At the heart of a cybercrime, there’s often something deceptively small—a SIM card.
Tucked into every phone, this tiny chip can unlock the internet, link bank accounts, and connect you to the world. But in the hands of cybercriminals, it becomes something far more dangerous —a tool to defraud, impersonate, and vanish without a trace.
An individual can legally obtain up to nine SIM cards in India. Some take advantage of this limit —buying multiple SIMs in their own name, only to sell them to cybercriminals who use them to run scams, impersonate officials, or open fake bank accounts.
Others, meanwhile, become victims themselves, with SIM cards issued in their name without their knowledge, thanks to forged documents and complicit Point of Sale (PoS) agents. These are known as ghost SIMs—mobile numbers that exist on paper, but are used in the shadows.
A PoS agent is a person or small business representative who is authorised by telecom companies to sell and activate SIM cards.
A ghost SIM, hence, becomes the perfect digital disguise: activated using stolen documents, routed through shady Point of Sale agents, and passed along to scammers running rackets across borders. By the time the fraud is traced, the trail leads back to an innocent person—not the criminal.
These aren’t just isolated incidents. In May, the Central Bureau of Investigation unearthed a massive network of such ghost SIMs, linking 39 PoS agents to 1,100 fake numbers, with more than 64,000 forged SIMs flagged in the larger investigation.
To understand the inner workings of this growing threat, Decode spoke with DSP Ankush Mishra of the Special Task Force, Uttarakhand Police, who has been closely tracking the changing landscape of cybercrime across India.
Speaking to Decode, Mishra breaks down how PoS agents exploit the eKYC process, reveals who benefits from this illicit trade, and—most crucially—shares what ordinary citizens must do to stay safe in a world where your identity can be sold for a few hundred rupees.
Here are the edited excerpts from the interview.
What are the common ways in which SIM cards are misused in cybercrimes today?
We typically see two kinds of cases. First, where a person gets multiple SIM cards—up to nine—issued in their own name and then sells them to bad actors for malicious activities. The second type is less common and elaborate to execute, which makes it more alarming.
Here the person doesn’t even know that SIMs have been issued in their name. This usually happens when PoS agents are operating in collusion with cybercriminals.
These agents often sit roadside under umbrellas and offer SIM cards. They’ll take your biometric for eKYC and then claim there’s been a network failure. They will ask you to give your thumbprint again, but in reality, they’re using both sets of biometrics to issue two SIM cards under your name. One is handed to you, and the other—a ‘ghost SIM’—is sold to fraudsters.
How has the SIM verification process evolved in India, and where do vulnerabilities still exist?
India has gone through three phases of KYC (Know Your Customer) for issuing SIM cards. About 15 years ago, we had a paper-based KYC, where a photo and signature were submitted, and the PoS agent filled in the form manually. But as cybercrime grew, we moved to digital KYC—this required the person to be physically present and submit an Aadhaar copy. The agent had to ensure the real-time photo matched the one on the Aadhaar.
However, fraudsters found a loophole. They would morph Aadhaar images—replacing the original photo with their own—making identity verification nearly impossible. This is compounded by the fact that UIDAI, the central agency issuing Aadhaar numbers, does not share its data with anyone, including law enforcement.
Finally, the Department of Technology adopted eKYC, which uses biometrics. Here, the person gives a thumbprint which is instantly verified against Aadhaar data in real time. eKYC has definitely made it harder to misuse someone’s identity. However, even this process is being gamed by rogue agents who fake technical errors to collect double biometric scans.
Could you share an example from your own investigations to show how these networks operate on the ground?
Yes, there was a similar case in Haridwar where certain agents were going from village to village, targeting women. They would offer gifts like tea sets or crockery in exchange for their biometric data and photographs. Many women were lured into this scheme without fully understanding what they were giving away.
These SIM cards were then used in scams targeting people overseas. After some R&D and fieldwork, we discovered that the same local shopkeeper was behind issuing all these SIMs. The women became key witnesses, and eventually, the shopkeeper confessed. He admitted he was working under pressure—he had a target to meet for SIM issuance.
What policy reforms do you think are needed?
I believe law enforcement agencies should be granted limited access to unmasked biometric data during investigations. Currently, when we request information from telecom providers, the biometric data is masked, which limits our ability to accurately trace how many SIM cards are linked to a single identity. This level of access was available until 2019 but has since been withdrawn, making investigations more challenging.
Beyond that, raising public awareness is crucial. Areas known for such fraudulent activities need constant monitoring and regular crackdowns. The network behind these crimes is complex, involving corrupt PoS agents, imposters posing as genuine customers, and even criminals acting as PoS agents themselves. Since everyone is motivated by incentives, many vanish before a thorough investigation can take place.
Therefore, consistent inspections combined with educating the public are essential steps to effectively combat this growing problem.
What can citizens do to protect themselves?
It is crucial for individuals to actively monitor the number of SIM cards issued under their name to prevent misuse. The Department of Telecommunications offers a helpful tool called the Sanchar Saathi portal, which includes a sub-portal named TAFCOP. By entering their mobile number and verifying via an OTP, users can instantly see all the SIM cards linked to their identity.
If anyone notices unfamiliar or suspicious SIM cards registered in their name, they should immediately take action by filing a formal written complaint with their local cyber police station.
Additionally, they should register a case of identity forgery to initiate an official investigation. Regular vigilance and prompt reporting can help prevent further fraud and protect one’s digital identity.
