Cybersecurity services and product companies are booming in the Indian business market during the pandemic, with startups reaching valuations of over USD 100 million (1). However, ordinary people are still suffering at the hands of fraudsters, who can easily access their victims' digital wallets, internet banking, and recently created UPI identities. There are no solutions for such frauds since there is no central authority to respond to cybercrime.
Even when state police handle cybercrime-related matters, scammers are still sitting miles away, sometimes even outside the state or union territory, and many times outside the country. So what can an individual do if he has been duped online or harassed by scamsters via encrypted VoIP calls?
While the Ministry of Home Affairs has set up a national portal to report such crimes, it still falls within the state police domain (2). And there is little to no coordination between police authorities across state lines in India. The police of the other state could shield the local mafia, while the police where the crime occurred would have little to no authority over the matter.
Another problem is tracing the money in vishing crimes, since scammers use the bank accounts of people who are neither aware of the entire operation nor agree to such scams for a share.
The Netflix series Jamtara (3) was one of the classic examples of organized vishing crimes. However, there are plenty of other Jamtara-like towns in India.
Another type of such attack is the lottery scheme, where scamsters send videos on WhatsApp and people are tricked into calling an unknown WhatsApp number.
When users call such numbers, the scamsters ask for an initial deposit to collect the lottery amount, usually requiring an initial payment of around 25000 INR to 30000 INR.
According to open-source intelligence analysis, such criminals are located in remote villages in Maharashtra, Bihar, Chhattisgarh, Jharkhand, and West Bengal. These fraudsters then target users of another state (4).
There is no central cybercrime coordinating agency in the country, and the resources of the state police departments are also limited.
This is concerning, since organized cybercrime is mushrooming exponentially in the nation (5).
Fear and Greed
Fraudsters use fear and greed as the primary triggers to bait victims. With the coronavirus pandemic already causing a surge in fear, extended lockdown messages seem to have worked wonders for scammers, with even the most knowledgeable and cautious falling prey to online frauds.
The evolved methods of committing e-fraud leave victims baffled. A user with a digital wallet would believe that he is completing KYC while criminals are siphoning out his bank account balance. The same scenario applies to debit card scams. With credit cards, there is still some opportunity to protect against or limit the damage.
However, the present systems are ill-equipped to recover the criminal spoils once the money leaves the victim’s bank account.
Hence prevention is the best cure in such cases, since each scam relies on the victim taking the bait. The scamster's first bite is a victim responding to a vishing or phishing attack. The second is a test run for payment. The first payment is always a small sum. If the victim makes the payment, the scamsters demand larger sums. If a victim resists, they use the classic modus operandi of threatening the victim with forfeiture of the earlier payments.
When dealing with online platforms, always check for 'HTTPS' and the padlock. Another verification step is checking certificate ownership. Users must check all three and not only one, since criminals are now finding ways to fabricate and circumvent these checklist safeguards.
Even with email, the user can get an indication of fraud by checking the full email id. A fraudulent email id usually carries a user name at a general service provider and is not issued by the organization. For example, a bank id is most likely ‘Bankname@bankname.com’, whereas a fake id would be ‘Bankname@service provider.com’ (service providers may be Gmail or other options). These are scam indications.
Users also receive calls, messages, or emails with an offer that is too good to be true. Always question its legality. If anyone asks you to share the OTP for verification, stop there immediately and do not share it. Do not pay any advance for any alleged benefits, be it a loan, promised employment, or lottery.
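The sender check described above can be automated. The following is an added example, not part of the original article; the function name `check_sender`, the verdict labels, and the short list of general-purpose mail providers are assumptions made for illustration, and the sample headers are constructed.

```python
from email.utils import parseaddr

# Assumption: a short illustrative list of general-purpose mail providers.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def check_sender(from_header, org_domain):
    """Compare the domain in a From header with the organization's own domain.

    Hypothetical helper; returns one of the verdict labels used below.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    org = org_domain.lower()
    # Exact match or a genuine subdomain of the organization's domain.
    if domain == org or domain.endswith("." + org):
        return "organization"
    # Does the sender present itself under the organization's name?
    brand = org.split(".")[0]
    claims_brand = brand in local.lower() or brand in display.lower()
    if domain in FREE_MAIL:
        return "impersonation-free-mail" if claims_brand else "free-mail"
    # Brand name embedded in a different registered domain.
    if brand in domain:
        return "lookalike-domain"
    return "impersonation-other" if claims_brand else "unrelated"

# Constructed sample headers, checked against the article's placeholder bank.
SAMPLES = [
    "Bankname Support <bankname@bankname.com>",
    "Bankname <bankname@gmail.com>",
    "alerts@mail.bankname.com",
    "Bankname KYC <kyc@bankname.com.example.net>",
    "friend@gmail.com",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header, 'bankname.com'):24} {header}")
```

A matching domain is necessary but not sufficient, because the From header itself can be forged; the function only automates the visual comparison of the email id.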
The use of a credit card is a safer alternative for online transactions than using a debit card. It has a clearance window, and if the fraud is detected immediately, it is feasible to stop the fund transfer.
Need for Legal Awareness and Immediate Action
E-fraud victims often feel defenseless and vulnerable. Their immediate reaction is to hide their shame and to assume that there are no remedies. Criminals rely on the ‘shame-factor’ to go scot-free. One victim failing to complain is an encouragement for other criminals to commit such a crime against many.
Victims can pursue plenty of legal remedies against such frauds, including filing a criminal case online on cybercrime.gov.in (6) or seeking remedies before the Adjudicating Officer (AO) in proceedings under Section 46 of the Information Technology Act, 2000 (IT Act) (7).
In such cases, the recovery of monies and property protection is the primary concern of victims. Proceedings before the AO have been quite successful in vishing frauds, especially when a victim’s sensitive personal or financial information has been breached from a bank or organization. Unfortunately, the remedy has not yet been utilized to its full potential.
In cases of banking frauds, RBI has issued circulars regarding banks’ liability in cases of financial scams. The 2017 RBI circular (8) has created two broad liability categories.
The first is zero customer liability, when the bank is at fault or when a crime occurs through no fault of either the bank or the customer. In this case, the customer needs to notify the bank within three working days. In other instances, there may be limited liability or full responsibility with the customer. These include the customer’s negligence in the commission of the crime, such as furnishing banking or financial details to a criminal. Even so, once the complaint is registered, any subsequent losses are borne by the bank.
Hence it is important to report fraud immediately and seek blocking of the compromised digital wallet, payment instrument, or card. Banks must receive and acknowledge such complaints. If a lender fails to receive or register such complaints, there are legal remedies against banks for infringement of the customer’s rights.
Not everyone in the country can pay extra for digital security. Therefore, there is an immediate requirement for a robust mechanism to take action against digital payment frauds. Similarly, firms linked with digital methods enabled by the government, like UPI, must bear certain liabilities in case of scams caused by weaknesses in their systems.
Additionally, the launch of programs for consumer awareness about security-related risks is also required. Regulatory bodies such as RBI and NPCI (9) also need to expand their security capabilities and update their security guidelines to tackle threats.