While cybercrime is evolving rapidly, with new scams, frauds and digital threats emerging every day, looking at their modus operandi and the involvement of criminal gangs, there is a need to use laws like the Maharashtra Control of Organised Crime Act (MCOCA) for cybercrime cases, says Nandkumar Saravade, engineer and a retired officer from the Indian Police Service (IPS). Renowned cyber and privacy lawyer advocate Dr Prashant Mali echoed the need to apply stringent laws like the Goonda Act of Telangana. They were speaking at a seminar organised by Moneylife Foundation in Mumbai on "Unmasking Cyber Crimes: Protect Yourself from Digital Threats".
Mr Saravade, who led high-profile roles in organisations such as NASSCOM, Citibank and ICICI Bank, focusing on cyber security and financial crime prevention, says, "Cybercrimes are different from traditional crimes. Cybercrimes by nature, are cross-border crimes. Investigation as a way to deal with traditional crimes is not going to work for solving cybercrime cases. We have to go upstream, prevent crimes and ensure that fewer crimes happen. Since cybercrimes are happening in an organised manner, we have to think about applying acts like MCOCA, which have stringent provisions for arrest and bail."
"We live in a world where there are no boundaries. Anyone can call you from anywhere in the world. The attackers are way ahead in terms of how they are going to attack. As individuals, none of us have full knowledge of all the frauds that exist. The onus goes back to the people who have all the resources, responsibility and means to solve the problem. It is clearly a regulatory and government problem," he added.
Sharing several examples of cybercrimes and frauds, where the victims include high-profile persons like judges, civil servants and top bankers, advocate Dr Mali, who holds a PhD in Cyberwarfare & International Cyberlaw, says today the cybercriminals are well-funded, well-equipped, well-scripted and managed. "They are using profile-based scripting created with the help of artificial intelligence (AI) to target the specific victim. It is not people losing; it is people (criminal syndicates and ecosystem) earning huge money, which is a big hindrance in stopping these crimes. Cybercrimes, as we call it, are everything, including social engineering crime, money laundering and organised gang crime. Why are the police not imposing organised crime laws in cybercrime cases?"
"In Telangana, when the same criminal is caught a second time for the same crime, police apply the Telangana Prevention of Dangerous Activities of Bootleggers, Dacoits, Drug Offenders, Goondas, Immoral Traffic Offenders and Land Grabbers Act of 1986 (Goonda Act), which is non-bailable. It means, the person detained under the Goonda Act will not get bail for six to eight months. As a defence lawyer, I tell clients involved in fraud not to commit the same crime in Telangana!" advocate Dr Mali said.
In his introductory presentation, Yogesh Sapkale, deputy editor of Moneylife shared the latest crime data from the Union ministry of home affairs (MHA). During the first nine months of 2024, Rs11,333 crore were lost in cybercrimes, including Rs4,636 crore in stock trading scams, Rs3,216 crore in investment scams and Rs1,616 crore in digital arrest scams.
He said, "The 'hit and run' approach used by fraudsters is dwindling as cybercriminals are now operating as gangs running organised crime business. As it happens with crime syndicates, cybercriminals are also able to garner resources in a big way. Be it mule accounts, SIMs, email IDs, and even costumes, everything is easily available for a fee. Except in a few cases, law enforcement agencies (LEAs) still investigate cyber fraud as a single incident. Many times, they keep playing jurisdiction games, while the crime proceeds move rapidly from one account to another across borders."
"The organised syndicate system allows criminals to play a long game with the victim, known as pig butchering. For example, online dating or matrimony frauds, bumper 'assured' return or investment scams are good examples of pig butchering. In these cases, fraudsters engage with the victim and gain trust by using authentic-looking credentials and sometimes even making a small payment," he added.
Mr Sapkale also touched upon the efforts taken by the government to prevent cybercrimes. He stressed on reporting when something unexpected or suspicious happens so the police and LEAs could investigate and potentially respond to threats before it could cause more harm. "Early warnings from vigilant users can help protect less sophisticated users as well as kick off a threat hunt before the attackers are able to fully exploit others."
According to Mr Saravade, who also served as chief executive officer (CEO) of Reserve Bank Information Technology Pvt Ltd (ReBIT) from 2016 to 2021, we need to have an innovative approach while creating awareness among people about cybercrimes. "Reserve Bank of India (RBI) has asked banks to do internal phishing attacks, where the bank exposes its own employees to phishing mails and tells them not to click on any link in the mail. Employees who click on the link in the email are called out, sent for training and told not to click links next time in phishing emails. Gradually, the number of employees clicking links in such emails dropped. Can this be done for customers? Those clicking on links can be trained or guided by banks about the dangers of phishing emails and not to click these links."
He quoted a famous line of Urdu poet, editor and translator, Jaun Elia that says, "Kaun seekha hai sirf baaton se, Sabko ek hadsa zaroori hai." "Hadsa in a controlled situation is very useful. It can be used by banks (some are already using it) in gamification, where if you do something, you get a reward. Gamification can be used where people will learn things that are of their interest. The laypersons need to be brought into the learning situation and create a teaching moment. However, there are efforts, costs and driving involved, which can be done by those who have resources."
Advocate Dr Mali, while sharing information on how people easily fall prey to video sextortion scams, gave some practical advice. "If you receive a friendship request on Facebook, Instagram or a message on WhatsApp from a good-looking person, the first question you should ask yourself is why me? You can check the profile of the sender and on Facebook also check friends and when the account was created. Most importantly, you can report the profile. Everyone can do a good social service by reporting bad posts and profiles to the service provider."
"In case, the 'friendship' turns into threats or sextortion of uploading your 'compromised' photos or videos on social media like YouTube, don’t be afraid. If these are obscene or nude videos, they will be uploaded, but YouTube will remove them. If it doesn't, then you, along with two-three of your friends, report the video as porn or nudity. The video will be deleted by YouTube. In the meantime, even if few people watch it, you can always say it is a deepfake or that someone is blackmailing you! Don't fall for these stupid threats from fraudsters about making public your morphed videos or photos," he added.
