In January 2025, when the Hulimavu police in Bengaluru raided a ‘call centre,’ they found a well-oiled machine, busy at work scamming people for the past one-and-a-half years. The owner of the call centre was a man named Jitendra from Bihar.
“He had bought a list of 3,000 phone numbers from a man in Kolkata with three types of numbers. Category A were regular numbers, Category B numbers were those of people who had money, and Category C were numbers of people who had demat accounts,” said a police officer, adding that the investigation would also cover the data theft and the man in Kolkata who had sold the numbers.
The 16 ‘employees’ – who hadn’t actually been given letters of appointment – were assigned work each day. They had to call a set of numbers, sound out the people, strike off the numbers of people who cut the call or were unresponsive, and pursue contact with those who appeared interested. Work hours began 15 minutes before the stock market opened at 9 am. One and a half hours after trading ended at 3 pm, the day’s progress would be evaluated and the next day’s targets assigned.
“There were charts with employees’ targets, the numbers assigned to each of them and the result of those calls. They did everything systematically. In 2024, they managed to scam Rs 140 crore. We’ve called about 250 of the numbers to count the number of victims. Many of them are in other states. Some of them simply did not believe that we were the police,” the officer said.
The Hulimavu call centre case is uncommon – the police have caught the accused and it appears to be an open-and-shut case. However, the majority of cyber financial fraud cases filed in Bengaluru in the past few years are stuck in investigation due to the sheer number of complaints filed.
Cybercrimes – mostly financial fraud carried out in a myriad different ways – have shot up starkly in the past nine years. From an average of three complaints a year in 2016 in the whole state, the number jumped to 48 such complaints a day in Bengaluru alone in 2023. Every third complaint (cybercrimes were 31 percent of total cases) the Bengaluru police registered in 2023 was a cybercrime case, data from the State Crime Records Bureau shows.
With cases piling up faster than they can investigate, the police are swamped. In the past five years, the police have had at least 20,000 cases on their hands, including those from previous years. In 2023, the number of cases under investigation had risen to 34,333.
One police inspector in Bengaluru drew an analogy to explain how they deal with cybercrime, particularly financial fraud. “When Covid-19 struck, we didn’t know what hit us. By the time we figured out something, the virus had mutated. Investigating cybercrime is like that.”
Crime data and conversations with the police suggest that most people are swindled not by the computer wizardry or fancy technology that one sees in the movies, but by elaborately designed cons. The fraudsters’ tactics work on people through a combination of what the South Indian Bank calls FIGHT: fear, ignorance, greed, haste, and trickery. Scamsters either scare their victims, such as in the digital arrest scams or steadily gain their trust in investment frauds.
While the state police are making little headway in tackling crime even as they build capacity and train the police and the judiciary in cybercrime investigation techniques and laws, what is uppermost in most of these cases is the recovery of the money lost. Advancements in banking technology and the centralised approach introduced by the union government in the past few years could offer some hope to those who fall prey to fraud.
Elaborate frauds
In 2024, people in Karnataka lost over Rs 2,000 crore to cyber criminals. Police say that the bulk of this amount is swindled through elaborate investment frauds in which some victims have even lost more than a few crores of rupees.
In a thread on X, a Bengaluru-based former HR professional detailed how one such scam worked. Something about it felt fishy and he quit before he lost any money. Ironically, he ended up scamming the scamsters.
Fraud Alert ⚠️
— Che_ಕೃಷ್ಣ❤️ (@ChekrishnaCk) April 7, 2023
I got a MSG from WhatsApp international number and they told they will pay 50 per task
I followed thier procedure and completed the tasks of liking three Instagram accounts. They asked me to follow a Telegram account name #Geetika And they actually paid me 150 rs pic.twitter.com/pobpKrKda2
He got a message from an unknown number on WhatsApp claiming to be from a company called Kickstarter in April 2023. “The job is simple and flexible and will not interfere with your current job. We are paying 50rs for every like a day you can get at least Rs 2000-2700. Are you interested from working from your phone? (sic)” the text read.
The HR professional was asked to “like” three Instagram posts for which he was paid Rs 150. Then he was asked to join a Telegram group to settle his commission and asked if he wished to continue. He did, and he was added to another Telegram group with 20-30 other people and all of them were asked to “like” more Instagram posts.
Then, things started to get elaborate. The screen he was shown had multiple columns, colour-coded text, and one column dedicated to “mission time” — creating an atmosphere that a golden opportunity would slip through if one didn’t act quickly. He now had to pay small sums of money to be eligible for the tasks for which he would be paid commission. He chose the Rs 1,000 option and made some money on that too.
At this point, the “tasks” got complicated, but he could still choose small amounts to "invest." He was now assigned a mentor who would guide him on the tasks that involved buying cryptocurrency.
It all looked very authentic. The screen was now modelled on that of a stock market trading app with red and green numbers indicating whether the price of the cryptocurrencies listed had decreased or increased.
At first, he “invested” individually, and he was later put into a group of four people. Once the group had “invested” the amounts, they would have to go through with the ‘task’, or else they would lose the money. The day ended, and he had made some money.
The next day, he was asked again if he wanted to do the “tasks”. But now, the stakes were higher. He was told that the minimum he would have to invest was Rs 6,000 to be eligible for the tasks. Until then, he had invested a maximum of Rs 3,000. He refused, and when they didn’t allow him to play, he quit. When they told him he would get a commission of Rs 4,000, he started to get suspicious. He privately talked to the group participants, who told him that they had paid up to Rs 75,000 and later got blocked.
On the tweet thread, the HR professional said that it all looked “very genuine." Asked what convinced him that it was a scam, he told TNM, “There’s no free lunch.” He reported the number to the police, and an officer called him, noted the details, and warned him against such activities, and that was the end of it.
Navigating the banking system
An IPS officer who spoke on condition of anonymity told TNM that investigating a scam involves tracking two things: the communication channel through a maze of intermediaries, and the financial transactions through the banking system at a snail’s pace.
The WhatsApp number from which the HR professional got a message was prefixed with +84, which is Vietnam’s international calling code. But the IPS officer said that the numbers from which scamsters make calls need not mean anything. “Scamsters usually use virtual numbers or VoIP numbers, which are internet-based, not tied to any physical location. SIM-based calls are decreasing,” he said.
Virtual numbers and VoIP numbers are internet-based numbers that can be obtained from services often hosted on international servers. Similarly, domain names for websites can be obtained from international providers. These companies are not obligated to respond to requests for information from law enforcement agencies.
“There is little that we can do to ensure that intermediaries or domain providers comply with requests for information,” the IPS officer said. He explained that the exchange of information for criminal investigations is governed by bilateral Mutual Legal Assistance Treaties (MLAT). As of December 2019, India had MLAT treaties with 42 countries.
Manjappa (name changed), a police officer handling cybercrime cases, told TNM that it’s a waiting game. “Even if I know that the guy I’m tracking is in a particular country, I have to follow procedure. I can’t just go to another country like Akshay Kumar in Bell Bottom and do whatever I want. Many times, law enforcement agencies take over a year to get back to us. They too have to investigate our requests. Cybercrime investigations take time.”
Obtaining evidence or information from foreign countries, even for conventional crimes, is difficult, says A Nagarathna, a professor of law at the National Law School of India. “Much also depends on political and diplomatic relationships,” she said, pointing out that even though India signed an MLAT with Canada in 1998, relations between the two countries have soured recently.
Following the trail of money comes with its challenges. Often fraudsters use mule accounts – bank accounts that they rent from the account holders. But often, Manjappa said, “The scamsters give the account number of one victim to another. In most cases that we come across, we find at least one or two such account numbers. We’re running around in circles.” These bank accounts are now easier to track through the I4C portal, he said.
Once the money has been transferred to the fraudsters’ account, it goes out in multiple layers, and a single case can sometimes involve 150 bank accounts. “According to the finance ministry rules, the banks have 15 days to provide us with the account information. With so many accounts, imagine how long that will take,” the IPS officer said.
Even when they get account holders’ information, the police are sometimes left stumped. “In one case we found an account registered to a poultry shop. How is it that an account of a poultry shop receiving crores of rupees does not raise red flags in the banking system?” the IPS officer said.
Several investigating officers blamed banks for not being thorough while conducting KYC checks and for allowing the opening of digital accounts with video KYCs. “Once we found a digital account in which the customer had sat in a hotel room and sent his video KYC. Banks need to be more thorough,” he said.
An inspector at a CEN (Cyber Economics Narcotics) station in Bengaluru said that obtaining information from banks was tough sometimes, especially when branches were in other states. “If the branch is here, we can visit it ourselves to remind them and put pressure. But when branches in other states don’t respond, all we can do is send emails or make calls.”
Another IPS officer told TNM that in a case she is supervising, she was considering booking them for non-cooperation and negligence. “Recently, the Supreme Court ruled that the police can book bank officials for negligence,” she said.
Officials at the Bengaluru headquarters of State Bank of India, the largest banking and financial services organisation in the country, that TNM reached out to, declined to speak for this story.
Tracking transactions in real time
Monitoring suspicious transactions in a bank is like looking for a needle in a stack of needles – thousands of transactions are made every minute in a bank.
The risk of fraud – committed internally by bank employees or by fraudsters using mule accounts – has always been there. But there’s been a massive rise in real-time digital payments, particularly UPI, after Covid-19 broke out, said Jayaprakash Kavala, chief product officer at Clarif5, a company that creates products to tackle banking financial crimes. From around 500 transactions per second on average in 2017-18, banks are now seeing 3,000 transactions per second – everything from large investments to double-digit amounts that people pay the vegetable vendor. All these transactions are monitored in real-time at around 20 banks that use Clarif5’s Enterprise Fraud Management Solution.
So how does a bank catch a suspicious transaction when people are voluntarily giving money to fraudsters? Potentially suspicious transactions can be caught through a combination of automated transaction monitoring, behaviour profiling, and human interventions, said Jayaprakash.
There’s been a massive rise in real-time digital payments, particularly UPI, after Covid-19 broke out, said Jayaprakash Kavala, chief product officer at Clarif5, a company that creates products to tackle banking financial crimes. From around 500 transactions per second on average in 2017-18, banks are now seeing 3,000 transactions per second
Banks profile the transactions in an account and flag ones that don’t fit the pattern. Jayaprakash cited the example of a state government employee whose account the system picked up due to an unusual transaction. The profile of the account over three years factored in his monthly salary, annual increases, and monthly payments such as EMI and other expenses.
“Suddenly one day, a new beneficiary, who is not a builder or real estate company, is added to the account. A test transfer of Rs 1,000 is done, followed by another transfer of Rs 1 lakh. That’s still fine. Within seven days, Rs 5 lakh is transferred. That’s when the system wakes up, because here is a customer who’s never done these kinds of large transactions,” said Jayaprakash.
Once a transaction is flagged, an automated process kicks in. Through an IVRS call, the bank asks the customer to confirm whether it was they who initiated the transaction.
In another case, bank officials intervened when a customer was about to make a transaction of Rs 50 lakh, Jayapakash said. After seeing an alert in the system, the bank official spoke to the customer to determine whether the transaction was business-related or investment-related.
“This stops the customer and makes them think,” he said. “But even after this, if customers go ahead with the transaction and later realise the money has gone to a fraudster, they raise a complaint.”
Once a complaint is filed, the process to recover the money starts. But in most cases, the money is simply gone. Home Minister G Parameshwara said in December that people in the state lost Rs 109.01 crore in 641 cases of digital arrests in 2024. Of this, Rs 9.45 crore – just 8.6 percent – had been recovered.
Why call the 1930 helpline?
According to the police, the victims’ best shot at recovering money they’ve lost is by calling 1930, the Citizen Financial Cyber Frauds Reporting and Management System helpline.
“When people come to us, we tell them to call the 1930 helpline. After that, we take their complaint,” says an inspector at a CEN station in Bengaluru.
The 1930 helpline is a centralised system for reporting all kinds of cyber-related crimes and is linked with banks across the country, which can take immediate action on the victims’ bank accounts. It is a part of the National Cyber Crime Reporting Portal and was inaugurated on April 1, 2021, as part of the union Ministry of Home Affairs’s India Cyber Crime Coordination Centre (I4C).
The public can report any kind of cyber-related crime, including crimes of a sexual nature against women and children, either over a phone call or by filing a complaint on the portal. It also allows the public to report suspicious numbers.
When someone files a complaint about financial fraud with 1930, the NCRP flags the complaint to the bank, but these still are being checked manually by employees at the end of the day, says Jayaprakash. “What we’ve done is automate this whole process. Earlier, tracing the funds would take 24 hours; now we can do it in 10 seconds,” said Jayaprakash.
Currently, this product is being used at Punjab National Bank, the second-largest public sector bank in India with 200 million customers, on a pilot basis. Jayaprakash said that since November, when the product was piloted at PNB, other banks have also expressed interest and the company is in touch with several other banks.
He explained that Clarif5 worked with I4C and banks to develop and finalise the APIs, which are software that allow two applications to talk to each other. In this case, the APIs would directly connect I4C and banks and trigger actions such as lien or debit freeze within the bank.
He said that this would enable banks to take quick action “within the golden hour”.
“We have to be able to decide on whether a transaction should be allowed or declined within 30-100 milliseconds,” he said, adding that this includes planning for higher volumes of transactions in the future. Currently, the product is evaluating 3,000 transactions per second at PNB but is capable of handling up to 10,000.
“If you can react within 45 minutes of the complaint being raised, there is a hope of the money not going out of the country. As long as the money is within the country and the financial ecosystem, the banks and the union Ministry of Home Affairs have the scope to get the money back to the victim. If the money goes out of the country, there is very little that our institutions can do as the money ultimately gets layered as cryptocurrency abroad,” Jayaprakash said.
Catching up with criminals
While this might present a gloomy picture, Karnataka has been proactive in tackling cybercrimes. It was the first state in the country to launch the Cyber Crime Incident Report, which considerably sped up the process of registering complaints. The state has also set up a CEN police station in each district and eight in Bengaluru.
In 2018, the state police signed a Memorandum of Understanding with the Digital Security Council of India. Since then, the DSCI has set up a cyber lab and the Centre for Cybercrime Investigation Training and Research at the Criminal Investigation Department headquarters in Bengaluru with high-end investigative tools that could keep the police one step ahead of people committing crimes using digital devices and tools.
Venkatesh Murthy, senior director at DSCI, who heads the lab, said that the forensic tools that the lab trains the police in are all open source and are nearly as good as commercially available ones. The CCITR has training courses with practical components for the police, prosecutors, and judicial officers.
DGP of CID MA Saleem acknowledged that the police had some catching up to do. “The police should be one step ahead of criminals. When it comes to murders, robbery, and even terror cases, our officers are experts, and they are far ahead of criminals. But with cybercrime, even officers with 25-30 years of experience are finding it difficult. The speed with which crimes are occurring is the reason that detection is less.”
Saleem said that officers were keeping track of the various types of cybercrimes and had identified 46 modi operandi. Along with the training in collaboration with the DSCI and regular meetings with the banks, the system was being set up for a smooth investigation. “Creating awareness is key. These crimes can be controlled.”
This story was republished from The News Minute as part of the NL-TNM alliance. It has been lightly edited for style and clarity.
With journalism and journalists under threat, we need your help. Your work can power our reportage and help us tell stories that matter. Click here to subscribe and join the tribe that pays to keep news free.
Newslaundry is a reader-supported, ad-free, independent news outlet based out of New Delhi. Support their journalism, here.
