How online scammers escape the law

My friend lost ₹87,000 in a scam that’s still happening openly

babulous
Indian Ink
Jan 27, 2021


Although most Indians have become aware of online scams, the scam industry continues to flourish in India. Recently, one of my friends got scammed while shopping online. I haven’t asked him (let’s call him X) for all the details, like what product or brand he purchased. I don’t think that is as relevant as understanding how scams work, why cops find it hard to catch these scammers, and what we need to do to stay safe.

Let’s start with X. His misfortune began with an ad that he saw on NDTV, a reputed TV news channel in India. A company called driftdeals.com was offering huge discounts on some audio equipment. Let’s assume it was the JBL headset shown below. This is a somewhat premium brand in audio systems in India. Being a keen music lover, X decided to check out the product. So he went to the website, saw the product, liked it, and liked the price even better.

Now X had reservations about buying from an unfamiliar website. But then he thought to himself that if it was advertising itself on a national TV channel like NDTV, it couldn’t be a scam. His logic was if driftdeals.com was indeed a scam, someone would have complained to NDTV, and they would not allow it to advertise on their TV channel.

What made him decide to go ahead was that the product didn’t cost much. So X went ahead and ordered the device.

Now let me just break this up into the six elements that make it successful.

A Six-Stage Scam

Stage 1: The Bait

That bargain offer on a good brand being advertised on a reputed channel was just the first piece of the scam. What X didn’t realize was he had just taken the bait in the scam.

Stage 2: The Fake Product

A few days later, the courier delivered his order to X, who opened it eagerly. But the moment he laid his eyes upon it, he knew he had been had. It was obviously a fake JBL speaker and wasn’t even functional.

However, the scam was just beginning.

An irate X called up the customer care number from the website. They told him not to worry. A courier would pick up the product shortly, and his payment would be refunded once the seller collected the product back.

Stage 3: The Fake Refund

A couple of days later, the defective product was collected by a courier, and in due time, X got a call from the seller who said he had received the speaker, and now wished to refund X.

In reality, all the seller had been doing up to this point was conditioning X to be open to receiving money.

The scam now starts in earnest. The seller says his refund to X’s credit card isn’t working. He asks X for alternate ways to refund, like UPI. They ask him to type stuff, distract him by speaking while he’s typing, and confuse him. In short, they deliberately try his patience to the limit, and at some point, X types something he shouldn’t have. In the next few minutes, ₹87,000 disappears from his account till X calls his bank and blocks his account.

Stage 4: The Police FIR that wasn’t

X goes to the police and complains about the scam. The cop suggests X remove all money from the compromised bank account. X makes a counter-suggestion to the cop to track down the scammers by asking NDTV to disclose details of the individual paying for the Driftdeals TV ad. The cop says he will look into the matter. X follows up every few days but there is no progress.

What X doesn’t realize is that the cops have not filed an FIR (First Information Report). Once an FIR is recorded in the police system, the cops have to record all the steps they have taken to recover the money. This will be reviewed by senior police officials, and if they feel that the cops handling the FIR have not done a good job, these cops will be pulled up. So the cops try to avoid filing an FIR wherever possible. They know that if the FIR is not filed within a certain period of time, it will be too late to file it, and they can avoid this job.

X, being a law-abiding citizen, has never been to the police station before this. He knows what an FIR is, but does not know how critical it is, and assumes that the complaint he filed is all that is needed.

Stage 5: The amoral TV station

One week after complaining to the police, X realizes the police aren’t going to help, as the Driftdeals ad is still playing on TV with impunity. X decides to take matters into his own hands. He calls NDTV and gets connected to an executive. She quietly listens to his story and promises him that action will be taken against the advertiser. X is relieved to see something finally happening.

Two more days go by but the ad is still running on TV.

X begins to realize that NDTV’s priority is the money they receive for running Driftdeals.com ads. They have no scruples about the advertising content as long as the advertiser pays NDTV for telecasting the ad. The only way NDTV is going to take the ad down is if the law forces them to do it.

And that is not going to happen.

Stage 6: The uncooperative Cyber Police

X is now getting desperate so he approaches India’s newly formed CyberCrime Department. To his dismay, X is informed there are too many cybercrime cases and the CyberCrime cell only takes on cases where the fraud is above ₹500000, which rules X out. He protests and the cell asks him to get a copy of the FIR and they will see what they can do.

X goes back to the police station, asks for a copy of the FIR, learns to his dismay that an FIR was never filed, and it’s too late to file it now.

What makes such scams possible?

The scam is successful due to several factors:

  • You can openly advertise a fraudulent scheme on any media. The media houses want your money, and take no responsibility for the ad’s content
  • Cops avoid registering an FIR because it’s too much work and they are unlikely to get enough evidence to convict online scammers
  • Cyber Crime Cell won’t follow up on scams involving less than ₹500000
  • Banks can’t track the money as it’s instantly transferred out
  • Telecoms don’t flag mobile numbers accused of being involved in frauds

In short, the scams keep happening because the scammers aren’t being punished. If they are caught, locked up for a few years, and their case highlighted in the media, they would think twice.

Oddly enough, a couple of days ago, Mumbai Police reported arresting the kingpin of a whole bunch of fake online shopping sites.

Driftdeals isn’t in the list. So maybe, we are just seeing the tip of the iceberg. This news item below says ‘10.5K people defrauded of ₹10 crore.’

So what’s going on? Why is it so hard to catch the scammer and return the money when we know the bank account to which the money was transferred during the scam?

Why don’t banks freeze the scammer’s account?

Theoretically, that should be easy. In reality, the bank account of the scammer is almost always a fake account created with a fake ID that can’t be traced or belonging to someone who is no longer alive.

Secondly, the scammer instantly transfers the money to another bank account and from there to a third, and fourth and fifth account. This could be at different banks which makes it hard to track transactions. Or he could transfer it to online wallets and make purchases delivered to multiple locations. Basically, the scammer puts so many layers in these money transfers that it becomes almost impossible to follow the money.

For instance, X’s ₹87,000 could be split into 32 units of ₹3,000 each and transferred multiple times via a network of bank accounts at small banks with very little infrastructure, which doesn’t allow easy tracking. The money is later withdrawn at different ATMs by different ‘couriers’ whose only role is to pick up the cash. These could be housewives or even kids. Or the money is transferred to hundreds of online wallets. The owner of the wallet is given a small share (like 10%), while the bulk of the money is passed back to the scammer. There’s no way the bank can track all those transactions.

What about the secondary bank accounts?

That would be against the law. Once the money goes to a second account, that account holder can claim the money is just a loan being returned. Since he didn’t commit the scam, the police can’t take action against him. See what this bank manager says on Quora.

Why do the police ignore online scammers?

It’s all about evidence.

Or rather, the lack of evidence in online scams, as compared to the solid evidence in real-life crimes that the courts are used to. This results in very few convictions. That may explain why police show a noticeable lack of enthusiasm for following up on online scams. Theoretically, the cops can go to the bank where X’s money was transferred, identify the account holder, arrest him, and transfer the money back to the victim. In practice, it’s hard to collect solid evidence linking the theft to the thief in online scams. Here’s why.

Fake bank account: The online scammer’s bank account is usually created with a fake ID or belongs to someone who is dead. That evidence is insufficient to pin the scam on the scammer even if he is caught.

High-security e-wallets: Often, scams happen on online payment gateways or wallets like Paytm, PhonePe, Google Pay, Mobikwik, Citrus Pay, etc. To protect regular users, these are usually designed to be highly secure with encryptions, passwords, and so on, to make it hard to track the user. Ironically, the scammers use this security in their favour, making it hard for the cops to uncover any evidence against them.

Fake mobile numbers: What makes a scammer so bold is that his phone number is also usually created with a fake ID. So is his email ID, which means the entire KYC is fake. The scammer is confident he can say whatever he wants and get away with it as the number is not in his name. In fact, scammers routinely call their victims and promise to return the money, and then scam them again. One fake Aadhaar can be used to purchase up to 10 SIM cards, so trying to track a scammer using his mobile number is usually a wild goose chase.

Organized and violent gangs: We hear but one voice on the phone, and assume we are dealing with a single scammer working in isolation. In reality, there is a huge organized community of scammers and their supporters operating from towns like Jamtara in Jharkhand, Bharatpur area of Delhi, Mewat area in Haryana, parts of Rajasthan, apart from other small places.

Most of the local folk in these places support the scammers, and that often includes the local police. Why would they not? The scammers give them a small share of their income in return for using their online wallets (say 10% of the money deposited in a Paytm account goes to the owner while the rest is given back to the scammer). Cops who track down these scammers to these townships won’t get any info. What’s worse, the cops quite often get physically beaten up for their pains if they venture into the scammer’s hometowns.

Huge expenses: Sending a police team to a distant place like Jamtara is prohibitively expensive. An investigation can take two weeks or more, and even simple expenses like travel, food, hotel stay, local transport, plus salaries quickly add up. To apprehend the scammer who stole X’s ₹87,000, the cops may have to spend several times that amount, which is hard to justify.

Low conviction rate: After putting in such a lot of effort, the courts usually set the scammer free. That’s because the evidence is considered insufficient by judges who are used to seeing more concrete evidence in offline cases.

Out of court settlements with victims: Once the cops catch the scammers, they usually strike a deal with the victims, offering to return some of the money they stole. Most victims agree as it’s a simple case of something is better than nothing. In return, the scam victims agree to call off the case.

Unfortunately, this means all the hard work and expenses incurred by the police go to waste, and the scammer will probably be back to scamming people that very same day. All this would explain the cops’ lack of enthusiasm for taking on X’s case.

Thinking creatively to catch the scammers

I’m not qualified to come up with a solution to stop these online scams as I know absolutely zilch about online security or tech. But whatever solutions the cops are coming up with aren’t working either.

So I might as well brainstorm, using common sense and logic to figure out what the obstacles are and what the possible solutions could be.

What are the obstacles for the government? I can think of four: lack of evidence, lack of funds, lack of technical skills, and lack of cooperation between the different players in a scam (telecoms, banks, cops, media) to pool evidence from different sources, build up a strong case, and get convictions against the scammers.

Funding: Right now, scam victims don’t get back a single rupee they lose. If X were asked to pay 25% of the amount as a reward for getting back his money, I’m sure he would agree. Something is better than nothing. That approach with scam victims should take care of the funding issue.

Please note, I’m not suggesting this as a permanent solution but only till such time as the government’s CyberCrime department gets up to speed.

Tech Skills: Why not create a task force of tech experts? If the government can privatize Air India, why not crime-fighting? Just sub-contract the job of setting up a system to track down these scammers to the software industry. It would be an interesting challenge for India’s young tech geniuses, not too different from the many ‘cops & robbers’ games they play endlessly.

Evidence: Obviously, the usual ways of collecting evidence may not work. Scammers are basically virtual crooks using fake IDs, fake phones, fake bank accounts. There are no physical documents or photos or fingerprints or any of the usual solid evidence.

But what is available is a voice. So one way out would be to get the tech industry to create advanced voice recognition software. The task force could then tie up with telecom networks and install phone taps on suspect phone numbers. Over time, a database of the scammers’ voice signatures can be created and used to identify individual scammers.

Of course, the scammers might come up with voice disguising equipment. Let’s tackle that issue when it happens. After all, it’s not going to be easy to con a victim if your voice sounds like Darth Vader.

Now we come to the question of how do we get the scammer’s voice.

Location identifier and voice recorder: Get the tech wizards to develop an app that identifies the location of the caller. This app must also automatically record the last ten calls on the phone (earlier calls will be erased to avoid compromising phone storage).

I’m talking of an app like Truecaller being created and given away for free like TRAI’s DND app. All citizens should be instructed to install this app to trace where calls are coming from, and who is calling. Of course, this will mean other privacy issues. But if all phones record the last ten calls automatically, people will soon learn to live with it as the price for a scam free life. Hell, this may even scare off the scammers and solve the whole issue.

Prevention of scams: If collecting evidence doesn’t work, the same tech will at least help prevent a scam. It will be harder for a scammer to claim to be calling from Mumbai if the app says he’s calling from Jharkhand. If it’s from a scam hotspot, the app can even alert the potential victim to be careful.

Pooling Info: I think this is the most difficult part of the exercise as it involves cutting through the notorious bureaucracies of India. Banks and telecoms should be mandatorily required to give access and information about the scammers to the task force taking on this job. They should be given access to telecom records that reveal the identity and location of people involved in the scam. As for banks, they should allow the task force to trace the money from the time it leaves the scam victim’s account and is transferred to other accounts or withdrawn from an ATM. The task force should have access to CCTV feeds to identify the person withdrawing the money.

Invest in a high tech facility: Since the data collected is confidential and massive, the government should set up a high-security base with the latest supercomputers and other equipment that can crunch through vast amounts of data. Access to this high-security base should be limited to the task force members, and there should be safeguards put in place to ensure the task force members themselves do not misuse this access.

Make a noise in media: If something drastic like the above is implemented, sooner or later, the cops will get a breakthrough. They must arrest the whole network of scammers, right from the ladies sitting at home and making scam calls, to the bank officials who help them, and the small fry who go to the ATM. The cops need to impound their bank accounts, sell off assets like houses bought with this ill-gotten wealth, and then make a big noise about it in the media.

That will put the fear of God into the whole scammer industry, and may cause most of them to quit except for the real hardcore criminals. But with the infrastructure in place, these too can be targeted and brought down.

All the above may be impractical but the principle isn’t. The scammers are successful because they are thinking out of the box. The law needs to do the same. Now it’s time to do a reality check.

Who are these scammers anyway?

It seems 80% of the cyber crimes in India have their roots in a small town called Jamtara with a population of 8 lakh in the state of Jharkhand. Till a few years ago, it was a very poor town surrounded by a forest. The difference is the huge number of mobile towers that have sprouted up in the last few years. This is an indication of how the scamming industry is booming locally and how widespread it is. The money from scams has also led to palatial houses springing up all over the place. There are still many ramshackle houses, but inside they too are stocked with the latest luxury TVs and so on.

The people in Jamtara are not very educated but they know how to operate phones, and spyware, and most of all how to cover their tracks. With so many of the locals involved, it’s hard for cops to pin down the scammers. Jamtara has become so notorious that Netflix has made a fictional TV crime series called Jamtara. The video below is the trailer for this fictional series (in Hindi but with English subtitles) but it does give a factual overview of Jamtara’s scammers.

How to avoid scammers

UPI transactions: These are where most scams are happening. One way of reducing the chance of being scammed is to avoid talking and switch to written communication. Tell the caller you are busy and ask him to text or email or send money to your UPI ID. Unlike a genuine caller, scammers don’t like written communication. It gives the victims time to think and easily spot the flaws in the scammer’s arguments. (Don’t give him your primary email but use a rarely used email or an alias.) That buys you a little time to assess a situation and not get rushed into making a mistake.

If he calls back, cut the line and text, “Can’t take calls. Please send text or email.” If they say they have an issue with your email or UPI ID, say “My UPI is fine. Another payment just came through. Check your side.” Scammers get easily exposed by the content and quality of their messages, or simply don’t have the patience to type messages, and give up hassling you.

App permissions: I have a strong suspicion X’s phone was hijacked in some manner. I believe this is more likely to happen on Android as an iPhone feels a bit more secure. But it’s subjective. Anyway, there are apps that let a hacker get remote control of your phone, read your messages (think OTP), give away your location, turn on your microphone or camera, and so on.

I deleted most of the Chinese apps on my phone some time ago. These days, I avoid installing apps unless I’m sure it’s from a reliable source. Android phones now make it easier to check and deny unnecessary permissions that an app has. Like in the example below, I have given permission to the Truecaller app to view my call logs as it gives me info on the caller. But I see no reason why WhatsApp should see who is calling me so I have denied it permission to view my call logs. I was in two minds about Google but I let it be.

Stay away from unknown links and URLs: As far as possible, don’t click on any links from unknown sources. These could install spyware on your phone, or clone your hard disk, or install a keylogger (to capture what you type), or simply let the scammer control your phone. This means he could do stuff like see what you are typing or intercept your OTPs before they reach your phone. Websites that offer pirated stuff or porn are notorious for these kinds of links.

These days, a lot of such URLs come to me, especially by SMS. Sometimes, it’s easy to tell it’s a scammer because of the bad grammar or poor spelling. But as a rule, I avoid all such messages like the plague, unless I’m 100% sure the sender is genuine. For good measure, I also report most of these SMS as spam to TRAI, and often get replies from TRAI saying they have been warned.

Use only ‘Trusted’ sites for financial transactions: Always double-check the URL to make sure it matches the site you are using. It has to have the ‘https’ secure identification and the lock symbol. Like if it’s Airbnb, the URL should have Airbnb.com or so. Scammers often clone genuine sites perfectly and it’s only the URL that is a dead giveaway. The scam victims get scammed when they assume it’s the usual website where they do their business and type in their password and username on the site. That’s what happened to this lady.
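The URL check described above can be written down precisely. The sketch below is an added example, not part of the original post; the lookalike hostnames under `evil.example` are constructed. It also shows why ‘https’ and the lock symbol are necessary but not enough: a cloned site can have both, so the hostname itself has to match.

```python
from urllib.parse import urlsplit


def check_payment_url(url, expected_domain):
    """Return a list of problems with `url`; an empty list means the scheme
    is https and the host is `expected_domain` or one of its subdomains."""
    problems = []
    parts = urlsplit(url.strip())

    # 1. The page must be served over https.
    if parts.scheme.lower() != "https":
        problems.append("NOT_HTTPS")

    # 2. "https://airbnb.com@evil.example/" shows the real brand before the
    #    "@", but the browser connects to the host after it.
    if "@" in parts.netloc:
        problems.append("USERINFO_IN_URL")

    host = (parts.hostname or "").rstrip(".").lower()

    # 3. Letters from other alphabets can look identical to Latin ones.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("NON_ASCII_OR_PUNYCODE_HOST")

    # 4. The host must equal the expected domain or END with ".<domain>".
    #    Merely containing the brand name ("airbnb.com.evil.example") fails.
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        problems.append("HOST_MISMATCH")

    return problems


# Constructed sample URLs: the first is genuine in form, the rest are lookalikes.
SAMPLES = [
    "https://www.airbnb.com/login",
    "http://www.airbnb.com/login",
    "https://airbnb.com.evil.example/login",
    "https://airbnb.com@evil.example/login",
    "https://\u0430irbnb.com/login",  # first letter is Cyrillic, not Latin "a"
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_payment_url(u, "airbnb.com") or "OK")
```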

Hide your ATM card code: An ATM card is useless to a scammer without its code. So while using it at an ATM or to pay at the checkout line at a supermarket, it’s advisable to cover the hand that’s typing out the code with your other hand. Scammers have been known to install cameras and cloning machines at ATMs. So look out for such devices when you are at the ATM.

Contactless cards based on radio waves are also available. This is the feature where you wave the card over the machine instead of swiping it, and the payment goes through without the PIN code. I don’t know how safe it is so I have turned it on only on one of my cards which allows only small amounts.

Cardless ATM Transactions: Many banks now give an option to withdraw money from the ATM without using your card so that might be safer.

Never share your credit card number or CVV: I don’t waste time debating with these callers. Instead, I thank them, inform them point-blank that I will go to the bank and get the card updated, and cut the line.

Use virtual cards with limited funds: The other day, my kid wanted to buy something that was being sold via Instagram. I hadn’t heard of the site, and it was only accepting card payment so online wallets and UPI were out. My kid said the site had good reviews but I wasn’t willing to take a risk.

So I loaded the amount required for the transaction on a virtual debit card from my bank and used it for the transaction. If it was a scam, my loss would be limited to the money loaded on that card. The card is supported by VISA, and the transaction went through. It turned out to be a genuine seller. Maybe I was paranoid. But you know, rather safe than sorry.

Never share your Aadhaar or other ID cards: If you think your Aadhaar is compromised, you can go to this site, scroll down to the lock/unlock option, and lock the option to use your Aadhaar for verification. You can unlock it later at the same site once you feel it’s safe.

Block spammers and scammers: If you get a call and think it’s fishy, just cut the line and block the number. I don’t think accepting a call will install any malware on a phone. But I would rather not be the one who proves this is possible. So I just cut the line and block the number. I currently have thousands of blocked numbers on my phone.

Keep track of scamming trends: I regularly get calls from people pretending to be from my bank, saying my credit card has to be updated and asking for my card details. Another favorite tactic is the one where they offer money instead of asking for it. A scammer knows you will be less suspicious if someone is trying to give you money. There are many variations of this from the crude “You have won a prize” to the generous Nigerian who wishes to share an unexpected inheritance worth millions. My latest encounter was a guy who saw I was trying to sell something on OLX and called up, asking for my bank account details so he could pay me money. Even the scam that got X was a variation of this.

Scammers also observe current trends and quickly repackage their old tricks to fit in with the new trends. For instance, with Covid vaccines in the news, they came up with a new scam, as this unverified message that I received on WhatsApp indicates.

Scam for COVID Vaccine has started in India: Senior citizens are getting a call from the so called “Drug Authority of India” and telling them that their vaccine allocation is ready. Then they confirm the Aadhaar and ask for your OTP. Based on that they access your bank accounts. One of a friend’s father lost about 12 lacs in 2 hours. Please do not fall for any such calls. The vaccine protocol is not clear yet.

Online banking has brought a lot of convenience to our lives. But it also comes with the risks involved in navigating uncharted territory. We can’t completely avoid those risks. But if we are cautious, stay updated, and don’t take any unnecessary risks, we can minimize the chances of being scammed.

But be warned. As of now, X still hasn’t recovered his money.

Update (Recreating the scam)

Based on comments from @raghunath18 and another chat I had with X, I have sort of recreated how the scam happened to X (using two of my bank accounts).

Below left is the scammer’s phone. Below right is X’s phone screen. The scammer sends a payment ‘collect’ request. In the remarks, the UPI app allows a sender to type whatever remark he wishes.

The scammer craftily types ‘Refund for speaker.’

When X gets the message, the scammer directs X’s attention to the ‘Refund for Speaker.’ X sees that and is confused. The scammer tells him that when he clicks ‘Pay,’ the payment will be sent to his bank account. X gets more confused, and the scammer keeps distracting him, and drawing his attention to the ‘Refund for Speaker.’

Finally, X hesitantly taps ‘Pay.’ At this point, the app asks for his UPI code. X is surprised. The scammer tells X that he needs to enter the code if he wants his payment. Pay, payment… what the scammer says seems to make sense. X can’t think properly because the scammer is speaking non-stop and distracting him.

At this point, the confused and distracted X loses his patience and makes a vital mistake. He types in his UPI code.

Remember, the UPI code is never required to receive money. It’s designed as a security check to confirm you want to send out money from your account. The moment X typed the code, his ₹87,000 was gone.
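The mismatch at the heart of this scam, a request that takes money but carries a remark promising money, is something a payment app can test for before the PIN screen. The sketch below is an added example, not part of the original post and not any real app’s logic or API; the `CollectRequest` model, the flag names, the word list, the ₹5,000 threshold and the sample UPI IDs are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Words that promise incoming money. A collect request moves money the other
# way, so finding them in the requester-written remark is a contradiction.
RECEIVE_WORDS = re.compile(
    r"\b(refund|cashback|reward|prize|won|lottery|credit|reimbursement)\b",
    re.IGNORECASE,
)


@dataclass
class CollectRequest:
    """Hypothetical model of an incoming UPI collect request (not a real API)."""
    requester_id: str  # UPI ID of the party asking to be paid
    amount_inr: int
    remark: str        # free text typed by the requester, never verified


def risk_flags(req, known_ids, large_amount_inr=5000):
    """Return the reasons the approver should be warned.

    known_ids: UPI IDs the user has transacted with before (assumed input).
    large_amount_inr: assumed threshold, not a value from any real app.
    """
    flags = []
    if RECEIVE_WORDS.search(req.remark):
        flags.append("REMARK_PROMISES_INCOMING_MONEY")
    if req.requester_id.lower() not in {i.lower() for i in known_ids}:
        flags.append("UNKNOWN_REQUESTER")
    if req.amount_inr >= large_amount_inr:
        flags.append("LARGE_AMOUNT")
    return flags


def approval_prompt(req, known_ids):
    """Text to show before the PIN screen. The direction of the payment is
    stated first, independent of whatever the remark claims."""
    lines = [
        f"You are about to SEND Rs {req.amount_inr} to {req.requester_id}.",
        "Entering your UPI PIN pays money out. It is never needed to receive money.",
    ]
    flags = risk_flags(req, known_ids)
    if "REMARK_PROMISES_INCOMING_MONEY" in flags:
        lines.append(f'The note "{req.remark}" was typed by the requester. '
                     "It does not turn this request into a refund.")
    if "UNKNOWN_REQUESTER" in flags:
        lines.append("You have never paid or been paid by this UPI ID.")
    return "\n".join(lines)


# Constructed sample data; only the remark text is taken from the story above.
KNOWN = {"friend@examplebank"}
SCAM = CollectRequest("seller@examplebank", 20000, "Refund for speaker")
BENIGN = CollectRequest("friend@examplebank", 450, "Dinner split")

if __name__ == "__main__":
    print(risk_flags(SCAM, KNOWN))
    print(approval_prompt(SCAM, KNOWN))
    print(risk_flags(BENIGN, KNOWN))
```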

Apps are beginning to police transactions

There’s some welcome news for worried online Indians. Things are changing.

I used the BHIM app on the ‘scammer’s’ phone and Google Pay for the ‘victim,’ to run the recreated scam. Seeing that money was going out of the account, Google Pay warned me several times to be careful. For some reason, my second phone didn’t have my name in its contact list (possibly because the UPI ID is not in my address book or I have never sent money to myself). This may be why, along with the Collect message, Google Pay warns me this might be a scam. When I click ‘Pay,’ Google Pay tells me “I’m sending money,” not receiving it. It repeats that the “request is suspicious” and advises me to proceed with caution.

I go ahead and click ‘Send’ to see what happens next. Google Pay again asks me, “Are you sure? By continuing, you will be transferring money to Mr ABC.” I click continue. There’s yet another warning which I again ignore (it went off before I could screen capture it).

At this, Google Pay has had enough. It concludes I’m an idiot, stops the transaction, and sends me a message saying ‘Payment failed.’

To avoid being reported as spam, I click ‘Decline’ and quit the app.

Just hope I don’t get blacklisted by Google Pay.

Conclusion

It’s comforting to see that Google’s famous algorithms and software are trying to protect customers. But Google can’t help if you don’t read what they say. I don’t know if my friend was using Google Pay. Or maybe the scammer just told him to ignore the warnings.

Anyway, forewarned is forearmed. The internet is a dangerous place so please take care when doing any money transfer, be it sending or receiving.
