Modus Operandi in Cyber Crimes

Some of the modus operandi followed by fraudsters and criminals in investment / part-time job / Ponzi schemes, wherein the transactions are routed through banking channels, are given hereunder:

Sr. No. Modus Operandi in Cyber Crimes
a Victims are lured through part-time job offers and other advertisements on the Internet and / or messaging platforms, etc. and are promised high commissions / returns.
The advertisements / SMS messages usually contain a link, prompting for chat. Mobile applications, bulk SMS messages, SIM-box-based Virtual Private Networks (VPNs), phishing websites, cloud services, virtual accounts in banks, Application Programming Interfaces (APIs), etc. are used to carry out financial frauds.
b ‘Earn Online’, ‘Part Time Job’, etc. are the keywords used by fraudsters and criminals to match their advertisements. Such advertisements are generally displayed from 10 am to 7 pm, i.e. the peak time for internet use by the Indian public. The websites used by fraudsters generally have domains – ‘xyz’ and ‘wixsite’. These sites either redirect to a messaging platform or to a website which has an embedded messaging platform link which, on clicking, again redirects to a chat.
c Multiple Indian numbers were used for communications with victims. On analysis, it was observed that the mobile number holder was not aware of a messaging platform being operated in his / her name. In some cases, the mobile number holder knowingly shares the OTP in return for some money from the fraudsters.
d The fraudster sends an investment link over chat. Each person has a referral code. The fraudster generally communicates in English. Google Translate is also used to communicate with the victims.
e A screenshot needs to be sent to the person over the messaging platform to activate the account. Once the account is activated, a task is given to the user to gain the confidence of the person. A mandatory condition for doing a task is to load money through Payment Gateways which are not authorised to operate in India. All payments are made through UPI. Some of the UPI addresses belong to companies registered with the Ministry of Corporate Affairs (MCA). Generally, a call centre is used to interact with the victims for communication regarding tasks. For instance, on failure to load funds on the investment website, the call centre executive initiates a call.
f Once the task is completed, the victim is asked to withdraw the money. Money is withdrawn through various Payment Aggregators.
g On getting the first refund, the victim is now lured to do more tasks which involve loading of more money. The process continues and once a big amount is loaded by the victim, the person (fraudster) stops responding over chat.
h UPI details are updated daily on the fraudulent websites. Investment websites keep changing. The source code remains the same but the domain changes.
i Bank accounts opened by money mules using real / fake identification are used to receive stolen funds from compromised bank accounts, through sharing of OTPs, etc. Rented accounts are sourced by agents, and account owners (money mules) are given a fixed rent, commission or lump sum amount for the account.
j Layering of transactions is carried out by account-to-account transfers. Bulk payments / APIs are also used for this.
k From the intermediate account, money is diverted to multiple sources / assets like crypto currencies, bullion, payout accounts (for gaining confidence and hiding laundering), foreign money transfer, person-to-person transfer, etc.
l Instances have been observed where Shell Companies with dummy directors, rented companies with MCA registration certificates, fintech companies, payment gateways, SMS aggregators are reported to be involved in carrying out such financial frauds, mostly using UPI as payment mode. Main objective of opening Shell Companies is to create a current account or a fintech company for accepting or paying out proceeds of frauds. Most of these Shell Companies appear to be Technology Companies.
m UPI addresses are used to create layering behind Payment Aggregators, thereby facilitating end of day settlement.
n The aggregator-on-aggregator concept is used by these players (fraudsters) in order to conceal their identities. The merchants onboarded on the fintech players (e.g. ABC company onboarded on a Payment Aggregator) are frauds. The network of fraudsters starts creating a Payment Aggregator business in collaboration with banks directly or with other fintech companies. The fraudster would be sitting behind the payment aggregator as a sub-aggregator or directly as a merchant. The money collected by the fraudsters, as sub-aggregator and / or as merchant, is remitted to the Payment Aggregator wherefrom the API (app) based payouts take place. After the aggregator network is set up, the accounts are operated for making the payouts by the fraudsters based outside India.
p Gold, crypto currencies, international money transfers are observed by Law Enforcement Agencies (LEAs) to be usual termination points of the fraud trails.
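Items i to k describe mule accounts that collect funds and move them on through account-to-account layering. The following is an added detection sketch, not part of the original document: it flags accounts that receive credits from several payers and forward nearly all of it within a short window, then follows the onward transfers. The ledger, account names and thresholds (2 hours, 3 payers, 90%) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ts = datetime.fromisoformat  # parses "YYYY-MM-DD HH:MM"

# Constructed sample ledger (not real data): (time, payer, payee, amount in INR)
LEDGER = [
    (ts("2024-01-05 10:02"), "victim1@upi", "ACC-MULE-1", 5000),
    (ts("2024-01-05 10:10"), "victim2@upi", "ACC-MULE-1", 12000),
    (ts("2024-01-05 10:25"), "victim3@upi", "ACC-MULE-1", 8000),
    (ts("2024-01-05 10:40"), "ACC-MULE-1", "ACC-LAYER-2", 15000),
    (ts("2024-01-05 10:45"), "ACC-MULE-1", "ACC-LAYER-3", 9500),
    (ts("2024-01-05 11:30"), "ACC-LAYER-2", "EXCHANGE-X", 14900),
    (ts("2024-01-01 09:00"), "EMPLOYER", "ACC-RETAIL", 60000),  # ordinary account
    (ts("2024-01-09 12:00"), "ACC-RETAIL", "LANDLORD", 20000),
]

def pass_through_accounts(ledger, window=timedelta(hours=2), min_payers=3, min_ratio=0.9):
    """Accounts that collect from many payers and forward nearly all of it within `window`."""
    credits, debits = defaultdict(list), defaultdict(list)
    for when, src, dst, amt in ledger:
        debits[src].append((when, amt))
        credits[dst].append((when, src, amt))
    flagged = {}
    for acct, cr in credits.items():
        for start, _, _ in cr:  # try a window opening at each credit
            end = start + window
            payers = {p for t, p, _ in cr if start <= t <= end}
            total_in = sum(a for t, _, a in cr if start <= t <= end)
            total_out = sum(a for t, a in debits[acct] if start <= t <= end)
            if len(payers) >= min_payers and total_out >= min_ratio * total_in:
                flagged[acct] = {"payers": len(payers), "in": total_in, "out": total_out}
                break
    return flagged

def trace_onward(ledger, account, max_hops=4):
    """Follow transfers leaving `account` hop by hop to expose the layering trail."""
    trail, frontier, seen = [], [(account, datetime.min)], {account}
    for _ in range(max_hops):
        nxt = []
        for acct, since in frontier:
            for when, src, dst, amt in ledger:
                if src == acct and when >= since:
                    trail.append((src, dst, amt))
                    if dst not in seen:
                        seen.add(dst)
                        nxt.append((dst, when))
        frontier = nxt
    return trail
```

The salary account is not flagged because it has a single payer and its spending falls outside the window; real thresholds need tuning against an institution's own transaction data.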
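Item h notes that the source code stays the same while the domain and the UPI details change. The following added example, which is not part of the original document, groups captured pages by a fingerprint computed after masking exactly those two changing parts, and collects the UPI addresses seen per group. The domains, page bodies and UPI addresses are constructed, and the UPI pattern is a loose assumption that also matches some e-mail addresses.

```python
import hashlib
import re
from collections import defaultdict

# Loose pattern for UPI-style addresses (name@handle); assumption, not a formal grammar
UPI_RE = re.compile(r"\b[\w.\-]{2,}@[a-zA-Z]{2,}\b")

# Constructed sample captures (not real sites): domain -> page source
PAGES = {
    "earn-daily.example": "<html><title>Earn Online</title>"
        "<a href='https://earn-daily.example/join'>Join</a>\n<p>Pay to: shopA@okbank</p></html>",
    "task-bonus.example": "<html><title>Earn Online</title>"
        "<a href='https://task-bonus.example/join'>Join</a> <p>Pay to: rentedco@upi</p></html>",
    "news.example": "<html><title>Local news</title><p>Contact desk@news.example</p></html>",
}

def fingerprint(domain, html):
    """Hash the page after masking the parts that rotate: own domain and UPI address."""
    text = html.lower().replace(domain.lower(), "<domain>")
    text = UPI_RE.sub("<upi>", text)
    text = re.sub(r"\s+", " ", text).strip()  # ignore whitespace differences
    return hashlib.sha256(text.encode()).hexdigest()

def cluster(pages):
    """Return groups of two or more domains serving the same masked source."""
    groups = defaultdict(lambda: {"domains": set(), "upi_ids": set()})
    for domain, html in pages.items():
        group = groups[fingerprint(domain, html)]
        group["domains"].add(domain)
        group["upi_ids"].update(UPI_RE.findall(html))  # review: may include e-mails
    return [g for g in groups.values() if len(g["domains"]) > 1]
```

An exact hash only matches pages that are identical after masking; sites that vary more than the domain and payment address would need a similarity measure instead.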