Just like thousands of engineering graduates in pursuit of a job, 22-year-old Samhita RH had been trying to find one since she graduated from AMC Engineering College in Bengaluru. Samhita’s parents, who live in Hassan district’s Sakleshpur, were counting on their daughter to help clear loans they had taken for her education. A year after graduating, Samhita was desperate. She had uploaded her resume on several job portals and hoped she would get an interview call.
On the afternoon of December 21 last year, Samhita received an email from an id that read: hr.monster13@india.com.
“I did not suspect that this was a fake account. Soon after I received the email, I also got a call on my mobile number and a man named Abhishek Acharya said he was from Monster and that there was an interview call for a position at HCL. He said I have to pay Rs 1,200 as registration fee and that I would be able to go for the interview then. A few hours later, he asked me to pay Rs 18,000. The next day I had to pay Rs 13,000 and later the same day another Rs 15,000,” Samhita says.
The next day, she received a fake offer letter from HCL after a telephonic conversation and this time another man named Amit Singh, who claimed to be an employee in HCL’s HR department, allegedly told Samhita that she had to pay Rs 29,000 for a certification programme that would be conducted as part of her induction programme. Samhita paid Amit Singh too and when she asked him the date of joining, Amit allegedly informed her that he would be in touch.
By the first week of January 2019, Samhita was worried that she may have been duped. She got in touch with HCL in Bengaluru and enquired about the job offer she had received. She even sent them a copy of the “offer letter” she had received. To her dismay, HCL informed her that the letter was forged and that no one from the company had reached out to her.
When she contacted the mobile number of the alleged Amit Singh and demanded her money back, he allegedly hung up and could never be reached again. “I lost around Rs 76,000 in a few days’ time. My parents were struggling for money. They had taken loans to pay for the job and it turned out to be a sham. When I got that email, I should have been more alert. But hope and relief of finally getting a job had clouded my judgement. I filed a complaint with the Cyber Crime Police Station in Bengaluru on January 19 this year, but there has been no progress in my case,” Samhita says.
In Samhita’s case, police say that the phones used to contact her were last used in Madhya Pradesh and the IP address from which the email was sent was from Nigeria. “How can we track down some online identity that we don’t know. If it’s a robbery or a murder, its jurisdictional. When it comes to people morphing pictures and extortion rackets on online dating platforms, it is easier to track down the people as there is an ID of the person. But economic offences are the hardest to crack,” says Sandeep Patil, Joint Commissioner of Crime, Bengaluru.
Just like Samhita, thousands of people have fallen victim to job scams on the internet and the Bengaluru Cyber Crime Police say that a third of the cases involving economic offences in Karnataka are related to job scams, a third of them are related to OTP and UPI fraud, and the remaining are lottery related scams. And the police say that investigating cyber crimes related to economic offenses are very difficult.
UPI, lottery fraud on the rise
Ever since demonetisation led people to switch to online money transfer, police say that Unique Identification Pin (UPI) related cyber crimes are on the rise. According to the Cyber Crime Police Station in Bengaluru, of the 12,754 cyber crime cases reported in the city between January 2018 and August 2019, 38% of them were related to UPI.
“Before demonetisation, a lot of people were not using Google Pay, PayTM, BHIM and other UPI apps for money transfer. With more users, the pool of potential victims for those committing cyber crimes has increased,” Sandeep Patil says.
In July this year, a Madhusudhan, businessman from Bengaluru, filed a complaint with the Cyber Crime Police Station that a person posing to be a representative of an e-commerce company had looted Rs 1.6 lakh from three of his bank accounts via his BHIM app. Madhusudhan’s wife Lekha had ordered material for a dress from an e-commerce website. After it was delivered, she wanted to return it, and found a customer service number when she searched on Google. She asked Madhusudhan to help her get the money back.
Madhusudhan spoke to the representative, who informed him that the product could not be returned but that he could initiate a refund. “The product quality was bad and so we wanted to return it. The representative said he would refund the money and told me that he would send me a message, I had to click the link in the message and fill in a form for the refund to be processed. I never thought that this could be a scam. Within minutes, Madhusudhan received a message with a message ID that read: HDFC-UPI. Assuming it was legitimate, I clicked the link, which led me to a portal. But there was no form,” Madhusudhan says.
Madhusudhan tried calling the customer care number once more but there was no response. About three or four minutes later he received a message from his bank that Rs 90,000 was transferred to an unknown account via BHIM. Seconds later, he received another message that Rs 70,000 was transferred to another bank account via the same app. Madhusudhan immediately called his bank and asked them to stop any fund transfer from his account.
“I have three bank accounts linked to BHIM and money was wiped out from two accounts. I was able to save Rs 40,000 only after I called the bank,” he says. When Madhusudhan approached the police, Cyber Crime sleuths informed him that it was a phishing scam. “That message that I clicked, that was where it started,” Madhusudhan adds.
According to Karan Saini, Programme Officer with the Centre for Internet and Society, most UPI-related crimes are phishing operations and in rare cases involve spyware. Karan says that SMS gateways are the easiest means to con people into believing that a message is from a legitimate source.
“Businesses have the ability to send messages to people from SMS gateways provided by telecom companies. Consider the messages we get from e-commerce sites, banks, etc. While most businesses send messages to customers who have wilfully provided their details, bulk contact information can still be procured quite easily, and the cost barrier for sending bulk SMSes is also quite low. Most SMS providers charge customers around Rs. 300 for sending 1000 messages. Further, businesses have the ability to specify a custom sender ID (i.e., the name that appears on the message), which TRAI (Telecom Regulatory Authority of India) mandates to be 6 characters long (e.g., AXISBK), however, fraudsters can easily subvert the custom Sender ID feature to push their phishing campaigns. Most of the reported UPI scams seem to have succeeded because people were conned by the name of the sender. While several SMS providers maintain ‘blacklists’ that let them protect the Sender IDs of prominent customers, fraudsters can still trivially bypass these blacklists, by alternating characters within the Sender ID (e.g., changing AXISBK to AXISBA or even BKAXIS), or by simply moving to another SMS provider.,” Karan says.
In December 2017, Venkateshulu S, a jewellery store owner in Bengaluru, received an SMS allegedly from an e-commerce website stating that he had won Rs 1,00,00,000 in a lucky draw. The message stated that Venkateshulu, who had recently purchased a TV from the website, had won the lucky draw from a pool of customers chosen for it.
Venkateshulu, who was initially sceptical, had ignored the SMS. A day later, he received another SMS from the same sender ID, which claimed that he had to claim the prize within the next 24 hours or the offer would expire. He also received a call from a person posing as a customer care executive and informed him that he had to pay Rs 1 lakh to claim the prize and that the money would be refunded to him once the winnings were deposited into his account.
Within a few minutes, he transferred the money to an account number given by the conman. It was only after two days that Venkateshulu realised he had been swindled.
“I was waiting for the money to get deposited into my account. When I contacted that man again, his phone was switched off. Then I filed a complaint with the cyber crime police but they haven’t caught the culprit even now,” Venkateshulu says.
Speaking to The News Minute, Director General of Police, CID, Praveen Sood, said that just like Venkateshulu, thousands of people get conned in lottery scams. “When someone is asking you to pay money to collect alleged winnings, that must be the trigger. People get conned a lot by lotteries because the amount of money is too huge for them to pass up,” he says.
Thousands of cases, negligible convictions
From just 1,045 cases registered in 2014 to 8,495 cases between January and August 2019, the number of cyber crime cases being reported in Karnataka are on the rise. Between January 2014 and August 2019, 20,920 cases were registered across 30 Cyber Crime police stations in Karnataka and a whopping 85% of them have been registered in the lone Cyber Crime Police Station in Bengaluru City.
Of the 8,495 cases registered between January and August 2019, 7,516 of them were in Bengaluru. Another alarming reality is the low rate of conviction. There have been only 36 convictions in cyber crime cases in Karnataka in the last six years and out of them only 5 convictions have occurred in cases registered in Bengaluru. Of these convictions, four of them occurred in 2014 and one in 2018. There were zero convictions in the years in between.
The shockingly low rate of conviction, Cyber Crime sleuths say, is because 95% of the cases registered go unresolved for various reasons. Of the total number of cases registered in the last six years, arrests have been made in only 6.2% of the cases and the number of cases in which chargesheets have been filed is even lower.
Between 2014 and August 2019, chargesheets were filed only in 736 cases in Karnataka, of which 46.86% were from Bengaluru.
DGP Sood says that one of the primary reasons for the low conviction rate in cyber crime cases, not only in Karnataka but across the country, is the lack of geographical boundaries in cyber crime cases.
“In most cases across the country, the crime is perpetrated by people from other countries,” he says.
Senior police officials who have worked on numerous cyber crime cases in Karnataka say that another reason for low conviction rates in these crimes is that the cost of investigating cyber crime cases, especially economic offences, exceeds the actual loss suffered by victims.
“In many cases that I have worked on, the IP addresses or phone numbers are from Nigeria, Trinidad, Congo or an eastern European country. How do we track down and arrest these people? After five to six days of investigating, we reach a dead end. Between the amount that individual victims lose and the amount that needs to be spent on investigating that case, there is a huge difference. Lakhs have to be spent on one investigation. The economics do not add up and the physical international boundaries are major hurdles,” a senior police officer says.
Limited knowledge about advanced technology
Senior officials with the Cyber Crime unit in the Criminal Investigation department say that apart from a severe staff crunch in Cyber Crime stations, most police officers, public prosecutors and magistrates have limited knowledge about cyber crimes, the technology used, the methods of perpetrating such crimes and, most importantly, the technological jargon.
“Initially, we had only 10 police officials working in one police station in Bengaluru and they were handling thousands of cases. It was only in 2018 that the number of personnel were increased to 40. Even now, these officers are handling thousands of cases and it’s an overload,” JCP Sandeep Patil says.
According to DGP Praveen Sood, even in cases where arrests are made and chargesheets filed, overburdened sessions courts with limited magistrates who understand the nuances of cyber crime cases contribute to low rates of conviction.
The information stored in your inbox is a treasure trove for cyber criminals. Have you secured your email account properly? #CyberProtect pic.twitter.com/8sWKQVGYuO
— Cyber Protect (@CyberProtectUK) September 23, 2019
Students are being lured
— Cyber Protect (@CyberProtectUK) September 19, 2019
into laundering dirty cash with fake job adverts offering easy money.@DigitalEagles are sharing their top tips to help you stay safe during your studies.https://t.co/Y0RLaR17Ua #MoneyMules pic.twitter.com/k3ZHgWyPLI
New trick for cheating. https://t.co/3qdJBWbBeY
— Praveen Sood DGP CID Karnataka (@Copsview) September 16, 2019
Senior police officials who work with the Centre for Cyber Crime Investigation and Training Centre say that prosecutors and lawyers fail to put forth a strong case due to lack of knowledge about these crimes.
“Understanding the methods used by perpetrators of cyber crimes and most importantly the jargon is difficult for prosecutors and magistrates. Even officers working in Cyber Crime stations keep learning new things every day. Magistrate courts are overloaded and to find judges who can understand the nuances of the case and prosecutors who can put forth a good case is difficult,” the official explains.
In February this year, the Centre for Cyber Crime Investigation and Training Centre was inaugurated in Bengaluru in order to train police officers, prosecutors and magistrates on the nuances of cyber crime. DGP Praveen Sood says that with more police officers being trained, it is a first step towards ensuring that more cases are detected and disposed of quickly.
“Since cyber crime has no boundaries, the best way is to prevent it. More awareness is required. People must not use the same email ID for personal and financial transactions. Separate email IDs must be used for social media accounts because many people get conned on social media. There are many cases where social media accounts are hacked and pictures of women are morphed. It’s always better to change passwords frequently and not share it with anyone. Do not believe people who say they are bank officials asking for OTP and PINs. Never buy into lottery scams where they ask you to pay money in order to get your winnings,” Praveen Sood adds.