Sometime back, I received a call on my mobile telling me that a delivery agent from a courier company was unable to locate my door. The voice at the other end asked me to send my location on a number they would share. My response was to ask the delivery agent to call me directly. But within seconds, I received a message with the number on which I was supposed to share my location. When I checked the number, I found it prefixed with *21* and suffixed by #. This is the sequence that enables calls to be forwarded, and is used to steal personal data and OTPs.
The ingenuity of scammers is constantly evolving. Just as the number of cases of digital arrest declined in 2025, thanks to sustained awareness campaigns,scams replacing elaborate artifice with basic trickery are filling the gap. According to the latest data from the National Crime Records Bureau, cybercrime cases rose more than 17 percent in a year to cross the 1-lakh mark in 2024. A large chunk of this was financial fraud, followed by online sexual exploitation.
The vulnerable cohort, especially for financial fraud, is largely the elderly and those with considerable bank deposits. This targeting is probably made possible by stolen personal data available on the dark web, sold to criminal operators.The cybercrime network has spread its talons using specific data, preying on ignorance, creating a false sense of urgency, isolation and even simulating concern for the victim.The advice we heard in the good old days before the advent of social media—of not talking to strangers, with the additional rider of not responding to messages from strangers by clicking links or downloading files—is relevant even today. While there are apps and websites that check the genuineness of links, robust commonsense is still invaluable.
The Indian government has launched certain initiatives to facilitate reporting of cyber fraud. Spam and suspected fraud complaints can be registered on Sanchar Saathi. Money is already lost can be reported on the National Cybercrime portal and designated help lines. This is to be done at the earliest as it initiates immediate damage control by freezing stolen funds and blocking fraudulent accounts. While these measures are laudable, it is prevention of cybercrime that is the emerging challenge.
Cybercrime is a shape-shifting beast that defies detection. As a cross-border phenomenon it is often supported by certain State actors. Cartels like Lazarus, which operate with great stealth and precision, have an extensive reach. They not only organise and control cyber-attacks but also absorb and redistribute the proceeds. The use of cryptocurrency has facilitated criminal networks to execute heists while covering their tracks. The use of AI tools has given rise deep fakes and impersonation scams. AI-generated content can mimic government authorities and exploit users to share confidential information. The technology has also facilitated curated phishing attacks, with more user data and preferences being available. Therefore, what is needed is coordinated investigation across the globe, stronger cyber policing and greater public education about online fraud.
The emergence of plug-and play-tools for hacking, and malware and ransomware as a service give hackers access to systems in a way that can disrupt services and impact businesses. Insurance against cyberattacks are available, although at a heavy premium. The tendency of businesses not to report cyberattacks, fearing reputational damage, keeps enforcement agencies from understanding the modus operandi.
As a response to growing cybercrime, tech firms like Google and Microsoft have put in place proactive measures to dismantle infrastructure used by threat actors, working in collaboration with law enforcement. This may be the most appropriate strategy for now, given the scale of the problem.
In India, though rapid digitalisation has transformed banking, there is an awareness gap among users regarding safe practices, as well as a lag ininstitutional preparedness to tackle cybercrime. Banks, which act in a fiduciary capacity, have the responsibility to promote awareness of safe practices among their clients and warn them of the risks. It is true that information is available on their websites and on social media. However, outreach programmes for customers, especially senior citizens, about online hygiene would be a welcome measure.
The extent of banks’ liability for losses incurred by customers involves reading the fine print. Compensation depends on whether the fault is that of the customer or the bank. Customers are also required to report the event of fraudulent loss within three days for zero liability. But it cannot be denied that banks have the first visibility of suspicious or unusual fund movements. While it is true that banks’ vigilance has prevented scams, stronger checks on mule accounts is needed. Recently, the RBI ombudsman directed several banks to compensate a victim of digital arrest 5-7.5 percent of the amount transacted. The ombudsman held the banks responsible for failing to monitor mule accounts, lapses in KYC and failing to flag rapid suspicious transactions that resulted in transferring `22.92 crore through 4,236 transactions routed via 811 mule accounts.
In UK, banks are legally required to compensate victims for scams up to £75,000, unless it is on account of fraud or gross negligence. This is a model worth looking into as the RBI frames the rules of compensation for small-value fraudulent transactions.
(Views are personal)
Read all columns by Geetha Ravichandran
Geetha Ravichandran
Former bureaucrat and author of The Spell of the Rain Tree
