“Dear customer, your account with xxxx has been suspended. Please complete your KYC (know your customer) with this link…”; “Dear user, Please update your KYC for your account with this link/number…”; “Dear customer, you have earned Rs 5000 worth reward points on your account xxx…”
These are just some of the bulk messages received on thousands of phones every day, sent by fraudsters waiting for people to click on the phishing links and share personal information. But what has exacerbated the headache for law enforcement agencies of late is the proliferation of websites that sell names and numbers of people in bulk, senior Delhi Police officers told The Indian Express. Officers added that the scamsters have become proficient in creating lookalike websites of banks, telecom providers or brands to steal information and siphon money — anywhere between a few thousands to several lakhs — from vulnerable people.
In March, the Delhi Police’s Cyber Cell arrested 23 people for sending such messages every day and “inducing” people to visit fake websites on the pretext of updating KYC details — failing which they would “lose” their account in a large public sector bank.
Once a person would part with personal details online, money would soon disappear from their account.
A senior officer at the public sector bank, who did not wish to be named, said: “Last year, we had more than 500 complaints in November-December. We had to send alerts on social media, newspapers and on our app. The fraudsters kept sending bulk messages asking people to update their KYC or else they would lose their account. We also reported the matter to Delhi Police and the Ministry of Home Affairs. It is very serious. These people pose as bank officials and cheat customers of lakhs of rupees. We would never send such messages to our customers.”
KPS Malhotra, DCP (Cyber Cell), explained their operation: “The men sent bulk messages with links that would lead to a fake page of a public sector bank’s app. The account holder would feed personal information on the fake netbanking page and the accused would take these details, log into the original account and siphon money from there.”
“It was a pan-India network; we had more than 100 complaints with us. Over 51 of these were in Delhi. The accused were arrested from different locations,” added the DCP.
In fact, many FIRs often club hundreds of complaints — last year, for instance, the Cyber Cell in Dwarka registered eight cases of KYC fraud, with each clubbing more than 500 complainants from across the country.
In the case from March, police found many of the victims lost up to Rs 1 lakh. Such gangs, police said, operate from different cities across the country — posing jurisdictional challenges to investigators — and have several modules to handle different tasks.
For instance, some men are tasked with creating the phishing links, sending bulk SMSes and creating bank accounts to transfer the money to, while others work on procuring data of their targets.
According to the Cyber Cell, procuring data of the victims is key to the operation. An ACP-level officer told The Indian Express that the accused were buying it from websites where personal data of lakhs of people is sold in bulk for as little as Rs 600 and up to Rs 7,000.
The Indian Express logged into some of these websites and found how easily one can buy data — names, phone numbers and even addresses. The data is differentiated into different categories for “marketing purposes”.
Categories include ‘students seeking jobs’, ‘senior citizens’, ‘doctors in Delhi-NCR’ and ‘car owners in Delhi-NCR’, making it easier for fraudsters to zero in on the group they meant to target.
The data is available in the form of different files, and one simply has to create an account on the websites and buy it.
A team led by ACP Raman Lamba found that the accused were procuring numbers from such websites and sending bulk messages regularly.
“They mostly target senior citizens, retired officials and frequent shoppers. Data of these people are easily available on the websites,” said one officer. The Indian Express contacted one of the websites and asked them about the data being sold online.
The company, which refused to be named, claimed one can share and sell details such as name, email IDs and phone numbers as these are categorised as “general data”. However, data such as credit card details and medical records cannot be shared online as it is “sensitive/personal”.
“There are no laws protecting the selling of general data. The data can be categorised and sold online for marketing purposes. Many brands want their ‘target audience/customers’ and need such data. This data selling business was started to provide data for marketing purposes, but cyber criminals may use it for illegal purposes too… The data is only shared for promotional activities… It is the user’s responsibility,” said the company’s spokesperson.
Asked how the websites gathered such data in the first place, the spokesperson said: “As there are a lot of companies who sell data, so they purchase data from each other whichever is required. However the original source of data is unknown. But as per my knowledge, some data like B2B companies data, doctors data, chemists data is collected from web directory sites where name, address and contact numbers are available openly. And other data may be sold by companies itself — for example I have opened an account (with a broker) for trading, and after a few days I start getting calls from different companies for trading purpose, so we can believe the data is obviously sold by the company itself, and when this data is used by these companies, it comes in open market for reselling by small medium sellers.”
In the case where a fake banking app was created, the accused would send bulk messages to thousands every day and then wait for people to click on the link.
An officer said that when the victims would click on the link, they were directed to the fake/phishing website, while the accused would open the original website. As the person typed their username and password, the accused would see it in real time, the officer said.
At this point, an OTP or one-time password would be required for sign-in.
“Since the OTP is a crucial part of the sign-in, the accused would also put an OTP link on the fake site. As soon as the victim would type the OTP received on their mobile number, the accused would use it on the original website and get access to the account,” said the officer.
Further, the accused would send more OTPs to keep withdrawing money from the account. On the victim’s mobile/laptop screen, he/she would see the KYC formalities being completed and the site asking for yet another OTP to finish the process.
“While the victim is thinking he is completing his KYC process or registration for reward points, the accused is simply stealing OTPs and withdrawing money from his account,” added the officer.
In one specific case, the accused were arrested with more than Rs 2 crore. “They started the operation during the pandemic; in fact many gangs did. We received over 25 complaints with the same modus operandi. Most of the complainants were 45-plus. One of the complainants, a retired DU professor, was cheated of Rs 1.7-2 lakh. This was the largest amount.”