How social engineering scamsters have weaponized fear to defraud victims

What followed was nothing short of a nightmare. Within an hour, the octogenarian received calls from people posing as Central Bureau of Investigation (CBI) officers from Mumbai. They alleged that his Canara bank account had been used to launder money. Oswal did not have an account with Canara Bank, but the scamsters had details of his Aadhaar card, which they used to put him on the defensive. Under the pretext of helping him clear his name, they put him under ‘digital custody’ using a Skype account.

“I had never used Skype until then, so they helped me create an account and told me not to leave the house and to be always online so they could monitor my activities,” Oswal told Mint. “They kept sending me various documents (related to the alleged case) on WhatsApp with the CBI insignia, which seemed very authentic. They also forbade me to discuss the matter with anybody else, including my family members, or it would lead to a prison term of three years.” At the same time, he said, they never threatened him and tried to put him at ease. “Otherwise, I would have consulted my lawyer immediately.”

Once the scamsters realized who Oswal was, they upped the stakes and even held a fake virtual court hearing the next day, with one of them impersonating D.Y. Chandrachud, then the Chief Justice of India.

“I never saw his (Chandrachud’s) face but heard his voice. He asked me just one question: whether the account (in Canara bank) belonged to me, which I denied,” Oswal said. “Thereafter I was sent a court ruling and asked to deposit ₹4 crore in three separate SBI accounts. The next day, they asked for another ₹3 crore.”

The scamsters told him that failure to do so would lead to his arrest, but assured him that the money would be refunded once his name was cleared. He complied both times.

Things went awry for the fraudsters on the third day when Oswal, feeling unwell, moved out of their surveillance to visit the hospital. There he confided what was going on to his colleague, Vikas Kumar, who flagged it as a scam and alerted the police. This was also the day the fraudsters directed him to transfer more money, but this time to an ICICI bank account, which raised Oswal’s suspicion. Following prompt action by the local police, two people were arrested and over ₹5.65 crore recovered.

“The most important aspect was the speed with which the police acted—within 12 hours of filing the FIR, the accounts where the money was transferred was frozen, and the cops gave precedence to retrieving the money first rather than catching the culprits,” Oswal said.

Oswal may have been the most high-profile victim of a cybercrime, but his case is just one in a multitude—the number of cyber crimes in India has surged since the pandemic. The number of complaints received by the Indian Cyber Crime Coordination Centre (I4C), which falls under the ministry of home affairs, has shot up from just 26,049 in 2019 to over 1.5 million in 2023. In the first four months of 2024 alone, it received 740,957 complaints, with the total financial toll at ₹176 crore.

The figures may be eye-popping, but experts believe they are only a fraction of the actual number of crimes. Most victims are still averse to reporting a fraud out of embarrassment, and in many cases, the local police take such cases lightly. As a result, many cases do not get reported.

Cybercrime takes many forms, including financial crimes such as vishing, where voice calls, or messages are used to steal personal information; phishing, where emails or text messages are sent to trick people into revealing important information or install malware; identity fraud, theft of card or financial information, and ransomware attacks. Beyond direct financial crimes, it also involves spreading malware to infect computers or networks and trafficking in illegal materials.

In India, the profile of victims of financial cybercrimes is very wide, ranging from retired and serving officers and white-collar workers, to students, businessmen, housewives, seasoned professionals and even an Reserve Bank of India (RBI) official.

Most victims fell prey to online investment fraud, gaming apps, algorithm manipulations, illegal lending apps, sextortion, and one-time password (OTP) scams. In 2023, I4C reported over 100,000 investment fraud incidents.

“Technology is evolving at a fast pace, and with AI and deepfakes, the challenge is even more complex. Typically, criminals make the best use of technology, and investigators play catch up. That is the scary bit,” said Aaron Bugal, a field chief technology officer at Sophos, a British security software and hardware firm.

How they do it

The modus operandi in all financial cyber crimes is similar. Fraudsters first call victims on their mobile phones posing as Trai officials or courier executives seeking to deliver a package. Subsequent calls from people posing as CBI or Enforcement Directorate (ED) officials accuse them of involvement in a money laundering or narcotics case, and once the victims are on the defensive, place them in “digital custody”.

View Full Image

The fraudsters are well aware the victims are scared of law enforcement agencies. So, they use social engineering—deception to manipulate the victims into doing their bidding—to offer help and save them from punishment. “Cyber frauds have risen because fraudsters have cracked the social engineering method of instilling fear—i.e., of the police, CBI, ED—in the minds of unsuspecting senior victims,” said Prashant Mali, a cyber and privacy lawyer at the Bombay High Court.

A retired businessman from Delhi concurred. “They know the mere mention of a case is enough to scare us, so they build confidence and act as if they are on our side,” said the businessman, who was put under digital arrest for nine days and duped of ₹10.3 crore over a fortnight. “Their assurance that everything will be alright if we cooperate and that the money will be returned once the investigation is over is what misled me. If they had only tried to scare me then it would not have worked.”

Like Oswal, victims are then directed to deposit money into specific accounts with the assurance of a refund once the case is closed. Through a chain of transactions, the money is then funnelled through various other accounts, making it difficult for investigative agencies to retrieve it.

“The scamsters are well aware of the deficiencies in the system—lack of coordination and urgency to track such cases, and use this to their benefit,” said Bugal of Sophos. “Even though the money moves through digital channels, leaving footprints all over, the transactions happen so quickly that every minute counts. The longer the delay, the lower the chances of tracking the money.”

Unlike Oswal, though, in most cases, recovery is abysmal—less than 20%, on average. At the local police station, cops are simply indifferent. “The police do not seem to be concerned about the monetary loss due to cyber frauds and their help is limited to freezing the target account. Our justice mechanism has failed our citizens,” said lawyer Mali.

‘Digital arrest’ con

Oswal’s case served as a wakeup call for investigating agencies, prompting them to start an awareness campaign on the illegality of ‘digital arrests’. Nearly 4,600 cases of digital arrests have been reported in the first four months of 2024 alone. According to I4C, these fake arrests resulted in a loss of ₹120 crore.

On 18 October, for instance, a retired government official in Noida was duped of ₹1.19 crore after being put under “digital arrest” for four days by scamsters posing as CBI officials probing a chit fund fraud of ₹300 crore. On that same day, in Hyderabad, an 80-year-old retired woman was duped out of ₹13.9 lakh by fraudsters posing as police officers. The scammers falsely accused her of being involved in money laundering and threatened her with arrest.

A fortnight earlier, on 5 October, an employee at an institute under the department of atomic energy was duped out of ₹71 lakh by using the digital arrest modus operandi in Indore, Madhya Pradesh. The scammers posed as Trai officers and accused the victim of sending illegal advertisements and text messages. The victim was threatened with an arrest warrant for money laundering and human trafficking.

On 6 October, I4C issued an advisory warning the public about digital arrest crimes. It emphasised that law enforcement agencies such as the CBI, police, customs, ED, or judges do not conduct arrests through video calls and cautioned the public against falling victim to these schemes. “Don’t Panic, Stay Alert. CBI/Police/Custom/ED/Judges DO NOT arrest you on video call,” stated the advisory. It even featured in Prime Minister Narendra Modi’s monthly radio programme, Mann ki Baat, on 27 October.

Govt measures no deterrent

The government has set up teams for greater coordination between various investigative arms at the central and state level. It has also roped in domain experts from the tech and banking backgrounds in the fight against financial cyber crimes.

The ‘Citizen Financial Cyber Fraud Reporting and Management System’, under I4C was launched in 2021 for immediate reporting of financial frauds in a bid to stop siphoning off of funds by fraudsters. Since its inception, the government claims more than ₹2,400 crore have been saved in more than 7,60,000 complaints.

A toll-free helpline number, 1930, provides assistance in lodging online cyber complaints. Till date, more than 5,80,000 SIM cards, as reported by police authorities, have been blocked by the Government of India.

Yet, as the rise in the number of cases suggests, these measures have not deterred the criminals. Bhavesh Mishra, deputy secretary, IT electronics and communications department, Government of Telangana, believes around two cybercrime cases are reported every minute now and people are losing around ₹1.3 to ₹1.5 lakh on an average in India. “Recovery rates remain below 20%,” he said.

“Cybercrimes currently account for 30% of all crimes, a number that could rise to 50% in the future. Online betting and loan app scams have seen a significant increase, with fraudsters using UPI payments and crypto networks to carry out large-scale scams,” said Cyberabad police commissioner Avinash Mohanty. “There is an urgent need to speed up [strengthen] the regulatory framework with coordination between government and industries. Banks need to strengthen their KYC procedures, improve oversight and audit and ensure compliance to regulation.”

Several investigations have revealed that multiple companies associated with the same address and with common directors are involved in cyber crime, Mohanty added. “It is as if readymade companies are prepared in India and handed over to individuals who want to create frauds.”

Mule accounts

One of the biggest enablers of cybercrime in the country is a gaping loophole in the banking system—the presence of a large number of mule accounts. These are accounts used as the first port of call for money laundering globally. Many of them are relatively inactive or dormant and suddenly spring to life when a large transaction happens and money quickly flows to many different accounts before the banking system can act.

View Full Image

The danger such accounts pose has been frequently flagged by regulators, including the RBI, but the menace has not been tamed yet.

In India, many such accounts are willingly opened by individuals and offered to fraudsters for a fee, which makes it difficult to detect at the time of onboarding. Investigating agencies, with the aid of bankers, are trying to crack down on such accounts. In the first four months of 2024, around 3,25,000 suspect mule accounts have been frozen.

A recent case in Pune, where a software engineer was cheated of ₹12 lakh in a parcel scam by cyber criminals, shows how mule accounts are used. One of the accounts that received part of the money, ₹2.5 lakh, belonged to a struggling rickshaw driver. When the cops zeroed in on him, he directed them to a man in a black SUV, who had given him ₹10,000 to use his account. Tracking the movements of the SUV, police managed to bust the gang, arresting four people and recovering 18 cell phones, 90 SIM cards, 60 bank passbooks and debit cards, and 15 Aadhaar cards. The culprits were handling over 300 mule accounts. The masterminds, however, were abroad and untraceable.

“The handlers get caught while the real perpetrators almost always get away,” said Nisheeth Dixit, advocate and cyber law consultant. “If one gets duped, the system is such that one has to be prepared to run from pillar to post to retrieve the money and get the perpetrators behind the bars.”

The overseas connection

So, who are the real culprits? While cyber sleuths are yet to figure that out entirely, there is evidence to suggest most of these frauds emanate from South East and Middle East Asian countries.

“We have seen a spurt in organized cybercrime emanating from South East Asian countries, including Cambodia, Myanmar and Laos,” said Rajesh Kumar, chief executive officer, I4C, at a press conference on 22 May. “We find that 45% of cyber-financial frauds taking place in the country originate from this region,” he added.

We have seen a spurt in organized cybercrime emanating from Cambodia, Myanmar and Laos.
— Rajesh Kumar

Myanmar and Cambodia have also become hotbeds of cyber slavery, where job seekers from India are lured on the pretext of employment. As per official data, nearly 30,000 people who travelled to Cambodia, Myanmar, Vietnam and Thailand in the first five months of this year have not returned and are suspected to be involved in cybercrime against their will.

Mint reached out to cybercrime departments in the police of over a dozen states as well as I4C, the RBI, Microsoft and telecom operators Bharti Airtel, Jio and Vodafone Idea. None of them responded to the publication’s questions. Some officials were, however, willing to speak on the condition of anonymity.

“Entities outside India are definitely involved. Ultimately, we will have to make our systems more immune to such attacks and people need to be more aware,” said a Delhi police staffer under the cyber wing. “Right now, cases are rising in such a way that we are overwhelmed.”

The perpetrators know that too. In one of their more daring strikes, an RBI officer in Bengaluru was the target of a suspicious parcel-turned-money laundering case in May and duped out of ₹24 lakh in three tranches.

Nobody is safe.