At 11:39 am on March 7, 2023, I received a phone call from FedEx stating that a parcel I sent had been stopped from being delivered. A man called Kiran Sharma, (who said his ID number was 943210), confirmed my Aadhaar card details which he already had. He said a parcel containing three passports, four pan cards, and four ATM cards was sent with my details from a plot in Dadar, West Mumbai to a Mandeep Singh in Oak Park, Toronto. He even recited this Mandeep Singh’s phone number)
Sharma then said that it seemed that I was the subject of a scam where my Aadhaar and PAN Card details had been misappropriated and asked me to speak to the officers in Dadar Police Station to sort the situation out. As I live in Delhi, he offered to connect me directly to what he said was the emergency hotline number for Dadar Police Station.
I spoke to an officer called Bhupendra Nagar, who gave me the landline number of the police station so that I could verify that I was speaking to the right person (this was on his initiative – it had not occurred to me to verify this). He then called me on Whatsapp video, asked me to lock my doors and do a 360 degree video to show him no one was around, so he could be sure nobody had coerced me into making this complaint. He then asked me to send him pictures of me holding my Aadhaar card and PAN Card on the WhatsApp number he had called from.
I believed him and then complied.
He then called me from another number and we spoke for over 48 minutes on a call he said was being recorded. He registered my complaint, the details of the mystery package, personal details such as the names, numbers and occupations of my husband, son and in-laws, my address and occupation. When he asked where all I might have used my Aadhaar, I could only remember doing so to check in to a hotel. He then scolded me for my supposed foolishness for doing so.
At this point Nagar received an ‘emergency call’ from some superior on what sounded like a walkie-talkie. I heard the man say, “Officer, immediately arrest Noor Anand Chawla,” saying I was the named accomplice in a case of money laundering and drug smuggling associated with criminal Jai Kumar, an employee of State Bank of India, recently detained in Mumbai for laundering lakhs of rupees. The caller added I needed to be taken into custody for at least 90 days. At this point, though scared, I got suspicious and surreptitiously Googled ‘Jai Kumar + money laundering’ and nothing turned up.
I asked Nagar for proof that he and his caller were actually policemen. Nagar said he owed me no proof, and he’ll contact the police station nearest to me in Delhi to send a woman officer to arrest me immediately. He cut the call and I realised I had been duped. I immediately deleted the photos I had sent to Nagar on WhatsApp but they had already been saved on the other end.
I was shaken but it seemed no actual harm had been done. I filed a complaint with the online cybercrime cell, and a woman officer called me after two weeks. Through rounds of questions she understood I hadn’t been extorted and put the case to rest. I thought it was the end of the matter.
A few weeks ago, exactly three months after the scam call, I was contacted on Instagram by a person called Sunny Dand (@findingmyversion2). He alerted me to the fact that my photos holding my Aadhaar card were being used as scare tactics in a new scam. Dand wrote, “Heyy sorry I don’t usually use Instagram as you can see but someone tried to scam me using your ID posing as [a] narcotics officer. They have all your Aadhaar and pan card details and they got mine as well by threatening. Was just informing you to be aware and if possible let’s report this to cyber cell [.] these guys can stoop low on levels unimaginable I’m glad I didn’t panic and let them fool me.”
He shared those photos of me holding up my Aadhaar card along with the conversation he’d had with the scammers. One of the images had “Mrs Noor Anand Chawla Ma’am (Narcotics Department)” captioned beneath it. A cursory Internet search had revealed my real credentials as well as my social media handles to Dand, who could easily call the scammer’s bluff. Fortunately, he was good enough to tell me. I filed a new complaint with the online cybercrime cell while waiting to see what the police do next, I decided to delve deeper and discovered how an increasingly sophisticated network of scammers had turned a simple text fraud from the United States into an elaborate web in India.
Each person involved is assigned a specific role and they work in tandem. A wealth of research goes into concocting a realistic scenario, often using names of actual arrested criminals. In 2017, when Interpol first noticed these scams, the agency said they relied on ‘social engineering’ tactics. They exploited a person’s trust to wrongfully obtain money or confidential information to enable another crime at a later date. The FedEx and identity theft scam rely on social engineering of the highest order.
After 2020, lakhs of unsuspecting Indians have been scammed in innovative ways. By the time news of one scam leaks out, another one is already brewing.
In December, 2020, Mumbai-based PR professional Nupur Bajoria received a phone call from FedEx claiming a package she sent had been stopped, and was similarly connected to a Mumbai ‘police station’ in Mumbai. They had her Aadhaar card, and said her name was associated with drug cartel.
“It was scary,” said Bajoria. She immediately went to the cybercrime branch, who verified the calls were from scammers. “They suggested I change my Aadhaar card photo and file an FIR as the old one could be misused,” she said. She was asked to keep a low profile on social media, and get rid of her display photo on Whatsapp.
Bajoria fortunately hasn’t faced an identity theft problem.
Fitness trainer Tushar Bhatia from Delhi acted even faster. When he received the phone call in late June 2023, he actually was expecting a package from abroad and entertained the call at first. But alarm bells rang when the caller insisted Bhatia stay on hold while transferring the call to the supposed Mumbai police station.
“He repeatedly asked me not to hang up saying "Sir, aap phone pe ho na? Kahin jaana mat, mein connect kar raha hu." I got worried that they were trying to hack my phone or take some data away because I believe that a person needs to stay on the phone for a certain amount of time for the hacking to take place. I hung up and immediately rebooted my phone.”
Writer and communications specialist Mangala Dilip, from Bengaluru, was not as fortunate. She believed the scammers and eventually lost a couple of lakhs of rupees.
She recounted in a detailed blog post a story eerily similar to mine, where the supposed police made her read from documents stating her she was under investigation for money laundering and drug trafficking and, during this investigation could not stray 10 kms away from her home. The scammers name-dropped Mohammed Nawab Mohammed Islam Malik, a Maharashtra NCP member under arrest for money laundering.
She was then connected to a Dr. Balsing Rajput, supposedly the DCP of Cyber Police in Mumbai, who asked to transfer money from her “legal” bank account for them to ascertain it was legitimate. Rajput said they would transfer the money back to her.
Minutes after Dilip transferred the money she realised she had been scammed.
When Dilip raised a complaint, the police instead of advising her on what to do next seemed more keen to victim-blame.
“The police and bank officials asked me ‘why did you turn your camera on?’, ‘why did you get scared when you knew you had done nothing wrong?’. I don’t have answers for these questions. These scammers played on various emotions like fear, anger, disbelief, compassion,” Dilip told me on the phone.
“They knew which buttons to press and how to play on my mind. They kept highlighting that my unemployed status may have made me want to work with criminals. When I looked tense they even tried to be nice, assuring me they were there to help. I was looking for jobs and I was afraid of having a potential criminal record. So, I listened to them.”
The action taken by law enforcement agencies seems woefully inadequate. As revealed in a recent Right to Information (RTI) Act query, of the total 22,57,808 cybercrime complaints received from around India between the period January 2020 to May 2023, only 2% have resulted in actual First Information Reports being filed. As technology grows, so does the problem in scale and scope, and our law enforcement mechanisms aren’t equipped to deal with it.
“Cybercrime threats are the single most significant crime threats that enforcement agencies face currently,” says Dr. Pavan Duggal, a cyber law expert, advocate practicing at the Supreme Court of India and Chairman of the International Commission of Cyber Security Laws. He adds, “Indian law enforcement isn’t proactive on cybercrime complaints, because they are inundated with them. They have been given no sensitisation, they are too short-staffed and don’t have the bandwidth to deal with so many complaints, and neither do they have the skillsets in many cases.
Cyber law expert and lawyer Arvind Gopal said, “The world of technology is twenty steps ahead of anything we currently know about or engage with. Change happens in the fraction of a second.”
“Since 2017 there has been a sea change in how cybercrimes are dealt with. One can now file complaints online and through the helpline, which wasn’t the case earlier. There are also educational videos and social media awareness campaigns. Yet, there is still a huge lack of infrastructure. We need to be robust and have dynamic legislation and policies in place to deal with this,” Gopal added.
He takes the example of the basic law of fraud – Section 420 of the Indian Penal Code. The very premise of a charge under Section 420 of the IPC, explained Gopal, rests on the victim making a complaint and providing evidence of a wrongful loss having taken place. In a cybercrime without any monetary loss, this is difficult to establish, as the victim may be in a different location from the jurisdiction of the crime, and the evidence is difficult to obtain as technology protects the scammers.
Decode reached out to Dr Triveni Singh, who is currently appointed as the Superintendent of Police, Cyber Crime, Uttar Pradesh, but received no response.
In the absence of a foolproof safeguard, all experts agree that the onus of protection is on oneself. Duggal advocated following basic cyber hygiene habits. This includes sharing personal information only on a need-to-know basis. “Don’t vomit everything out. Learn to inculcate an element of distrust in your minds,” he says. He advised not to respond to a call whose number you don’t recognise or click on any unknown link, even if it means losing out on potential business opportunities.
Other measures include using two-factor authentication on all social media websites, being careful never to save your bank credentials or card details anywhere on your phone or WhatsApp, appropriately backing up your data at least once a week, installing a good anti-virus programme for your phone, a good firewall, and a Virtual Private Network (VPN) for a secure network.
Apparently, my Aadhaar card photo poses no real threat. According to information shared by the Unique Identification Authority of India (UIDAI), “Just by knowing your Aadhaar number, no one can harm you. It’s just like any other identity document such as passport, voter ID, PAN card, ration card, driving license, etc., that you have been using freely for decades with service providers.”
“Just remember that any situation that attempts to create an element of urgency or panic is something to be cautious of. Inculcating cyber security needs to be a way of life for all of us going forward. You are alone in facing the unknown dark challenges of cyberspace, and you must be conscious and careful of your own security,” Duggal said.