Representative image of cybercrime.
Credit: iStock
By Andy Mukherjee
On a hot and humid August morning last year, Biren Yadav was alone at his home in Gurugram, a New Delhi suburb, when his phone rang. The call was from a woman claiming to represent the Telecom Regulatory Authority of India. The caller seemed to know everything about Yadav, a 77-year-old former Indian Air Force officer. She read out his address, national ID and tax account number — all correctly. “One of your phones is transmitting antinational messages,” said the caller. “Unless the cyberpolice clears your name, we have to freeze all your numbers.”
That was the beginning of Yadav’s “digital arrest,” an elaborate scam that preys on India’s affluent. This is no small-time hustle. One ex-banker says he was conned out of 230 million rupees ($2.6 million) in August, and government data puts the collective toll at 25.8 billion rupees ($290 million) since 2022. But if global trends are anything to go by, that figure, which tracks 242,000 known cases, likely dramatically underestimates the problem. A survey last year by the Global Anti-Scam Alliance, a nonprofit based in The Hague, found that only 28% of financial-scam victims report the crime to law enforcement, while 1 in 5 don’t even try to get their money back.
No wonder: Those who try seldom succeed. Outside of the US, UK, Canada and Australia, recovery rates are dismal. In India, those who lose small sums are often told by the police not to bother registering their complaints; after a laborious judicial process, they’d be lucky to see a few cents on the dollar. Some are so shaken by the ordeal, or so embarrassed by their own gullibility, that they choose to hide their losses from their own families.
The damage caused by the rise of the digital-arrest con — which has found fertile ground amid the country’s soaring youth unemployment, endemic corruption and glaring wealth inequality — runs deep and wide. For victims, it goes beyond the financial, with the trauma of the experience leaving painful scars. Banks, where criminals control fraudulent accounts that play a key role in draining victims’ savings, are on notice; they’ll have to kiss cheap liquidity goodbye if the scam leads the middle class to lose trust in the financial system. Many of the syndicates that orchestrate these grifts are run from outside India, which risks turning the whole situation into a national-security headache. And as factors like artificial intelligence and an influx of cryptocurrencies enter the picture, an already dire situation could quickly get worse.
Yadav knew none of this when he picked up the phone. His first assumption was that his personal data must have been compromised; someone had used his credentials to register a number that wasn’t his. He agreed to let the caller transfer the call to the cyberpolice to sort out the misunderstanding.
Here’s where the story took a more sinister turn: Yadav was passed to another official-sounding voice, who informed him that the government believed he belonged to a 246-person cabal working in cahoots with Naresh Goyal, the founder of what was once India’s largest private airline. With Goyal out on bail in a bank-fraud case, his coconspirators were being rounded up, the “police officer” said. Yadav’s only option, he said, was to plead his innocence to the Central Bureau of Investigation over a video call — or face arrest for hiding 300 million rupees ($3.4 million) of Goyal’s alleged loot in his accounts.
The rise of a ‘scamdemic’
According to GASA, scams are a $1 trillion-a-year global industry. Shopping fraud, where people are made to pay for stuff they never receive, is the most common. Another well-known technique is known as pig butchering, where marks are lured by small financial gains before the perpetrators whack them with a big blow that drains their accounts. Digital arrests, by contrast, deliver the knockout punch right at the beginning — by making vulnerable individuals feel the mighty boot of law enforcement on their chest. The criminals don’t ask for bribes; they insist on proof of innocence. Victims suffer from extreme fear and psychological shock, and they seek relief by voluntarily handing over huge sums to their tormentors, all via proper banking channels.
While the police may help the odd industrial tycoon recover their funds, more often the authorities come up empty. Law enforcement typically responds to digital arrests by going after the owners of the accounts where the victim transferred their savings — though by that time, the con artists have either withdrawn the cash or moved it. These accounts are mostly mules, meaning they’re either owned by individuals or companies who had no idea their identities have been hijacked, or — less innocently — by people who’ve lent their accounts to criminals in exchange for payment or favors. The police have found WhatsApp and Telegram groups in which corrupt bank officers hawk mule accounts to cybercriminals for hefty commissions.
The actual perpetrators operate in shadowy networks — a diffuse approach that makes them difficult to pin down and smash, especially when they’re controlled from overseas. According to an investigation by news site Scroll, thousands of young Indians have been trafficked to Cambodia, where they’re held in captivity and forced to extort people. My colleague Karishma Vaswani says Asia is in the midst of a “scamdemic,” and Cambodia, Laos and Myanmar are its ground zero. Indeed, in Yadav’s case, the police eventually traced his scammer’s number back to Cambodia.
Credit: Bloomberg
India offers rich pickings for this variety of online con. A digital juggernaut is rolling through the world’s fifth-largest economy. But without sufficient guardrails for data privacy, it’s a transformation that comes with some collateral damage. Every month, Indians authenticate billions of transactions using their unique digital ID, known as Aadhaar, the Hindi word for “foundation.” That’s created a colossal repository of personal data — including biometrics — that authorities claim is fully secure.
Reality suggests otherwise. In October 2023, US cybersecurity firm Resecurity showed that the personal information of 815 million Indians was being sold on the dark web. That data was traced to a hack of the Indian Council of Medical Research, a government organization. The government said there was “evidence of leakage,” but no information had been stolen. The police arrested four people.
Such loosely guarded databases are tempting treasure troves to multitudes of unemployed, tech-savvy youth. With a Chinese-style manufacturing revolution yet to occur and AI now threatening white-collar jobs, India offers them very few pathways to a middle-class life, let alone an Instagrammable lifestyle. For some, digital crime is the answer.
But even without hackers in the mix, the government’s own use of sensitive personal information would be deeply problematic. Tax officials, for instance, have been given sweeping powers to snoop into people’s emails, chats and social media. Opposition politicians, student leaders and civil-society activists are being held, often for months or even years without trial, on corruption, money-laundering, sedition or terror charges brought by the same investigating agencies whose names are used by criminals to intimidate victims of digital arrests. Between the fear of Big Brother and the ubiquity of online misinformation, even educated, successful individuals have stopped trusting their own better judgment about what to believe.
In the case of Usha Goswami, a retired marine biotechnologist living in Goa, that confusion helped enable a brutal four-day digital arrest in June. When scammers first showed Goswami a copy of her Aadhaar card, she says she was skeptical, thinking, “Anybody can fake it.” But when they said her bank accounts were being used by human traffickers to launder money and the police were on their way to arrest her, she got scared. To prove that her funds were clean, her handlers insisted she transfer the cash to “government-approved accounts” for verification. The 80-year-old scientist ended up losing 9.7 million rupees ($109,000), according to the police report she later filed. By the time Goswami and her Singapore-based daughter got a court order to start recovering the funds, Yes Bank Ltd., the receiving institution, had released a big chunk of the money to another claimant. Most of Usha’s savings were gone — possibly for good.
Follow the money
Yadav, who was now several hours into his digital arrest, agreed to an interrogation over Skype with a man who identified himself as a junior officer of the Central Bureau of Investigation, the Indian equivalent of the Federal Bureau of Investigation. (Skype was a popular staging area for this ripoff until Microsoft Corp. retired the service in May; Goswami’s digital arrest took place on WhatsApp.) Yadav would now meet the “senior officer” who would decide his fate.
The actor who played that role sat at a large desk, in full uniform, India’s national emblem displayed on the wall behind him. People kept entering the room with files as he barked orders. Of Yadav, he asked his junior: “Why haven’t you arrested this man yet?” He knew all about the septuagenarian’s savings, down to the last rupee. “He was shouting at me and at one stage even threatened to seize my children’s property. That’s when I lost it,” Yadav recounts.
That day and the next, the handler assigned to Yadav instructed him to visit four different banks, transferring his life savings to what he described as government-approved accounts for “inspection.” In each case, the pensioner received banking instructions on a WhatsApp audio call in plain view of the tellers.
In hindsight, this part rankles Yadav: “Have our banks failed so badly, or were they a party to it?” Ultimately, Yadav lost 15.95 million rupees ($180,000). Nobody at the branches, where he was a familiar customer, had asked him a single question about why he was paying a penalty for premature withdrawal of his time deposits, he says, or writing out transfer orders to the likes of “Leopard Race Private Limited.”
The idea that bank officials can be party to such scams isn’t paranoia. Samudrala Venkateswarlu, a former director of Sreenivasa Padmavathi Cooperative Urban Bank, is currently in judicial custody in connection with the digital arrest of an advertising executive — who also happens to be Yadav’s neighbor. Nearly 85% of the 58.5 million rupees ($659,000) extorted from the ad executive eventually ended up in 11 fraudulent accounts at this small, Hyderabad-based bank. Two of these accounts, belonging to a carpenter and a tailor, have been named in a number of other cybercrime complaints, while several other account holders are untraceable — their addresses with the bank are fake. Venkateswarlu, whom the police accuse of opening and operating at least some of these accounts, was denied bail for a third time in September, even though he told a Gurugram magistrate that the allegations against him are false. In one of the bail proceedings, Venkateswarlu named the cooperative bank’s chairman, P. Srinivas Kumar, as a suspect. Kumar, who has denied any involvement, told me that he wouldn’t comment because the matter is under judicial consideration.
The advertising executive, who asked not to be named due to safety and professional concerns, has now gone to India’s Consumer Disputes Redressal Commission, accusing some of India’s largest lenders of deficient service. HDFC Bank Ltd., which transferred the funds out of the executive’s accounts, has told the commission in writing that the victim is shifting the blame for their own negligence. ICICI Bank Ltd., which received the money, says it doesn’t have any obligation to someone who isn’t a customer; the Kerala-based Federal Bank Ltd., whose money-transfer network was used by the cooperative lender at the heart of the scam, has yet to reply to the commission. None have answered my questions.
If cops are struggling to understand how to respond to the racket, bankers are callous about their role in preventing it. Lenders sometimes allow transfers to take place even after the National Cyber Crime Reporting Portal issues an injunction; they often refuse to reverse fraudulent transactions under court orders. The lack of quick action leaves criminals with ample time to withdraw the stolen funds and take them overseas as crypto.
Then there’s the glut of mule accounts. As part of the current government’s financial inclusion drive, some 550 million new bank accounts have been created over the past decade. And despite banks’ insistence that they follow the Reserve Bank of India’s guidelines for authenticating new customers, it’s clear that a significant number are used for fraud. Theft has also become easier as banking has sped up — not just retail payments via smartphones, but even high-value transfers that settle in real time, 24/7. No doubt that’s greased the wheels of genuine commerce. But when money moves instantaneously, it’s lost just as quickly.
In Yadav’s case, HDFC Bank is contesting a court order for the return of the 3.8 million rupees ($43,000) it managed to secure before scammers could move it elsewhere. Not all of the money belongs to the air-force veteran, it argues. As part of legal proceedings, the bank has shared the entire history of the account in which Yadav’s money landed. It appears from the 104-page statement and other supporting documents that he wasn’t the only one who succumbed to fraud that fateful day last August. The suspicious account, which held the equivalent of $6 on the morning of the scam, received more than 37 million rupees ($417,000) in a single day. By evening, most of the funds had vanished. I asked the bank why its surveillance system didn’t catch the telltale signs of fraud sooner. Neither HDFC nor the Reserve Bank of India, the country’s banking regulator, has answered my questions.
Yadav did finally manage to get some of his stolen funds returned. Ironically, that’s the moment his bank actually stepped in, freezing the balance in his pension account when it identified the influx of tainted funds. Nearly one year later, it has yet to be unlocked.
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Breaking the spell
Digital arrests must be defeated along the same two axes on which they succeed: psychology and technology.
When most people face a sudden threat, their natural fight-or-flight response gets triggered. When they are subjected to a digital arrest, they either challenge the criminals before they can lay a trap (fight) — or they just switch off their phones to escape the hostile environment (flight). But there’s a third stress response that often gets ignored: The motor system hits the brakes and we stall. Digital arrests succeed when that deer-in-the-headlights syndrome kicks in and refuses to go away. The advertising executive from Gurugram, whose intimidation campaign lasted five days, says their rational brain just froze up.
Even a small intervention that takes power back from the amygdala, the brain’s threat-detection center, and gives it back to the prefrontal cortex, the reasoning faculty, can help greatly. For instance, India’s telecom regulator could insist that all communication services carry a warning that pops up on the kinds of long calls required for digital arrests: “Your call has lasted more than an hour. Be careful. No law-enforcement activity takes place on our platform.”
Banks could use similar alerts — in fact, some are already starting to. Recently, while trying to add a new recipient via online banking, a message box popped up, cautioning me about digital arrests. Late last year, Prime Minister Narendra Modi even played a clip of the hoax in his monthly radio broadcast to build public awareness. These are good initiatives, but they won’t be enough.
That’s because the actual money transfers are taking place offline, in physical branches. Why? Banks typically set a cooling-off period for online payments to a newly added account. There is no such constraint on transfers done at a branch. Plus, many customers feel safe in their local branches; the employees there are known faces. The economy will pay a price if financial institutions don’t take immediate steps to maintain this trust, says Venkatanarayanan Anand, a Bengaluru-based internet security researcher. Having seen many instances of digital arrests while doing consulting work for state agencies, Anand has moved his own savings to money market funds, held outside the banking system. “I have advised my parents to do the same,” he tells me.
Goswami, the retired marine biotechnologist, has already lost her faith in banks: “I now worry even about the safety of my documents in their fixed-deposit boxes,” she says. For the middle class to retain confidence in regular deposit-taking institutions, lenders need to start investing in technology designed to fight scams. It should be possible to analyze CCTV footage from across their branches using AI and machine learning. Marrying that data with suspicious account activity, banks ought to be able to spot zombie customers in a scammer’s grip. Far-fetched? Not really. State Bank of India, the country’s largest deposit-taking institution, is planning to install AI-enabled cameras across more than 22,000 of its branches to detect unusual behavior. No other bank has such an extensive network to monitor; none has the SBI’s retail heft to set industrywide standards.
India’s banking regulator should also look to how other nations are tackling financial crime. Last year, Singapore created shared-responsibility guidelines for scam transactions. Payment providers are now required to block anyone who tries to drain more than 50% of a customer’s account balance in a 24-hour period. Telecommunications services have to use anti-scam filters to block suspicious words in bulk messages. Companies that don’t comply have to compensate customers in full. Similar laws are coming up in other markets, too. In Hong Kong, banks that aren’t doing enough to help customers identify and prevent scams may soon be on the hook. Since October of last year, UK banks have been required to reimburse up to £85,000 ($114,000) to customers tricked into sending money to a fraudster’s account. The onus is on the bank to prove that the customer wasn’t careful, not the other way around.
There’s no reason laws and regulations in India shouldn’t offer similar protection to victims of fraud. Banking can be slow — like it used to be when intercity checks across the vast, continent-sized geography took days to clear. Or it can be fast, like in today’s digital India. But its cornerstones must be trust and free will. It’s very much the job of bank CEOs to make sure they earn the former — and ensure customers are exercising the latter.
More immediately, banks must provide victims with a better recovery rate so more are encouraged to come forward. After a year of running from pillar to post, Yadav has managed to retrieve 10% of what was stolen from him. He’s reluctantly written off the 60% that scammers converted to cash or crypto — or passed along to their accomplices. What really embitters him is the 30% locked up in various banks, which he can’t touch despite court orders. Yadav’s digital arrest may be over, but with so much of his money still in custody, he’s finding it hard to feel free.