Don’t become a victim of phishing next time you download an app on your phone

  • It’s dangerous to assume that all apps available on Apple or Google app stores are legitimate and safe
  • Here’s what can you do to protect yourself from phishing apps

It’s common to receive WhatsApp messages warning against downloading certain apps that can steal your information or clean out your bank account. While we usually dismiss them as rumours or fake messages, there are certainly some apps that could harm you. In an alert issued on 14 February, the Reserve Bank of India (RBI) warned banks and payment system operators about an app called AnyDesk, which fraudsters were allegedly using to gain access to data on customers’ phones. That data would in turn be used to make unauthorised transactions and pilfer money from their accounts.

Here’s what you can do to protect yourself from phishing apps.

Increasing fraud

RBI cited growing instances of fraud using the Unified Payment Interface (UPI) platform as the main reason for the issuance of the warning against AnyDesk. According to data on the National Payments Corp. of India website, between April 2018 and January 2019, the UPI platform saw 388 crore transactions worth over Rs. 6.4 trillion. As transactions rise, so do instances of fraud.


In December 2018, a Noida-based UPI user reportedly lost Rs. 6.8 lakh from his State Bank of India savings account. Over two months, seven transfers were made from his bank and he didn’t receive any alerts, finding out only when he visited the bank branch to make a withdrawal.

While in some cases people might be vulnerable to fraud through no fault of their own, in other situations scammers rely on a lack of awareness among people. The modus operandi in the AnyDesk phishing cases was to call customers posing as a bank representative and ask them to download the app on their phone. Once the app was installed, “an app code (nine-digit number) would be generated and once the fraudster inserts this code, he would ask the victim to grant permission. Post this, the fraudster will get full access to the victim’s device,” the RBI circular stated.

Don’t trust blindly

Contrary to what many think, it’s dangerous to assume that all apps available on Apple or Google app stores are legitimate and safe. “Not all apps found on Play Store or App Store are legitimate. Before downloading any app, go through reviews and do your research on the developer. Register for SMS banking so that you get updates of all your banking transactions. This helps report fraudulent transactions quickly,” said C.S. Sudheer, founder and CEO of IamCheated.com, a site that registers and addresses consumer complaints for online fraud.

You can also end up exposing your device to malware unwittingly. “While available anti-virus software can minimise attacks, there are other apps such as gaming apps, which have embedded viruses that can sometimes go undetected. Also, apps like AnyDesk, which are used to access machines to provide support and help to people remotely, can be misused to gain access to financial apps on a person’s mobile,” said Mandar Agashe, founder and vice-chairman, Sarvatra Technologies, a banking technology solution company.

Educate yourself

AnyDesk, the app highlighted in the RBI alert, is a remote sharing app that can be used to share your screen with a remote computer and is used widely by organisations to facilitate co-working and software repair. Many similar programs, such as TeamViewer, are also widely available and used. In this case, a seemingly harmless and legitimate app was used for malicious purposes by fraudsters. So it’s not enough to steer clear of suspicious websites or apps. You must understand the purpose and functioning of an app before downloading it.

“Phishing is one of the most common ways in which individual computer accounts get compromised. The only solution to this problem is education. Computer users should educate themselves on the best practices to detect suspicious emails or web links and avoid clicking on them,” said Prasanna Mulgaonkar, cyber security expert and CEO, Cloud Raxak, a cloud security compliance company.

Be careful never to share sensitive information like account details, OTPs or access codes with anyone. Keep in mind that your bank will never ask for these details. To some of us it might seem obvious that sharing app codes and giving permissions to a caller, just because they claim to represent your bank, can be a huge risk. But with more and more users entering the digital transactions space, awareness and education are key to protecting yourself, as well as older family members who are especially vulnerable.