The call came on a Monday afternoon in July. Ashok* had just had lunch at his Bengaluru home when the unknown number blinked on the phone. A voice – automated, he thought – said that a Fedex package in his name was blocked at the Mumbai airport. A minute later, a human voice began speaking, telling him that the package contained illegal items like multiple passports and 50 grams of MDMA. In the next few hours, Ashok spoke to more than one person through different calls, people posing as officials of the police and narcotics bureau. Credentials of an officer in the rank of an SP were shared, which convinced him. By evening, he had transferred more than Rs 3.6 lakh, as advised by “the officials” to prove his innocence.
He was told that fake accounts were opened in his name and the RBI had to block all these accounts. He was then asked to share the details of the accounts that belonged to him. After that he was asked to transfer a certain amount of money to an account held by the RBI upon which the RBI would "start analysing that account for fraudulent transactions."
He then began transferring the money which they convinced him would "trigger automated analysis by RBI servers on prior fraudulent transactions." They told him the money would be restored to his account in 15 minutes or so, after verification. But the promised refunds were never made. His police complaint the next day too has not helped in recovering the money so far.
Ashok is a victim of social engineering attack, a psychological manipulation to trick users into making payments or giving away sensitive information compromising their cyber security. What he went through is the coercive type of social engineering as opposed to the less harmful tactic of forcing people to part with their money through fake messages to help a friend or for charity. And it can happen to anyone, including young IT professionals like Ashok.
A woman, also an IT professional based in Bengaluru, was deceived using a similar technique. She was told of a Fedex package in her name containing MDMA and in a Skype call, showed a person who they claimed they had arrested and that he gave them her credentials. Panic-stricken, she transferred four lakh rupees.
P Prakash, Inspector General of Police and nodal officer of Kerala Cyberdome, says these are the two methods (coercive and charitable donations) by which most of the defrauding incidents – of which there has been a sharp increase in recent years – happen. In Kerala, the number of cognisable cyber crimes went up from 307 in 2019 (the year before COVID-19 struck) to 815 in 2022 and to 685 up to June 2023.
“It has increased multi-fold since COVID-19 struck, because a lot of people switched to online banking, to UPI payments, making it easy for fraudsters to get a large amount of money transferred in a short time,” he says, citing the example of a senior citizen in Pathanamthitta who lost Rs 30 lakh in a matter of two hours and another man in Thrissur who was tricked into sending lakhs of money under a false charge. The man in Thrissur was told he had uploaded child porn on the internet and that he would be in trouble with the cyber police.
Several cases have been reported where fraudsters impersonate officials of law enforcement or utilities to scare people into giving up money. Last month, a 78-year-old man in Thrissur lost Rs 4 lakh after he was tricked into installing an app by someone posing to be a railway official. He had opened the wrong website in place of IRCTC to cancel a train ticket upon which he got the call instructing him to install the app. The app turned out to be a spyware through which his phone could be accessed. Once they had his bank account details they accessed the account and withdrew the money.
Basically, they exploit the fear factor, says cybercrime investigator Pattathil Dhanya Menon. She speaks of cases in which people get calls or emails claiming that their utilities like electricity will be disrupted or a rail ticket cancelled if they don’t transfer money immediately. “Many users don’t know how these things work. They think maybe this is how bills are generated and this is how you pay them,” Dhanya says.
The scammers use bulk sim cards using fake profiles and then use these numbers for their operations. There are also private companies that provide virtual or internet mobile numbers which are not easy to track.
“People panic and immediately do what is asked of them, especially when the calls come from what they think are law enforcement agencies,” Prakash says. But the law enforcement agencies will never make such calls, asking for money, he says.
There is also the less persuasive method of getting people to part with their money by using a genuine cause for raising funds and creating fake pages for it. Prakash talks of a case where a child’s accident in Thiruvananthapuram led people in the neighbourhood, including the MLA, to begin a fundraising campaign on social media. However, fraudsters began a fake page for the same cause and collected funds, forcing the original fundraisers to shut down their page.
Kerala even had a case of deepfake scam when a man in Kozhikode was made to believe through a video call that his friend in Dubai urgently needed money. The fraudster used AI to impersonate the man’s friend.
Srikanth of Cashless Consumer – a collective that researches digital payment frauds -- talks about the time there were cases involving impersonation of army officials to extort money from people, during the time of the Balakot airstrike [in 2019]. Even offline, such tricks have been used before, he says, only that it has increased a lot more in the last five years when the UPI user base had considerably grown.
“In some cases, they may have some specific information about the victim coming into money. There are a variety of sources from which you can get a slightly detailed credit profile report if you know the mobile number and a proof of identity like Aadhaar or PAN. It is hard to track down, until you catch hold of the fraudster, how they get the list in the first place. But in most cases, it could be a random selection. They may make many hundred calls out of which a few work,” Srikanth says.
There are also cases where the perpetrator spends time befriending an individual on social media, earning their trust, before making a convincing plea for money. In August, a 40-year-old woman in Thiruvananthapuram ended up transferring more than Rs 13.5 lakh to help “an online friend from the UK” after someone posing as a Customs official from Mumbai called her and said he was in trouble. The person in question had befriended her on Facebook and earned her trust before making claims about travelling to India.
But Kerala is still better than many other states, Prakash says since there are no organised cyber crime gangs. There is a cyber police station in every district, there is a portal to report cyber-crimes.
Prakash says that most often people are reluctant to report such crimes because they are ashamed to. “They have to understand that they are the victims here and there is no need for shame. The important thing here,” he stresses, “is to report the crime as soon as it happens. There is a mechanism to deal with these crimes so that the banks or financial institutions can block these money transactions within 48 hours if they are immediately reported.”
Srikanth talks about the basic steps one can take to verify a suspicious number. One can check the caller’s Whatsapp profile, then search for the identity in TrueCaller and finally, find out if the number is on a UPI app, in which it will have to be linked to a legal name. "Fraudster numbers are typically mass-managed. So there is a possibility that you may get a call from someone posing as a Fedex agent and when you check the Whatsapp profile it might say insurance professional. It could mean the same number was used by another fraudster for a health insurance scam," Srikanth says. But there are smart ways of duping all of this and even on a UPI app, they may get away with giving the credentials of another person to create a bank account. The fraudster may use the same name to match it, he says.
Even these methods become useful only if the number you get a call from is on Whatsapp or a UPI app or TrueCaller.
Dhanya says it is always better to cross check real time before making any kind of payment online. "Every person needs to understand the dynamics of online payment and the tricks used to syphon off money from bank accounts,” she said. Often the victim is tricked into installing an app or clicking a link which will then install spyware on their phone. The spyware can then connect to the phone banking apps that may be installed on the phone and make money transfers.
One reason why scammers are able to effectively pull off such deceptions is because they are trained in it. Professional cyber fraudsters train others in social engineering attacks, Prakash says. To combat this, there has to be a lot of training on the policing side too. Kerala has three cyber domes – in Kochi, Thiruvananthapuram and Kozhikode – where police officials are trained to deal with cyber-crimes. It is also imperative that police agencies of the different states coordinate to track the criminals, since they may work from any remote location nationally, or even internationally.
The Indian Cyber Crime Coordination Committee (ICCC) dealing with cyber-crimes has been taking measures to control the issue of bulk sim cards and addressing other methods of social engineering.
The helpline number to report cyber-crime in India is 1930.
* Name changed