India needs to take a comprehensive stance against increasing digital fraud

State action overhaul: Three policy suggestions

The convenience of India’s digital economy has been met with a frightening surge in criminal activity, from illegal loan apps to “digital arrest” scams. Individual cases are sometimes resolved through investigation and prosecution, but the brainpower and effort on the part of the attackers is improving at an alarming rate. On the one hand, headlines report a significant loss of ₹22,845 crore in 3.6 million cases in 2024, a 42 per cent rise in the number of incidents. On the other hand, a recent reply in the Lok Sabha claimed a loss of a mere ₹580 crore in digital-payment frauds over five years. 

This mismatch in figures points to lack of clarity and a proper taxonomy for the fraud problem. Such ambiguity allows the full scale of the problem to be understated. The state has to do more to solve this situation. We do not individually provide for national defence; we rely on a coordinated state effort. The same logic applies to digital fraud. Ross Anderson, an expert on security economics, has pointed out that internet security has elements of a public good. One insecure machine can create costs for others (ie the market failure of negative externalities). 

The current response is reactive and fragmented. The burden of the loss falls primarily on the victim. But there is a mismatch between what an individual can do personally and the scale and complexity of the attack. The victim is left to manage the financial and emotional impact on her own. Regulators may view the problem as less severe, and banks often direct customers to the 1930 helpline. Law enforcement, with its own resource limitations, can have a hard time dedicating significant bandwidth to these cases. Telecom companies, a key point in the system, may cite low average revenue per user (Arpu) as justifying low effort, when asked to meet higher standards. 

By default, these problems will readily turn into a spiral of micro-management by the government through intricate regulations that specify details of products and processes used by private persons. This approach is encouraged by the private sector as they get to shrug off responsibility: UPI (unified payments interface) fraud is the fault of the government. But central-planning systems interfere in economic dynamism. Central planning is also a poor approach to cyber security, a field that is too complex and dynamic for a single, rigid government-designed security system. We suggest three ingredients for the way forward. 

Ingredient 1: Clarity on loss allocation 

A key step is to clarify the allocation of losses. When the victim bears the loss, other stakeholders have a low incentive to improve the system. A shift in this approach is needed. Firms are the ones best-placed to understand the emerging threat environment, to continuously innovate on precisely how security will be done, and make modifications to their products and processes in fighting back. For this, they have to suffer losses when fraud takes place. 

While the Reserve Bank of India’s (RBI’s) framework for limiting customer liability is a right step, its complexity and de facto reliance on customers to prove their innocence often undermines its intent. We should look to more robust, firm-centric models like those in Singapore and the United Kingdom (UK). Singapore’s proposed “waterfall” implementation for phishing frauds is an example. Responsibility is assigned to the party best-positioned to handle it. The financial service provider (FSP) is the primary custodian. If it fails in its duties (eg not providing transaction notifications), it is expected to pay up. If the FSP has fulfilled its duties, the responsibility shifts to the telecom company. This framework creates an incentive for all firms to be vigilant. 

The UK’s initiative — Authorised Push Payment — further mandates a 50:50 reimbursement split between the sending and receiving payment service providers. This helps ensure the victim is reimbursed promptly and encourages both ends of the transaction chain to be proactive. It creates a direct, financial incentive for banks to be proactive in detecting and preventing fraud through a real-time data exchange, rather than simply passing the loss to the customer. Shifting financial liability incites effective market-based solutions by harnessing the incentives and global knowledge of firms. 

Ingredient 2: Coordinated state action 

The second component is to address fragmentation within the Indian state. The issue of digital fraud involves the economics complex (the finance ministry and the RBI), the online ecosystem (the telecom regulator, telcos, and payment platforms), and the security complex (police, cyber cells, etc) at multiple levels with low coordination. 

A well-coordinated response would include clear work allocation and cooperation. This would allow stakeholders to share information in real time, build analytics to identify threats, and launch coordinated and targeted law-enforcement efforts. A clear, collaborative framework is required where roles and responsibilities are defined and aligned. 

Without a clear taxonomy, the ecosystem participants across the country cannot effectively share intelligence with one another, and regulators cannot accurately measure the scale or nature of a new threat. The data on fraud categories in Bengaluru shows that a large part of the problem involves “investment fraud” and “digital arrest”. It is a matter of not just a card or an OTP (one-time password). The choke points are transactions across payment accounts in sending and receiving institutions. By standardising definitions and sharing information on the modus operandi, we can build a collective defence that is stronger than any individual effort. 

The way forward: An expert group 

To attack this problem, we propose an expert group be set up to form a national strategy on digital fraud. This group would bring together skills in financial regulation, security economics, cyber defence, and public communications, and an understanding of the Indian financial and security systems. It should lay the foundations of a coordinated approach by the Indian state in fighting digital fraud. It should have the objectives: (a) defining a national strategy, including a clear taxonomy, data-sharing protocols, and necessary legal and organisational changes; (b) designing coordination mechanisms and assign clear responsibilities between the economics and security complexes; (c) providing a project plan with specific timelines and milestones for the coming two years. 

The authors are, respectively, researcher at XKDR Forum; and cofounder, DeepStrat, and founding CEO, Reserve Bank Information Technology Pvt Ltd