed, fraudulent website, or ask you to update or confirm account-related information in the email itself and submit it. These emails also direct you to fraudulent Web sites and pop-up windows that try to collect your personal information.
This is done with the intention of obtaining sensitive account related information like your User ID, Password, bank details, etc.
One way to detect a phony Web site is to consider how you arrived there. If you type, or cut and paste, the URL into a new Web browser window and it does not take you to a legitimate Web site, or you get an error message, it was probably just a cover for a fake Web site.
Tips To Protect Yourself from Spoofed Websites:
- Check for the Padlock icon: It is a de facto standard among web browsers to display a Padlock icon somewhere in the browser window. For example, Microsoft Internet Explorer displays the lock icon at the bottom right of the browser window. Click (or double-click) on it in your web browser to see details of the site's security. It is important to check to whom this certificate has been issued, because some fraudulent websites may display a padlock icon that imitates the browser's Padlock icon.
- Check the webpage’s URL: When browsing the web, the URLs (web page addresses) begin with the letters "http". However, over a secure connection, the address displayed should begin with "https" - note the "s" at the end.
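The URL checks from the tips above (exact address, "https", misspelled links) written out as a small link checker. This is an added example, not part of the original page; the host `fund.example` is a placeholder assumption for the fund's official address, which this page does not state, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Placeholder (assumption): substitute the address printed on your account statement.
OFFICIAL_HOSTS = {"www.fund.example", "fund.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a host name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, official=OFFICIAL_HOSTS) -> str:
    """Classify a link as 'ok', 'insecure', 'lookalike' or 'unknown'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if host in official:
        # An exact host match is required; "https" is necessary but not sufficient.
        return "ok" if parts.scheme == "https" else "insecure"
    netloc = parts.netloc.lower()
    for good in official:
        # Official name embedded in a different address, or a small misspelling of it.
        if good in netloc or edit_distance(host, good) <= 2:
            return "lookalike"
    return "unknown"


# Constructed sample links, as they might appear in an e-mail.
SAMPLES = [
    "https://www.fund.example/login",
    "http://www.fund.example/login",
    "https://www.fnud.example/login",
    "https://www.fund.example.account-verify.example/",
    "https://news.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):10} {link}")
```

Only an "ok" result means the address matches the official one over a secure connection; every other result is a reason to type the known address yourself instead of following the link.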
Vishing is a combination of Voice and Phishing that uses Voice over Internet Protocol (VoIP) technology wherein fraudsters feigning to represent real companies such as banks attempt to trick unsuspecting customers into providing their personal and financial details over the phone.
A typical vishing attack may follow a sequence such as this:
- The fraudster sets up an automatic dialer which uses a modem to call all the phone numbers in a region.
- When the phone is answered, an automated recording is played to alert the customer that his/her account has had illegal activity and that the customer should call the recorded phone number immediately. The phone number is presented with a caller identifier that makes it appear that the call is from the financial company they are feigning to represent.
- When the customer calls the number, it is answered by a computer-generated voice that tells the customer they have reached 'account verification' and instructs the customer to enter his/her PIN on the key-pad. A visher may not have any real information about the customer and would address the customer as 'Sir' and 'Madam' and not by name or the prefix 'Mr....' or 'Ms...'.
- Once a customer enters his/her PIN, the "visher" has all of the information necessary to place fraudulent charges on his/her account. Those responding are also asked for the security details available in the account.
- The call can then be used to obtain additional details such as security PIN, expiry date, date of birth, bank account number, etc.
Tips To Protect Yourself from Vishing
- Be suspicious of any caller who appears to be ignorant of basic personal details like first and last name (although it is unsafe to rely on this alone as a sign that the call is legitimate). If you receive such a call, report it to us immediately by e-mail at email@example.com or call us at 1800 200 4499.
- Do not call and leave any personal or account details on any telephone system that you are directed to by a telephone message or from a telephone number provided in a phone message, an e-mail or an SMS, especially if it is regarding possible security issues with your account.
- When a contact number is given, you should first check the phone number in your SoA and verify whether the given number actually belongs to DSPBR MF.
Report a fraud attempt:
- If you receive an e-mail claiming to be from DSPBR MF regarding updating sensitive account information like PIN, password, folio number or bank details, let us know by forwarding the e-mail to firstname.lastname@example.org or call our Contact Center on 1800 200 4499.
- If you notice any spoofed (duplicate/unofficial) DSPBR MF Online website, let us know by writing to email@example.com or call our Contact Center on 1800 200 4499.