A Wicked web of deceit

Saturday, December 2, 2023. Surinder Singh is spending the day with his family at his Vasant Kunj residence in southwest Delhi. The day has gone well till the afternoon as he proceeds to check his mail history. Confusion, followed by disbelief; there are multiple emails from his bank. Deductions have been made from ‘your’ virtual credit card, the bank informs indifferently.

Now reader, a virtual credit card is a digital card, available solely over the internet and does not have a physical form. Customers can use them to carry out online transactions. It is similar to a conventional credit or debit card, bearing a card number, CVV, and validity period. However, these details are only available online.

Back at his residence, Surinder Singh wondered how he came to own a virtual card. As far as he knew, he didn’t have one; never applied for one either. The bank, however, thought otherwise. An Axis Bank virtual credit card is registered in his name, but set up under some unknown email ID and unknown mobile number.

He lodged a complaint on the National Cybercrime Reporting Portal (NCRP) regarding the dubious transactions, to the tune of Rs 3 lakh from his Axis Bank account. The complaint was received by the Cyber Police Station, Delhi Police, Southwest District, which finally went on to crack one of the most sophisticated and unusual cases of cybercrime in the city.

Not every time does a victim of cyberscam get a call from the cybercons or is enticed into a lucrative offer by manipulative voices on the other side. Sometimes, a fraud would adopt elaborate and elegant ploys, and the target’s bank account emptied remotely without any need for making contact. Surinder Singh was one of these unfortunate victims.

Fake PAN, Original Aadhaar

Delhi police, having registered a case of cheating against an unknown culprit, wrote to the tech multinational Google, asking them to furnish registration details of the Gmail ID involved in the malpractice.

Call records of the victim were also analysed to peruse whether he had not inadvertently shared any communications from his bank, details or OTPs, with probable miscreants. There were no such indications.

As the investigation continued, the cops received a communication from Google replying to the query on the suspected email ID. The tech giant shared details of the Gmail ID under police scanner for alleged use in the registration of the virtual credit card, also sharing the mobile number associated with the mail account.

“When we analysed the call records of the suspected mobile number, we traced its last known location to Fazilka in Punjab. The cheated amount of Rs 2,85,000 was credited to an AU Bank account of an individual named Ramandeep Singh and the same was withdrawn through cheque,” DCP (southwest) Rohit Meena said. Probing into the details and transactions of the AU Bank account, the cops found glaring irregularities. There lay a money trail of around Rs 58 lakh; eyebrows are raised. All of it seemed to indicate a serious web of cyber fraud.

January 28. A police team is dispatched to Fazilka, Punjab. A series of raids will follow as the cops descend upon the possible locations of the accused Ramandeep Singh. But, he is nowhere to be found. For three straight days, the cops have carried out intensive search operations with nothing to show for their efforts. Ramandeep is using various calling applications to misguide them, police suspect.

February 1. Ramandeep has been apprehended by the Delhi Police and brought to the capital. The interrogation will be crucial. There is palpable suspense even among cops, who are still uncertain about how the culprit defrauded Surinder Singh. What is revealed will shock everyone.

26-year-old Ramandeep Singh used to create virtual credit cards of Axis Bank using a mobile application called KIWI under the name of different people using their PAN (Permanent Account Number), linking phone numbers and mail IDs of different users.

But how did he get their PAN?

The accused, with the help of certain online applications, fetched the GSTIN number of random individuals. The 15-digit code that identifies a GST-registered business in India, GSTIN number, contained the PAN card details of the registrants, Ramandeep knew.

Once he had extracted the original PAN details of a possible target, he would fashion a forged PAN, but with the original Aadhaar number of the target. With a new identity, a forged PAN and an original Aadhaar, he would go on to create a virtual credit card and apply for a personal loan on different mobile applications. A senior police officer of the Delhi Police tells us that most of the mobile applications that offer personal loans, disburse the amount without proper review of KYC documents (Know Your Customer).

The accused Ramandeep would utilize the credit limit on the virtual credit cards, transferring the amount to his bank account through different payment gateways. He used to withdraw the amount from his bank account and give it to several individuals as a loan in his Punjab village. The money trail of around Rs 58 lakh in Ramandeep’s account indicated several had fallen victim to his ploys across the country; people, completely unaware that some unknown culprit in some remote corner of India can now craft a virtual credit card with their name and original Aadhaar details and later take a loan under their identity, ultimately siphoning money out of their accounts.

Cybercrimes, simple or sophisticated, are defrauding the public out of hundreds of crores every day, watchdogs say. Devastated by financial losses, victims approach the police. The cops, mostly, manage to solve the cases before them. Then there are those rare instances when the culprits are just too elegant, succeeding in escaping unnoticed with the proceeds of crime. From minor frauds of mere hundreds to illicit transactions worth crores, swindlers, with every passing second, are adopting new and innovative ways to defraud citizens.

Upsurge in cybercrimes

The National Crime Record Bureau (NCRB) data for 2022 reveals a concerning surge in cybercrimes across the country, with a 24.4% increase compared to the previous year.

In the national capital, cybercrime cases have almost doubled, posing a serious concern for security agencies. Number of cases rose from 345 in 2021 to 685 in 2022. In 2020, it was much lower with only 166 cybercrime incidents reported. Of the 685 cybercrime cases reported in Delhi in 2022, as many as 184 were filed for circulation of obscene or sexually explicit content over the internet and 21 for publishing or transmitting obscene material. A total of 116 cases were registered in the capital for publishing or transmitting pictures, audio or video clips depicting children involved in sexually explicit acts.

Cybercons have evolved their methods in keeping with current tech advancements. Sophisticated tools like Artificial Intelligence (AI) have entered the paradigm of cyber offences; like in the recent case of the deep fake video of actor Rashmika Mandanna that went viral over social media.

Deepfakes: A serious concern

Deepfakes refer to synthetic or doctored media that are digitally manipulated and altered to convincingly misrepresent or impersonate someone using AI.

A fake/edited video, where Rashmika’s face was superimposed onto a British influencer, had gone viral, sparking a widespread controversy following which the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police had registered a case under relevant sections of the law.

The creator of the deep fake video was a 24-year-old engineering graduate from a Chennai college. He claimed he was a “big fan” of the actress and allegedly created the video to gain more followers on social media.

Another sensational case of AI-facilitated cybercrime was recently reported from Hong Kong where a branch of a multinational company lost $25.6 million (HK$200 million) after scammers, using deep fake technology, posed as the firm’s chief financial officer (CFO) in a video conference call and ordered money transfers.

Founder and chairman of the International Commission on Cyber Security Law, senior advocate Pawan Duggal, an expert in the subject, said the misuse of AI is a growing concern not only in India but globally. He asserted that India would need a new legal framework dedicated to the regulation of AI, coupled with stringent action against deep fake content.

“AI is a double-edged sword, ushering in both opportunities and risks. Cyber-criminals are increasingly leveraging AI-powered tools to conduct sophisticated attacks. We have recently seen how a deep fake video of an actress took the social media by storm. As AI continues to advance, policymakers must stay one step ahead, developing proactive strategies to mitigate the potential risks associated with AI-driven crimes,” says Duggal.

He emphasises that the time has come to formulate dedicated cybercrime courts, because the existing courts are already too bogged down with existing criminal prosecutions. “We also now require new legal frameworks to deal with the misuse of emerging technologies for criminal purposes,” he said.

Duggal is of the opinion that the pandemic has brought forth the beginning of a ‘golden age’ of cybercrime, one that is going to proliferate for many decades to come.

Meanwhile, the government has had a tough talk with social media platforms after several deep fake videos targeting actors sparked public outrage and raised concerns over the weaponisation of technology by creating doctored content and harmful narratives.

The Centre has asked social media platforms to act decisively over deepfakes and align their terms of use and community guidelines as per the IT Rules and present legal provisions. The government has made it clear that any compliance failure would be dealt with strictly and evoke legal consequences.

can new laws act as a deterrent?

The recently enacted Bharatiya Nyaya Sanhita (BNS) 2023 classifies cybercrimes as organised crime. Experts feel that the BNS can provide impetus to deal with emerging threats of cybercrime. “The significant aspect of BNS in dealing with cybercrime is its inclusion within the ambit of ‘organised crime’. For such offences, punishment is not less than five years and may extend to life imprisonment, along with cash penalties not be less than Rs 5 lakh,” Delhi-based lawyer Vineet Jindal, an expert in the field of cybercrime, tells us.

He said the BNS integrates provisions of the IT Act with prescribed punishment for offences. “For instance, offences relating to forgery, creation of false documents etc., include electronic records and have been made punishable,” he said, adding the new law can act as a deterrent to the rising cybercrime.

Cybercrimes against women

In the first week of February, a 16-year-old UK girl was virtually gangraped in a Metaverse, the first reported instance of alleged rape in a virtual reality game. ‘Cyber pregnancy’ and ‘cyber-kidnapping’ are emerging crimes posing severe threats to society. The NCRB 2020 report suggests that a total of 50,035 cases of cybercrimes were registered, an increase of 11.8% from 2019 (44,735 cases). During 2020, 6.6% (3,293 cases) cybercrime incidents were related to sexual exploitation. Experts suggest that cybercrimes, especially related to sexual content, often goes unreported either due to lack of awareness or legal infrastructure.

Institutions held to ransom: Cyber-threat at AIIMS

• Country’s top tertiary medical care facility, All India Institute Of Medical Science (AIIMS), in the national capital in November last year confronted a major ransomware attack that paralysed its patient care system for over two weeks.

• Experts dubbed the incident as one of the “biggest” and “most serious” cyber-threats that India has ever faced

• The hospital that caters to the medical requirements of the highest in the land, including the President and the Prime Minister was also susceptible to cyber assault

Some recent incidents

November 9, 2023

Several Indian citizens fall prey to a sophisticated cyber-fraud, cheated of hundreds of crores through fake loan applications. Delhi Police said they arrested a 52-year-old Chinese national woman, the alleged mastermind of the fake Chinese loan application scam amounting to around `150 crore.

November 1, 2023

A 38-year-old man was arrested for cheating a woman through a matrimonial website, introducing himself as a senior IPS officer serving as Joint Director of the CBI.

October 17, 2023

A syndicate of international cyber-cheats, involved in online fraud by making friends on social media platforms was unearthed by the Delhi Police; two Nigerian nationals were held.

October 12, 2023

Delhi Commission for Women chief Swati Maliwal allegedly received rape threats through social media, two days after she demanded ouster of filmmaker Sajid Khan from reality TV show Big Boss.

October 10, 2023

Four cyber criminals, operating out of Jamtara in Jharkhand, were arrested by the Delhi Police for duping people in the name of providing customer support services, later siphoning money from their bank accounts.

Policing cyber space

The Intelligence Fusion & Strategic Operations (IFSO) unit of the Delhi Police under the Special Cell and is a specialised unit handling complex and sensitive cases of cybercrime, including those where women and children are victims

The Delhi Police and IFSO regularly organises special awareness programmes against IT-related sexual offences.

The Delhi Police and IFSO have cracked multiple cases of ‘sextortion’, unveiled loan app frauds, busted fake call centres, among other scams.

Varying cases of cybercrimes, ranging from malcontent on social media to data theft, ransomware, phishing, online lottery scam, swindling and several others cyber offenses come under the ambit of the IFSO.