The RBI report for the year ended March 2022 has said that card and internet frauds worth $1.55 billion were reported in 3,596 cases. Yet, another RBI report says that in the past seven years India lost at least Rs 100 crore to banking frauds and scams.
 
While the public at large lacks awareness on the modus operandi of fraudsters, banks too have been slow in upgrading their security systems to counter tricks of fraudsters.

Another recent survey has said that 50% online frauds are happening through UPI which in numbers translates to more than 25-30 billion.

In the latest edition of ‘Checks and Balances’, Geetanjali Minhas of Governance Now spoke with a panel of technical and cyber experts as well as officers of the Mumbai Police on why such frauds are increasing and safeguards users need to apply against losing their money.

Watch the programme here: https://youtu.be/4_T1YStPg6Y
 
Giving out numbers, Balsing Rajput, DCP, Mumbai- Crime Prevention and Detection, said that during his PhD research he studied data from 2000-2020  and found that 60% online crimes related to illegal gains or financial advantage to the criminals and remaining 30% related to women and children including stalking, bullying, ‘sextortion’ etc and 10% related to hacking etc. Crimes through debit and credit cards are at the top, followed by ATM, e-wallets, UPI-based wallets, sextortion, loan frauds and morphing. Criminals are forming syndicates and setting up call centres in an organised nature. This is easy money for criminals in cyber economic crime.

He further said that data (user and meta) is breached and available in market. This data is then used by criminals to call people. “Crime is psychological and done by hacking human mind by engaging people in talking, asking for passwords, OTP, PIN etc, etc,” he said.

Rajput said devices should have anti-virus, safe apps, passwords, patterns and personal information should not be shared on phone. Unnecessary and unverified apps should not be downloaded as they pick up data. He advised against clicking on links received on phones as that gives route access to fraudsters as seen in OLX and payment frauds. Passwords should be changed regularly. Users must be aware and sensitive of devices they are using.
 
Asked about any ideal place to store passwords, he said there is no such place. Some passwords can be memorised and some stored in some place at home.

Speaking on challenges faced by police, he said evolving technology and frauds are also new to the force and decoding technology used by perpetrators is posing a challenge to police too. While there is shortage of trained manpower and retaining them, training is being given to police personnel. The complex global cyber fraud ecosystem faces jurisdiction issues and requires a lot of time and efforts to get data from companies located abroad. Encryption and VPN pose technological issues.   

He said the current IT Act needs amendments as some serious crimes not covered in IT Act. The Act provides for an officer of the rank of police inspector to investigate cybercrimes when their numbers are less, the load and complaints are huge. He also said that India needs to have a data protection law.

Maharashtra at present has 47 cyber police stations. He advised aggrieved citizens to file online complaints on the GoI portal, www.cybercrime.gov.in, or on pan-India helpline – 1930 – even as police is upgrading its own infrastructure.

Here, Hemraj Singh Rajput, DCP, Mumbai, Cyber, too said that their department has seen an increase in complaints with regards to online loans, sextortion, investment, crypto, electricity bills etc, and the modus operandi of fraudsters is same. “Such crimes are happening as citizens are sharing their personal data with the caller. Fraudsters play mind game and plays with psychology.”
 
As an example, he pointed out that no company representative will call from a personal number. In such cases they have seen calls coming from personal numbers and conmen engaging in conversation for 15-20 minutes. Here citizens must be vigilant and question if a particular company has so much time to waste on a single customer for only a certain amount but instead, they end up losing money.

He said that the city has adequate infra and manpower. “Mumbai has five regional police stations with 40 trained officers and 90 trained personnel. Our officers are taking care of frauds where amount is more than Rs 10 lakh.” Additionally, Mumbai has also connected to the ‘1930’ national helpline.

“Our mobiles are our Safes. Just as we don’t share our info with strangers, we should not share the key to our safe with strangers calling on phone. Citizens should look up websites of service providers and not search engines where info can be potentially tempered with by cyber fraudsters,” he advised.

NS Nappinai, a Supreme Court advocate, founder of Cyber Saathi and author of the book ‘C Sassy Tales’ on trending cyber crimes, said that the impact of cybercrime is most on the common man at the bottom of pyramid.

She said that cyber laws are scattered in general laws and there is a need for a precise and effective legal framework which everyone can understand. Originally, the IT Act was framed to enable e-commerce and did not have cybercrime as its focus notwithstanding the fact that many cybercrimes had already taken place. Subsequently amendments were made.
Batting for a new law keeping with current requirements, Nappinai said, “Laws are meant to be dynamic. Instead of choosing a band aid syndrome of repairing existing default mechanism we should come up with a robust law.”

She further noted that despite taking  customers’ KYC documents there are repeated calls from banks to verify or update KYC. Banks and corporate entities are actually socially engineering users to fall prey to cyber as the same modus is used by cyber criminals. In a situation where banks, corporates and government are repeatedly asking for same details when we are moving towards Digital India, how can a user know that certain action can be done in certain instances and not in others?

Putting the onus of responsibility on RBI, Nappinai, who has been working with the government of India on capacity building and policy work for more than two decades, says merely putting out circulars on digital payments safety is not enough. There are no directives to banks, payment systems etc., to explain to customers about trending crimes, customer rights and remedies and how they can avail them. Often, once the money has gone out of the banking system and gets siphoned off, it is very difficult to recover the amount despite a good investigation.    

“My suggestion to RBI is to relook regulatory mechanism to protect customer rights. Why are the banks that have not done KYC norms effectively not being penalised? Every single financial fraud involves banking system which a huge gap and not plugged by the regulator. It is high time RBI steps in to take true and effective mechanisms for customer protection now that they have enough precedents across multiple jurisdictions.”

TV Mohandas Pai, chairman, Manipal Global Education and former director of Infosys, however, says that India has a comprehensive law and policy, but enforcement is poor as it requires enormous investment.

“Enforcement has to be at multiple levels… surveillance... put them  behind bars… we have a broken justice system where its take years and years and the cases go on… In the 75 years of our freedom, justice system has been the biggest failure. The poor suffer the most,” he said.

He said that banks have a strong fraud detection system and core banking is working very well. NPCI is a fantastic organisation though it has its share of problems. They should get ethical hackers. UPI is a fairly robust system.

“India is the most digitized country, the number of frauds is large but percentage is very small. Much of online fraud is very rudimentary but the state capacity is not there,” said Pai as he added that police is not adequately staffed. Cases go unreported because victims feel nothing will happen if they report. Customer service attitude should change across India.

He further asked why the government has failed to nab cyber fraudsters when it knows they are operating from Jamtara hub in Jharkhand, a flourishing cybercrime industry and it is easy to track them.

Pai said that the government is a very slow moving organisation. It has taken on too much. It should remove the logjam. People in Delhi still have a colonial attitude. “There should be specialised institutions doing specialised work where people will be paid well. Most brilliant people in the world have become hackers because RoI is high.”

He said that the KYC issue is a management and enforcement issue. Just like Aadhaar, RBI, SEBI etc. should have a common KYC and update details as and when required along the lines of institutions like GST. He also called for having fraud insurance, cyber army, having ethical hackers conferences and prioritising CERT over other things.