It’s time we rooted out OTP fraudsters
Makarand R Paranjape | 14 Oct, 2022
(Illustration: Saurabh Singh)
IT USED TO BE that a whole country came to be identified with a special kind of rip-off popularly known as the Nigerian 419 scam. It is named after Article 419 of the Nigerian Penal Code, which is quite similar to its colonial cousin, IPC 420, the byword for cheating and swindling in India. The latter, long ago, slipped into our common vocabulary in the phrase charsaubees and even gave a famous Raj Kapoor film, Shree 420 (1955), its title.
Also known as the advance fee fraud, this con involves getting the victim to part with a small amount of money in order to claim a large fortune, whether in money, diamonds, bonds, or some other windfall. Harvesting emails, phone numbers, and, more recently, social media accounts, this swindle has many variants and has claimed many a victim. One recent, well-publicised example was a top news personality’s fake job offer from Harvard.
Yes. It’s happened to me. That, too, very recently. But not the Nigerian 419, which, luckily, I never succumbed to despite being targeted for over 20 years. Rather, the desi Indian OTP scam, which is now trending all over the country. A senior friend, who does not, fortuitously, have a credit card, wanted me to purchase some alcohol for him. He found a deal online and requested me to help. I said instinctively, “Sounds like a con.” But since he insisted, I gave his guy a call. The man at the other end was very well-spoken and affable. He said he’d been talking to my senior friend for days and would deliver the goods to the latter’s residence on receiving payment. The amount was reasonable, so I asked, would you send someone with a machine to swipe the card or should I come to your shop to make the purchase? He said, “No, no, Sir—that’s too much trouble for you—just give me the OTP for the amount agreed on.”
I smelled a rat, but thought I’d go along to see what was up. After taking my credit card details and CVV, he sent me an OTP, which I relayed to him. My card was immediately charged. But then he said, “Oh, Sir, I forgot to add the GST, so I am unable to generate the bill. Do you mind paying an additional ₹100? You’ll get another OTP.” It happened as he said. I gave him the second OTP too. That’s when he went for the kill. He said, “Sir, please read out the OTP quickly. There is some problem here. The machine is not taking your number.”
Sure enough, another OTP came, which I read out, perhaps too rapidly, because he asked me to repeat it. That’s when I looked at the SMS more carefully. It was for ₹1,85,000. I knew it was a scam. I had the presence of mind to block the card immediately.
Fortunately, except for the initial amount, which was not very high, and which I have filed a dispute for, no other money was taken from me. But the trouble of calling the bank, blocking the card, and trying to get a new card in place of the tainted one is immense. Worse, I found that reporting a fraud or filing an FIR is not easy. My senior friend, on whose behalf I was making the purchase, had little to go by. There was also some shame in reporting his attempts to source liquor, which he didn’t want other people to know about.
An FIR requires, moreover, a visit to the police station, six months of bank statements, and much other material before it can be registered.
What happened to me was mild compared to the horror story I heard about my friend’s father, a Mumbai-based senior aged 77, whose bank account was robbed of ₹8 lakh by a similar OTP scammer. In his case, it was a debit-card swindle by someone who promised him a refund. Once the money leaves the account, it is virtually impossible to dispute, let alone reverse. My friend did file an FIR. The police traced the money to two local bank accounts, from where it was quickly transferred to several other accounts which were not in Maharashtra.
I didn’t know that there was already an OTT scam Netflix series on this phenomenon called Jamtara. I haven’t had occasion to see it, but the name refers to a district in Jharkhand, bordering West Bengal, notorious for this sort of scam. Quite tellingly, its subtitle is Sabka Number Ayega. After I started doing some research, I discovered that the headquarters has moved from Jharkhand to West Bengal, with one area of Kolkata, infested with hundreds of IT cells and cubicles, the new nerve centre of an international operation. Not only millions of Indians but hundreds of thousands of foreigners from affluent, English-speaking countries have been duped out of millions of dollars by call-centre and phishing, vishing, and smishing fraudsters operating out of India. This is giving both India and its techies a bad name worldwide as the epicentre of a new kind of cybercrime.
Is it possible that India too will join the ranks of the infamous, with a specific type of country-identified scam named after it? Yes, if government figures and statistics are considered a baseline, with actual figures being much higher. Answering a question in Parliament in August this year, Minister of State for Finance Bhagwat Karad reported that between April 1, 2020 and March 31, 2022, over 9 lakh incidents of phishing, vishing, smishing and OTP compromise were reported. A shockingly high 42 per cent of Indians have been its victims, in one way or another. We have lost some ₹1,500 crore due to such tele and cyber fraud attacks.
In a phishing attack, someone posing as a legitimate business or institution lures individuals into providing banking, credit card details, passwords, and so on, using these to dupe them. Vishing goes a step farther, using a direct phone conversation in which the criminal pretends to be a banker, law enforcement or income tax official, a utility company employee, or a business requiring you to update an account, approve a KYC, or click a link to access an essential service. Smishing specialises in SMS fraud, getting you to reveal OTPs and compromise your debit or credit cards, bank accounts, and so on.
Some of these fraudsters ask you to download an app or click a link, which lets them see your screen. Others hack into your email accounts or browsers where passwords are stored. Once the sensitive information is accessed, stealing or siphoning off money is a cinch. But the definitive signature of the operation is to get you to reveal your OTP. When caught, these criminals are found with hundreds of SIM cards, email ids, and fake accounts. Surely, the procedures for issuing phone SIMs and bank accounts can be further tightened.
Despite government agencies being long aware of the scale and extent of the crime, not enough has been done to prevent it. Only 17 per cent of those defrauded have recovered some of their losses, with the remaining getting no redress. Cybercrime is not only harder to detect and prosecute, it is also less dangerous and risky for the criminal. Digital theft operates remotely, avoiding direct human contact with the victim, thus reducing the moral responsibility and guilt. Crooked by nature or habit, cybercriminals get hardened with repeated offences. Especially when the con is so easy and successful, what with the huge number of digitally challenged even among the well-heeled and educated sections of society, what to speak of the cyber-illiterate and undereducated populace at large.
Zero tolerance for cybercrime and OTP fraud in India is the only way forward. An interstate agency can be tasked to root it out, especially the politician-criminal nexus. It is hardly any surprise that such crime allegedly flourishes in non-BJP states, where criminals have political protection and patronage. Some months ago, two Jharkhand MLAs were caught in West Bengal with a carload of cash. Joining the dots reveals the extent to which the tentacles of cybercrime have spread throughout the land.
Rather than putting the onus solely on would-be victims, government should proactively raid and smash these cells. Many of them have been identified by scam-baiters and busters from across the world. At least metaphorically speaking, it is here that bulldozer justice is most called for, even if these are cyber bulldozers. With tech-savvy ministers such as Rajeev Chandrasekhar and Ashwini Vaishnaw in the Union Cabinet, not to speak of a technophile as prime minister, India must not delay in rooting out the Bharat OTP scam.