Every week, I track how fraudsters and cybercriminals from around the world adapt more quickly than regulators and remain several steps ahead of law enforcement agencies (LEAs). But a bigger danger is now emerging: a growing digital trust deficit. This is the widening gap between what citizens expect from digital systems — security, transparency and privacy — and what they actually experience: repeated data leaks, opaque processes and constant cyberattacks. Unfortunately, this loss of trust only makes it easier for cybercriminals and fraudsters to operate.
Last month, a major security finding revealed that more than 3.5bn (billion) WhatsApp accounts were vulnerable to large-scale phone-number harvesting. The discovery came at a time when the Indian government was attempting to mandate the pre-installation of the Sanchar Saathi app on all new mobile devices and via an over-the-air update for existing mobile handsets.
On the last working day of November 2025, the department of telecommunications (DoT) — reportedly acting unilaterally and without meaningful consultation with telecom providers, app companies or consumer groups —
issued directions that fundamentally change how Indians will use messaging apps like WhatsApp, Telegram, Signal and Snapchat. Under the new rules, these over-the-top (OTT) communication platforms must implement continuous SIM-to-device binding, meaning the app will only function if the same SIM used during registration is present and active in the device and it must stop working if the SIM is removed or deactivated.
Together, these developments raise serious concerns for Indian users, especially around data misuse, identity profiling, surveillance and targeted fraud.
The WhatsApp vulnerability, uncovered by researchers at the University of Vienna, showed that the app’s contact-syncing feature could be misused to check up to 100mn (million) phone numbers per hour and identify which ones were active on the platform. Attackers could also access profile photos of 57% of users and the ‘About’ text of 29%. Meta has now introduced rate limits, but the flaw reportedly existed for years, long enough for cybercriminals and data brokers to take advantage.
For Indian users, the threat landscape is even more complicated. One fine day, the Union government ordered SIM binding for apps and later decided to mandate (enforce) mobile manufacturers to pre-install Sanchar Saathi, a government-linked app that tracks SIM cards, devices, and user activity. The move was presented to help users block stolen phones, verify international mobile equipment identity (IMEI) numbers and protect themselves from telecom-related fraud.
Although the stated goal was to reduce phone theft and SIM-related fraud, the compulsory installation — and the fact that users could not delete or disable the Sanchar Saathi app — effectively expanded the government’s ability to collect, centralise and potentially misuse large volumes of data linked to every mobile number.
The government often cites high download numbers for Sanchar Saathi, but many of these come from misleading messages urging people to install the app ‘to avoid being scammed’. Faced with official-sounding warnings, many Indians download it without question — the same blind trust that criminals exploit in ‘digital arrest’ scams.
The official release claimed that the app’s adoption had surged, with 14mn downloads and 2,000 fraud incidents reported daily through citizen participation. It also highlighted a spike of 600,000 new registrations in a single day, describing it as 'an affirmation of faith by citizens'.
Unfortunately, despite these assertions, the app's real-world performance has been inconsistent. Users frequently report issues such as failed registrations, broken SMS verification processes, app crashes and forms that do not accept required data.
This U-turn was more than a policy correction — it exposed just how fragile public trust in digital systems has become. When people are unsure whether a government-approved tool is truly optional or fear their data might be misused, the very basis of 'digital trust' begins to collapse. Ironically, an initiative meant to improve cyber safety ended up deepening the distrust instead.
This is how the digital trust deficit harms ordinary users:
- People grow wary of every new app or update, even when it is completely legitimate, because past experiences have weakened their confidence.
- Official alerts, security tools and warnings stop being trusted, leading many to ignore even genuine protections.
- Vulnerable groups — older adults, first-time digital users and those with limited tech exposure — are pushed further to the margins, making them even easier targets for scams.
- Cybercriminals exploit this fear and confusion. A supposedly ‘government-approved’ app that is switched on by default can lull people into a false sense of safety — or make them so distrustful that they avoid all updates, creating new openings for phishing and fake-app fraud.
In short, mistrust fuels abuse and abuse deepens mistrust — creating a cycle that becomes harder to break each time.
Cybersecurity Is Essential but Not Enough
Strong cybersecurity is still the backbone of digital trust. It safeguards data, financial transactions and personal identities from unauthorised access. For businesses, solid security practices also help build customer confidence, strengthen brand reputation and create a competitive edge.
But today, cybersecurity alone cannot close the trust gap. With artificial intelligence (AI)-driven threats such as deepfakes, spoofing and sophisticated phishing attacks, combined with third-party risks and sprawling digital ecosystems, organisations need to move towards zero-trust models — constant verification, internal checks and no assumptions of goodwill.
More importantly, real trust is built through transparency, ethical handling of data and continuous user awareness, not just technical defences. Even the most secure system can feel coercive if it is opaque or forced on users. Protection without clarity does not inspire trust — it undermines it.
Here Is How You — the Common User — Can Protect Yourself
The digital world is messy and fraudsters are getting smarter. Just remember, your mobile phone number can now map your digital footprint across platforms — and cybercriminals and fraudsters know it. Even without accessing your WhatsApp chats, attackers can weaponise exposed data in several ways: they can launch personalised phishing scams by mimicking friends, banks or trusted brands; impersonate you to family, colleagues or clients using your profile photo and ‘About’ text; run targeted business scams such as fake invoices or chief executive officer (CEO) or managing director (MD) impersonation; cross-link your identity with past Aadhaar, PAN, Facebook or telecom leaks; profile you for fraud, extortion or long-term identity theft; and even exploit centralised datasets — including those connected to Sanchar Saathi — if they are ever breached or misused.
But you can stay ahead by following a few simple habits:
- Treat your phone number and personal details as private, not as public IDs. Share them only when necessary.
- Use strict privacy settings on apps. Set your profile photo, last seen and ‘About’ information to ‘Contacts Only’.
- Don’t trust unknown call-centre numbers or unsolicited links. Always verify through official websites or helplines.
- Pause before clicking, opening or installing anything. Check who sent it, verify the file name to make sure it does not contain a hidden .apk (Android package kit) file, read the permissions and confirm from the official source.
- Don’t rely blindly on caller ID or display names. Both can be spoofed or faked.
- Enable multi-factor authentication (MFA) on all banking, email and social media accounts.
- Keep your phone and apps updated. Older software often contains security gaps that attackers exploit.
- Never share OTPs, MPINs or passwords. Legitimate organisations — especially banks — will never ask for them.
- If something feels urgent, stop and verify. Scammers count on panic and rushed decisions.
- Educate yourself and your family about deepfakes, phishing attempts and AI-driven scams. Awareness is your strongest defence.
The Sanchar Saathi episode should serve as a wake-up call. Cybersecurity tools by themselves cannot rebuild trust — transparency, consent and clear communication must be at the heart of every digital initiative.
Until that becomes the norm, every user has to act as their own first line of defence. In a world of rising threats and constant uncertainty, trust cannot be taken for granted. It must be earned, verified and protected.
Stay Alert, Stay Safe!
