Current Affairs for UPSC Preparation: India’s Cybercrime Challenge Explained | #cybercrime | #infosec

Question 1: What are the various forms of cybercrimes prevalent in India?

Recently the government’s flagship ‘Digital India’ programme completed ten years on July 1. In the last decade, India has made transformational changes in the adoption of digital technology. It has emerged as the fastest-growing digital economy. As it continues to expand, it has become a way of life for citizens. But this digital revolution has also produced some challenges not only for policymakers but also for the security apparatus. These challenges come in different forms of cyber crimes. 

In general cybercrime is defined as “Any unlawful act where a computer or communication device or computer network is used to commit or facilitate the commission of crime”.

Cybercrime encompasses a wide range of malicious activities, including identity theft, financial fraud, hacking, cyberstalking, and the distribution of harmful software, among others. Some of them are explained below:

1. Phishing: It is a common type of cyber-attack that targets individuals through email, text messages, phone calls, and other forms of communication. A phishing attack aims to trick the recipient into falling for the attacker’s desired action, such as revealing financial information, system login credentials, or other sensitive information. Fundamentally, these threats exploit human psychology rather than technical vulnerabilities.

2. Ransomware attacks: It is a specific type of malware. It typically locks the system to prevent users from accessing their own system or personal files. Only after receiving ransom demand by the attacker, the access is regranted to the user, without which data is permanently lost or, in some cases, made publicly available.

India has witnessed a sharp 55 per cent hike in ransomware incidents, with 98 recorded attacks in 2024. The highest number of such activities was reported in May and October. The latest figures were revealed by the ‘Ransomware Trends 2024: Insights for Global Cybersecurity Readiness’ report released by CyberPeace, a non-profit organisation for cybersecurity.

3. Whale Phishing: Unlike the typical phishing scams, whale phishing or spear phishing are focused on specific individuals. The difference between whaling and spear phishing is that whaling exclusively targets high-ranking individuals within an organization, while spear phishing usually goes after a category of individuals with a lower profile.

4. Smishing: It is a cyber-attack that targets individuals through SMS or text messages. The term is a combination of ‘SMS’ and ‘phishing’.

5. Vishing (short for voice phishing): It consists of phone calls from fraudsters pretending to be officials, such as bank representatives, trick victims into revealing OTPs or account details.

AI Revolution in Cybercrime

Cyber threats have transformed into sophisticated, AI-powered operations, meticulously designed to exploit human vulnerabilities. Ankita Deshkar of The Indian Express writes, “Latest attacks are becoming increasingly complex and difficult to detect. These aren’t just incremental improvements—they represent a fundamental reimagining of digital threat strategies.” Dr Chiranjiv Roy, global head of data science, machine learning and applied generative AI at C5i.ai, lists some common threats:

1. Personalised phishing: AI enables attackers to scrape social media profiles and create highly targeted phishing emails. For instance, a professional in Bengaluru might receive an email mimicking a local job portal, claiming to offer a high-paying job at Infosys.

2. Deepfake technology: AI-generated voices and videos are used in vishing calls to impersonate trusted figures. For example, deepfake voice calls of CEOs have been used to authorise fraudulent financial transfers in Indian companies too.

3. Polymorphic malware: AI-powered phishing campaigns can deploy malware that constantly evolves its code, bypassing traditional antivirus programs.

4. Chatbots for smishing: AI bots mimic human-like interactions in messaging platforms like WhatsApp or Telegram, making fraudulent schemes more believable.

During the COVID-19 pandemic, cyber attacks reached new heights. Smishing attacks claiming to offer COVID-19 relief funds were common and led to widespread data theft.”

Question 2: What are the key causes behind the growing number of cybercrimes in India?

With the rapid digitalisation, exposure to cyber threats and digital risks has increased, which are getting sophisticated day by day. The surge in digital fraud is a matter of concern. Frauds present multiple challenges for the financial system in the form of reputational risk, operational risk, business risk and the erosion of customer confidence with financial stability implications. It also presents a security challenge. In this context, to tackle the cybercrime challenge, first understanding the factors contributing to the surge in cybercrimes in India is essential.

One of the primary reasons for the increase in cybercrime cases is the exponential growth in the number of internet users. As more people conduct their financial transactions, social interactions, and professional activities online, the opportunities for cybercriminals to exploit vulnerabilities have multiplied. The sophistication of cyber attacks has also evolved, with criminals employing advanced techniques such as phishing, ransomware, and social engineering to breach security measures.

Additionally, the shift to remote work and increased online activities expanded the attack surface for cybercriminals. Many individuals and organisations were unprepared for the rapid digital transition, leaving gaps in their cybersecurity defences that were easily exploited.

Another contributing factor is the anonymity and borderless nature of the internet, which allows cybercriminals to operate from any location, making it challenging for law enforcement agencies to track and prosecute offenders. The lack of stringent cybersecurity laws and international cooperation in some regions further complicates efforts to combat cybercrime.

Question 3: What measures has the Government undertaken to address the growing threat of cybercrimes?

India has a comprehensive legal framework to address cybercrimes. The Information Technology Act, 2000 covers offences related to phishing, smishing, and vishing, prescribing fines and imprisonment. 

The three new criminal laws, namely, the Bharatiya Nagarik Suraksha Sanhita (BNSS), 2023, the Bharatiya Nyaya Sanhita, 2023, and the Bharatiya Sakshya Adhiniyam, 2023, repealed the British-era Indian Penal Code, the Code of Criminal Procedure, and the Indian Evidence Act, respectively, also address the evolving digital landscape and the growing threat of cybercrime.

Rameesh Kailasam writes, “The three laws enable the registration of electronic First Information Reports (FIRs) and establish electronic evidence as a primary form of proof. Under the BNSS, 2023, data collection is permitted for criminal identification. Additionally, it stipulates that all trials, inquiries, and proceedings may be conducted in electronic mode. The production of electronic communication devices, likely to contain digital evidence, will be allowed for investigation, inquiry, or trial.

The Bharatiya Sakshya Adhiniyam, 2023, appears to adapt to the digital age. It classifies electronic records as documents. Under the Indian Evidence Act, electronic records are classified as secondary evidence. However, under the new law, electronic records are categorised as primary evidence. It expands such records to include information stored in semiconductor memory or any communication devices (such as smartphones, and laptops).

The new laws facilitate the enhanced use of technology for efficient evidence collection and presentation. It is evident that these amendments to India’s legal framework will ease both investigation and the judicial process, particularly for cases related to cybersecurity.”

Other initiatives

The changing geo-political and economic shifts have also compelled the Indian government to take active steps to evolve in cyberspace. Thus, beyond the legal framework, various other measures have also been taken by the government.

1. Indian Cyber Crime Coordination Centre (I4C): It was officially inaugurated by Home Minister Shri Amit Shah on the 10th of January 2020, to combat Cybercrime in the country and strengthen the overall security apparatus to fight against Cybercrime.

In September 2024, four I4C platforms — Cyber Fraud Mitigation Centre (CFMC), the ‘Samanvaya’ platform, a Cyber Commandos programme and a Suspect Registry — were inaugurated by the Home Minister. 

The Central Suspect Registry serves as a central-level database with consolidated data on cybercrime suspects from across the country. The National Cybercrime Reporting Portal (NCRP) has been tasked with establishing the Suspect Registry. 

The CFMC focuses on addressing online financial fraud and scams. It looks to prevent cybercrimes by facilitating cooperation between various stakeholders such as major banks, payment aggregators, telecom companies, Internet Service Providers (ISPs), central agencies, and local police on a single platform.

The Samanvaya Platform, also known as the Joint Cybercrime Investigation Facilitation System, is designed as a single repository of data pertaining to cyber crimes.

2. Indian Computer Emergency Response Team (CERT-In): Under the provisions of section 70B of the Information Technology (IT) Act, 2000, the CERT-In is designated as the national agency for responding to cyber security incidents. The CERT-In plays a vital role in controlling cybersecurity incidents and coordinating incident response activities. It acts as the central agency for incident response, vulnerability handling, and security management in India’s cyberspace.

3. Cyber Swachhta Kendra: The Cyber Swachhta Kendra is an initiative that focuses on detecting and removing malicious botnet programs from computers and devices. It provides free tools for malware analysis and helps improve the security of systems and devices.

4. ‘bank.in’ domain for banks:  To combat the increasing number of digital payment frauds, in February this year, the Reserve Bank of India (RBI) announced the introduction of the ‘bank.in’, an exclusive internet domain for Indian banks. On 22nd April, the regulator decided to operationalise the ‘. bank.in’ domain for banks. A domain name is used to find websites. It is considered a symbol of national identity on the global internet.

This exclusive internet domain for domestic banks will minimise cyber security threats and will help in strengthening trust in the country’s digital banking and payment services. With the migration to the new domain, all banks in the country will have ‘.bank.in’ as the domain name. Currently, banks are either using ‘.com’ or ‘.co.in’ as their domain name, which is more generic. The RBI has given banks time till October 31, 2025 to migrate to ‘.bank.in’.

5. National Cyber Crime Reporting Portal: It is an initiative of Government of India to facilitate victims/complainants to report cyber crime complaints online. The portal caters all types of cyber crime complaints including complaints pertaining to online Child Pornography (CP), Child Sexual Abuse Material (CSAM) or sexually explicit content such as Rape/Gang Rape (CP/RGR) content and other cyber crimes such as mobile crimes, online and social media crimes, online financial frauds, ransomware, hacking, cryptocurrency crimes and online cyber trafficking.

6. Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS): It has been developed by the I4C and is operated by respective State/UT which brings together Law Enforcement Agencies of States/UTS, Banks and Financial Intermediaries on a single platform to take immediate action on the complaints regarding financial cyber frauds received through helpline number 1930.

7. New e-Zero FIR: I4C has introduced the new e-Zero FIR initiative to automatically converts cyber financial crime complaints with a cheating value above Rs 10 lakh, registered on the 1930 helpline or the National Cybercrime Reporting Portal (NCRP), into FIRs.

8. Sanchar Saathi: It is a citizen-centric initiative by the Department of Telecommunications (DoT) to empower mobile users and enhance their security. It offers various services, including tracing lost/stolen mobile devices, checking the number of mobile connections in one’s name, verifying the genuineness of mobile handsets, and reporting suspicious international calls with Indian numbers. The portal also facilitates reporting of unwanted or fraudulent connections.

9. MuleHunter.AI: On 6th December 2024, the Reserve Bank of India (RBI) announced that it has created an AI-powered model called MuleHunter.AI, which could reduce digital fraud by helping banks deal with the increasing problem of “mule” bank accounts. It has been developed by the Reserve Bank Innovation Hub.

In recent years, the government has also increased the budget allocation to cybersecurity. However, challenges remain. There is a need for effective utilisation, transparency, and accountability in fund allocation. Collaboration between the government, industry, and academia is vital for a robust approach.

It is also imperative for individuals, organizations, and governments to prioritize cybersecurity. This includes investing in robust security infrastructure, conducting regular security awareness training, and implementing strict data protection measures. Additionally, fostering international collaboration to share intelligence and best practices is crucial for effectively combating cybercrime on a global scale.

Post Read Questions

Prelims

(1) In India, it is legally mandatory for which of the following to report on cyber security incidents? (UPSC CSE 2017)

1. Service providers

2. Data centres

3. Body corporate

Select the correct answer using the code given below:

(a) 1 only

(b) 1 and 2 only

(c) 3 only

(d) 1, 2 and 3

(2) In India, under cyber insurance for individuals, which of the following benefits are generally covered, in addition to payment for the loss of funds and other benefits? (UPSC CSE 2020) 

1. Cost of restoration of the computer system in case of malware disrupting access to one’s computer

2. Cost of a new computer if some miscreant wilfully damages it, if proved so

3. Cost of hiring a specialised consultant to minimise the loss in case of cyber extortion

4. Cost of defence in the Court of Law if any third party files a suit

Select the correct answer using the code given below:

(a) 1, 2 and 4 only  

(b) 1, 3 and 4 only

(c) 2 and 3 only  

(d) 1, 2, 3 and 4  

(3) The terms ‘WannaCry, Petya and EternalBlue’ sometimes mentioned in the news recently are related to (UPSC CSE 2018)

(a) Exoplanets

(b) Cryptocurrency

(c) Cyber attacks

(d) Mini satellites

Mains

What are the different elements of cyber security? Keeping in view the challenges in cyber security, examine the extent to which India has successfully developed a comprehensive National Cyber Security Strategy. (UPSC CSE 2022)

Prelims Answer Key

1. (d)                           2. (b)                              3. (c)

(Sources: Exclusive: Indians losing Rs 1,000 crore every month to cyber frauds, Knowledge Nugget | ‘.bank.in’ domain for banks,  A look at digital banking scams, FatBoyPanel?, Unmasking digital deception, cybercrime.gov.in, static.cybercrime.gov.in, Knowledge nugget: MuleHunter.AI, India stares at a steep cyber crime challenge. Is it prepared?,sancharsaathi.gov.in)