The call that can make you a pauper

The next time you get a call on your mobile phone and are told that the Telecom Regulatory Authority of India (TRAI) is about to disconnect your phone, or that a package in your name has been found containing porn or fake passports, do not respond.

Callers may tell you they are from the police, the ED, the CBI or the NCB, they may say that drugs have been discovered in parcels addressed to you. Do not press any number, do not click on any link, do not even confirm your own name. There’s ‘digital’ India for you — where you can be scammed, spammed or slammed (with a prison term) over a phone call.

In the first six months of 2024, the sum total of losses from financial fraud reported on the cybercrime portal of the home ministry and the ‘1930’ helpline stood at Rs 11,269 crore. This figure does not include cases registered separately by state police cybercrime cells.

The Indian Cyber Crime Coordination Centre (I4C) under the Union home ministry (MHA) has projected that Indians are likely to lose over Rs 1.2 lakh crore over the next year due to cyber fraud. As many as 4,000 ‘mule’ or fake bank accounts are apparently being identified daily.

In just three months (March-May 2024), I4C cryptocurrency worth Rs 5.5 crore was purchased by mule accounts and laundered outside the country. As many as 18 ATM hotspots for fraudulent cash withdrawals were identified within the country, as were the use of debit cards of accounts in Dubai, Hong Kong, Bangkok and Russia for cash withdrawals from ATMs overseas.

The ministry of external affairs claims to have rescued 250 Indians from Cambodia, where they had been offered employment and then forced to commit online fraud. Scam compounds have also been recently identified in Azerbaijan.

The range and scale of cyber fraud is wicked. Recently, online tickets — priced between Rs 2,500 and Rs 20,000 — for concerts in Delhi by British band Coldplay and Punjabi singer Diljit Dosanjh were snapped up in minutes.

Soon after, various links appeared on the net offering tickets at amped up prices. Scores of fans actually bought these tickets — ranging from Rs 10,000 to Rs 50,000 — only to realise they’d been had when they were denied entry into Jawaharlal Nehru Stadium, already full up with 30,000 legitimate ticket holders. Some estimates suggest the cybercriminals earned a lot more than the concert organisers themselves!

“The golden age of cybercrime began in the post-Covid era, and is likely to continue for decades,” says cyber law expert Pavan Duggal. Cybercrime typically involves data theft, ransomware, phishing attacks, sextortion, hacking of mobile devices and computers as well as unauthorised withdrawals from bank accounts.

With increasing concerns about mobile and computer hacking, cybersecurity expert Amit Dubey offers a different perspective. He explains that cybercriminals don’t just hack your devices — they hack you, manipulating your behaviour to gain access. Once they compromise you psychologically, you end up doing exactly what the criminals want.

A striking example of this sophisticated fraud is the ‘digital arrest’, which Ruchika Tandon, associate professor of neurology at the Sanjay Gandhi Post-graduate Institute of Medical Sciences in Lucknow fell victim to.

Tandon received a phone call informing her that a parcel in her name, allegedly containing fake passports and drugs, had been seized and an FIR filed against her. She was instructed to contact a police station via Skype. On call, she was taken through an elaborate set-up resembling a police station, where an officer in uniform spoke to her. Next, she was presented in what appeared to be a courtroom, and informed that she was being placed under ‘digital arrest’. She was directed to keep her phone camera on throughout. Any attempt to contact others, she was told, would result in physical arrest.

This fake legal process went on for hours. She was ordered to pay Rs 2 crore as surety to get released on bail. She was given just enough time to visit her bank, withdraw her fixed deposits (FDs) and transfer the funds. After the money was transferred, she was told she was being released on ‘bail’ and was free to go. It was much later that she realised she had been conned. And Tandon isn’t the only one, a journalist with TV channel Aaj Tak also fell for the same trick.

The most shocking case involved Vardhman Group’s chairman and managing director S.P. Oswal. He, too, was ‘digitally arrested’ and ended up paying Rs 7 crore before discovering the deception. Despite having a legal team at his disposal, Oswal was manipulated to the point where he couldn’t reach out to any of his lawyers.

Former UP inspector-general of police D.K. Panda reportedly lost Rs 381 crore in an online trading scam. If true, this would be one of the largest amounts ever lost by an individual to cybercrime in India.

It is a global crisis. Investor Warren Buffett considers cybercrime to be the greatest threat facing humanity today — greater than nuclear weapons. According to estimates by Canadian cybersecurity company eSentire, cybercrime worldwide is expected to reach a staggering level of $9.5 trillion in 2024, even as India (the third-largest economy globally after the US and China) struggles to achieve a $5 trillion economy by 2027.

Cyber fraud involving fake investment opportunities is as rampant as recovering monies lost is rare. WhatsApp groups that appear to be legitimate investor communities — where members share stories of high returns on their investments — are used to recommend an app, prompting others to install it and start investing. Initially, users see their investment growing, but when they attempt to withdraw large funds, the app stops functioning and the money is lost.

Cybercriminals move swiftly, often transferring money across multiple bank accounts before converting them into bitcoin, making it very difficult to track and reclaim the funds converted to cryptocurrency.

Banking regulations maintain that if a complaint is filed with the bank within three days of an unauthorised withdrawal, the bank is required to reimburse the full amount. However, this applies only if the loss is due to a banking error.

In most cases, the fault lies with the account holder, making recoveries few and far between. Banks themselves are not immune to cyber fraud. Cybercriminals recently defrauded a private bank in Mumbai of Rs 40 crore. Despite prompt action taken by the bank, only Rs 32 crore was recovered. Losses claimed nationally amount to over Rs 1,750 crore.

The National Cyber Crime Reporting Portal reported that as many as 740,000 cases of cybercrime were reported between January and April 2024. There was a surge in May, with 7,000 complaints of cybercrime on an average filed daily across the country.

Both government agencies and experts put the onus on citizens becoming more aware and vigilant. Duggal emphasises the need for significant improvements in India’s legal framework, legislation and special courts. However, even he points to the difficulties faced by law enforcers when booking cybercriminals operating from Thailand, Cambodia, Myanmar and other countries, and the problem of legal assistance arriving too late.

The good news is that government agencies seem to know exactly how the fraudsters are operating, from where and through which banking channels. The bad news is that they don’t seem to know how to protect you. You’re on your own on this one.