Credit card rewards point fraud!


Credit cards are one of the most common products among credit facilities offered by banks and financial services companies in India. The population is moving swiftly towards Credit cards from Debit cards because of their credit facilities and numerous reward schemes and promotional schemes, etc.

What are Reward Points?

Reward Points are digital points that a user can gain after making a transaction using their credit card. As it usually goes, the higher the amount you spent the higher the number of reward points you get. For example, if you purchase the latest mobile phone using your credit card, you will earn more reward points as compared to when you, say, buy a pair of normal wired earphones. These reward points can then be redeemed or exchanged for a number of things such as vouchers, products of selected brands, etc.

While these reward points are a benefit for credit card users, sometimes they can be also be used to scam people and stealing their money.

Reward points fraud

Credit card reward point fraud is not a new thing. Many people have fallen prey to this scam. The main thing about this is that, it is not widely known and on top of it, the greed in human nature makes it more harmful to people who fall prey to it.

Modus operandi

Scammers and fraudsters use these reward points to lure in the greedy customer and then make them spill out their credit card details. The scammers generally take advantage of the greedy human nature of the victims. Mass messages are sent out to inform the unaware customers that “Your Reward points worth Rs xxxx will expire soon, take immediate action to redeem the points“. Along with the message, there will be attached a link where the victim will be asked to fill in the credit card details such as their 16 digit card number and other personal details. This information is then directly sent to the scammers where they then make use of this information to scam you.

In a recent case, SBI has issued a warning on its Twitter handle about such reward points fraud and asked them to stay vigilant.

“Beware of reward points messages by fraudsters! Stay vigilant and be safe!” SBI informing its customers wrote on Twitter.

The bank has also asked its customers to not share any sensitive information such as card/PIN/OTP/CVV/password with anyone. The bank has further added that it never asks for any sensitive details from its customers over the phone, SMS, or email.

The bank also posted an announcement which read, “Dear Customer, We have come across some media reports that cybercriminals are sending fraudulent messages to our customers in the name of SBI to lure them to collect reward points by clicking on a fake link and are thus fraudulently collecting customer’s reward points by clicking on a fake link and are thus fraudulently collecting customer’s sensitive information.”

“We advise all our customers not to share sensitive information such as card/PIN/OTP/CVV/password with anyone. Please do not click on the link received through any email/SMS or open attachments/emails from unknown senders. We reiterate that SBI never asks for your sensitive details over the phone, SMS, or email,” the notice read.

A recent case

In a new development, a Delhi-based think tank reveals that several SBI customers were targeted via a phishing attack. In it, the users were spammed with suspicious texts, requesting them to redeem their SBI credit points worth Rs 9,870.

Along with the message was a link, which when clicked takes you to a page where you need to fill a form-‘State Bank of India Fill Your Details’. The form asks for personal information- name, registered mobile number, email, email password, date of birth. It also asks for sensitive financial details like card number, expiry date, CVV, and M-pin. After the form is submitted, the user is directed to a “thank you” page.

CyberPeace Foundation, the think tank, and Autobot Infosec Private Ltd carried out an investigation that revealed multiple details to prove that the entire thing is a phishing attack. Read the whole research document here.

Some of the main findings of the research document were:

  1. The registrant( The person or entity who actually registered the website) organization is Sanjay Bags, and the Registrant state is Tamil Nadu.
  2. The form takes user input without performing basic validation of the datatype. Eg: The Mobile number field should only take numbers but it was accepting alphabets also which shows poor coding practice etc.
  3. The fake website was developed using WordPress version 5.6.1.

How to stay away from this fraud?

  • Never share your card number, card expiry date, CVV, and OTP with anyone over the phone.
  • Always remember that banks or credit card companies will never call, asking you to provide card details and the OTP to redeem credit card points. Usually, rewards points are always credited to your card automatically, when you spend using your credit card.
  • Do not divulge credit card details to anyone over the phone or in person.
  • In case of any unauthorized transaction from your account, inform your bank and block your card immediately.

Stay Satark. Stay Vigilant.

Leave a Reply

Your email address will not be published. Required fields are marked *