Fear mainly results in cyber frauds: State Bank of India's Nitin Chugh

Fear has replaced greed as the predominant factor, which makes people vulnerable to cyber frauds, said Nitin Chugh, deputy managing director and head of digital banking and transformation at State Bank of India (SBI), during a fireside chat with Business Standard Consulting Editor Tamal Bandyopadhyay at the Business Standard BFSI Insight Summit 2024 in November. Edited Excerpts:

 

Every day we hear about new cybercrimes. Can you tell us what is going on?

 

We're just seeing new variations of how fear is now being used more than greed.  In the earlier years, the predominant theme of financial scams was greed. What we are seeing now is a great deal of intimidation and fear, where people are being threatened; they are being told that something wrong has happened. That is what people are succumbing to – intimidation from calls like these. It's a new trend.

 

No matter how much we tell people that don't entertain these calls, don't give away your credentials, and the circumstances in which these calls are being made, people in a state of panic do not apply their minds rationally and give in. We have seen instances where over a period of three days, or four days, people are willingly going to branches and making RTGS, NEFT transfers because somebody has threatened them, saying that if you don't do this, we will place you under arrest.

 

Cases like these tell you that there are vulnerable human emotions that the fraudsters are playing around with. 

 

How are you seeing this play out?

 

We are seeing different kinds of modus operandi playing out right now. Wherever small ticket values are involved, you will not find the scammers making an effort to go through this whole process of intimidating, threatening, impersonating a dressed-up cop and having a video call. They will usually do that for high-value transactions. High value could be as many as a few crores of rupees. Small value frauds are the traditional phishing-based scams where people willingly give away their credentials or an account takeover. 

 

How do they pick their victims?

 

It's almost like a cold calling, carpet bombing mechanism. You call 100 people; you will get two or three victims. There are organised contact centers, which keep making calls. There are hundreds of ways the scams can happen. As far as social engineering frauds are concerned, what happens is somebody gets a call, saying I am a policeman, I am calling you for X, Y, Z reason and this is what you need to do. Today if you search for customer service handles on X or you search for contact center numbers, there are a lot of these fake call center numbers that customers end up calling a fake call center rather than a real one. 

 

How do we prevent this?

 

We live in a world that is now proliferating with tech everywhere. It is everyone's individual responsibility to be aware of the tech. Banks have a fiduciary responsibility to keep your money safe but then what happens when the customers themselves compromise credentials? That is where even the law does not help you beyond a point. Everybody should have a basic idea of what technology is being used. People sometimes just take pride in saying I don't understand. But when it comes to matters related to your own personal security and hard-earned money in your bank account, it is important to at least be aware of what can happen. Some basic checks are required, and most importantly, taking responsibility for your own actions is necessary. 

 

How do you deal with the issue of mule accounts?

 

Anyone who believes there is an incentive to allow their accounts to be used and falls for the idea of earning monetary gain by doing so is being recruited as a mule. They are pre-recruited and it is part of an organised setup. They are kept in readiness, saying that at some point in time, you will get a message, that there is a transaction in your account and the only thing that you need to do is withdraw that money, and a part of it you can retain and the rest has to be handed over.

 

Once money gets debited from the victim’s account, it gets distributed into 100 accounts. There are technology-led ways to prevent this. For example, for cross-border payments, Interpol has a setup called iGRIP (Global Rapid Intervention for Payments), which is cross-country. In July 2024, they actually stopped a $43 million scam, which happened because of a business email compromise. In India, through the Indian Cybercrime Coordination Centre (ICCC) and the National Cybercrime Portal, the next step is to prevent such incidents from happening. Once money moves from an account, the account holder gets alerted, or the bank’s risk management system triggers an alert. However, the key is to stop the transfer before the money is withdrawn from the 100 accounts. There needs to be a mechanism in place to prevent this from happening in real time. This is a new development that, hopefully, will help address the issue.

 

Are people from rural areas primary target for mule accounts?

 

I don't want to name a city or a specific case.  But we have even come across students of good colleges getting involved, unknowingly. Because these people invariably are always deal-hunting for something or the other. So, the mindset becomes very small-ticket gratification.

 

Maybe it's happening with the uneducated, the uninformed people, as well. But we are seeing that anybody who gives in to the temptation that I have to withdraw money that comes into my account and I can make Rs 500 in a matter of five minutes becomes a mule account.  The mule, invariably, gives in to greed.

 

What can banks do in this case?

 

The first thing we ask customers is to report back to the bank if they find any unusual credit in their account. But even to be able to pre-empt that this kind of transaction can actually take place, there is data science, which can help us in identifying or pre-identifying who are the people who are more vulnerable to something like this.

 

One, who are the people who are more vulnerable or susceptible to fraud, and second, who are the people who are more vulnerable to being used as mules? Now, this is where we are now actually having a discussion that in our desire to make everything seamless, frictionless, very easy, and very quick, why don't we bring in some amount of happy friction that builds some bit of necessary friction at least for vulnerable profiles, so that they have to go through some step of authentication, some more checks before they can actually move their money, willingly. If they are doing it unwillingly, then it's obviously an account takeover which can be through malware or some other thing, but if you are willingly giving away money, there should be some more checks for some vulnerable profiles, which usually will not be as part of your regular pattern of spending money.

 

Can banks punish mule accounts?

 

We obviously can't punish such accounts. As a bank, you can't punish an account holder. But you can report. So we re-verify the credentials of the account, we ask a few questions, and if the questions are not satisfactory, then we report the account as a suspicious transaction and a suspicious account. Then the law takes its own course. You can obviously go ahead and block a few accounts and we have recently done that in a different kind of issue that came up, which was around merchants, where we saw customers raising chargeback complaints. 

 

RBI is working on a digital intelligence platform. Can you throw some light on that?

 

I am not completely aware of this. The RBI has set up a committee to examine setting up a digital payments intelligence platform because real-time payments, as much as they are beneficial and good, are also being misused for sending money very quickly whenever there's fraud.