Phishing tales

I watched 'Jamtara Season 1' with curiosity, amusement, and a fair amount of awe. It's hard to be unimpressed by the ingenuity of the cheeky cyber scammers hailing from this otherwise insignificant town in Jharkhand. However, by the time Season 2 dropped, phishing scams were running too close to home. Even as awareness of phishing scams increase, the scammers too find innovative ways of bypassing security measures. And in spite of the many promises made by the country's banking system, investigative agencies, and government machinery, the truth is that the hapless victim still has little to no hope of restitution. Let me narrate to you why.

Just a few months ago, when my mother back in Kolkata was in need of blood, a well-meaning friend volunteered to help arrange it. He found a certain Lions' Blood Bank on Google and had made an enquiry around 9 pm at night. By 8 am, a call came claiming to have arranged the crucial bags of blood. He'd have to pay a booking amount of Rs 5. A link was sent for a UPI payment of Rs 5; no password or OTP was shared with the caller. When the caller was asked in Bengali further details on how the blood should be collected, he promptly said that he wasn't from the city and doesn't speak the language, and that the doctor in-charge would call back. Something just didn't feel right. But before I could stop my friend, he had clicked the link. Within a second of the call ending, two swift text messages from ICICI Bank delivered the awful news. Rs 49,500 was debited twice and credited to a Shaheen Khatun! We'd been had; lo and behold the latest victims of the many phishing scams currently prevalent in India.

The bank was immediately notified and the debit card was deactivated. ICICI Bank had transferred the 'shadow' amount as lien into the account, which would be available only post-investigation after 45 days. It's a sickening feeling to be scammed; duped during a medical emergency that too, fooled for trying to help a friend. But no, it was not the time to lose hope we told ourselves. Citizens are protected if they act at the right time; at least that's what we had heard. Since my friend was visiting Bangalore at the time, the place of crime became the erstwhile 'Garden City'. Contacts were pulled, senior cops were called, a cyber crime complaint was registered online, quick visits were made to the local police station, bank branch, and to the main cyber crime cell of the city. All done within the so-called 'golden hour'. For the uninitiated, investigative authorities and banks say that if a complaint is made within 2-3 hours of the scam, i.e., the golden hour period, then the money would definitely come back and there would be a chance to even nab the culprit. We too believed this naiveté.

At the cyber cell, the officers found the perpetrator(s) to be from Jharkhand (Jamtara perhaps?), the Rs 99,000 had already been transferred out, they couldn't trace it. They said it's lucky to lose a little and spoke of senior citizens being robbed of several lakhs! Digitization is excellent but look at the problems it's created; we have way of controlling this phishing menace, the seasoned law officers conceded.

Meanwhile, the accused's bank had also been alerted but to no avail. ICICI Bank got back after 45 days concluding that password was willingly shared, even though no password or OTP was shared. The UPI transaction went through an alleged Paytm account; no details about that were shared with us. As a last resort, and following the law of the land, a complaint has now been registered by my friend with the RBI Ombudsman. The outlook remains bleak.

UPI (United Payments Interface), a boon to making payments and a case study for countries to follow, witnesses an alarmingly high number of frauds every month. Almost 65-75 percent frauds take place between 7 am and 7 pm (the peak hours for phishing). As per news reports, around 80,000 frauds happen every month resulting in loss of almost Rs 200 crore. In June alone, the government received 61,100 complaints of digital payment fraud, of which over half (33,712) were connected to UPI.

Scammers create credible looking phishing websites with URLs that nearly sound the same as the legitimate ones. Links are shared through WhatsApp, text messages, emails, and messengers. Personal details may be shared, phishing apps may also be used. The most educated and well-aware individual is ensnared. Cyber cells, banking grievance cells, police stations, even the national helpline to report cyber fraud can provide no redressal. In the hierarchy of crimes, online fraud is probably the lowest but the volumes are swelling, and this should have the administration up in arms.

My own saga proved just one thing — in actuality, there is no hope for victims of phishing. The money is long gone, the culprits are not caught, and even if they are, there are many taking their place in droves. Jamtara Season 2 got this right along with the clever, almost real schemes used by the scammers. In the face of such novel and elaborate scamming, how do we protect ourselves? Banks can claim insurance for the loss but why should they when they can now simply shrug off the blame. The banks send enough text message warnings, and wash their hands off the matter, their banking conscience clear. Meanwhile, hundreds of Indians continue falling victim to slick phishing operations every day.

The writer is an author and media entrepreneur. Views expressed are personal