In a shocking incident, an Axis Bank customer lost savings of Rs 41 lakh held with the bank after fraudsters managed to break her fixed deposits.
The incident raises questions about the security of bank FDs, as the fraudsters managed to bypass Axis Bank’s processes to change the mobile number and registered email ID of the 47-year-old customer, Vedula Padmaja, and to bypass the two-way OTP authentication to break the FD. Interestingly, some of the transactions took place while the customer was at the bank branch.
The customer reported the crime to the National Cyber Crime Reporting Center on October 16 and registered an FIR with Shivajinagar cyber crime cell in Govandi, Mumbai on October 17.
According to the FIR filed by Padmaja, a Burgundy account holder at Axis Bank’s Hyderabad Branch who lives in Mumbai, she had funds in her fixed deposits and savings bank account, which is a premium account that comes with a relationship manager. Fraudsters siphoned off Rs 38 lakh by breaching her fixed deposit and Rs 8 lakh from her savings account in a series of 32 transactions in October. Padmaja managed to reverse transactions of Rs 4.9 lakh, but a total of Rs 40.93 lakh disappeared, moved to different bank accounts across the country.
Padmaja also alleged that the negligence of the relationship manager and Axis Bank’s faulty fraud monitoring system were to blame for the theft.
In response to a detailed questionnaire from ETBFSI, Axis Bank’s official spokesperson replied, “The matter is currently under investigation and Axis Bank is cooperating with the investigating authorities to resolve it.”
How fraudsters hacked the customer’s account
Padmaja’s ordeal began with a seemingly innocuous SMS received on October 10, 2023, stating that reward points had been credited to Mrs. Padmaja’s Axis Bank account. Believing the message to be genuine, she clicked on the link provided, only to discover that Rs 4,99,999 had been debited from her account. Despite immediately notifying her dedicated relationship manager at the bank, Padmaja claimed she faced delayed responses and a lack of urgency.
Later, a call from a person who identified himself as Amit from Axis Bank Head Office in Bandra, Mumbai explained the incorrect debit as a result of a software update. Assuring that the amount would be credited back, Amit asked her not to use Axis Bank’s net banking application for a week as the software update was in progress. The bank then credited the same amount that was owed.
Still worried about the debit message, Padmaja checked her savings account balance and found that the balance of Rs 8 lakh was untouched.
However, when she logged into her registered email on October 14, 2023, she noticed three emails from Axis Bank dated October 10, 2023, October 12, 2023, and October 14, 2023, all related to her account. These emails detailed the transfer of Re 1 from Vedula’s account to her chartered accountant, who handled her income taxes.
Since she did not make those transactions, Padmaja immediately messaged the bank’s relationship manager on October 14, 2023, regarding illegal attempts to access her account. She also told the relationship manager on WhatsApp chat that a possible cyber attack had been launched on her account and that Axis Bank’s IT cell should be notified on priority to take the necessary steps to neutralize the threat.
“However, despite reading the message as evidenced by two blue ticks, the relationship manager could not be bothered to respond, showing complete apathy to a privileged customer,” Padmaja alleged in her complaint.
Later, she received four emails on October 15, 2023, from 11:00 pm to 11:30 pm regarding the network secure code and the addition of a beneficiary to her account. Padmaja visited the Chembur branch of Axis Bank on October 16, 2023. The branch manager stated that there were many transactions between October 10, 2023 and October 16, 2023 through her account. When she said that she did not receive any message or mail for OTP regarding the transactions, the branch manager informed her that the email ID registered to her account had been changed from Yahoo to Gmail and that the phone number had also been changed. When she checked the bank account, Padmaja said she noticed that an amount of around Rs 41 lakh had been withdrawn from her bank account, including in some transactions that took place while she was in the branch.
“Majority of people in India believe that Fixed Deposits are sacred and cannot be touched, but the fraudsters managed to break all my FDs and siphon off the funds to various banks,” she said.
Padmaja also questioned Axis Bank’s role in the entire episode.
She said the relationship manager ignored her warnings, and she shared her message exchanges with the relationship manager as proof.
The customer also claimed she did not receive a meaningful response from the bank.
Complaint to RBI Ombudsman
In addition to filing an FIR, Padmaja also moved the Reserve Bank of India (RBI) Ombudsman with two key demands: She asked the RBI to direct Axis Bank to bear the loss of these transactions after her intimation to the relationship manager.
In her complaint, Padmaja highlighted the RBI Consumer Protection circular dated July 6, 2017, which provides that banks must bear any loss to the customer after the customer’s reporting of unauthorized transactions to the bank.
She questioned the bank’s fraud monitoring system, pointing out its alleged failure to detect and prevent unauthorized transactions. “Even taking a hypothetical plea that the unauthorized transactions were my fault, the bank’s fraud monitoring system should have flagged the transactions because the transactions were significantly out of sync with my regular transaction pattern. Further, change of registered email ID and mobile phone within a short period of time and then such large value transactions is a very high risk indicator which should have triggered the fraud monitoring system and the transactions should have been stopped,” she said.
“This significant change in behavior in a matter of hours should have been immediately flagged by the system. The Axis Bank employees at Chembur admitted that no STRs were generated, which is a complete violation of RBI guidelines,” she said.
She emphasized the need for an effective fraud monitoring system and urged the RBI to direct Axis Bank to refund the entire loss incurred due to its inefficient processes.
“In the instant case, the bank has miserably failed to undertake fraud monitoring and thus, the bank may be directed to reimburse the entire loss caused to me due to inefficient processes of the bank,” Padmaja said in her complaint to the RBI.
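The risk indicator described in the complaint (a change of registered email and mobile number followed shortly by a new beneficiary and large debits) can be written as a simple correlation rule. The sketch below is an added illustration, not Axis Bank's system or anything prescribed by the RBI; the event names, the 72-hour window, the 5x multiplier and the sample data are all assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Assumed tuning values for illustration, not taken from any bank or regulator.
COOLING_WINDOW = timedelta(hours=72)   # risk window after a contact or payee change
AMOUNT_MULTIPLIER = 5                  # "out of pattern" = 5x the customer's median debit
CONTACT_CHANGES = {"email_change", "mobile_change"}
MONEY_OUT = {"transfer", "fd_premature_closure"}

def flag_events(history, events):
    """Return (event, reasons) for debits where at least two risk signals agree."""
    baseline = median(history) if history else 0
    last_change, new_payees, flagged = None, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind in CONTACT_CHANGES:
            last_change = ev["ts"]
        elif kind == "beneficiary_add":
            new_payees[ev["payee"]] = ev["ts"]
        elif kind in MONEY_OUT:
            reasons = []
            if last_change and ev["ts"] - last_change <= COOLING_WINDOW:
                reasons.append("contact details changed recently")
            added = new_payees.get(ev.get("payee"))
            if added and ev["ts"] - added <= COOLING_WINDOW:
                reasons.append("payee added recently")
            if baseline and ev.get("amount", 0) >= AMOUNT_MULTIPLIER * baseline:
                reasons.append("amount far above customer baseline")
            # A single signal is common in normal use; hold only on two or more.
            if len(reasons) >= 2:
                flagged.append((ev, reasons))
    return flagged

# Constructed sample data (amounts in rupees); not the real account's records.
HISTORY = [12_000, 8_500, 20_000, 15_000, 9_000]
T0 = datetime(2023, 10, 10, 9, 0)
EVENTS = [
    {"ts": T0, "type": "email_change"},
    {"ts": T0 + timedelta(minutes=5), "type": "mobile_change"},
    {"ts": T0 + timedelta(hours=2), "type": "transfer", "amount": 1, "payee": "known-ca"},
    {"ts": T0 + timedelta(hours=24), "type": "beneficiary_add", "payee": "new-1"},
    {"ts": T0 + timedelta(hours=25), "type": "fd_premature_closure", "amount": 3_800_000},
    {"ts": T0 + timedelta(hours=26), "type": "transfer", "amount": 499_000, "payee": "new-1"},
]

if __name__ == "__main__":
    for ev, reasons in flag_events(HISTORY, EVENTS):
        print(ev["ts"], ev["type"], ev.get("amount"), "->", "; ".join(reasons))
```

The Re 1 transfer trips only one signal and passes, while the fixed deposit closure and the transfer to the newly added payee are both held for review.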
| Timeline | How Axis Bank customer lost Rs 41 lakhs |
| --- | --- |
| October 10, 2023 | |
| October 10, 12 and 14 | Re. 1 from the customer’s account transferred to her CA. Calls to the relationship manager go unanswered. |
| October 15th | The customer receives four e-mails about the network secure code and the addition of a beneficiary in her account. Assuming something is wrong, the customer goes to a nearby ATM and changes the debit card’s PIN as a precaution. |
| October 16th | Customer goes to Axis Bank Branch and informs about the suspicious emails. The bank official informs her that there were many transactions in her account between October 10 and October 16 and an amount of 20 lakhs was transferred to various banks across the country. |
What are the RBI guidelines?
The RBI in its guidelines has divided the liability of cyber frauds into two parts (a) Zero Liability of Customer and (b) Limited Liability of Customer.
Under Zero Liability of the Customer, the customer is entitled to zero liability where the unauthorized transaction occurs due to a deficiency on the bank’s side. The same applies to third-party breaches where the deficiency lies neither with the bank nor with the customer but elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.
Under Limited Liability of Customer, where the loss is due to the customer’s negligence, such as where he shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction must be borne by the bank.
Also, in cases where the responsibility for the unauthorized electronic banking transaction belongs neither to the bank nor to the customer, but lies elsewhere in the system, and there is a delay (of four to seven working days after receiving the communication from the bank) by the customer in notifying the bank of such a transaction, the per transaction liability of the customer is limited to the transaction value or the amount.
More than a month has passed and Padmaja is still waiting for the bank to restore her funds. ETBFSI reviewed the complaint she wrote to the RBI Ombudsman, the FIR copy and her conversation.