Recently, the Karnataka police found itself in a rather embarrassing situation after its DGP for the internal security division, AM Prasad, was conned out of Rs 2 lakh by fraudsters through vishing (fake call fraud). In mid-June this year, Assam legislator Utpal Dutta was defrauded of Rs. 14 lakh from SBI bank by cyber criminals. Former IAS officer C V Ananda Bose lost Rs. 3 lakh; an ex-Income Tax officer from Nagpur lost Rs. 68 lakh from his retirement fund. A 16-year-old Delhiite hanged himself after losing Rs. 29,000 to a fraud from an e-linked account, while a 49-year-old homemaker from Bengaluru committed suicide from the shock of Rs. 11 lakh being siphoned off from her account by scamsters.
Over the last few years, while news stories of people being conned or scams involving lakhs of rupees have been reported fairly regularly in the media, there are still thousands of other stories that have gone unreported: of senior citizens, techies, businessmen, homemakers and retired employees losing large portions or all of their savings to cyber criminals. In an era in which even governments are pushing for digital transactions, horror stories of people falling victim to cyber-crimes such as vishing, phishing, fraudulent e-mails, e-lottery scams, social-media scams, online insurance fraud, net-banking insurance fraud and data-harvesting mobile apps have unfortunately become the new normal.
In response to a question raised by Members of Parliament Dushyant Singh and Manoj Tiwari, the RBI said that in 2013-14, 9,500 cyber-crimes were reported; in the year 2014-15, 13,083 crimes related to ATM, debit card, credit card and net banking frauds were reported, while in 2015-16, the number stood at 16,468.
So why, despite the repeated cautions, warnings and alerts by the financial and other regulatory agencies to desist from responding to unsolicited calls, emails or messages, are people still falling prey?
Online scammers are ‘professionals’
Former Mangaluru MLA JR Lobo, who was cheated of Rs. 49,000, said that he was impressed by the fluency of the ‘scammer’ in English. “Although I am aware of fraudulent online scammers and was cautious, I was overcome by his command over English,” he said.
This reflects a common misconception: it is traditionally believed that scamsters, whether online or on the phone, would at some point give themselves away by their poor accent or gaps in their knowledge of IT or banking transactions. On the contrary, many of these scamsters have formally or informally trained themselves in the operational procedures and protocols used in banks or other institutions. Depending on the awareness and education levels of their probable victims, the scamsters frequently change their tone and conversational style to convince their targets.
In several cases, phone scammers have been known to have perfected ‘method acting’: they assume the role of an official from a bank, the income-tax authorities, an insurance company or the customs department, and threaten vulnerable customers with account closure or legal action if they don’t comply with their demands for “fines/penalties.”
All through, the caller maintains an unwavering tone of authority and a fluent command over English or another Indian language. In several cases, the role of a company insider in helping scammers with banking, IT, legal and other account-related details and transactional jargon is now being probed by the investigating agencies.
Even when it comes to imitating the website of an e-commerce giant or financial organisation, the scamsters are meticulous in copying the page layout, with attention to every logo, sign and detail. Unless online customers have an eye for reading basic page details such as the URL (Uniform Resource Locator), which might contain a misspelt word, numbers or additional characters, it is difficult to tell the fake page apart from the authentic one.
Scamsters adapt quickly to technology
Over time, online commercial platforms have evolved to provide some built-in security for themselves as well as their clients, with a variety of customer verification methods and account safe-keeping mechanisms. So beyond a user ID and a password, there are mobile and email OTP (One Time Password), CVV (Card Verification Value), PIN (Personal Identification Number), expiry date (in the case of cards), and similar requirements for authentication.
However, the scamsters have learnt how these mechanisms operate and also how to circumvent them, by cajoling or intimidating their victims (while posing as officials) into revealing exclusive details such as OTPs.
In a recent case, a scammer duo in Delhi successfully withdrew Rs. 11.5 lakh from the account of a Janakpuri resident. The fraudster, through a third-party seller, accessed the account number of the resident in a particular bank, promptly walked to the branch and, impersonating the customer, applied for a change in mobile number. Once the number was successfully registered against the account, they received an OTP for each transaction on their mobile phone and continued to drain the victim’s account without raising any suspicion.
Some fraudsters were also found using the Internet-based platform Voice over Internet Protocol (VoIP) to mask their phone numbers as toll-free 1800 numbers while calling their victims. SBI officials say that the suspects often use features facilitated by Voice over IP. Features such as Interactive Voice Response System (IVRS) are also used by scammers to win the confidence of the clients.
Data-harvesting from social media sites
The amount of personal information that individuals voluntarily share on social media has left cyber security regulators worried. For cyber-criminals, accessing personal information such as photos, mobile numbers, birth date, email and location has become evidently easier. In several cases, cyber criminals have impersonated social-media users to plead for or request monetary assistance from their friends or acquaintances, claiming that they are unable to contact their family and are in urgent need of money.
According to industry estimates, social media presence of Indians is anticipated to reach 25.87 million users by 2019. Late entrants to social media and the elderly may be caught off-guard and are more susceptible to online cons. For instance, in 2017, a 72-year-old Mumbai woman lost Rs. 42 lakh of her life savings after befriending a fraudster who promised her a gift worth Rs 16 crore in return.
In a few cases, several popular brands or organisations have found themselves in an embarrassing position after Internet-peddlers impersonated the business and duped the customers.
Cyber-criminals have not even spared charitable causes; during the recent flood relief efforts in Kerala, online criminals tried to siphon off public funds by opening a fake account in the name of Kerala Chief Minister’s Distress Relief Fund as against the official Chief Minister’s Distress Relief Fund (CMDRF). The ploy could have been hugely successful, but for the alertness of the media, which cautioned the banking authorities, who subsequently suspended transactions in that account.
E-wallets and how they help fraudsters
Given the lax or non-existent regulation of mobile apps, users’ devices such as smartphones, tablets and others have become potential targets for cyber-criminal attacks. These fraudulent apps can contain malicious or Trojan programmes, malware or ransomware that can steal both personal and financial information from the device.
Sometimes, the fake apps themselves purport to offer security updates or similar features, and through them gain more access to information, leading to data theft.
Security systems in place
On their part, financial regulators alongside the RBI have repeatedly claimed to have established a comprehensive Cyber Security Framework for the banks. The financial and regulatory agencies have been repeatedly cautioning users through various publicity drives; they have asserted over and over again that they never ask for user ID/password/PIN/OTP through phone calls/SMS/e-mails and have strictly directed people not to respond to any such phone calls/SMS/e-mails.
Time and again, the enforcement agencies have alerted people against downloading unverified applications, or responding to fake online job offers and SMS/email offers of lotteries worth crores, huge prize monies and valuable articles in return for a fee.
“Even something seemingly as harmless as accepting an ‘unknown’ friend request, or innocently uploading a picture and personal details on social media, can be a step closer to being a victim of cyber crime,” says a police official.
Invest in a reliable anti-virus, firewall and cyber security service provider, which secures your personal computer against viruses, ransomware, malware and spyware, and also provides system backup and recovery. It should provide real-time protection for personal and financial information on a computer.
Choose and use a strong password for all accounts, one which contains letters, numerals and symbols. Avoid using financial or banking sites on public computers or at cyber centres. Never save your user ID and credentials on shared IT devices or public computers. Always make sure you have signed out from devices after use.
As a ground rule, NEVER respond to suspicious e-mails, voice calls, schemes, lotteries, sweepstakes or requests. Do not share online login information or account details. Check the URLs of the sites concerned; seek clarification on the credentials of the information seekers and check with the bank or organisation they claim to be from before acting on any of their instructions or requests.
As a community, we need to educate and share experiences with each other about cyber crimes and their prevention, especially with children and senior citizens. It is easy to scoff at the naiveté of victims, but it is more than likely that they would have been more cautious had they been warned, or had they heard of similar instances.
Be cautious about the information you share on social media. Criminals can often bypass security protocols with the aid of your shared online content, such as your mother’s maiden name, the name of your school, your pet’s name, date of birth, email etc. Change your account settings frequently and be cautious while accepting friend requests or exchanging messages with strangers.
Check your bank statements and online shopping accounts regularly and thoroughly. For any suspicious transactions, contact the establishments concerned through their official channels for further guidance.
What to do if you are a victim of online fraud
Given the number of cyber users in India and the rising incidence of fraud, there are sufficient mechanisms in place to report financial cyber crimes.
In the case of banking fraud involving ATMs, instantly bring the matter to the notice of the banker or the financial institution. RBI’s 2017 notification on ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transaction’ offers ‘zero liability’ for individuals or customers if the fraudulent transaction is reported to the institution concerned within three working days, which means that the onus is then on the banks to reverse the ‘fraudulent’ transactions to the customer’s account.
In case of fraud perpetrated through email or social media, or any other cyber fraud, the matter has to be brought to the notice of the jurisdictional police station or city cyber crime cell, on the basis of which a First Information Report (FIR) will be filed.
When filing the complaint officially with the police, the following must be kept in mind:
- In case of email fraud, the alleged correspondence/full header of the email and material has to be provided by the complainant to the police in hard copy/CD format.
- In cases of social media related crimes, along with the URL, the complainant also has to provide screenshots as well as a hard copy of the alleged content and profile.
- In case of fake call/lottery scam/online transaction/cheating frauds, the victim has to provide the bank statement of the preceding six months to the officials, along with a copy/screenshot of the alleged SMS (or communication) coaxing the victim to act.
- In all the above cases, the victim has to share details of his bank account as well as the alleged account to which the amount has been transferred.