- Get a list of active phone numbers from darknet
- Can be a curated list of numbers within a circle, or of numbers which have an active bank account
- Buy set of SIM cards, Android mobile or SIM box
- SIM card can be bought against any legal document, no Aadhaar required, courtesy our honorable Supreme Court, which struck down the said provision of the Aadhaar Act as privacy > other considerations
- The other legal documents have no biometrics, so you can fake one if resourceful
- Prepaid SIM doesn't need physical verification of address
- Cold call numbers from the list in step 1
- Sweet talk into making the target click on a link
- When link is clicked
- Create a request to UPI/wallet for charging payment
- Gaslight target into accepting the information in the guise of it helping the target
- If victim realises s/he has been defrauded
- Gaslight again and repeat step 4
- Block the number from calling back through Android feature
- Keep the amounts scammed low so that
- neither the victim makes a complaint - money lost is lesser than fear of harassment
- nor police go through the effort of investigating - When there are scams of crores to be cracked, why go after small ticket scams?
- Form a network of scamsters and keep milking the list of step 1
- Many fake call centers have mushroomed all over as per news reports
- Doesn't have a deep understanding of newer payment models
- Financially uneducated, digitally illiterate, informationally uninformed
- Gullible and can be easily manipulated into believing the stranger
- Has 1 number and has a UPI / wallet linked to the primary number
- Legal Institutional
- Make Aadhaar seeding mandatory for mobile phones
- Was tried but failed legal challenges
- Needs to be brought in on security and criminal grounds
- Take issue seriously
- This hurts the credibility of digital transactions
- Can lead to people going for cash over blackboxes they see as unreliable
- Registry for reporting such incidents and effective investigation
- Tried to find helpline numbers where to report this call but none seemed handy
- The DOT website doesn't help - the grievance redressal option is against the officers, not against the internet provider
- The citizen's charter corresponds to 2017-18 and is directed towards ISPs and telecom operators.
- The TRAI website didn't help either - it has complaints sections targeted towards the telecom operator and its value-added services
- Same is true of the NPCI website
- Hence the need for a cross-agency system to tackle issues at the confluence of multiple regulators
- Retail consumer apps
- Most wallets etc simply say we do not send unsolicited mails
- Introduce a challenge to identify whether a communication was from you or not
- Similar to an OTP - send an SMS / app notification and make it SOP to have this challenge in all communication to establish 2-way trust
- Create industry body to lobby for better tracking mechanisms
- Customers should only need to notify their apps that someone tried to (ab)use their name for a scam
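
One way to implement the OTP-like challenge suggested above, as an added example that is not from the original post or any wallet's real API: when the provider initiates contact it pushes a short code to the customer's app, and the app checks the code the caller quotes. The per-device key, the function names `contact_code` and `caller_is_genuine`, and the 120-second window are all assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 120  # assumed validity period for one contact attempt


def contact_code(device_key: bytes, customer_id: str, channel: str, now: float) -> str:
    """6-digit code bound to customer, channel and time window.

    The provider computes it when it initiates contact; the app computes
    the same value from the key it received at enrollment (assumption).
    """
    window = int(now // WINDOW_SECONDS)
    msg = f"{customer_id}|{channel}|".encode() + struct.pack(">Q", window)
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in HOTP (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def caller_is_genuine(device_key: bytes, customer_id: str, channel: str,
                      quoted: str, now: float) -> bool:
    """App-side check of the code the caller or SMS quotes."""
    if not (quoted.isascii() and quoted.isdigit() and len(quoted) == 6):
        return False
    ok = False
    for skew in (0, 1):  # accept the current and the previous window only
        expected = contact_code(device_key, customer_id, channel,
                                now - skew * WINDOW_SECONDS)
        ok |= hmac.compare_digest(expected, quoted)  # constant-time compare
    return ok


if __name__ == "__main__":
    key = b"k" * 32            # constructed sample key
    t = 1_700_000_000.0        # constructed timestamp
    code = contact_code(key, "cust-42", "voice", t)
    print("agent quotes:", code)
    print("genuine call accepted:", caller_is_genuine(key, "cust-42", "voice", code, t))
    print("guessed code accepted:", caller_is_genuine(key, "cust-42", "voice", "000000", t))
```

A caller without access to the provider's systems cannot trigger the in-app notification or derive the code, so the customer's rule becomes simple: no matching code, no conversation.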
Few options come to mind:
- Cold call a list number to check if it's active - disconnect before it's picked up - this dead weight on the telecom networks allows the check for free, one only needs SIM multiplexers to do this call in an automated manner
- Somehow get hold of Excel files from another telecom shop / business concern - many a time the staff can extract files with a limited list of subscribers for internal marketing purposes, which can get leaked into the hands of scamsters
- Get hold of data from a contact - while you may install only relevant apps on your device, one of your contacts may've installed a shady app on their device, which (the app) in turn used the contacts permissions to harvest all numbers
- Send one-off SMSes with unique URLs, which if clicked, means that the number is active.
Now, I neither have an account ending in those last few digits, nor am I expecting a sum in that range to be transferred. But someone who is in a hurry and didn't realise the reality of the number can definitely be taken for a ride. In this case, the scamster has used only an actual number instead of a 6-character alphanumeric registered sender ID, which makes things easier to identify.