Sahaya Novinston Lobo By Express News Service CHENNAI: Even as the Anti-Bank Fraud wing of the Tamil Nadu police’s Central Crime Branch receives hundreds of complaints regarding crores of rupees being swindled through the famous ‘SIM swap’ method, investigation officers have struggled to identify the networks behind such crimes and put the criminals behind bars. Senior police officers said different gangs have used the SIM swap method in India to swindle over Rs 200 crore in the past four years. Police said they know of two types of SIM swaps currently. “One is where the fraudsters send a phishing email to the victim. Once the victim clicks on the link, the fraudsters send a malware to the system to collect all their personal information. The second is where the gang tracks a person for a while, and collects details. In both scenarios, the gang applies for a duplicate SIM card in the victim’s name and transfers money from the bank account linked to the victim’s mobile number. Hence the name SIM swap,” explained an investigation officer. While the criminals appear to target persons likely to have access to a company account, they also target others. Meanwhile, victims are unable to recover the stolen cash as banks wash their hands off, claiming no responsibility for the loss. Recently, the anti-bank fraud wing of the Chennai city police caught a break. They arrested a five-member gang for swindling more than Rs 1.5 crore from four businessmen in the city. Inquiries revealed a massive network of cybercriminals is operating across the country, targeting businessmen and huge private firms. Since then 10 others, part of different networks, have been arrested in similar cases. However, the police have been unable to track down the kingpins behind any of these networks. Network problems, a red flag Let’s take the case of Martin Wilson (name changed), an accounting manager at a financing company, in Chennai. The company bank account was linked to his mobile number. One Saturday evening, his mobile network was disconnected and Martin did not receive any messages or calls. Martin thought it was just a network issue. Since it was a weekend, he did not mind that his office number was not working. “On Monday when he went to work, he found `1 crore debited from the company account. When Martin enquired with the bank, he was told that the money has been transferred to 10 different accounts in a span of 12 hours and that the One Time Password (OTP) had been sent to his registered mobile number,” recounted the intelligence officer of the private bank, which directed Martin to the Anti-Bank Fraud wing. Martin approached his mobile service provider and learnt that a duplicate SIM had been issued at his request and only after his Aadhaar card was given to the agent at the outlet. “The fraudsters had sent an email or a text message to Martin, which he had clicked on. Once the link has been clicked, the fraudsters send a malware virus into the system which collected the details of every transaction he had made and details of unique identification cards such as Aadhaar. With those details, they were able to get a duplicate SIM card to receive the OTP,” said the investigation officer. No need to phish In the case of Saravanan, manager of a huge tech firm, the mobile number was registered with the company and not an individual. When he went to work on a Monday, he realised money had been debited. The arrest of a Nigerian and his aides, in February this year, revealed that the gang had targeted persons like Saravanan and tracked them for a while. Once they got hold of their mobile number and email id, the gang created a fake company letter pad. “They would write to the mobile service provider stating that the mobile was lost and they should block the mobile number immediately. The service providers only ask basic questions such as the mobile number and the name of the person with whom the number is registered. Once the verification is done, a member of the gang approaches the service provider in the guise of a senior official from the company and collects the SIM card,” said a police officer. Further, the Aadhaar number of a person can be purchased for just `500. The Aadhaar portal can either be hacked for the information or just misused by anyone who works at the common service centre. Since bank accounts are now linked to Aadhaar numbers, criminals are able to extract all bank information with just the Aadhaar number, said the police officer. Another senior police officer, added there there are places on the darkweb where such data is available for sale. Global network with a focus on developing world Police inquiries with those arrested have revealed that the network of criminals using the SIM swap method is global. “Some of the main bases are in Nigeria, while Indian sub-bases are in Gurgaon, Uttarakhand, Kolkata and Jharkhand. The person who collects the basic information and the one who collects the duplicate SIM cards do not know each other. The gang has a team of hackers, allowing them to constantly change their IP addresses the globe so as to confuse police officers,” said an investigation officer. The criminals take advantage of a few factors, police said. First, banks do not work on weekends. Second, people usually ignore calls or messages that come late in the night. Third, in developing countries like India, police investigations are often delayed by jurisdiction issues. “When money is lost through online fraudsters, the money is mostly withdrawn from a different state. When the victim approaches the bank and the police, they face the problem of jurisdiction. With all the work they have, officials in other states hesitate to take on the effort of tracking a case registered elsewhere,” noted a police officer. Interestingly, experts say that not a very high-level of hacking skills are required for these crimes but the criminals benefit from a lack of technical know-how on part of police, who have to rely on help from hackers and techies employed at IT firms. Further, only now is the department collaborating with tech firms and high-level intelligence officers to train some personnel in cyber security. ‘Man in the middle’ attack While police call the M.O. SIM swap, experts call it a ‘man in the middle attack’. “The fraudsters hack the system and silently note down the bank transactions of an individual. Once the transaction is requested from a person, the hackers collect the details of the bank account and once the message is received from the bank, they hack the OTP and CVV numbers. Since this happens outside the firewall of the bank, it is difficult for them to identify such malware,” said V Rajendran, chairman of Digital Security Association of India and cyber advocate. The fraudsters also create duplicate bank websites and when an individual enters the website, he provides it with all the bank details that can be captured by the fraudsters. “When we enter a bank’s website online, it is always better to verify if that is the authentic bank website,” Rajendran said, adding that corruption at private firms also puts people at risk “Whenever a low-level employee is ready to share company data, the information of the customers is compromised,” pointed out Rajendran.

Stay updated with all the Chennai Latest News headlines here. For more exclusive & live news updates from all around India, stay connected with NYOOOZ.