Cyber fraud: Online crimes overtake offline crimes

As technology improves and more people have disdained cash and wallets for digital payments, the number of conventional crimes has plummeted even as online crimes have risen tenfold.

India’s move towards online, cashless payments has created a rich hunting ground for scammers who have not spared any form of online transaction, be it digital wallet payments, online shopping, card vishing, insurance renewal, passport applications or know your customer verifications.

Not only are the banks, the police and the existing security apparatus unable to track down crores of embezzled rupees, but the system is not even able to identify and apprehend the vast legion of fraudsters who are causing havoc online, although police have claimed isolated successes.

READ: Cybersecurity: New forms of crime emerging

According to the Criminal Investigation Department (CID) in Bengaluru, there were 8,000 cases of cybercrimes all over India in 2016, numbers of which increased to 22,000 by 2017. National figures for the years 2018-2019 are still under analysis, but they are likely to be massive, as indicated by the trend.

In Bengaluru alone, according to State Crime Records Bureau, there were 10,204 registered incidents of financial-based cybercrimes this year (as of December 12), and 1,383 such cases elsewhere in the state. This vastly outstrips the 7,883 street crimes which took place in Bengaluru during that same period, although street crimes in rural areas outnumbered online frauds.

Praveen Sood, Director General of the CID, said that the true scale of the problem is not fully known by law enforcement authorities primarily because many victims do not even realise that they have been defrauded until days or months later.

The primary cause for fraud, according to Sood, is people’s laxity about how they use the web. Often, account and one-time passwords (OTPs) are shared with friends and family. In other instances, passwords are childlike in their simplicity, amounting to ‘ABCDE’ or ‘12345’.

“The investigation of cybercrimes is difficult. Often they hit a wall. In most cases, accounts are opened just to carry out a single scam. The modus operandi is one bank account, one scam; one mobile number, one scam. By when we follow up on the numbers, the scammers and the money are long gone,” he said.

Investigations are also often doomed to failure because attending police did not have the presence of mind to register a case in a timely manner. In other instances, victims are often at a loss as to where to file a complaint.

This was the case with Arpitha, a bank employee and a resident of Madiwala in Bengaluru, who was defrauded of over Rs 30,000 late last week.

Arpitha told DH that she was trying to sell furniture on OLX when she was cheated by a man who claimed to be with the Indian Army. “He was a determined bargainer who whittled down the sale price before talking me into accepting an advance payment, to ‘reserve’ the product,” Arpitha said.

The man sent a QR code for Arpitha to scan which he said would allow him to make the ‘advance’ payment. Instead of sending her money, however, the code was used to siphon Rs 30,000 from her account.

Given the runaround by police, it was three days before Arpitha could finally register a first information report (FIR) with the police.

Later, when she called the scammer demanding to know why he had defrauded her, he claimed that he had become a con man after someone had similarly robbed him.

Sood said efforts are being made to train police to respond earlier to such cases, and stressed that a 15-minute window following the crime was often all that police had to stop payment on a transaction and return the money to its rightful owner.

However, the Police Commissioner for Bengaluru, Bhaskar Rao, expressed the belief that these crimes are impossible to solve because of an arsenal of disposal bank accounts and phone numbers wielded by scammers, despite stringent Know Your Customer (KYC) requirements.

“On an average, digital fraud victims lose between Rs 10,000 to Rs 50,000. But by delegating an inspector to investigate the case, the state ends up spending nearly Rs 2 or 3 lakh per case, not to mention the investigator’s pending casework which piles up in his absence. This is not viable,” he said.

“The onus of responsibility is on the banks to take swift action and upon platforms where such scams are taking place,” he added.

OLX said that it is taking every possible action to weed out fraudsters. Lavanya Chandan, director of the company’s legal team, clarified that the platform nullifies roughly 20-25% of all dubious advertisements using Artificial Intelligence. Other ads are examined by a human team of auditors.

“Phone numbers identified as being used in frauds are blacklisted and we even fingerprint smartphones to prevent them from being used again, even if the sim card is changed,” Chandan said.

But while OLX said that it has blocked “thousands of scammers,” it also admitted that it was caught in a game of cat and mouse with scammers employing various tactics to reenter the platform.

One of the primary problems is a flaw in how QR codes are created under the government’s cashless Unified Payments Interface (UPI) system. These scannable codes are widely used for cashless payments. While some platforms include a short description of what a QR code is to be used for (either for paying or receiving payment), others do not. Scammers have also learned to circumvent the system by taking a screenshot of the QR code and cropping away the description message at the bottom.

Never share OTP

The scams are not limited to QR codes. Renuka, the owner of a sports goods outlet in Vidyaranyapura, was conned by a ‘customer’ who claimed he wanted to purchase a table-tennis board. After taking down her bank account number and IFSC details for a bank transfer, the man, who gave his name as ‘Vikram’, called her back to ask her for the OTP number which had been sent to her phone.

Police are unequivocal that sharing OTP numbers with others leads to fraud. Renuka realised this the hard way after she revealed the OTP number to the man. On the following morning, she realised that ‘Vikram’ had robbed her of Rs 2.49 lakh by accessing her bank account.

The creation of fraudulent websites mimicking official sites also appear to have become a cottage industry among scammers. Sandeep Patil, the Commissioner of Police (Crime) said that he has ceased visiting websites for banking and other services, preferring instead to download official mobile apps dealing access to services.

This was a lesson engineer Loganatha Pandian of Whitefield learnt late.

Trying to renew his vehicle fitness certification, Pandian accessed what he believed was the website of the K R Puram Regional Transport Office. It was fake. After calling the helpline number listed at the top of the site and following instructions relayed by a person on the other end of the line, he received a clickable link via text message on his cell phone. Opening the link installed several apps. Pandian lost Rs 89,993.

Considering the growing rate of such crimes, Sood said that he suspects that perhaps 50% of police will only be dealing with cybercrimes in the near future.

At the highest level of police authority, an officer was less charitable. “Scam victims have only themselves to blame for their misfortunes,” he said.

It is a telling statement about the cold reality that victims of financial digital fraud currently face: that no help is coming.

While eight new Cyber Crime, Economic Offences & Narcotics city police stations have been promised for the last two years, none have materialised. It will also be years before a large and proficient team of trained cyber-investigators is on-hand to tackle the growing menace of online crimes.

Until then, victims are on their own.