Cybercrimes surged along with the Coronavirus (COVID-19) pandemic. Financial scams topped this list. Lockdowns seem to have opened the floodgates for criminals with innovative ideas for crimes. With the lockdown moving lives online, losing e-payment options, be they credit or debit cards, digital wallets or net banking, would spell disaster for the e-customer. Exploiting this fear, be it of losing the e-payment modes, of ‘freezing’ of accounts or of ‘loss’ of investments, is among the modus operandi used by criminals.
Fear is the Key
Fear and greed, as I oft quote, are the primary triggers that fraudsters use to bait victims and with the pandemic already causing a heightened sense of fear, messages of further e-restraints appear to have worked wonders for criminals with even the most cautious and knowledgeable falling prey to online frauds.
You have just heard the news of the lockdown extending. You receive a message asking you to complete ‘Know your customer’ (“KYC”) process. You are asked to complete KYC in two days. You are given the option of going to the bank or calling a number given in the message. You are told that your bank account will be blocked if you do not complete KYC within two days and all money in the account will be frozen.
The same modus as above, replace ‘Bank account’ with ‘digital wallet’. The message or person calling insists you complete KYC or else…
In the same scenario as above, replace ‘Bank Account’ with ‘Mutual Funds’ and the threat is about freezing your investments; stoppage of monthly payments; loss of the investment itself in its entirety. Or being told that you will retain only 10% of your total investment and forfeit the rest.
In the same scenario, replace the message with a call allegedly from a ‘bank employee’ or ‘company representative’, who is offering to ‘help’ you complete the process.
Similar modus, but in this instance, you are offered a ‘loan’ at low interest and possibly no EMI for some months / during COVID-19 etc.
In one form or the other, every single instance of financial frauds during COVID relied on ‘fear’ as the trigger to ensure victims fell for scams.
Bait & Phish
‘Phishing’ or ‘Vishing’ scams are not new to COVID-19 times; they proliferated even before lockdown situations created new e-norms. ‘Phishing’, which is merely ‘fishing for information which is then used to commit the crime’, relies on multiple options, including fraudulent e-mails with links that direct a customer to fake websites, calls seeking personal / financial information, or SMS messages that induce or threaten recipients into responding. Call-based financial frauds are tagged as “vishing”, based on the use of Voice over Internet Protocol (VoIP) for such frauds. Even where the number displayed appears to be that of a company or bank, it does not guarantee the authenticity of the caller. The number may have been spoofed. Tactics ranging from simple to complex are adopted by criminals to mislead and deceive.
The increasingly evolved methodologies in committing e-frauds leave victims baffled. A victim with a digital wallet may believe she is completing KYC and, whilst on the call, her bank account balance is siphoned out by the criminal. It is similar with debit card scams. With credit cards, there is still a window of opportunity to protect or limit the damage. Once the money leaves the banking account of the victim, the present systems appear ill-equipped to recover the criminal spoils. Prevention, in such cases, appears to be the best cure.
Using a well-known name or brand name is a typical modus for the online scamster. Entire banking websites are fabricated using the look and feel of the original or official site. Recent forms of attack include hacking into genuine and authentic websites and changing the contact details on such sites to mislead customers to the fraudsters. COVID saw a spurt in fake sites and even apps, which targeted fear of the pandemic and the lockdowns making online news of COVID trends the primary source of information. Fraudulent sites that claimed to offer cyber safety measures indicate the ingenuity of the fraudster in using the ‘fear factor’.
Each scam relies on the victim taking the bait. The first bite for the scamster is a victim responding to a phishing or vishing attack. The next level is a test run for payment. The claim for the first payment is always for a small sum. If a victim takes this bait and makes the payment, further demands will arise for increasingly larger sums. Every time a victim resists, the classic modus is to threaten that if the further payment is not made, earlier payments will be forfeited.
Online Platforms: With each action that is being taken to prevent or protect against such scams, the criminals innovate and find new ways to defraud. Caution in any transaction would be the simplest safety tip. With online platforms, earlier cautions included checks for ‘https’ and the padlock and the verification of certificate ownership. Now you may have to check all three and not just one, as criminals are finding ways to circumvent and fabricate checklist safeties.
Emails: With emails, whilst the name you see may be of a bank or company, checking the full email id may give you an indication of fraud. The email id would have no bearing on the organisation. Else the email id may be the user name of an id obtained from a general service provider and not one issued by the organisation. For instance, a bank id is likely to be ‘[email protected]’ whereas a fake id may be obtained using ‘[email protected] provider.com’ (service providers may be Gmail or other email options). Each of these is an indication of a scam.
OTP Verification: If an offer is ‘too good to be true’, question its authenticity. If ANY process asks you to share the One Time Password (“OTP”) for verification purposes, stop and do not share. If ANY call, message or email asks you to pay ‘administrative charges’ or ‘taxes’ including GST or any other ruse to make you pay, STOP. Do not make ‘advance’ payments for any alleged benefit, be it a loan, inheritance or lottery. If you are promised employment upon payment of a ‘security deposit’ – STOP and DO NOT PAY.
For online transactions, use of a credit card may be a safer alternative than using a debit card. Credit card transactions have a window for clearance and if the fraud is detected immediately, it is feasible to stop the transfer of funds. SMS facility has been made mandatory for payment systems, for this reason. Check all messages about banking transactions and if it is not a transaction you have done, submit your complaint either through a call to the customer care centre or by email or in person. However you may do this, ensure you file this complaint immediately. If you did not receive the SMS, file the complaint immediately upon noticing the wrong claim or entry. An immediate action, that is, in writing or through even a recorded call (calls to customer care numbers are invariably recorded) is imperative.
Victims of e-frauds feel defenceless and vulnerable – invariably the immediate reaction is to hide their ‘shame’ at falling victim and their assumption that there are no remedies. The ‘shame-factor’ is a key component of the scam, as criminals rely on it to go scot-free. One victim who fails to complain is merely encouraging a criminal to commit such crimes against many. For the sake of the victim and to protect others, it is therefore imperative that a victim files a complaint to seek remedies.
Legal remedies are aplenty against such scams, including filing a criminal case (you could do this online on cybercrime.gov.in) or seeking your remedies before the Adjudicating Officer (“AO”), in proceedings under Section 46 of the Information Technology Act, 2000 (as amended) (“IT Act”).
Recovery of monies and/or protection of the property is of primary concern for victims. Proceedings before the AO have been quite successful for victims of phishing/vishing frauds, especially where there has been a breach of sensitive personal/financial information of the victim from the bank or organisation. This remedy, however, has not been utilised to its full potential.
In case of banking frauds, Reserve Bank of India (“RBI”) has issued circulars with respect to the liability of banks and payment systems, in cases of financial frauds. Whilst earlier circulars placed most of this onus on banks, the RBI circular of 2017 created two broad categories of liability.
- The first is of ZERO liability of customer in some instances such as in cases where the Banks are at fault or even where a crime occurs for no fault of either the bank or customer, where the customer intimates the bank within THREE working days.
- In other instances, there may be limited liability or full responsibility with the customer. This would be contingent on the extent of contributory negligence of the customer in the commission of a crime, including furnishing banking or financial details to a criminal that resulted in the commission of a crime. Even in such cases, once the complaint is registered, losses thereafter are those of the bank. Hence it is important to report immediately and to seek blocking of the compromised card or payment instrument or the digital wallet.
Reporting a fraud immediately is therefore imperative. Banks are mandatorily required to receive and acknowledge such complaints. If a bank fails to receive or register such complaints there are also legal remedies against the bank for such infringement of the rights of the customers.
Need for Immediate Action from RBI
There are advisories for banks to create awareness amongst customers of these trends of cybercrimes. RBI ought to review its circulars to ensure clarity with respect to the liability of banks and customers. It ought to make it mandatory for banks to share the details of and create AWARENESS about the REMEDIES available to customers from banks. There also ought to be explicit penalties for banks refusing to or failing to register the complaints from customers.
Further, banking channels are used for siphoning out funds. These are clear indications that the KYC process is failing at this stage. Remedies for such failure by banks do not give protection or remedies to victims of financial cybercrimes. It is imperative that payee banks are also made liable for breaches of protocol including of KYC norms. Banks ought to remedy their architecture to ensure that names of parties and bank accounts match, as many frauds use well-known brands or names to mislead victims into believing that a bank account is that of a company whereas the bank account may actually be that of an individual. Securing the stable after the horse bolts does not remedy a victim’s grievance. Merely offering ex post facto protection, i.e., placing the liability on banks after complaint registration, does not provide an effective remedy to victims.
Post demonetization, India has given great impetus to digital and e-banking. This impetus has to carry with it not only e-literacy for customers but also a better internal process for banks to deal with this exponentially growing menace of financial frauds. Failure to address not only preventive measures but also remedial actions for victims will merely decimate trust in systems and leave victims in a more vulnerable position. Until more effective measures are implemented, caution and prevention remain the best cure.
The writer is an Advocate, Supreme Court of India & Founder – Cyber Saathi Foundation. This column in collaboration with SheThePeople.TV takes forward the initiative to empower victims through knowledge of threats and vulnerabilities on electronic domains and remedies to combat them through laws and remedies. This will be a monthly column that will be published on the first Friday of the month.