Got Phished? You will get your money back!


ICICI Bank has to pay 12.85 lakh rupees to an NRI who lives in Abu Dhabi. The reason is that 6.5 lakh rupees was stolen from the NRI's account through a phishing attack. ICICI has to pay that amount to the NRI for the interest charges, the financial loss and its complete lack of involvement in solving the phishing scam. (Read full story here)

You might think of this as unfair to ICICI. I think so too. But the point of contention is the customer service more than the phishing attack. There is nothing ICICI could do if someone sends you an email in the guise of the bank and asks you for your username and password, because not ICICI, not RBI and not even your mother needs to know your password. That's rule 0 of the Internet and online banking. What could ICICI or any other bank have done differently?

Three things worked against ICICI:

  1. The CCTV that could have caught the perpetrator only holds 1 month's worth of clips.
  2. There was no easy way to differentiate between an ICICI email and a phishing email.
  3. The bank washed its hands of the matter after crediting back 1.5 lakh rupees – the money left in the phishing company's bank account – to the NRI.

Yet another thing that surprised me is the speed with which justice was delivered. This kind of thing typically takes years to complete. But the turnaround time for this was less than 3 years. That is remarkable. This should be a big lesson to all the banks out there who try to avoid customers behind their myriad IVR choices and serpentine ways of doing things.

If you are not sure what a phishing attack is, or just want to see what one looks like, you are in luck. I received an email from Gmail two days ago. It said my account will be closed if I don't provide my Account, Password, Birth Date and Country. And it was blind carbon copied to me. I thought Google should have the courtesy to address the email directly to me instead of blind carbon copying it. The only problem is, it wasn't from Google. The from address is

That is exactly what a phishing email looks like. If Gmail wants to close my account for not providing my password – so be it.
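The three warning signs in that email (a sender address that does not belong to the claimed brand, delivery by blind carbon copy, and a request for a password) can be checked mechanically. The following is an added example, not part of the original post; the brand-to-domain table, the sample messages and every address in them are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: brands mapped to the domains they really send from; extend as needed.
BRAND_DOMAINS = {"gmail": {"google.com", "gmail.com"}}
CREDENTIAL_WORDS = ("password", "birth date")

def phishing_signals(raw, my_address):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    signals = []
    # 1. Display name claims a brand, but the address is on another domain.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in display.lower() and not legit:
            signals.append(f"claims {brand} but sent from {domain}")
    # 2. Our address is in neither To nor Cc, so we were blind carbon copied.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in {a.lower() for _, a in visible}:
        signals.append("recipient was blind carbon copied")
    # 3. The body asks for secrets no provider needs to be told.
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart()).lower()
    asked = [w for w in CREDENTIAL_WORDS if w in body]
    if asked:
        signals.append("asks for " + ", ".join(asked))
    return signals

# Constructed samples (not the email from the post; all addresses are made up).
PHISH = """\
From: "Gmail Team" <verify@accounts-example.test>
To: undisclosed-recipients:;
Subject: Your account will be closed

Provide your Account, Password, Birth Date and Country or your account will be closed.
"""
GENUINE = """\
From: "Gmail Team" <no-reply@accounts.google.com>
To: me@example.com
Subject: Security alert

A new sign-in was detected on your account.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("GENUINE", GENUINE)):
        print(name, phishing_signals(raw, "me@example.com"))
```

A From header can itself be forged, so these checks complement the SPF, DKIM and DMARC results your mail provider records rather than replace them.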

PS: The title of the post could be misleading. You might not always get your money back. The best option is to not click on these email links and to not provide your password.