Step 1: Acquire a series of mobile numbers, use all of them to try and log in to a bank account. If a number prompts an OTP, it’s time for the next step.
Step 2: Call the number’s owner and pretend to be customer care executives of the mobile operator offering to upgrade SIM cards or Know Your Customer (KYC) details. Gain trust, obtain the victim’s email ID.
Step 3: Send an email to the victim containing text to be sent to the official customer care number. It’s a ruse to register your email ID with the victim’s number, so that you can put in an official request to convert the SIM into an e-SIM. Once done, the victim’s phone number and everything else it’s linked to, including the bank account, is under your control.
So far, this is what police in Haryana’s Faridabad have pieced together about a new phishing racket that they suspect has been used to access over 300 nationalised and private bank accounts across five states — Punjab, Haryana, Bihar, West Bengal and Jharkhand.
Police are yet to ascertain the amount of money involved. But they have made five arrests — among the first in a racket involving e-SIM frauds. And four of those five are from Jharkhand’s Jamtara, a district that has gained notoriety as a hub of cyber crime, even inspiring a popular web series.
“The case is unique, with the use of e-SIMs as the main conduit and with preliminary investigations establishing procedural infirmities and lack of due diligence on the part of banks and telecom companies,” O P Singh, Commissioner of Police, Faridabad, said.
“What sets this apart is the novel modus operandi adopted, and mind-boggling layering done by apparently low-tech offenders,” Singh said.
Officers investigating the case said the perpetrators have confessed to gaining control of bank accounts after obtaining the e-SIMs of victims. In several instances, they said, the target was ICICI Bank, through the desktop version of its website, and the numbers used were of Airtel.
Preliminary information from records analysed shows that several transactions ranging between Rs 10,000 and Rs 99,000 have been made, an officer said. “The fraudsters break up transactions into smaller amounts for it to be undetectable. An amount of Rs 1,00,000 is transferred in several transactions of Rs 500-Rs 1,000, which let them avoid suspicion,” the officer said.
These funds were found to have been transferred into wallets provided by PhonePe, Ola Money, Paytm Payments Bank and Airtel Payments Bank. Police have issued summons to Paytm, ICICI Bank, and others to appear before it and present documents to ascertain procedural lapses, if any.
An ICICI Bank spokesperson said: “We have two levels of authentication for logging into an internet banking account. In addition to an OTP which is sent to his/her registered mobile number with us, the customer needs to enter the ATM PIN. Unless customers share these information together, it is not possible to login into their internet banking account. On a regular basis, we communicate to our customers to not share PIN, passwords or OTPs with anyone. Further, we would like to state that a bank cannot be held responsible for a SIM SWAP fraud.”
Airtel did not respond to queries from The Indian Express. Paytm and Ola Money did not respond to e-mails seeking comment.
A PhonePe spokesperson said: “We are fully compliant with NPCI guidelines on fraud prevention. We are awaiting more details on the specifics of the allegations being referred to in this case. We would also like to state that for PhonePe wallets, we are fully compliant with the requirements of KYC verification. PhonePe continues to be a safe and trusted platform for over 23 crore users across the country.”
Among those arrested is a resident of Punjab, who has been described as one of the key orchestrators of the scheme. “He worked with a telecom company and a digital payments company in the past, which could be a key factor in planning the scam,” said sources.
Police sources said a notice has been sent to the Punjab State Power Corporation Ltd (PSPCL), following suspicion that 91 bills of the company were allegedly paid through fraudulent transactions by the scamsters.
Police say the accused was also connected to several contractors in Punjab and Haryana, who brought migrant labourers from Bihar and Jharkhand. These contractors maintained a database of the labourers, including their bank account details, which were used by the perpetrators.
“The financial trail would lead us to these migrants, who had no clue about the transactions being made in and out of their bank accounts,” an officer said.
The case in Faridabad comes close on the heels of similar e-SIM cases that surfaced in other states. In July, the Cyberabad police station in Telangana registered four cases of e-SIM swap in which fraudsters had withdrawn up to Rs 21 lakh. Maharashtra Police’s cyber wing had earlier issued an advisory against e-SIM swap frauds.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines