<p>While banking frauds regularly make news headlines, digital/cyber frauds don’t get similar attention despite faster growth trends.</p><p>This needs a correction. Recently, in a parliamentary response, the Ministry of Finance reported that over 2.4 million digital financial fraud incidents drained Rs 4,245 crore in the first 10 months of 2024–25 – a 67% rise from the Rs 2,537 crore in 2022–23.</p><p>This, despite the web-based Central Payments Fraud Information Registry set up by the RBI and the government’s Citizen Financial Cyber Fraud Reporting and Management System being in play and showing good results.</p><p>This mechanism covers both banking and non-banking sectors, and credit card/pre-paid payment card issuers. It facilitates real-time reporting and coordination with law enforcement agencies, thereby preventing fraudsters from transferring funds. Acting in tandem, they have significantly reduced the potential losses of digital financial frauds and saved about Rs 4,386 crore across 1.3 million complaints received this year. Yet the rise in cyber fraud remains unchecked. What explains this?</p><p>The metropolitan areas are more affected than rural geographies. Also, frauds typically happen during business hours. A larger bulk of these frauds seems to be linked to the UPI system compared to debit and credit cards, and internet banking. This, however, is perhaps because of the popularity of UPI rather than any particular vulnerability in its architecture. The reported average ticket size of fraudulent transactions is generally low, with the bulk at less than Rs 10,000. Instances of fraud involving above Rs 1 lakh are far fewer. Furthermore, the majority of UPI fraud victims are usually early/mid-career salaried individuals. What may be inferred is that frauds are happening not because of the illiteracy or ignorance of consumers, but because of fraudsters using what could best be described as a strategy of ‘mind management’. 
What makes this possible?</p><p>Frauds are increasing possibly due to an ecosystem-induced vulnerability in the users. While technical solutions are necessary, they are not sufficient – something different needs to be done. To understand what this elusive ‘something’ could be, we need to first reflect upon, and understand, the dynamics of our ecosystem which facilitates the frauds. Calls/emails from unknown individuals who address you by name are increasingly common – some of them market products such as stocks and mutual funds; some are from charitable institutions seeking donations; some are potential fraudsters. Phones and ‘secure’ social media platforms are also getting hacked, and voice and number cloning is no longer an impossibility.</p><p>The e-commerce systems that operate in our cities use OTP for customer identification. Consequently, OTP sharing is something of an automated reflex, especially for working-age youngsters running against time in balancing multiple responsibilities. With the usage of digital interaction and payment systems being propagated, many governmental/semi-governmental institutions are independently collecting and maintaining digital directories of the KYC details of individuals (Aadhaar numbers/phone numbers/email IDs, thumb impressions, residential addresses, etc.). Furthermore, our policies now increasingly require frequent KYC updating, renewal, and re-verification, with service denial automatically enforced for non-renewal. With remote re-verification or digital re-validation permitted, harried individuals are getting increasingly conditioned to share or validate KYC details to any officious-sounding agency.</p><p>At the same time, the security systems for managing KYC (other than in banking and other allied financial services) are relatively heterogeneous and somewhat lax. 
As a consequence, accessing KYC databases of a large variety of publicly/semi-publicly owned institutional service providers is relatively simple, especially for enterprising IT-savvy youngsters looking to get rich quick – and their numbers are increasing rapidly. They are also facing an environment where attractive jobs are getting increasingly scarce.</p><p>Given that cyber fraud is a systemic problem, we need to view its prevention as an ecosystem management issue. The onus of management must shift from the consumer to the regulator. While various aspects of such systemic management need a separate discussion, some initial quick fixes could be considered. The facility to allow ‘non-PIN’ OTP-based third-party debits in UPI could be disallowed, as PIN usage acts as an additional layer. Furthermore, since bank accounts are PAN/Aadhaar-linked, a master registry of all accounts with AI-based monitoring of suspicious transactions could be contemplated. This registry could be a wing of the existing banking regulator.</p><p>We are entering what can best be described as the AI age. With the smarter use and misuse of AI systems emerging as a reality, the variety of means an enterprising individual can deploy will only grow. Combating it will thus also need an AI-sensitive mindset shift in our regulators.</p>