A bank whose domain was used to send a fraudulent mail was on Thursday directed to pay over Rs 20 lakh to a company that had lost the amount to cyber fraud. The order is likely to come as a relief to victims of phishing emails who have lost money after failing to spot small typographical changes in sender addresses.
On Thursday, Principal Secretary (information technology) SVR Srinivas directed IndusInd Bank to pay Rs 20.55 lakh to Prothious Engineering Services. The company’s Andheri-Kurla Road office, which holds a current account with the bank, had on January 9, 2014, received an e-mail from “firstname.lastname@example.org” claiming that the bank was updating its database and needed several details from the company, including its current account number and the mobile phone number linked to the account.
The company reportedly failed to spot the typographical error in the sender’s address (“exclusive” spelt with an extra ‘e’) and replied with the requested details.
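A check a mail gateway or a recipient’s own tooling could apply to a sender address like the one described above, as an added example that is not from the article, the bank or the company; the trusted domain, the sender names and the header lines are constructed placeholders, not the addresses involved in the case:

```python
# Flag From: addresses whose domain is a near-miss (typo variant) of a trusted domain.
# All domains and addresses below are constructed placeholders for this example.
from email.utils import parseaddr

# Constructed allow-list of domains the recipient actually does business with.
TRUSTED_DOMAINS = {"bank-exclusive.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in a From: header.

    A domain within max_dist edits of a trusted one (e.g. a single extra letter,
    as in 'exclusivee') is a lookalike and should be quarantined for review
    rather than delivered as if it came from the trusted party."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    for good in trusted:
        # Exact match or a true subdomain of the trusted domain: the owner controls it.
        if domain == good or domain.endswith("." + good):
            return "trusted"
        # One or two edits away: the classic typo-variant phishing domain.
        if 0 < edit_distance(domain, good) <= max_dist:
            return "lookalike"
        # Trusted name used as the leading labels of some other registrable domain.
        if domain.startswith(good + "."):
            return "lookalike"
    return "unknown"
```

This only catches typo variants in the address the reader sees; a mail that really left a server on the genuine domain (the other possibility the adjudicating officer raised) looks identical here, which is why gateway policy should also act on SPF, DKIM and DMARC authentication results.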
A few days later, the company reportedly received a call from the bank saying one of their cheques for over Rs 13 lakh had been refused due to insufficient funds. The company had then expressed surprise as they had enough funds in the current account. When the company contacted the bank, they found there had been some fraudulent withdrawals from their account.
The company then approached Amboli police, where an FIR was registered against unidentified persons. The company had also approached Srinivas, the adjudicating officer, against the bank seeking the Rs 20,55,000 in addition to other costs.
The bank told the adjudicating officer that the company’s account details had been shared by the company’s own employees with the fraudsters and that the bank was therefore in no way responsible for the losses the company suffered. The adjudicating officer, however, observed that the fraudulent e-mail sent to the company carried the domain name of IndusInd Bank (email@example.com).
“This indicates that either the phishing mail originated from the respondent bank or there was a security lapse in the respondent’s IT system, including its mail servers… (The) complainant was tricked by the use of the domain name of the…bank… the bank cannot be relieved of its responsibility simply contending that the complainant was remiss to ignore the spelling error in the word ‘exclusivee’,” the order issued by the adjudicating officer states.
The order further states that the money from the complainant’s account was fraudulently transferred to an account in IndusInd Bank itself. “…there was an express obligation on the respondent bank to furnish the KYC records of the impugned accounts on record. In the absence of presentation of any KYC documents for the impugned account, it can be concluded that the bank is in breach of security policies,” it said.
The order accordingly held that the bank should pay the complainant compensation of Rs 20.55 lakh within one month.
Advocate Prashant Mali, the cyber lawyer for the company, said the Rs 20.55 lakh compensation is the result of a fight that started in 2014. “I would have been happier if we were paid the interest and damages or at least the legal expenses incurred,” Mali said.