On May 5 last year, Gurugram resident Umesh Gupta filed a complaint with the station house officer (SHO), Sadar Thana. When his Covid positive cousin’s oxygen saturation had started plummeting, he searched online for oxygen cylinders. That is when he got a WhatsApp forward about a ‘Mr S. Dasgupta’ who was selling cylinders. On May 1, after speaking to him a couple of times, Umesh advanced Rs11,000 to Dasgupta’s SBI account. The deal was that the cylinder would reach him within two hours of the advance being credited. But no cylinder was delivered. Umesh called Dasgupta several times, only to be brushed off with vague explanations. The next day, Dasgupta called and demanded another Rs12,000. A suspicious Umesh got a few of his friends to call Dasgupta for cylinders. Each time, Dasgupta would give different account numbers under different names. He also stopped picking up Umesh’s calls.
When the SHO took no action, Umesh got an attorney at the Gurugram district court to appeal to the the cyber cell. The cyber cell ignored it, until the attorney moved court. A few weeks later, the judge asked the cyber cell for a status update. “The person from the cyber cell was very rude,” says Umesh. “He seemed unhappy to register my complaint. Right now, I am not pursuing the case to get my money back. I just want to make sure no one else gets cheated by these people.”
Umesh’s case is not an isolated one. Fraudsters are dime a dozen, offering everything from free coaching classes, online discount coupons and “Rs20 lacs loan in just few clicks”. According to the National Crime Records Bureau, cybercrimes jumped by almost 84 per cent in two years—from 27,248 in 2018 to 50,035 in 2020.
Even more damning is a global tech support scam report released in July 2021 by Microsoft. Of the 16 countries surveyed, India reported the most number of people who lost money through these scams. Thirty-one per cent of Indians who continued with scam interactions said they lost money in 2021.
Ramanuj Mukherjee, a lawyer-turned-entrepreneur who founded a pro bono legal platform called ‘Lawyers Against COVIFRAUDS’, says that it is extremely difficult to nab these fraudsters. One of the reasons is that there is no comprehensive cyber law in India. “We have only one law that governs cybercrime—the Information Technology Act,” says advocate Heena Joshi, a member of Mukherjee’s team. “This act is not limited to crimes in India; fraudsters in other countries are also liable to be punished under this act. Unfortunately, this is not implemented because the cyber portal in India does not allow you to register international numbers. This means fraudsters are misusing international numbers, even from within the country, to commit these crimes.”
Another reason is that many of these scams involve multiple states. If you file a case in one state and the scammer is in another, the police is most probably going to drop the investigation. The coordination across state borders is not great, says Mukherjee. Out of the 17 cases Mukherjee’s team took up, money has been recovered only in one. According to the RBI, there were 73,988 card/internet frauds (ATM/ debit/ credit card/ internet banking) reported between April 2020 and March 2021; total amount involved—Rs228.65 crore.
The cyber police, too, express their helplessness in recovering the money and nabbing the fraudsters. “After we receive the complaint, we try to freeze the bank account within 24 hours,” says G.R. Radhika, superintendent of police (Cyber Crimes), Andhra Pradesh. “But by then, the money is routed to multiple other accounts. It is very difficult to arrest the accused because most of the documents submitted to the bank are fake.”
It does not help that Indians fare extremely poorly on cybersecurity awareness. In a recent National Privacy Test conducted by global VPN service provider NordVPN, India ranked 19th out of 21 countries when it came to online security habits. Only Turkey and Japan featured below us. Indians fell easy prey to fake online bargains and were found to have poor awareness on information that should not be shared on social media platforms. Almost one-third Indians said they would entertain fraudsters offering to repair their “malware-infected” device; globally, only 4.5 per cent of respondents said they would fall for such scams.
In March, author Rakesh Anand Bakshi googled FASTag and came across a website that promised to deliver it to his house. He paid 02,000 by credit card. Within 20 minutes, he realised that the transaction had been fraudulent because he had not received any receipt by email or SMS. Within an hour he had blocked the card. He kept calling the number on the website every 20 to 30 minutes. At first, a girl answered the call and he demanded to have the transaction reversed at once. She said she would look into the issue. “But the problem is that they keep changing numbers. They destroy several SIMs a day,” says Rakesh. “I should blame myself for losing the money. Even while I was filling in my details, I knew there was something wrong. The website had the same look as ICICI Bank’s. Even the colours and the logo looked genuine. They fool us by adeptly duplicating these things.”
What happened to Rakesh is just one of the dozens of scams that are doing the rounds. Some of them include SIM swap/SIM cloning, where fraudsters pose as staff from the service provider and ask for details to upgrade mobile connections from 3G to 4G. After they get access to the SIM, or obtain a duplicate SIM, they carry out digital transactions through the OTP received on the duplicate SIM. Then there are frauds on online selling platforms, where fraudsters show an interest in your product. Instead of paying for the product, they use the “request money” option on the UPI app to steal money from your bank account. There are countless other scams—UPI phishing scams (where fraudsters send an email or SMS containing unauthorised links), fake cash-back scams, scams using screen-sharing apps, scams through unsolicited emails, redirect-to-website scams, scams through pop-up ads or windows….
“Most of these scams started spreading after demonetisation, when people started using online payments,” says Anand Prakash, an ethical hacker employed by companies like Facebook and Uber. “With Reliance Jio, everyone had 4G connections and people started understanding how things worked online. Earlier, in the days of net banking, there were a lot of steps to transact money. Five years ago, you would never have a provision for QR code scanning in stores. With UPI and online payments, everything became extremely easy. But with more ease comes more risk.”
According to him, the scammers are 50 to 100 member gangs spread countrywide. They create multiple bogus accounts in different places to bounce money around before collecting it, so that the trail grows cold and it becomes nearly impossible to track it. “It is definitely happening on a large scale,” he says. “I myself get around 20 requests a day from victims.”
One kind of fraud which has seen a sharp rise in recent times is crypto fraud. There are many fake websites that offer to generate large profits by investing in cryptocurrencies. Ongole, a small town in coastal Andhra Pradesh, has witnessed a sharp rise in these frauds. Radhakrishnan (name changed) from Ongole tells us how he was scammed into trading in crypto. He chanced upon a website offering a variety of cryptocurrencies that assured a profit of 5 to 10 per cent in under two days. He initially invested a few thousand rupees and made a significant profit in just a few days. Elated, he encouraged his cousin also to invest Rs5 lakh, and became eligible for a referral bonus. The rising value of their investment kept the duo happy. A while later, a slight change in policy was conveyed to them—a minimum lock-in period of 30 days would apply to large amounts. After a few days, they realised that their account had become inactive. There was no further communication from the other side.
“There is no way one can properly monitor cryptocurrencies,” says D. Sai Satish, a cybersecurity expert. “A person sitting in Malaysia or Singapore could be running these fake websites. Cryptocurrencies can be easily used in money laundering.”
A woman was watching a movie on her computer when a pop-up ad appeared on the desktop, saying that her PC was locked and she had to call a particular number to unlock it. She calls the number mentioned in the ad, and a man called ‘Luke’ picks up the call.
“Is this your personal computer or your family computer?” asks Luke.
“It’s a work computer,” she replies.
“Do you have an IT guy in your office?” asks Luke.
“No, I brought my office computer home,” the woman replies.
“There will be a one-time charge if we fix the problem for you today,” says Luke.
“Why would my computer be locked in the first place,” asks the woman. “I was just watching movies.”
“Could be that there was a virus on the online movie website,” replies Luke.
“How much is the charge?” asks the woman
“50 pounds,” replies Luke.
In reality, Luke is Lalit C., a scammer sitting in a Delhi building housing a fake travel agency called Faremart Travels, a front for a scamming business. These scammers buy malicious adverts which claim that your computer has a virus and then lock your PC. The adverts then appear as pop-ups on the victim’s computer so that he or she is forced to call the number on the pop-up to unlock the PC.
The main building in Delhi hosted legitimate businesses. Behind that building, however, was another one where the scammers—numbering from two to 22 depending on the time and day—sat. If the police ever raided the main building, they would find nothing illegal. The alleyway between the buildings was used by the scammers to move between the legitimate and sham businesses.
Last year, however, their scam backfired spectacularly, because the man they were trying to scam was an Irish ‘scam buster’ who goes by the pseudonym, Jim Browning. When the scammer tried to connect to Browning’s computer, he was able to reverse the connection and see exactly how these scams were conducted through the CCTV camera installed in the building. What Browning captured and uploaded on YouTube was one of the most detailed exposes of a tech support scam. The company’s Paypal account showed that thousands of dollars were being transferred into it every month from victims in the US, the UK and Australia. Faremart made $3 million a year through these scams. Browning shared the footage with the BBC, which made a documentary on the call centre. This prodded the police to close it down and nab the CEO of Faremart, Amit Chauhan, a globe-trotting ‘entrepreneur’ whose Facebook page showed him vacationing in Germany, Amsterdam, Singapore and a number of other places.
There are hundreds of such sham call centres in the country, most of them clustered around Delhi and Kolkata. The scammers operate a highly decentralised network, where each aspect of the crime is delegated to subcontractors. “These include sellers of phone numbers; programmers who develop malware and pop-ups; and money mules,” an FBI agent in Delhi told The New York Times.
The police have been busting many of these rackets. But there are many hurdles to making the charges stick. Until these glitches are solved and a robust cyber law is put in place, all there is to do, it seems, is to educate ourselves on the myriad ways in which one can get scammed.
with Rahul Devulapalli