MillenniumPost
Opinion

The Price of a Click

From UPI to e-commerce, India’s digital boom is increasingly shadowed by sophisticated cyber frauds exploiting gaps in awareness and enforcement


India has the largest base of daily internet users in the world, with 1 billion internet users in 2026, covering 86 per cent of households. Ironically, however, as the internet footprint grows, so too do attacks by cyber criminals. In 2025 alone, there was a 24 per cent spike in cybercrime cases. UPI, the flagship digital payment gateway in India, has consolidated its position as the world’s largest real-time payment system, supporting approximately 491 million users and 65 million merchants. During 2025, UPI processed over 228 billion transactions annually and roughly 700 million transactions daily, covering 85 per cent of all digital retail payments.

This rapid digitisation has given birth to a sinister parallel industry—a highly organised, technologically adept cybercrime syndicate. Today, traditional methods of physical theft have largely been replaced by silent, digital burglaries. The weapons of choice are no longer lock picks, but malicious Android Application Packages (APKs) and sophisticated social engineering schemes aimed at iPhone users. As this crisis reaches a boiling point across Indian cities and rural hinterlands alike, understanding the mechanics of these attacks and formulating a robust national defence strategy has never been more critical. Bharatpur in Rajasthan, Mathura in Uttar Pradesh, and Nuh in Haryana are now among the top cybercrime hotspots in India, surpassing the previously infamous Jamtara of Jharkhand. According to a Future Crime Research Foundation (FCRF) study, 10 districts, including Deoghar, Gurugram, and Alwar, contribute to 80 per cent of India’s cybercrimes, which mainly involve financial fraud.

Android, which holds the lion’s share of the Indian smartphone market, packages its apps as APK files. The system is built on an open-source framework. This openness is exactly what cyber criminals exploit. Generally, users download apps from the secure Google Play Store, but Android also allows users to install APKs from third-party sources, a process known as “side-loading”. Cyber criminals are adept at leveraging side-loading to bypass the security checks of official app stores. The most dangerous permissions these apps seek are Accessibility Services, SMS reading permissions, and call forwarding. Once granted, the malicious app can silently read incoming One-Time Passwords (OTPs), hide SMS notifications from the user, and even remotely navigate the user’s banking app to transfer funds—all while the victim’s screen might simply appear frozen or show a fake loading screen.
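The permission combination described above can be checked before an app is trusted. The following is an added example, not part of the original article: it assumes the APK's manifest has already been decoded to plain XML (for instance with a tool such as apktool), the sample manifests are constructed, and the `verdict` policy and the use of `CALL_PHONE` as the call-forwarding indicator are this example's assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permission names mapped to the capabilities the article lists.
# Assumption of this example: CALL_PHONE stands in for "call forwarding".
RISKY = {
    "android.permission.READ_SMS": "read_sms",
    "android.permission.RECEIVE_SMS": "read_sms",
    "android.permission.CALL_PHONE": "call_forwarding",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(manifest_xml):
    """Return the article-named capabilities a decoded manifest asks for."""
    found = set()
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            capability = RISKY.get(elem.get(ANDROID_NS + "name", ""))
            if capability:
                found.add(capability)
        elif elem.tag == "service":
            # Accessibility is declared rather than requested: the app's own
            # <service> is protected by BIND_ACCESSIBILITY_SERVICE.
            if elem.get(ANDROID_NS + "permission") == ACCESSIBILITY:
                found.add("accessibility")
    return found

def verdict(found):
    """Hypothetical triage policy: OTP access plus a control channel is high."""
    if "read_sms" in found and found & {"accessibility", "call_forwarding"}:
        return "high"
    return "review" if found else "low"

# Constructed sample manifests, not taken from any real app.
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.challan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(audit_manifest(xml_text)), verdict(audit_manifest(xml_text)))
```

A side-loaded "challan" or "KYC" utility that scores high here has no legitimate need for that combination, which is the signal a user or a help desk can act on before installation.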

This writer, on 8th May 2026, was duped of more than ₹2 lakh by cyber criminals through an APK file named “RTO Challan”. Though it was not fully opened and was promptly blocked and reported, it had already entered the phone. The hackers took control and entered a mobile number into the call forwarding facility, thereby gaining access to OTP messages. Through this, they used my Axis Bank credit card on Flipkart and ordered four Motorola mobile sets. What is interesting is that Flipkart immediately delivered, within five minutes, all mobile phones in Howrah by changing my address. I came to know within seven minutes about the crime, contacted the bank and asked Flipkart to cancel the order as it was fraudulent. What is most deplorable and intriguing is the fact that Flipkart refused to cancel the order, thus pointing to its possible connivance with the criminals. These online shopping companies are increasingly becoming part of the fraud ecosystem. One of the reasons companies like Flipkart may be compromised is that bank credit cards are aligned with foreign gateways like Visa and MasterCard, which are not sufficiently concerned about fraudulent transactions, often shifting the blame to cardholders.

Most people are under the impression that iPhones are immune to cybercrime. While Apple’s “walled garden” approach makes it difficult to side-load malicious apps, iPhone users are still vulnerable to variations of these crimes. Because scammers cannot easily force an iPhone user to download a malicious app, they redirect their strategy to attack the user directly. Instead of an app, the malicious link leads users to a meticulously crafted fake website that mirrors an Indian bank, the income tax portal, or an iCloud login page. They often trick iPhone users into dialling specific USSD codes (like *401# or similar), which activate unconditional call forwarding. When the victim attempts a UPI transaction or bank login, the automated voice call delivering the OTP is forwarded straight to the scammer. While the technical entry point differs from Android, the financial devastation is identical. The vulnerability lies not strictly in the operating system, but in the human interface.

Now, let us discuss the causes of this storm. The first is the poor digital literacy of Indians. While people know how to send money via UPI, their fundamental understanding of digital security, app permissions, and data privacy remains dangerously low. Secondly, there is the trust factor. Indians have a strong tendency to trust authority figures. When a caller claims to be from the bank, the police, the CBI, or customs, the natural instinct is to comply rather than question. Another reason is the lack of prompt action by government agencies and banks. While the government has launched initiatives like the 1930 cyber helpline, the sheer volume of cases often overwhelms local law enforcement. Jurisdictional issues complicate tracking criminals who operate across state lines. Furthermore, once money is siphoned off, it is instantly routed across multiple mule accounts, including cryptocurrencies, making recovery extremely difficult.

Indian citizens’ financial security should be paramount in digital governance. The menace of cybercrime is assuming threatening proportions, and both central and state governments must establish a National Investigation Agency-like organisation to tackle this menace. Since 80 per cent of the crime localities are known, this can be done in a coordinated manner with states and banks. Today, the moot question in the digital era is: why are people not getting their money back when all transactions can be traced? There is a definite complacency among state police and banks. States need to follow the Delhi Police, which has a better record of tackling cybercrime. The Telecom Regulatory Authority of India (TRAI) must enforce stricter protocols on SMS headers. Agencies need to transition from a reactive to a highly proactive stance. This involves actively scraping the internet for malicious APKs targeting Indians and blocking command-and-control servers instantly.

The integration between the National Cyber Crime Reporting Portal (NCRP) and the banking system must be instantaneous. If a victim reports fraud on the 1930 helpline, the associated bank accounts should be frozen within minutes to stop the money trail. The government must launch massive, continuous public service campaigns across television, radio, and social media in regional languages. Banks must upgrade their fraud detection systems from basic rule-based checks to AI-driven behavioural biometrics. For instance, if an account suddenly transfers money to a new payee, or a credit card is used for a high-value transaction at a new address, the system should flag it and require secondary verification.

Views expressed are personal. The writer is a former IFS officer and Chairman of Centre for Resource Management and Environment
