Unless tackled on a war footing, with awareness-building, a crackdown on crime hubs across India, and statutory and regulatory changes, the alarming rise in cybercrime could derail the phenomenal achievements of the fin-tech world in facilitating super-fast financial services. Cybercrime, especially in its latest and most evil avatar, is not limited to robbing victims of their money. It is forcing them to avail instant loans facilitated by bank apps and transfer the money to fraudsters, thereby crippling victims with long-term debt.
The fact that cybercriminals today are extremely well-versed in the procedures of police and enforcement agencies, can recreate authentic-looking offices, clone websites of regulatory agencies and courts and spoof social media handles, is enough to scare people, especially at a time when media reports often tell us how the police from one state can arrest people in another part of the country, seek transit and jail them in locations where they have no family, support system or resources.
The rise in cybercrime is disturbingly high and the few success stories of police having successfully solved these crimes rarely mention the time and process involved in refunding money to victims. In 2023, the ‘1930 National Cybercrime’ helpline received 13.1 lakh complaints. At a recent press conference, the Mumbai police said its cyber cell received 1.09 lakh calls in 2023 and claims a 95% success rate. This high success is probably in nabbing culprits and does not reflect the extent of money recovered.
Worryingly, victims of cybercrime are not persons with low literacy levels or tech-phobic senior citizens; many of them are tech-savvy individuals working with giant information technology companies. Cybercriminals work by inducing fear and panic through practised mind-games, interrogation techniques, threats of arrest and the creation of official-looking documents against the backdrop of authentic-looking police stations or government offices, which leads to a suspension of logic and clarity of thought.
In the coming days, these tactics will be further weaponised through artificial intelligence (AI)-based tools such as voice clones and deep fakes. More than a dozen websites already offer free voice cloning options with accuracy as high as 95% in scores of languages and accents.
What helps criminals trap even tech-savvy people is their lack of awareness about police procedures and laws. Perhaps, this explains why tech centres, such as Bengaluru and Gurugram, have become cybercrime hubs as is evident from the cases below. Consider the similarity in all these cases and the danger posed by the first crime.
Reena’s (name changed) case started as the typical FedEx scam where the caller claimed that a parcel sent to her from Taiwan, containing illegal drugs, passports and a laptop, had been intercepted. Having got the victim’s attention, the call was transferred by the ‘courier agent’ to what was ostensibly an official of the Central Bureau of Investigation (CBI). Although such seamless efficiency is completely alien in government offices, victims are unaware of it. She was convinced that illegal activities across India had been carried out in her name and, for ‘investigation purposes’, she was guided to avail a personal loan of Rs10 lakh on an ICICI app and transfer it to an account specified by the fraudsters on the assurance that it would give her a ‘clearance certificate’ from the cyber police! One could argue that this victim was unusually ignorant and credulous; but it is safe to bet that thousands of others will fall for the same tactics. The exact same modus operandi has worked successfully in so many cases in the past six months alone. This case shows how cybercriminals can inflict crippling, long-term damage on victims, unless tackled firmly. Left unchecked, it could affect the use of banking apps.
A techie working for Infosys at Bengaluru lost over Rs3.7 crore in a variation of the FedEx scam. He was threatened with arrest for money laundering by cybercriminals posing as officials of the Telecom Regulatory Authority of India (TRAI) and told that the offences involved carried a 20-year prison sentence. In most cases, the victims are induced to empty their bank accounts, not as a bribe or blackmail, but by claiming that the money will be re-credited to their accounts after ‘audit’ and investigation. In a LinkedIn post, Nandkumar Sarvade, formerly with the Indian Police Service (IPS), who has headed cyber security organisations, says (https://www.linkedin.com/posts/saravade_cybercrimes-mumbaipolice-skype-activity-7137616666791747586-fhw-/) that the Skype handle used by fraudsters was vakolamahapolice-gov-in and a fake senior official’s Skype profile read ‘mumbai.cbi.gov.in.’ The victim was also shown arrest warrants pending against him on a fake ‘Supreme Court website’.
Ankit, another Bengaluru-based victim, was duped of Rs13 lakh with the same story that a FedEx parcel containing drugs and passports in his name was intercepted by the customs department. In every case, the victim is forced to get on a Skype call from authentic-looking handles mentioning the names of police stations. The psychological play includes staging a fake police station/government office to lend credibility to their threats. It also allows them to display letters, ostensibly from the Reserve Bank of India (RBI), CBI or spoofed websites, in line with the particular narrative. In most cases, the online interrogation (possibly by a rogue cop) continues for several days while the victim is successfully kept off-balance and told to stay away from social media. In Ankit’s case, he was forced to transfer Rs13 lakh from his own account, share his identification details and also transfer another Rs4 lakh from his wife’s account for ‘verification’. How does transfer of money verify anything? Also, why would he be instructed to stay away from Google searches and not to share the information with anyone for two or three days, while the farce carried on? These questions do not occur to a victim in a state of panic. Ankit only became suspicious when he was asked to break a fixed deposit (FD) and transfer money for ‘verification’. He, finally, stopped taking the Skype calls and realised he had been scammed. He went on to file a police complaint and has got a portion of his money back. (Read details of this and other cases here: Fraud Alert: How Not To Become a Victim of the Courier or Delivery Scams and Fraud Alert: FedEx 'Interrogation' Scam; Time To Make Your Passwords Strong and Bigger.)
Another FedEx scam victim was a Bengaluru-based businessman who was forced to transfer Rs1.98 crore to cybercriminals in December 2023. He was told that banned narcotics were found in a parcel sent to him; the criminals even forced the victim and his wife to check into separate hotel rooms for ‘interrogation’.
In November 2023, The Economic Times reported a case where cybercriminals exploited lax security systems and processes at Axis Bank. The victim received a message with a link about reward points credited to her account. Merely clicking the link led to nearly Rs5 lakh being swept out of her account. In all, she lost Rs41 lakh over 23 transactions after the criminals changed her registered mobile number and broke her FD, without such high and unusual activity triggering any alerts in the bank’s systems.
These examples raise several issues, starting with public ignorance about police investigation procedures and the fact that government agencies often fail to follow procedure and get away with illegal arrests, torture and worse. Moreover, many people these days are proud to claim that they have stopped reading the newspapers, which keeps them ignorant of such cases. This explains the regularity with which people succumb to the widely reported ‘FedEx/courier scam’.
The second issue is collusion. In 2016, when Moneylife Foundation conducted a workshop series titled ‘Police and You’, we first heard from advocate Prashant Mali, a cyber security expert, about Jamtara in Jharkhand being a crime centre for phishing with easy access to burner phones, bank accounts and equipment without being hampered by know-your-customer (KYC) requirements. Is this possible without official collusion? What prevents the government from cracking down and destroying such criminal hubs? Instead, Jamtara has thrived, Mewat (in Haryana) has emerged as a new hub with sextortion as a unique skill and even Kolkata has become a phishing hub, complete with large call centres. They have been made famous by web series titled Jamtara and Mewat, which have also done a lot to create awareness about cybercrime.
Finally, the biggest contributors to escalating cybercrime are our antiquated laws and tediously slow legal systems. Commander Mukesh Saini (veteran), security adviser and former national information security coordinator, wrote on LinkedIn (in response to Mr Sarvade’s post) that innovative approaches of cybercriminals make it “almost certainty that soon courts are going to be overwhelmed by the number of cases.” He points out that every case is cognisable under current laws; but the proceeds of crime, even if they are impounded, cannot be returned to victims without a process leading to a court order.
He says that urgent statutory and regulatory changes are required to prevent citizens from becoming discontented with the vision of a #DigitalIndia. In my view, Commander Saini has put it rather mildly. Unless checked, people may prefer to revert to old-fashioned cash and physical systems in a country which has no social security, especially for the hard-working middle class that is the biggest convert to digital systems.
It is not as if the government is unaware of rising cybercrime. In July 2022, the Union government announced a series of steps to combat cybercrime (read here: https://pib.gov.in/PressReleasePage.aspx?PRID=1845321); but these are far from adequate. Without statutory changes in procedures and a war-like crackdown on criminal hubs, the vision of #DigitalIndia could be derailed.
Comments
milindnadkarni
11 months ago
Leave aside Govt bodies, based on my humble assessment, even the largest of corporations do not have a process or approach (which is tried out in real time) to handle cyber attacks. Competence, holistic way of looking at things and coherent manner of putting in place actual approach to deal with this threat is sadly missing.
Forget AI, the bugs and loopholes left in the core applications by their own in-house IT and external consultants are a large, palpable and serious threat to cyber security.
During my trip to Tirupati, at the counters where they asked people paying by card or payment apps to queue up differently, at the counter they asked me to pay cash!! Reason, the counter cashier said, he is facing problems with both. This indicates that we may gradually veer round to cash transactions notwithstanding the claims of all the institutions and the government unless people are adequately equipped to deal with the cyber crimes.
Because of these fraudsters, vision of Digital India may be derailed and people may prefer cash system. Govt machinery should be augmented and such cases should be investigated promptly and money refunded to victim by police itself.
The only solace in these cyber crimes is that often / probably always, fraudsters leave a solid footprint for the law enforcement agencies to nab them, if a sincere effort is made in this direction.
I agree, as footprints of the scammers are there such cases are easier to crack, but only if the Govt. machinery is efficient and prompt. But alas, there is a lot to be done in this regard.