With the Haryana Police making arrests and launching an investigation into a multi-state phishing scam involving more than 300 bank accounts, questions over internet safety and cyber-hygiene have once again come to the forefront. In this particular case, perpetrators allegedly swapped SIMs of potential victims into e-SIMs before gaining access to their bank accounts.
What is the case being investigated by Haryana Police?
So far, the police have pieced together the preliminary modus operandi of a new phishing racket that they suspect has been used to access over 300 nationalised and private bank accounts across five states — Punjab, Haryana, Bihar, West Bengal and Jharkhand. Police are yet to ascertain the amount of money involved. But they have made five arrests — among the first in a racket involving e-SIM frauds. And four of those five are from Jharkhand’s Jamtara, a district that has gained notoriety as a hub of cyber crime, even inspiring a popular web series. “The case is unique, with the use of e-SIMs as the main conduit and with preliminary investigations establishing procedural infirmities and lack of due diligence on the part of banks and telecom companies,” said O P Singh, Commissioner of Police, Faridabad.
How did the perpetrators allegedly defraud their victims in this case?
According to the police, what sets this case apart from other phishing cases is “the novel modus operandi adopted, and mind-boggling layering done by apparently low-tech offenders”.
To begin with, they acquire a series of mobile numbers, use all of them to try and log in to a bank account. If a number prompts an OTP, they call the number’s owner and pretend to be customer care executives of the mobile operator offering to upgrade SIM cards or Know Your Customer (KYC) details.
Then, they send an email to the victim containing text to be sent to the official customer care number. It’s a ruse to register your email ID with the victim’s number, so that you can put in an official request to convert the SIM into an e-SIM. Once done, the victim’s phone number and everything else it is linked to, including the bank account, is under your control.
📣 Express Explained is now on Telegram. Click here to join our channel (@ieexplained) and stay updated with the latest
How is India placed as far as internet-related monetary frauds are concerned?
In 2019-20, banks reported 2,678 card and internet-related fraud, totalling Rs 195 crore in value, which was more than double the value of such frauds reported by banks in 2018-19, according to the latest data from Reserve Bank of India (RBI).
In the current fiscal, between April and June, banks reported 530 fraudulent transactions involving debit and credit cards, or techniques such as phishing done over the internet, which has led to Rs 27 crore being stolen until now. “The Reserve Bank is engaged in interlinking various databases and information systems to improve fraud monitoring and detection,” the RBI has said.
Earlier this year in July, cybercriminals had adopted a similar e-SIM swap approach to swindle a total of Rs 21 lakh from the bank accounts of several people. In the case being investigated by Haryana Police, the full extent of the monies involved is yet to be ascertained.
Have the authorities taken any measures to prevent such frauds?
The Reserve Bank of India, in June this year, said it has been taking measures to improve awareness through its e-BAAT programmes and organising campaigns on safe use of digital payment modes, to avoid sharing critical personal information like PIN, OTP, passwords, etc. However, it pointed out, despite these initiatives, “incidence of frauds continue to bedevil digital users, often using the same modus operandi users were cautioned about, such as luring them to disclose vital payment information, swapping sim cards, opening links received in messages and mails, etc.”.
The central bank therefore directed all banks and authorised payment system operators to undertake targeted multi-lingual campaigns by way of SMSs, advertisements in print and visual media, etc, to educate their users on safe and secure use of digital payments. Additionally, the Maharashtra Police also recently issued advisories to people on how to avoid phishing. “The goal is to trick the person into performing a specific action that will benefit the attacker, typically, this involves getting the victims to click on malicious links, open an infected attachment or authorise a transfer of funds,’’ the state police’s cyber cell had warned.