kcharlesds
New member
- Bank Name
- HDFC BANK
- Loss Amount
- 89902
- Ratings
- Opposite Party Address
- ALTINHO MAPUSA BARDEZ GOA
On August 31, 2023, Kenneth Charles D'Souza fell victim to a phishing scam after receiving an SMS from "HDFC Bank" with a fake rewards redemption link. He entered his NetBanking credentials and OTP on a fraudulent website, leading to an unauthorized transaction of ₹89,902 to a suspicious beneficiary ("PAYUBAJAJFI6"). Despite HDFC Bank’s stated security protocols, the transaction was processed without requiring a transaction password nor any OTP was generated to process the Transaction or beneficiary verification. Kenneth promptly reported the issue, and the bank blocked his NetBanking account for security reasons but failed to address his concerns adequately.
Kenneth lodged formal complaints with HDFC Bank (September 1, 2023) and the National Cyber Crime Reporting Portal (Complaint No. 21009230001015) regarding the fraud and potential security flaws. Despite his efforts, HDFC Bank did not provide a resolution. He followed up with a second complaint to the HDFC Mapusa branch on September 18, 2023, raising concerns over inadequate responses and the bank's failure to adhere to RBI guidelines for consumer protection.
To seek accountability, Kenneth filed multiple RTI applications starting December 21, 2023, with the Goa Police and related agencies, requesting details about the investigation, transaction logs, and internal handling of the fraudulent case. He escalated the matter through first and second appeals in February and May 2024 due to unsatisfactory responses, including one to the Goa State Information Commission (GSIC).
Key concerns raised:
Incident Details:
September 18, 2023:
Flowchart: Fraud Incident and Reporting Timeline
HDFC Bank's Negligences:
Victim’s Expertise and Immediate Action:
The victim, Kenneth Charles D’Souza, is a retired public sector banker with 38 years of service. Leveraging extensive IT experience, the victim identified the fraud within seconds and took immediate action. Despite these efforts, the fraudulent transaction occurred, demonstrating vulnerabilities in HDFC Bank’s security protocols. The victim’s proactive measures highlight the systemic issues that could affect others with less awareness or expertise. Notably, the victim has kept the account almost entirely inoperative since the incident to avoid further complications.
Additional Evidence:
HDFC Bank’s internal ombudsman reported to the RBI that the victim had created the fraudulent beneficiary (PAYUBAJAJFI6). However, the victim categorically denies this claim. As an experienced banker with advanced IT knowledge, there was no conceivable reason to create such a beneficiary. This assertion raises critical questions about the bank’s handling of the incident and its adherence to security protocols
Kenneth lodged formal complaints with HDFC Bank (September 1, 2023) and the National Cyber Crime Reporting Portal (Complaint No. 21009230001015) regarding the fraud and potential security flaws. Despite his efforts, HDFC Bank did not provide a resolution. He followed up with a second complaint to the HDFC Mapusa branch on September 18, 2023, raising concerns over inadequate responses and the bank's failure to adhere to RBI guidelines for consumer protection.
To seek accountability, Kenneth filed multiple RTI applications starting December 21, 2023, with the Goa Police and related agencies, requesting details about the investigation, transaction logs, and internal handling of the fraudulent case. He escalated the matter through first and second appeals in February and May 2024 due to unsatisfactory responses, including one to the Goa State Information Commission (GSIC).
Key concerns raised:
- Security Lapses: Lack of verification protocols in processing the transaction.
- Bank’s Inadequate Response: Failure to resolve the case or refund the amount.
- Compliance with RBI Guidelines: Questioning adherence to zero-liability policies for fraudulent transactions.
- Request for Information: Detailed transaction logs, beneficiary creation details, and NEFT timelines.
Incident Details:
- August 31, 2023, 3:10 PM:
- Received an SMS claiming to be from "HDFC Bank" with a fraudulent rewards redemption link.
- Entered NetBanking login credentials and OTP on the fraudulent website.
- Unauthorized transaction of ₹89,902 to beneficiary PAYUBAJAJFI6 was processed without:
- Transaction password.
- OTP for beneficiary approval or transaction verification.
- August 31, 2023 (Same Day):
- Within Appx 5 minutes:
- Reported to HDFC Phone Banking: Promptly reported the fraud and blocked the NetBanking account.
- Within Appx 20 minutes:
- Visited HDFC Mapusa Branch which is 500 metres away from my Residence:
- Personally confirmed account blocking and submitted a verbal and written complaint.
- Complaint was not acknowledged, and staff was uncooperative.
- Visited HDFC Mapusa Branch which is 500 metres away from my Residence:
- Filed Complaints with Crime Branch:
- Submitted two complaints detailing the incident.
- Within Appx 5 minutes:
- September 1, 2023:
- Followed up with HDFC Bank and submitted a hard copy of the complaint at the Mapusa branch.
September 18, 2023:
- After persistent follow-ups and substantial communication via electronic media, obtained an acknowledged copy of the complaints from the HDFC Mapusa branch.
- Filed an official complaint with the RBI Ombudsman, citing negligence by HDFC Bank in handling the fraud.
- December 21, 2023:
- Submitted an RTI application to Goa Police Headquarters to gather information about the investigation and transaction logs.
- February–May 2024:
- RTI Appeals:
- Filed first appeal (February 2024) and second appeal (May 2024) due to unsatisfactory responses from the police and bank.
- Goa State Information Commission (GSIC): Escalated the matter to GSIC for transparency.
- RTI Appeals:
- January 2025:
- Despite persistent follow-ups with HDFC Bank, Crime Branch, and regulatory bodies, the case remains unresolved.
- Receive Fake SMS (Aug 31, 2023, 3:10 PM) ↓
- Enter Login Details on Fraudulent Site → Fraudulent Transaction (₹89,902) ↓
- Immediate Reporting to HDFC Phone Banking → Account Blocked ↓
- Visit HDFC Mapusa Branch (Aug 31, 2023 Afternoon) → Submit Complaint (No Acknowledgment Given) ↓
- Filed Complaints with Crime Branch (Aug 31, 2023) ↓
- Follow-up with HDFC Bank (Sept 1, 2023) → Submit Hard Copy of Complaint ↓
- Follow-up with HDFC Bank (Sept 18, 2023) → Submit Hard Copy of complaint and got acknwledgement ↓
- File RTI Application (Dec 21, 2023) → Request Investigation Details ↓
- Escalate RTI Appeals (Feb–May 2024) → Approach Goa State Information Commission ↓
- Escalate to RBI Ombudsman (Oct 2023) → Receive Unsatisfactory Response ↓
- Case Remains Unresolved (Jan 2025)
- Security Lapses:
- No Transaction Password or OTP Verification: The fraudulent transaction of ₹89,902 bypassed HDFC's standard security protocols.
- Unauthorized Beneficiary Creation: The beneficiary (PAYUBAJAJFI6) was neither created nor approved by the account holder, as falsely claimed by the bank.
- Violation of RBI Guidelines:
- The bank failed to adhere to the RBI Circular RBI/2017-18/15 (dated July 6, 2017) regarding consumer protection and zero liability in fraudulent electronic transactions.
- Inadequate Fraud Detection:
- Transactions exceeding ₹50,000 are expected to trigger additional verification steps, which were not followed.
- Delayed and Insufficient Responses:
- Despite multiple complaints, HDFC Bank did not refund the fraudulent amount or provide a clear explanation of how the transaction was processed without necessary verifications.
- The bank's responses to the RBI Ombudsman lacked critical details and failed to justify their claim of the transaction’s legitimacy.
- Lack of Transparency:
- HDFC Bank did not share detailed transaction logs, call records, or evidence supporting their claim of security compliance, despite repeated customer requests.
- Poor Grievance Handling:
- At the branch level, the staff refused to acknowledge complaints and failed to provide appropriate guidance to the victim.
The victim, Kenneth Charles D’Souza, is a retired public sector banker with 38 years of service. Leveraging extensive IT experience, the victim identified the fraud within seconds and took immediate action. Despite these efforts, the fraudulent transaction occurred, demonstrating vulnerabilities in HDFC Bank’s security protocols. The victim’s proactive measures highlight the systemic issues that could affect others with less awareness or expertise. Notably, the victim has kept the account almost entirely inoperative since the incident to avoid further complications.
HDFC Bank’s internal ombudsman reported to the RBI that the victim had created the fraudulent beneficiary (PAYUBAJAJFI6). However, the victim categorically denies this claim. As an experienced banker with advanced IT knowledge, there was no conceivable reason to create such a beneficiary. This assertion raises critical questions about the bank’s handling of the incident and its adherence to security protocols
