With the number of cybercrime cases increasing with each passing day, The Hindu spoke to Kuldeep Kumar Jain, Deputy Commissioner of Police, Bengaluru, who has experience solving such cases.
Mr. Jain is one among eight DCPs appointed by the government to enhance the capability of the city police in handling cybercrime and tackling narcotics cases effectively. He is part of the Special Investigation Teams (SIT) tasked by the city police commissioner with supervising specific cases assigned to them and ensuring their speedy disposal.
What is cybercrime?
Cybercrime is a crime where your information that is shared with somebody knowingly, or unknowingly, is being misused to siphon out money from your account. Digital means are employed in this type of crime.
When was the first cybercrime reported in Bengaluru?
Roughly, 15 years ago. Bengaluru Police had recorded a case of misuse of data. The culprit was an employee of the organisation that owned the data.
When was the cybercrime unit made into a separate cell?
Initially in Karnataka, CID had the first independent cybercrime police station. In Bengaluru, the first cybercrime police station was set up in 2014 or 2015. Slowly, with the advent of more crimes, in 2019, another 8 cybercrime police stations were established in Bengaluru. Across Karnataka, each district has one cybercrime police station.
But, cybercrime police stations are not stand-alone units. They also investigate economic offences and narcotics. They are a combination of cybercrime, financial fraud (economic offences) and narcotics. We call them CEN police stations.
Kuldeep Kumar R. Jain, Deputy Commissioner of Police, Bengaluru | Photo Credit: MANJUNATH H.S.
How has cybercrime changed since the first case?
Initially, it was only based on data… misusing it to gain an advantage. But as people started using debit and credit cards, and other such things, OTP fraud became rampant.
A criminal would pose as a bank official, call you on the pretext of information verification. During the course of the conversation, you are persuaded to share an OTP that would have come to your mobile phone. This OTP would be used to steal money from your account.
Then, it escalated to skimming, job fraud, matrimonial scams, targeting people buying and selling products online. Then, it slowly evolved into sextortion, where your images would be morphed, and you would be forced into paying money to keep them from going public.
Then came investment frauds where you are added to a WhatsApp group where all the people are fake and you end up investing. Everything is fraudulent.
In recent times, you hear of courier fraud where people call you claiming to be from a particular investigation unit, especially the crime branch. They convince you that you have smuggled narcotics or some other contraband, and face arrest. You are told to share bank account details so that the ‘investigation officer’ can confirm your innocence. In the bargain, money is stolen from your account.
Do cyber criminals target a certain section of the population?
To my understanding, it is based on your data. When they have some genuine data of yours, like maybe an Aadhaar number or your phone number, or your exact name and address, based on that they strike up a conversation… You might be lured into taking up some tempting offer or told to click some link after being persuaded that it is important or helpful. But, such offers or links would actually be a trap, which if you enter, you end up losing your money.
People keep getting such random calls or SMSes. We have to be very careful. The target is anyone who is using a mobile phone and other electronic devices, which is basically everyone these days.
How do cyber criminals get information about their victims?
These days, we give our Aadhaar card, or passport, or PAN card, or driver’s licence, as ID proof. When you have given a particular ID proof at some place, we do not know how that ID proof is used, or whether it is used for the purpose it was sought. Our investigation has revealed that cyber criminals obtain this information from people who handle such data.
These days, you go to any departmental store, or to buy anything, you have to give your mobile number to get an OTP. Every day, we are giving our personal information. That is how cyber criminals get your information. So, we have to be very careful since we have shared our information willingly at multiple places.
A piece of advice: Wherever you give your documents, basically a photocopy of your documents, you should specifically self-attest them. You should specifically mention that this document is meant for this purpose. So, if you write across that document that this document is meant for this purpose only, then the chances of that document getting used multiple times are nullified.
Is it more difficult to solve a cybercrime as compared to other crimes?
Yes, 100% it is more difficult to solve a cybercrime. The reason is that the culprits use digital technology to mask their identity. Second thing is, these scams involve multiple persons working in silos.
Someone sitting in India uses an account number in the state of Kerala to commit a fraud on a person staying in Jharkhand, Gujarat or Karnataka, or somewhere else.
Multiple people are involved. No one knows the next person in the link. One set of people only collect information. Another set of people will pass on that information to the next level for which they will get a commission, or salary. The information is fed to another person through people who are staying outside India. Using this information, money is transacted out of India.
If we consider cybercrime as a 5-storey building, we only cross maybe level 1 in 5% of the cases. In less than 3% of cases have we gone to level 2 or 3.
One of the questions that victims generally ask is, if my money has been removed from my account, there is some sort of digital footprint. So, why is it difficult to get my money back?
No doubt there is a digital footprint. But, when we trace the account holder, they claim that they do not operate the account at all. They say: ‘Some 6 months back, I had given my account login to somebody for some kind of investment. He gave me some money, and I have forgotten about it.’ This is a common element in cybercrimes, which leaves us at a dead end.
When we check IP logs, we learn that the transaction was carried out outside India.
So, you are right that there is a digital footprint, but we are unable to track down the person who actually carried out the transaction.
We have got some success where somebody withdraws money physically from accounts. But, even in such cases, the person would have acted on behalf of someone else who might have paid a commission for such withdrawals. The next person in the chain is not traceable.
Cyber criminals persuade gullible people into opening a bank account. Once that bank account is opened, the whole banking kit is taken by a middleman who then hands the same over to another person, and so on. Such account details are sold in the black market or on the dark web.
In some cases, bank officials have given account information to cyber criminals. In some cases, multiple accounts have been opened at different places using one ID card. Service providers have given multiple SIM cards using just one ID card.
Is it not possible to trace cyber criminals with their phone numbers?
Most of the phone calls are VoIP calls. VoIP is Voice over Internet Protocol. These are generated through the internet. The IP logs reveal that they originated outside India, and the place of origin cannot be traced easily.
In cases where an actual SIM is used, the number is used for some time before being switched off. The address linked to that number would be different from the actual location from where the call was made. That is because multiple SIM cards are issued using a single ID. The person whose ID was used may not even be aware of the multiple SIM cards.
In case of WhatsApp calls, when you call the same number on the mobile phone network to trace its location, that number would be switched off. That is because once a number is activated on WhatsApp, you can throw away the SIM and use WhatsApp through Wi-Fi.
So, basically the cyber criminal is not using that number at all. He is just using WhatsApp.
Do you get co-operation from police in other States?
Actually, tracking down the location of cyber criminals is a bigger challenge than coordination among police of different States.
What should a victim of cybercrime do to help police solve the crime?
Immediately dial 1930 to give your complaint. Then, go to the nearest police station to follow up. The golden hour concept – followed in accident cases – applies in cybercrime too. The moment you call 1930, we will write to the bank and see to it that the account is immediately blocked. That way, your money does not go any further, and out of your reach.
Is it possible to get the money back?
If you report within the golden hour, there is a high probability that your money would not have gone to the next account. We can try to block the account so that your money cannot go to any other account. The victim can move court to get their money back. If the crime is reported to the police immediately and the account is frozen on the same day, the next day, you can approach a court. Within the next 2-3 working days, you can get the money back.
Why do you have a separate number for cybercrime (1930)?
The evolving nature of cybercrime and the sheer volume of cybercrime necessitated a dedicated helpline. 112 is a national number for any kind of emergency where a generalist will attend your call and try to assess your problem before trying to address it, or connect to the relevant department or unit. But in 1930, we have a team dedicated to acting as per the needs of cybercrime.
Do you have separate criteria while selecting personnel for the cybercrime unit?
Unlike in a normal police station, there is no general kind of work in a cybercrime police station. In a normal police station, regardless of your interest or qualification, you are supposed to do all the work, which is general in nature. But for a cybercrime police station, we select personnel who are updated on technical advancements.
A cybercrime police station has two sets of people. One set works diligently indoors because you have to communicate with multiple agencies, banks and service providers, you have to write letters and communicate with them immediately… on the same day, within minutes of a crime, and follow up. Then, there is another set of personnel. They work in the field based on the technical evidence that we gather.