MMA-KAS in partnership with Digital Security Association of India (DiSAI) organised a discussion with Mr V Rajendran, Chairman, DiSAI; Mr Amaraesh Pujari, IPS, Director General of Police, Cyber Crime Wing, TN; and Mr Shiva Balaji, Cyber Security Professional and Founder CEO, Bitlock Online Solution Pvt Ltd. The following are excerpts from the talk by Mr Amaraesh Pujari.

We live in an age where the success of our economy, our internal security, our defence and indeed the entire gamut of our existence relies on the power of IT and how efficiently we are able to harness the incredible and huge potential of IT resources. The efficient harnessing of IT resources has transformed the destiny of our nation, making India one of the most notable economic, technological and military powers in the world today. But unfortunately the same IT resources also make us hugely vulnerable to a whole plethora of risks. This is because the entire edifice of IT infrastructure was not designed so much for security, but mainly for ease of operation, efficiency and interoperability—the driving forces behind the evolution of the huge globally interconnected cyber space, within which the nations, industries, companies and individuals function. Every day, our critical infrastructure comes in the crosshairs of inimical forces. Every day, thousands of our innocent people become unfortunate victims to cyber criminals who are out there, just to make a fast buck. It is quite unfortunate that these tidal waves of cyber crimes that threaten to engulf us go unabated. Fortunately, we didn’t, as yet, have had a situation faced by a nuclear reactor in Natanz in Iran: the Stuxnet worm stopped the nuclear reactor operating there. But we should be alive to the threat of weaponisation of the malware. What we are facing today is primarily a wave of cyber financial frauds. We have a national portal to report cyber crimes; not that every crime cyber gets reported, but a bulk of them get reported. Even with less than 100 percent reporting of the cyber crimes, every day we get 2,000 to 3,000 cases reported. In India, cybercriminals make 12 crores every day. That makes it to more than 4,000 crores every year. 80 websites are hacked every day. It is estimated that 2 lakh mobile numbers are active in our country that are out to scam the people. Ransomware is making its presence felt. You would have heard the case of attack on Oil India quite recently. More and more such cases are coming to our notice. This is just a snapshot of the gravity of the situation that stares us. Let me touch a few recent trends which keep us busy in the crime detection and prevention.

The Loan Apps

Taking advantage of the downturn of the economic situation of many people due to the pandemic, loan apps have mushroomed in our Play store. These apps provide you with a loan of a few thousand rupees with exorbitant interest rates. One is not bothered about the interest rate when one needs a few thousand rupees immediately. The daughter of one of our family friends went to a restaurant with three of her student friends. She was short of just 500 rupees. One student had a brilliant idea and said, “Let’s download a loan app and get a thousand rupee loan.” They downloaded the app and immediately thousand rupees got credited to her account. They paid the bill and came out. Immediately, a phone call came that she had to pay ten thousand rupees within one hour, though the time given in the app was three days. When she protested, the caller threatened to dial all the people on her contact list and morph her profile photo. How do you think this happened? While downloading the app, we say, ‘yes, yes,’ to all the permissions that are asked for. We hand over our entire life, on a platter, to the fraudster. She didn’t believe it at first, but when she started getting phone calls from her relatives and friends that somebody was telling lot of negative things about her and her family, she got alarmed and informed her dad. After that, we solved the case. This is the menace of the loan apps, which are all illegal. We have busted 79 such apps so far. We wrote to Google and we have taken them out, but more loan apps keep mushrooming.

Phishing Links

Quite often, we get SMS or email informing us that we have won crores of rupees in a lottery. If you click their links or start engaging with them, you will get conned. The most prominent one among them is getting a phone call. They deliberately target rural areas where awareness is not much. But in my service, I have seen that even the best of educated people have been conned, including those in the banking and IT industry.  You may get a phone call, supposedly from a banker that a 2 lakhs cheque issued by you, is going to be presented.  The fraudster might get your name from TrueCaller.  You say that you have not given the cheque. The fraudster says, “Then you can lodge a complaint at the police station. Or else, I will send you a link. It will be either—Yes or No, that is: pass my cheque or don’t pass my cheque.” The fraudster puts pressure, and you click the link and select the ‘No’ option. Within ten minutes, Rs 40,000 may get debited from your account. We see also see a lot of cases asking people to click a KYC link, provide details for KYC or update the Aadhar number. If people don’t respond, they threaten that the account might be closed. To issue a new ATM card, they will request you to click a link. Again, within minutes of your clicking the link, your money will be gone.

Job frauds and other scams

Then there are a lot of job frauds. Fraudsters exploit the unemployment scenario. People are bombarded with fake job offers. The catch is, you have to deposit some money and that money never returns. Another kind of a scam that we are noticing is the search engine scam. Suppose you get into a problem during netbanking, you try to reach the helpline of a bank through Google. It could be a fake helpline where you reveal all your sensitive details and get conned. We come across many cases of social media impersonation. A professor known to me called me frantically one day saying that he just transferred Rs 40,000 to his Vice Chancellor because the latter had met with an accident and he got a message, “I am not in a position to speak. Please transfer 40,000 rupees. I am in this hospital. I will return the money in two days after I get discharged.” The professor requested me to put in a word to the hospital authorities for his treatment. I said I will be very happy to do so but asked him if he was sure that his Vice Chancellor sent him the message. The professor said that the message carried the VC’s profile photo. “Anyone can put your photo as their profile photo.” He later realised that his VC was hale and healthy and that he was defrauded of Rs 40,000 by a scamster.

Sometimes, you may get a call that there is an IT refund for you and you have to enter some details by downloading a new app that the IT department has come out with. When you download that app, whatever you enter gets mirrored to the fraudster including the password that you enter. Another type of scam is that you may get a message that Rs 40,000 got deposited in your account. You may wonder who gave you this money. Within minutes, you will get a call from a person that he wrongly deposited the money in your account, maybe because he entered one digit wrongly. As he needs the money urgently, he will request you to transfer that money to his account. As a good citizen, you also transfer that money from your account, only to realise that Rs 40,000 was never deposited, the message was fake and you have transferred from your account balance. Therefore, please be very careful. Never download suspicious apps or suspicious QR codes or click any unknown links. You have to save yourself. You don’t have to believe the unknown caller.

1930: The Magical Number

Government of India has taken a lot of steps. A National Critical Information Infrastructure Protection Centre has been created under 17A of the IT Act to safeguard our critical infrastructure that houses companies and their offices. Another very good initiative is the Cybercrime Coordination Centre. This is the main coordination centre that operates under GOI’s Ministry of Home Affairs. Now, a National Cyber Crime Reporting portal has been created. Anybody affected by cybercrime should upload the details in this portal: https://www.cybercrime.gov.in/

Most importantly, one cyber helpline number has been created. It is 1930. You may take a lot of precautions, but in spite of that, suppose you fall victim to one of the cyber fraudsters and lose some money, is it gone forever? If you report to 1930, the money lost by you can be frozen by the banks and returned to you eventually. Just like we talk of the golden hour in case of medical emergencies, here also, we have the golden hour. If you report within one hour of the cyber crime, there are very high chances that the siphoned off money will be safely returned to you. Please store this number in your mobile as Cyber Crime Emergency Helpline and share this widely with people in your circle. Your 1930 call will land in our control room which is connected to the banks. Then a message goes to the concerned bank to freeze that amount. Your transaction will be frozen and with the help of the bank, you will get back your money. Banks prefer that fraudulent transactions should be reported to them within 72 hours, but don’t wait for 72 hours. The criminal can encash your money through some ATM or other means. Then it becomes a cost prohibitive exercise to send a team to another state because most of the criminals are located remotely. So the best way is to reach us is within one hour of the occurrence.

State Cyber Command Centre

In Tamil Nadu, we have opened a State Cyber Command Centre. I invite you to visit it sometime. We have opened one cyber crime police station in each of the districts. Tamil Nadu was the first state in the country to open a dedicated cyber crime police station in each district. Going a step ahead, we are opening a cyber cell in each police station. If your complaint is non-financial in nature, for example, somebody is morphing your photo and misusing it, then you can upload it in the NCCRP portal: www.cybercrime.gov.in. It will reach the concerned police station. The Kavalan-SOS app also has a facility to report cyber crimes. I urge all of you to download this app because it is very useful. It has dozens of citizen services that the Tamil Nadu Police offers to the citizens. In fact, the necessity to go to a police station is more or less obviated, if you have this kind of app in your mobile phone. This is not only for your safety but it is a crime prevention tool. For example, you may want to verify your domestic help that you have hired or your tenant. You want to buy a vehicle and check if was involved in a crime case or not. All these can be done through the app.

What more needs to be done?

Are we really able to control cyber crimes? Well, not to the extent that ideally I would have liked it. Much more needs to be done. I believe that banks have a central role in preventing financial cyber crimes. Only with the cooperation of banks, these crimes can be prevented. Here are a few suggestions:

• In any money debit messages, banks can include the wordings- ‘If you suspect any fraud, please call cyber crime helpline number 1930.’
  
• The KYC system needs to be made stronger.
  
• Many financial crimes happen on weekends. Banks may tighten slacks, if any, normally found during the weekends.
  
• When an account is opened with the bank, banks should give the customers a white list consisting of three or four numbers, only through which, the banks will contact them. Other numbers are to be considered as ‘unauthorised’ or ‘fraudulent.’
  
• People call with fictitious numbers. The telephone companies can work with IT departments and ensure that the KYC number of the person is also displayed with the call.
  
• When OTP is sent, add details such as your OTP for withdrawal of Rs 10,000 is….. and so on. Some banks are doing this and this may be practised by all banks.
  
• TrueCaller must be updated with all scamster numbers, so that their calls are marked as ‘scamster.’
  
• Using CSR funding, banks must build awareness against cyber crimes.
  
• Catch people young. Make cyber security as part of the school syllabus.