HDFC's response to my query

P

Pimpom

Disciple
I have an HDFC account and receive emails and SMSes from them from time to time. That's normal. However, there is one mail I keep getting that could be a scam. It's an offer for a free lifetime credit card with zero maintenance fee.

The sender is informations@hdfcbank.net. Note that "information" has an 's' at the end and that the address is .net, not .com. After getting this mail perhaps half a dozen times, I tried to follow the link but my email service provider blocked it as suspicious. I didn't force-open it.

That was the preliminary. My question here is not about the mail itself, but about what you think of HDFC support's response when I queried them about it. I asked them if the mail is genuine or a fake. I described the contents of the email, pointed out the address and also forwarded the mail itself.

After trading emails back and forth several times, their final reply asked me to check the terms & conditions of the card offer. No mention at any time whether the mails are genuine or not. What do you think?
 
You can ignore that email and if you do need any lifetime card better ring heir cc and say you got an email for lifetime card offer. May be then they can take it seriously.
 
its a legit email sender for the bank. got tons of email in my inbox . clicked one of them and leads to the hdfc website
 
1656864977280.png


The domain is legit.
 
While others confirm that the domain is fine, and maybe the OP Pimpom knows this already because he is justified in being suspicious, but there is one more way to validate our trust in a domain.

The HTTPS certificates that a website is of various types, ranging from a basic validation done by the certificate authority (domain validation), to a thorough check (extended validation). The domain hdfcbank.net has extended validation cert from Digicert, as you can find from clicking on the lock symbol to the rest of the URL in most browsers :

1656867659513.png



In theory, this type of certificate will not be given to another organization with a confusingly similar name : e.g. if it is granted to hdfcbank.com, it won't be granted to hdfcbank.net until they are verified to be the same business. This way is not perfect. There are reasons to distrust the certificate authorities, because they have in the past made the mistake of not doing enough validation and granting certificates just because the client was paying a lot, but as a thumb rule this serves as an additional check we can do on domains.

Domains which don't typically deal with money transactions, e.g. techenclave, will generally have basic domain validation certificates, because they are cheap and hassle-free. Techenclave has the free certificate from letsencrypt, and that is perfectly fine for what Techenclave is, banks should never have "Domain Validation" under the "Certificate Type" policy, that is a huge red flag :

1656867935752.png
 
Thanks for the replies. I'm aware that I can apply for a credit card through venues other than the link provided in those emails.

But my point is that HDFC support never addressed my question. They hemmed and hawed and, in the end, just told me to check out their T&C. They never clarified if the emails are genuine or not.
 
Pimpom said:
Thanks for the replies. I'm aware that I can apply for a credit card through venues other than the link provided in those emails.

But my point is that HDFC support never addressed my question. They hemmed and hawed and, in the end, just told me to check out their T&C. They never clarified if the emails are genuine or not.
Click to expand...
That is right, I've noticed a complete lack of security awareness in reps of HDFC Bank, but maybe all banks are like that and I've dealt mostly with HDFC Bank.

E.g. once a lady from HDFC Bank called from an unknown number, and started asking me questions to validate if I'm the account owner. E.g. mother's maiden name, and such crap. I told her that first she needs to prove she's really from HDFC Bank, she couldn't even tell me my last transaction. The lady had no idea why I was not "cooperating".

I knew she was most likely genuine, as there were some KYC related calls going on those days. But the process was rotten.
 
I'm surprised that you actuallly managed to reach HDFC customer support. I tried contacting them, the phone number doesn't connect at all and couldn't find any email address at all.
 
I didn't call. All our communications were by email. To be fair, their response times were not bad - 24 hrs or less each time.

I'm an Indian living in India but a member of one of the many minorities. I don't speak any of the major Indian languages and, while many Indians speak good English, some are hard to understand. That's why I prefer written communications if the option exists. Besides, a written message can be re-examined at leisure for anything that might have ben missed or misinterpreted the first time.

Oh, they do have email support. It just takes a bit of diligence to find them. I sent my query to two addresses: support@hdfcbank.com and customerservices.cards@hdfcbank.com
 
Last edited:
CS will not be able to confirm or deny anything, because they are not qualified (and hence not allowed) to do so, and if they do, they're on the hook for whatever happens. What should be done by HDFC is to put out an advisory on how to identify genuine emails and have reps redirect to it, and if they own hdfcbank.net to declare it as their domain on their main website. Something like what Google does with Ads: https://support.google.com/google-ads/answer/2375460?hl=en
 
Ah, so CS is not authorized to judge the authenticity of the mails. That's a reasonable point. But they should at least have referred the issue to someone who's qualified to do so.

I was interrupted while typing this post by a call from HDFC. The first one spoke in Hindi (I think). There was a lot of background noise - the room acoustics were terrible, lots of people talking, keyboards click-clacking. It was a sea of sound. When I asked her to speak in English, she put me on hold. When they came back, I couldn't tell if it was the same person or another one. They sounded the same. I literally couldn't tell if she was speaking English or something else. I asked her to repeat herself two or three times but still couldn't pick out anything other than the words 'credit card'. She too had a hard time understanding me.

At the same time, my maid was pestering me regarding something that urgently required my attention, and my landline was ringing. So I hung up. It was a bit rude of me, but there was no point in continuing the conversation. In my experience, Axis and SBI people are much better. So far I haven't interacted with ICICI CS. The only ones I've spoken with are local people who speak my language.
 
Pimpom said:
There was a lot of background noise - the room acoustics were terrible, lots of people talking, keyboards click-clacking. It was a sea of sound
Click to expand...
This is my experience with most customer care these days. In the past couple of years, I've never had a call with a cc rep where the background noise wasn't overpowering. I feel like most companies do it deliberately so that people don't engage much with customer care. Otherwise a decent noise cancelling mic should be easily affordable for these companies and will take care of 70-80% of the noise.
 
I had an incident where a lady called my wife offering HDFC Aura or something card, 25% Cashback (Yep twenty Five percent) on online purchases & lifetime free, asked to send the documents on whatsapp.
When she informed me I checked the HDFC website, the card did exist but the T&C were opposite as there was an annual fee and cashback was a mere 1%, when we asked the lady to send a mail from her official mail, she said she's on third party payroll will send via gmail, doesn't have an ID card.

Blocked her lol.
 
montsa007 said:
asked to send the documents on whatsapp.
Click to expand...
This is a BIG red flag. Never send your personal identifiable info on whatsapp or any unofficial communication channel ever.
Also a tip, if sending on mail or other official channel perhaps even offline, always cross-out/cancel the document and write for what purpose it's exactly for so that it may not be misused for some other purpose.
 
enthusiast29 said:
This is a BIG red flag. Never send your personal identifiable info on whatsapp or any unofficial communication channel ever.
Also a tip, if sending on mail or other official channel perhaps even offline, always cross-out/cancel the document and write for what purpose it's exactly for so that it may not be misused for some other purpose.
Click to expand...
I know nothing over whatsapp,
thanks for that crossing out tip, will keep it in mind.
The most recent scam I saw is on FB "Pencil packing job" lol
 
Pimpom said:
I have an HDFC account and receive emails and SMSes from them from time to time. That's normal. However, there is one mail I keep getting that could be a scam. It's an offer for a free lifetime credit card with zero maintenance fee.

The sender is informations@hdfcbank.net. Note that "information" has an 's' at the end and that the address is .net, not .com. After getting this mail perhaps half a dozen times, I tried to follow the link but my email service provider blocked it as suspicious. I didn't force-open it.

That was the preliminary. My question here is not about the mail itself, but about what you think of HDFC support's response when I queried them about it. I asked them if the mail is genuine or a fake. I described the contents of the email, pointed out the address and also forwarded the mail itself.

After trading emails back and forth several times, their final reply asked me to check the terms & conditions of the card offer. No mention at any time whether the mails are genuine or not. What do you think?
Click to expand...
Same thing with me. I have got multiple emails from this id and I reported HDFC on this,but not yet received any responses
 
Back
Top