I’m sure most of the readers must have watched the web series Jamtara released some 3 years back on Netflix in 2020.The web-series is based on real-life incidents around the widespread growth of phishing calls and organised cyber crimes of scamming. I too have watched it and was quite fascinated by the boldness of the characters and the sheer audacity to pull off a racket on a massive scale. Then, I had just reconciled myself saying this is not real life but just reel life. Well that was till a few days back.. Read on to know more…
Background
My parents, dad (82), mom (78) though live in the next building within the same colony premises, are proud to live a fiercely independent and active social life. They have their own independent house help and support staff. Till about a few years ago, my dad even preferred to take the public transport whenever possible. They manage their own banking groceries. When they step out together my mom drives their car while she prefers her scooter to run daily errands. They have been living a life of what is now-a-days called as Seenagers (click here to know more about Seenagers) totally oblivious of the story about to unfold..
Day-1 : Modus Operandi – Towards the end of last month, on a Saturday late into the evening, my mother got an innocuous looking SMS which asked her to complete her bank KYC by simply clicking on a link else be ready to endure blocking of her bank account. Since dad had just put out a couple of cheques towards a higher senior citizen interest rate bearing fixed deposit, she hurriedly clicked on the link and a ditto real life Jamtara unfolded.
She got an instant call from someone claiming to be from her bank and said he will extend all help to facilitate KYC updation. He informed her that he will “handhold” her as she follows simple steps.For this he enquired if she had anydesk on her mobile. Since she did not have it, he said he will “help” her by sending it across which she will have to install. Having gained her confidence, he asked her to login and enter passwords on a website on his computer via anydesk which had her bank’s look and feel. He had also pre-informed her that she will get OTPs which she will need to share and all will be done. She just followed all his instructions and the call got over within 15-20 minutes. My mom is an early to bed, early to rise type. Since she was already exhausted from the call and it was also already late for her, she straight away went to sleep without even informing my dad about what had happened.
D-2: Next day, early Sunday morning, she felt very uncomfortable about the entire episode. She came over to my place and she narrated the episode. I went into damage control mode. Quickly checked her phone for SMS and my worst fears came true. I could see multiple OTP, add beneficiary, followed by account debit SMSs. Having worked in the banking industry all my life I realised that within the 15-20 minutes he was on call with her, he had gained access to her bank accounts, added 2 beneficiaries and also got Rs 1 lakh transferred from both my parents accounts since my mom’s customer ID has also been linked to my dad’s account to facilitate ease of operations !!! She had become a Jamtara style victim in real life.
I quickly called the bank’s contact centre and went through the drill to report the fraudulent transaction. They were quite efficient in taking down the complaint. They requested us to report to the Police cybercrime number 0193 as well and revert with the complaint number for their records. The cybercrime number was not reachable in spite of multiple attempts. So I went online and googled the cybercrime reporting website and logged in. The site is quite comprehensive in terms of the details it captures all at one go.I Got a complaint number.
D-3: Next day on Monday I requested my parents to visit the cybercrime branch at BKC to lodge an FIR. They were directed to our local police station to file the FIR since the police seem to have started to segregate the filing of FIR based on the amounts involved. It seems BKC cyber crime handles cases upwards of Rs 10 lakhs. Our local police station took 5 hours. Even though all details were already filed in the cyber crime report shared with them, They wanted my mom to narrate so that they could handwrite the FIR in their own words in the state vernacular language. My parents were numbed and traumatised and were in a state of shock.
During the course of the day, I reached out to my banking connections to try and trace the money trail. I was successful in tracking one of the fund transfers to Khwaja, Bulandhser branch of another private bank. Tracking the fund flow led to some more surprises. Apparently, the beneficiary’s bank account, had many more transfer ins as well on the same day. Simultaneously, there were withdrawals from ATMs and transfer outs to other banks. Both the ATMs from where withdrawals had happened as well as the bank where the funds were onward transfered were in another city.
D-4: Damage Control- I decided to do a deep dive into this. I compared the add beneficiary and funds transfer processes across top four banks in India. I was baffled when I realised that while all banks have a compulsory min 30 min cooling period, only my parent’s bank allowed for instant new beneficiary addition. Also while their bank allowed funds transfer of max of Rs 1 lakh immediately on addition of a new beneficiary, other banks allowed much lower limits within the first 24 hours. This made their customers vulnerable which the fraudsters seem to have gained knowledge of. They seem to have targeted only their customers through spam SMSs to leverage this lacuna to their advantage.
D- 5: To prevent further contagion, I wrote to the top management at their bank about the laxity in their bank’s funds transfer processes and also looped in RBI, the regulator urging them to wake up and bring in systemic changes to plug the weak link at this bank. By now the fraud had snowballed into a much larger scam. Times of India reported over 80 customers loosing over Rs 100 lakhs. I reached out to the Times of India reporter who originally reported this story with follow ups.I also reached out to my cricketing contact who is a very prominent news anchor at one of the leading news channels.
D- 9: My efforts pay off- The bank called truce. I understood from them that they had only recently relaxed their norms on both the add beneficiary as well as the funds transfer limit only recently which the fraudsters seemed to have latched onto. They returned the money into my parents accounts and called them up to inform them about the introduction of a 30 min cooling period in their add beneficiary process along with downward revision in the limit of funds that could be transferred to newly added beneficiaries to half.
Lessons learnt – The Do’s and Don’ts
Prevention is better than running for a cure – The DON’Ts to start with.
- All official messages from banks or financial institutions ALWAYS come with a header wherein the bank’s or financial institution’s name appears. Do not click on a link shared via an unauthorised number wherein the bank’s name or financial institutions’ name does not appear. Similarly, all incoming official calls from authorised numbers of a regulated entity like a bank or insurance company or a mutual fund etc get automatically recognised by the teleco and the name of the institution gets flashed on your mobile screen as the phone rings.
2. Do NOT share OTP with anyone.
3. DO NOT provide access to your device via Any Desk or any other such software.
4. Do not fall for any of the OLX or Wineshop fraudsters who ask you to click on a Gpay link to pay them some initial amount with a promise of full refund later.
5. Similarly of late, there have been house rent fraud by fraudsters posing as Military personnel to gain confidence and then requesting for remittance of some initial amount to them to get your bank details with lure of payment of advance deposit.
The DO’s
In case of any fraud or breach of service I would suggest to following steps :-
step 1 – Act Fast- report within the Golden Hour (within 30 min of the incident) Ensure to complete all the protocols, especially report to your bank, cybercrime (https://cybercrime.gov.in/) or call 1930 within the golden hour (< 30 min of the incident). This can help the bank trace the money trail and seek a freeze on the beneficiary’s accounts to prevent the money withdrawal.
Step 2 – File FIR at the earliest (max. within 24 hours).Out of the 90 odd police stations in Mumbai, I understand only a few police stations like Powai, Oshiwara, Khar have dedicated personnel with expertise in handling cyber crimes who are known to have undertaken proactive steps to reach out to the bank’s Nodal officers for immediate action.
Step 3 – Check for any systemic deficiency on the part of the bank vis – a- vis regulations or industry practice.
Step 4- In case of any deficiency, bring it up to the senior / top management and the regulator, persist and pursue the matter to its logical conclusion.
RBI has taken care to issue comprehensive directions to all banks on the redressal mechanism for the customers. It also lays down the roles and responsibilities for the banks as well as for the customers (click here for the detailed circular).
RBI kehta hai, jankar baniye, satark rahiye. Stay alert and stay safe. Cheers !!
