<p>India’s cyber-fraud crisis has reached a scale that can no longer be dismissed as a by-product of rapid digitalisation. The country lost an astonishing Rs 22,842 crore to cybercriminals in 2024 — almost three times the losses reported in 2023 — with nearly 20 lakh complaints logged on the National Cyber Crime Reporting Portal. With the Indian Cybercrime Coordination Centre projecting losses of more than Rs 1.2 lakh-crore in 2025, the threat is evolving faster than our defences. Much of this fraud starts with just an SMS — a seemingly routine link claiming a bank update, subsidy, job, or reward.</p>.Sanchar Saathi | India’s cybercrime crisis cannot be solved by surveillance theatrics.<p>Against this backdrop, TRAI’s 2025 amendments to its TCCP regulations deserve full recognition. They arrive at the right moment, tackling a problem that has festered for years. Mandatory business registration, stricter classification of promotional and transactional messages, and the requirement to pre-tag variables such as URLs in SMS templates mark an overdue clean-up of India’s messy commercial messaging ecosystem. Telecom operators now whitelist these templates, blocking malicious links before they reach users. AI-based systems identify suspiciously high-volume messaging, and quickly suspend offenders. For a country weary of spam and fraud, these reforms promise long-awaited discipline.</p>.<p>But beneath this promising surface sit glaring vulnerabilities that cybercriminals are poised to exploit.</p>.<p>The centrepiece of the new system is the mandatory tagging of website links inside commercial SMS so telecom operators can check them against whitelists. In theory, this stops scammers from hijacking bank or government-style messages to plant malicious URLs. In practice, the system rests on self-declaration. The sender — whether a bank, fintech, or a fraudster pretending to be one — declares whether a URL is safe. There is no independent verification. If the URL matches the whitelisted entry the sender submitted, the system lets it through.</p>.<p>This works beautifully for honest businesses, and disastrously for everyone else. A sophisticated scammer can simply declare a malicious link ‘legitimate’, and slide it into a whitelisted template. The filter won’t question it. India has already seen how a fragile messaging architecture can backfire: when the Distributed Ledger Technology scrubbing was introduced, slight mismatches blocked legitimate OTPs from major banks. That proved two things: false alarms can break the system, and blind trust can, too.</p>.<p>If tagging is the new gatekeeper, it can’t be built solely on trust. Small but critical upgrades are needed: periodic third-party audits of declared URLs, AI monitoring to flag suspicious click behaviour, penalties for false declarations, and real-time co-ordination with cybercrime intelligence hubs, like the I4C. These are not bureaucratic burdens — they are survival mechanisms.</p>.<p>The second major blind spot in TRAI’s framework is its limited scope. The rules, as strong as they are, apply only to registered businesses sending bulk commercial SMS. They do exclude messages from personal numbers (P2P), and those originating from foreign SIMs.</p>.<p>This is where India’s defences are weakest, because cybercriminals have already adapted to evade enterprise-level regulations. If ‘official-looking’ bulk messages face scrutiny, they simply switch to ordinary Indian numbers or international numbers masked as domestic. With P2P traffic forming nearly 70% of India’s SMS volume, this loophole isn’t a crack — it’s a highway.</p>.<p>Rural India is paying the price. Digital adoption has surged, but digital skills have lagged. The UPI saw 18.4 billion transactions worth Rs 24 lakh-crore in June, yet many rural youth struggle with basic smartphone tasks — only about half in Bihar and Rajasthan, compared with nearly 90% in Kerala. Scammers exploit this gap by sending fake SMS from personal numbers promising jobs, refunds, or government benefits. The result: cybercrime in rural and semi-urban areas jumped over 400% between 2021 and 2024, with some states crossing 1,000%.</p>.<p>This is why TRAI’s reforms, while commendable, cannot stop at enterprise-level controls. Partial safeguards cannot protect citizens from shape-shifting, borderless cybercrime. To safeguard India’s digital economy — especially its rural heartland — gaps in self-declaration, P2P oversight, and international SMS filtering must be closed. Parliamentarians may call for digital literacy drives, but awareness without system-level protection is not enough.</p>.<p>The question is no longer whether TRAI’s reforms are necessary — they are. The question is whether they are enough. Without mandatory audits, AI-driven anomaly detection, international telecom cooperation, I4C-linked intelligence systems, and risk-based P2P monitoring, cybercriminals will continue exploiting blind spots. The promise of digital inclusion will remain fragile, and the benefits of India’s payments revolution will be overshadowed by fear and mistrust.</p>.<p>India must decide: fortify its messaging ecosystem with resilience against today’s cyber threats, or let cyber sharks devour the vulnerable? The window for action is narrowing.</p>.<p>(Megha is Assistant Professor, Shyam Lal College (M), University of Delhi, and senior visiting fellow, Pahle India Foundation, Delhi. Surabhi is Research Associate, Pahle India Foundation)</p><p><em>(Disclaimer: The views expressed above are the author's own. They do not necessarily reflect the views of DH).</em></p>
<p>India’s cyber-fraud crisis has reached a scale that can no longer be dismissed as a by-product of rapid digitalisation. The country lost an astonishing Rs 22,842 crore to cybercriminals in 2024 — almost three times the losses reported in 2023 — with nearly 20 lakh complaints logged on the National Cyber Crime Reporting Portal. With the Indian Cybercrime Coordination Centre projecting losses of more than Rs 1.2 lakh-crore in 2025, the threat is evolving faster than our defences. Much of this fraud starts with just an SMS — a seemingly routine link claiming a bank update, subsidy, job, or reward.</p>.Sanchar Saathi | India’s cybercrime crisis cannot be solved by surveillance theatrics.<p>Against this backdrop, TRAI’s 2025 amendments to its TCCP regulations deserve full recognition. They arrive at the right moment, tackling a problem that has festered for years. Mandatory business registration, stricter classification of promotional and transactional messages, and the requirement to pre-tag variables such as URLs in SMS templates mark an overdue clean-up of India’s messy commercial messaging ecosystem. Telecom operators now whitelist these templates, blocking malicious links before they reach users. AI-based systems identify suspiciously high-volume messaging, and quickly suspend offenders. For a country weary of spam and fraud, these reforms promise long-awaited discipline.</p>.<p>But beneath this promising surface sit glaring vulnerabilities that cybercriminals are poised to exploit.</p>.<p>The centrepiece of the new system is the mandatory tagging of website links inside commercial SMS so telecom operators can check them against whitelists. In theory, this stops scammers from hijacking bank or government-style messages to plant malicious URLs. In practice, the system rests on self-declaration. The sender — whether a bank, fintech, or a fraudster pretending to be one — declares whether a URL is safe. There is no independent verification. If the URL matches the whitelisted entry the sender submitted, the system lets it through.</p>.<p>This works beautifully for honest businesses, and disastrously for everyone else. A sophisticated scammer can simply declare a malicious link ‘legitimate’, and slide it into a whitelisted template. The filter won’t question it. India has already seen how a fragile messaging architecture can backfire: when the Distributed Ledger Technology scrubbing was introduced, slight mismatches blocked legitimate OTPs from major banks. That proved two things: false alarms can break the system, and blind trust can, too.</p>.<p>If tagging is the new gatekeeper, it can’t be built solely on trust. Small but critical upgrades are needed: periodic third-party audits of declared URLs, AI monitoring to flag suspicious click behaviour, penalties for false declarations, and real-time co-ordination with cybercrime intelligence hubs, like the I4C. These are not bureaucratic burdens — they are survival mechanisms.</p>.<p>The second major blind spot in TRAI’s framework is its limited scope. The rules, as strong as they are, apply only to registered businesses sending bulk commercial SMS. They do exclude messages from personal numbers (P2P), and those originating from foreign SIMs.</p>.<p>This is where India’s defences are weakest, because cybercriminals have already adapted to evade enterprise-level regulations. If ‘official-looking’ bulk messages face scrutiny, they simply switch to ordinary Indian numbers or international numbers masked as domestic. With P2P traffic forming nearly 70% of India’s SMS volume, this loophole isn’t a crack — it’s a highway.</p>.<p>Rural India is paying the price. Digital adoption has surged, but digital skills have lagged. The UPI saw 18.4 billion transactions worth Rs 24 lakh-crore in June, yet many rural youth struggle with basic smartphone tasks — only about half in Bihar and Rajasthan, compared with nearly 90% in Kerala. Scammers exploit this gap by sending fake SMS from personal numbers promising jobs, refunds, or government benefits. The result: cybercrime in rural and semi-urban areas jumped over 400% between 2021 and 2024, with some states crossing 1,000%.</p>.<p>This is why TRAI’s reforms, while commendable, cannot stop at enterprise-level controls. Partial safeguards cannot protect citizens from shape-shifting, borderless cybercrime. To safeguard India’s digital economy — especially its rural heartland — gaps in self-declaration, P2P oversight, and international SMS filtering must be closed. Parliamentarians may call for digital literacy drives, but awareness without system-level protection is not enough.</p>.<p>The question is no longer whether TRAI’s reforms are necessary — they are. The question is whether they are enough. Without mandatory audits, AI-driven anomaly detection, international telecom cooperation, I4C-linked intelligence systems, and risk-based P2P monitoring, cybercriminals will continue exploiting blind spots. The promise of digital inclusion will remain fragile, and the benefits of India’s payments revolution will be overshadowed by fear and mistrust.</p>.<p>India must decide: fortify its messaging ecosystem with resilience against today’s cyber threats, or let cyber sharks devour the vulnerable? The window for action is narrowing.</p>.<p>(Megha is Assistant Professor, Shyam Lal College (M), University of Delhi, and senior visiting fellow, Pahle India Foundation, Delhi. Surabhi is Research Associate, Pahle India Foundation)</p><p><em>(Disclaimer: The views expressed above are the author's own. They do not necessarily reflect the views of DH).</em></p>
