New Delhi: In just over a month, a 78-year-old retired banker from South Delhi’s Gulmohar Park lost nearly Rs 23 crore, his entire life savings, to a network of digital scammers. Between August 1 and September 4, the banker was coerced into transferring this amount to cybercriminals. The retired banker’s ordeal is not isolated. In July, a retired defence personnel in Bengaluru lost Rs 1.8 crore in a similar fraud, and just last week, a doctor in Maharashtra was duped of Rs 7 crore in a digital arrest scam.

These incidents mirror a rising pattern of digital scams ensnaring victims — from businessmen and professionals to actors, retired defence personnel and bankers — across the country.

As per the data provided by the Union Ministry of Home Affairs in parliament in July, India’s cyber fraud losses surged by 206% between 2023 and 2024 — from Rs 7,465 crore in 2023 to Rs 22,845 crore in 2024. The number of fraud cases increased from 24 lakh in 2023 to 36 lakh in 2024. 

According to the Indian Cyber Crime Coordination Centre (I4C), which operates under the Union Ministry of Home Affairs, the losses due to cyber frauds are likely to increase to Rs 1.2 lakh crore in 2025. This amounts to about 0.7% of the country’s gross domestic product (GDP).

In a majority of cases involving digital arrest and other cyber frauds, sensitive personal information of the victims is used to threaten and coerce them into making payments. The retired banker, who lost Rs 23 crore, was falsely informed that his Aadhaar number had been used for activities linked to terror funding.

The Bengaluru-based retired defence officer was told that his Aadhaar number had been used to open a bank account involved in money laundering cases linked to Naresh Goyal, founder of the now-defunct Jet Airways.

Much of this sensitive information reaches cybercriminals through data breaches, phishing attacks, SIM‑swap frauds and leaks from banks or third-party vendors.

“There have been many instances of banks' databases being hacked and customer data being made available on the dark net. The banks report to police only in case of loss of money,” a source at the Kerala Police said. According to Kerala government sources, between 2020 and 2024, the state lost Rs 3,207 crore in 5.82 lakh cyber crimes cases.

Such cases underline a troubling paradox: the very systems designed to protect citizens are increasingly being manipulated against them. Among the most exploited safeguards is the electronic Know Your Customer (e-KYC) process. The objective of the e-KYC process is to enable firms, especially financial institutions, to verify the identity and address of the customer they are onboarding online, to prevent illegal activities like frauds, money laundering and terrorist financing. Ironically, cybercriminals are exploiting the very system to defraud people. 

The process often begins with scammers stealing personal information or creating fake identities and using them to complete the e-KYC process fraudulently. Once verified, they gain unauthorised access to the potential victims’ accounts or use the KYC credentials to open a new account, take loans and apply for credit cards in the victim’s name, resulting in significant financial loss and reputational damage.

At the heart of the KYC process lies Aadhaar, the 12-digit unique identity number used to authenticate individuals. As of February 2025, Aadhaar authentication transactions had reached 14,555 crore, while e-KYC transactions stood at 2,311 crore, according to data from the Ministry of Electronics & IT.

Balancing compliance and innovation

The Reserve Bank of India (RBI), in its master direction on KYC, has made the process mandatory. KYC can be completed through both face-to-face interactions and non-face-to-face digital channels. E-KYC is facilitated via platforms such as the Central KYC Records Registry and DigiLocker. 

Today, over 70% of new retail accounts are opened digitally — a shift that has not only streamlined onboarding but also created significant business opportunities for the KYC industry. 

Cybercriminals are increasingly leveraging the sensitive personal information shared for such KYC adherence to intimidate and manipulate victims into compliance. A common tactic involves impersonating officials from law enforcement or regulatory agencies such as the police, Central Bureau of Investigation, anti-narcotics units or the Reserve Bank of India. Using platforms like WhatsApp or Skype, they initiate video calls and falsely accuse victims of involvement in serious crimes such as money laundering, drug trafficking or human trafficking.

Well-educated and affluent individuals are increasingly becoming victims of cybercrimes, with scammers generally exploiting psychological vulnerabilities and leveraging sensitive personal information to coerce victims into complying.

But how do scammers get access to sensitive personal information?

Fraudsters use various methods like phishing and malware to steal data. They also exploit digital vulnerabilities like unpatched software or weak passwords. Apart from this, there are instances of data breaches at government institutions and private companies. Such data is being sold on the dark web at nominal prices.

The stakes are high because sensitive personal and financial information of over 140 crore Indians is linked to Aadhaar. From permanent account number (PAN), social security details and bank accounts to phone numbers and passports, every aspect of an individual’s identity is connected to Aadhaar. Though the government maintains that the Aadhaar database is fully secure, independent institutions have often raised concerns about the system’s security and privacy. Compounding the risk, data breaches happen at other levels as well.

Over 86% of households in the country now have internet access. While this expanding digital landscape has enabled citizens to access digital services at their fingertips, it has also opened new avenues for cyber fraud, making robust cybersecurity measures more critical than ever.

Identity verification

As cyber threats grow, identity verification firms are becoming key players in protecting the system and ensuring safer digital transactions. Leading companies across sectors — from banks and fintech to retail, IT, telecom, healthcare and e-commerce — engage identity verification firms to verify their customers, employees and other stakeholders’ credentials and data.

The rising demand for digital services, coupled with increasing fraud risks and tighter regulatory scrutiny, has fueled the growing need for identity verification. These systems are now seen as a critical back-end infrastructure for the economy, enabling fast, remote onboarding while significantly reducing costs.

In India, the identity verification business is dominated by start-ups with business growing at an average annual rate of around 20%.

The verification or onboarding process begins when a company initiates it for a candidate or customer. The individual receives a secure link to complete the verification independently.

“In the beginning, explicit consent is obtained to collect and verify customers’ information in full compliance with legal requirements, solely for the purpose of the specified onboarding,” said Ajay Trehan, Founder and CEO of AuthBridge, an identity verification firm.

“As the process progresses, all data collected for verification is automatically purged and never stored, ensuring complete privacy. This approach is communicated transparently to the user to maintain clarity,” Trehan said, explaining his firm’s working. 

The sharp growth of the financial technology sector has been closely linked to the enabling environment for identity verification created due to the Aadhaar ecosystem.

“Identity verification is the crucial first step in delivering digital financial services,” said Fintech Association for Consumer Empowerment (FACE) CEO Sugandh Saxena. 

She noted that regulated technology (RegTech) companies offering identity verification provide technology layers building upon existing public infrastructure.

With fraud techniques evolving rapidly, identity verification firms are introducing new layers of security to protect users while also ensuring a smooth onboarding experience.

Rohit Madan, Partner at Deloitte India, emphasised the broader impact, “Identity verification start-ups are reshaping digital trust by offering agile, tech-driven KYC solutions.”

The identity verification platforms typically use artificial intelligence (AI), biometrics, and real-time data validation to authenticate users and simplify onboarding.

“However, the journey is far from straightforward. Start-ups face challenges navigating fragmented regulations, managing data privacy concerns and staying ahead of increasingly sophisticated fraud. The pace of technological change demands constant innovation yet trust and security must remain uncompromised,” said Madan.

Mukesh Pandey, Managing Director and Co-founder of RupyaaPaisa, a fintech start-up, said the identity verification platforms enable faster customer acquisition. 

For a payments-led economy, identity vendors act as gatekeepers and enablers. “They reduce onboarding friction and costs, unlock new customer bases and enable regulated institutions to comply with RBI KYC requirements for digital onboarding,” said Pandey.

Regulations

While identity verification platforms are not authorised or required to store data, there have been instances of misuse.

There have also been instances of unauthorised use of the sensitive Aadhaar database. The Ministry of Electronics and Information Technology recently cracked down on several firms for alleged use of unauthorised channels. 

“There is an urgent need for the Digital Personal Data Protection Act, 2023 to be effectively implemented so that identity verification firms can be held accountable for failing to protect personal data or for sharing or selling it without consent of the customer/client,” said Rajiv Chugh, Partner and National Leader Policy Advisory and Speciality Services, EY India, which offers KYC services. 

“Regulations should ensure that data collected and verified for a specific purpose is used and stored solely for that purpose and e-KYC firms adhere to the terms and conditions agreed upon by the individual,” Chugh added.

Under the Data Protection law, there are provisions to impose up to Rs 250 crore penalty for data breaches. But there is no instance of the penalty being imposed.

Chugh said the penalty provisions under the Digital Personal Data Protection Act need to be highlighted to ensure compliance. “In fact, the firms on whose behalf the data is being collected would also need to be held accountable for working with non-compliant data identification firms. 

“The mechanisms to protect the rights of the data principal (individuals whose data is processed) are already in place, they now need to be enforced without any delay,” he added.

Mukesh Pandey said the identity verification companies require a multi-layered model of regulation encompassing a national data regulator, robust sectoral regulation and market level operating standards. 

According to Rohit Madan, the regulatory bar has been raised with the enactment of the Digital Personal Data Protection Act. 

“Start-ups must now implement robust privacy frameworks, ensure timely breach disclosures and adhere to strict penalty clauses for non-compliance. This marks a shift from optional best practices to mandatory accountability,” Madan said.

Identity verification start-ups that strike the right balance between compliance, user experience and innovation are well-positioned to lead the future of secure digital ecosystems. As digital identity becomes central to financial services, e-governance, and consumer platforms, the ability to verify trust at scale will be a defining advantage, he added. 

(With inputs from Arjun Raghunath in Thiruvananthapuram and Mrityunjay Bose in Mumbai)