Cybercrime poses a burgeoning threat in India, impacting millions of individuals and organisations. According to the National Crime Records Bureau (NCRB), cybercrimes in India in 2023 resulted in a staggering loss of ₹66.66 crore, with 4,850 reported cases. A recent report by the Indian Cybercrime Coordination Centre (I4C) revealed that digital financial frauds accounted for a staggering ₹1.25 lakh crore over the last three years. According to the National Cybercrime Reporting Portal (NCRP), in 2023, at least ₹10,319 crore was reported to be lost by victims of digital financial fraud. The Parliamentary standing committee on Finance in its report on “cyber security and rising incidents of cyber/white collar crimes” mentioned that the domestic fraud as reported by the SE (Supervising Entities) in FY’23 was ₹2537.35 crore. According to the report, the number of complaints received in 2023 alone was 6.94 lakh.
Some of the problems faced during investigations are highlighted here with solutions for both prevention and detection of online financial frauds.
How digital frauds work
While various names have been given to diverse types of frauds, the general modus operandi of a fraudster is any one of the following: (a) convincing the victim to send money, either by impersonation (fake WhatsApp/FB/Insta, social media profiles) or by giving them a false promise of greater return (investment, crypto, held up custom package etc.)
(b) by taking credentials such as Unified Payments Interface ID (UPI), Personal Identification Number (PIN), One-Time Password (OTP) or Internet banking ID/password from the victim and then using the same on other apps/websites and transferring money without the knowledge of the victim. For this the customer will either be given a fake link which looks exactly like a UPI app screen/banking website or the victim will be conned into installing a screen sharing app. The scammers can also convince the victims over phone to give out those details. When these details are used on official banking apps this gives the fraudsters access to even the Fixed Deposits/Recurring Deposits which are also siphoned out in most cases.
(c) by taking card details and convincing the victim to share OTP.
After the scam
After a fraudster empties a victim’s bank account, the money undergoes a series of circulations in broadly three stages. The first stage is a temporary account into which the fraudsters transfer victims’ money. This account will be used to receive money from various other victims as well. From here, the money is then transferred into a second stage account. The second category of accounts are a group of accounts among which money is circulated. There are a lot of middlemen who are money circulators. Their task is only to receive money from first level bank accounts for a nominal cut. The victim’s money is then split into small parts and then circulated within these accounts, by a person who is sitting in a different corner of the country. After sufficient churning, the money is then transferred into a third stage account which is a sink account. This can be a bank account, an e-wallet etc. Here, the total defrauded amount from a group of victims is re-collected. The money is then withdrawn in a large chunk through conventional methods of either ATMs/cheques or e-wallet cash outlets such as an e-wallet payments bank.
How can frauds be prevented
Most frauds can be prevented with some basic technological interventions:
As a first, just as how Google accounts do not allow logging in from a new device unless permission is granted by the former, financial institutions must be mandated to replicate this feature in their apps. As soon as a UPI ID, password or OTP is entered in a different device, an alert must be generated in a previous device with no further action being allowed until it is approved by the person. Secondly, the screen share facility must be disabled. Banking and financial apps must disable screen-sharing to run on top of them. And finally, in the bank statement, all banks/NBFCs/SEs must be mandated to provide comprehensible data. Currently only partly printed numbers are shown which even knowledgable customers are unable to understand. The transaction description must contain the receiver’s account/mobile or any other identifying number irrespective of it being within the same bank or to an outside bank.
One of the biggest hindrances law enforcement agencies face is in following the money trail. The siphoned off money hops across bank accounts and wallets within minutes but supervised entities/banks/NBFCs/wallets are not able to give the required details to agencies with the same speed. Most of the crime is reported after 24 hours of the commission. Due to stress and trauma most victims end up deleting much of the evidence from their devices/phones. By the time a money trail is established the money is already withdrawn from the system and there is no way to either identify the person or recover the money.
Speeding up information access
Certain basic changes to the form of data provided to enforcement agencies can help in minimising delays:
(a) the banks/NBFCs/SEs must be mandated to provide data in a predetermined format with all the terms explained. The data must be given in a CSV or XLSX file. For example, the CDR (Call Data Record) shared to enforcement agencies has a fixed format and fixed file types, such as .CSV or .XLSX. Currently the banks give the statement either in a printed hardcopy or in PDF format. This causes huge inconveniences to the investigating officers. Most tech-savvy officers are often held back only because they do not get the data in a usable format. (b) The International Mobile Equipment Identity (IMEI) must be recorded. All banking and financial apps must be mandated to save IMEI details of the device being used. Fraudsters use fake mobile numbers and fake bank accounts which span across different States with the goal of adding layers to increase anonymity and preventing agencies from prosecuting them. Thus, the IMEI becomes crucial evidence in determining the device and its location. Recording IMEI will make for stronger evidence in establishing a device and its connection to fraudsters in a court of law.
The road ahead
The Bharatiya Nagarik Suraksha Sanhita 2023 which is set to replace the Indian Penal Code of 1861, recognises ‘organised crime’ as a “continuous unlawful activity”. Digital financial frauds are very much covered in this definition. Law enforcement agencies face a lot of difficulties in conducting interstate raids and arrests. It requires a large team and coordinated effort. Interstate digital financial fraud networks must be recognised as a serious crime and bail may be restricted by the Courts. Additionally, digital frauds create a considerable amount of black money when seen from a macro-economic perspective. In conclusion, cybercrime being a subset of crime in general can be dealt like conventional offences, albeit with a different set of tools. Instead of a specialised unit, if the fintech and telecom industries are mandated to take certain preventive steps in their technology and provide data in a manner which enables speedier investigation, the prevention, detection, recovery and conviction will be much more effective. Faster availability of data will make it easier to identify and convict pan-Indian gangs.
The author is an IPS officer, currently posted as Addl DCP, Delhi Police.
