Identity Based Cyber Offences – SIM Swap | Deepfakes

  • By Taxmann
  • Last Updated on 11 February, 2026

Identity Based Cyber Offences

Identity-Based Cyber Offences refer to cybercrimes in which a perpetrator steals, misuses, or fraudulently exploits another person’s identity-related information—such as passwords, OTPs, electronic signatures, Aadhaar/PAN details, biometric data, or digital credentials—to impersonate the individual or gain unauthorised access to systems, accounts, or services, typically for financial gain, deception, or other unlawful purposes.

Table of Contents

  1. Methods and Threat Vectors
  2. SIM Swap and Porting Frauds
  3. Deepfakes, Spoofing, and Identity Theft
  4. Legal Framework
  5. Information Technology Act, 2000 (Punishment for Identity Theft Sections 66C) (Penalty for Breach of Confidentiality and Privacy Section 72)
Check out AIFTP X Taxmann's Cyber Crimes & Financial Offences – Practical Solution which is a definitive publication for India's fast-evolving landscape of digital fraud and financial crime. Developed by AIFTP under the editorship of Dr K. Shivaram, it unifies expertise from law, taxation, compliance, and technology into a clear, Q&A-driven reference covering Direct Tax, GST, PMLA, IT Act, data protection, banking frauds, and e-commerce risks. The book equips professionals and citizens to identify threats, prevent cyber-enabled offences, and respond effectively through structured procedures and practical tools. Featuring specimen letters, checklists, case laws, and a comparative UAE chapter, it serves as an indispensable resource for legal practitioners, financial experts, enforcement agencies, and learners.

In today’s increasingly digital world, identity is no longer restricted to physical documents; it exists extensively online across countless platforms and services. From banking and shopping to learning, work, and social interactions, almost every aspect of life is linked to digital identity. Unfortunately, this digital footprint has become a prime target for cybercriminals. Identity-based cyber offences are crimes where fraudsters steal or misuse personal information to impersonate individuals, gain unauthorised access to accounts, or commit fraud, often leading to significant financial losses and emotional distress.

This article serves as a practical guide for every individual navigating the digital landscape. It explains the common methods cybercriminals use to steal and misuse identity, delves into the robust legal frameworks in India designed to provide protection, examines real-world case studies to understand victim pathways, and finally, equips readers with essential prevention tools to protect their digital presence. Understanding these threats is the first crucial step towards building a secure, informed and resilient digital presence, one which empowers people to engage online without fear.

1. Methods and Threat Vectors

This section explores the primary techniques cybercriminals employ to compromise and exploit identity in the digital realm. Understanding these methods is crucial for recognising potential threats and taking proactive measures to safeguard personal information.


2. SIM Swap and Porting Frauds

SIM swap fraud, also known as SIM hijacking or SIM splitting, is a sophisticated cybercrime where fraudsters gain control of a mobile number by tricking the telecom service provider. Once the scammer manages to control the number or SIM, they can intercept calls, messages, and crucial One-Time Passwords (OTPs), which are often used for two-factor authentication (2FA) to access sensitive accounts. This type of fraud can lead to significant financial losses and identity theft.

2.1 Frequently Asked Questions (FAQs)

FAQ 1. What is SIM swap fraud?

SIM swap fraud is a type of cybercrime where fraudsters illegally take control of an existing mobile phone number by moving it to a new SIM card. They commit this fraud by tricking the mobile service provider into transferring the mobile number to a new SIM card under their control, making it believe that they are the legitimate subscriber, often by falsely claiming that the original phone or SIM card is lost or damaged. It allows the scammer to intercept calls and text messages, including one-time passwords (OTPs), and gain unauthorised access to sensitive accounts such as banking, emails, or social media.

FAQ 2. How do fraudsters trick telecom providers into performing a SIM swap?

Fraudsters trick telecom providers into a SIM swap primarily through social engineering and by exploiting weak authentication processes. Fraudsters gather a victim’s personal information beforehand so that they can convincingly impersonate the individual and persuade a telecom employee to transfer the phone number to a new SIM card under their control. This information is often acquired through phishing emails/messages, social engineering or by purchasing illegal data. Armed with the data, the fraudster contacts the service provider for a SIM replacement, posing as the legitimate account holder. They use the victim’s stolen personal information to answer security questions, bypass standard identity verification protocols, and convince the customer service representative of their legitimacy. In some cases, fraudsters may even bribe telecom employees to facilitate the unauthorised swap. To prevent such tricks, individuals should avoid sharing personal details and OTPs with unknown callers and activate SIM-locking or port-locking features to add a layer of protection.

FAQ 3. What are the common signs that my SIM card might have been swapped?

Common signs of a SIM swap include a sudden and unexpected loss of cell service on a device, an inability to make or receive calls and text messages, or receiving security alerts about SIM activation on an individual’s account. Individuals might find themselves unable to log into online accounts (such as banking or social media) or they may notice unusual transactions on bank statements. Additional warning signs include receiving messages about a SIM activation that you have not requested. If any of these occur, immediately contact your telecom provider to prevent further misuse.

FAQ 4. What immediate dangers does SIM swapping pose to me?

The most immediate danger is unauthorised access to a person’s financial and personal accounts. Since many online services utilise SMS-based OTPs for two-factor authentication, fraudsters who gain control of your number can intercept these codes. Once fraudsters gain access to the victim’s number, they misuse it to reset passwords, make unauthorised transactions from bank accounts, and access email and social media profiles, thus leading to severe financial losses and identity theft. In some cases, attackers misuse the victim’s identity to apply for loans, open new accounts, or impersonate the victim online to target friends and colleagues, extending the risk to your digital reputation. To mitigate such risks, individuals should contact their telecom providers and alert their bank.

FAQ 5. How does Mobile Number Portability (MNP) relate to this fraud?

Mobile Number Portability (MNP) is a legitimate feature that allows individuals to switch mobile service providers while retaining their existing phone number. Fraudsters can misuse this feature in “port-out scams” by tricking the victim’s current provider into porting the number to a new service account or device controlled by the fraudster. They leverage stolen personal information to convince the company that the request is legitimate. Porting transfers full control of the number to the new SIM, which enables the attackers to receive OTPs and account alerts. To reduce such risks, users should enable port-out protection offered by telecom operators, avoid sharing personal details, and treat sudden “porting request” messages as red flags requiring immediate action.

FAQ 6. What techniques do fraudsters use to gather information for SIM swaps?

Beyond social engineering and data breaches, fraudsters employ various techniques to collect the information required for SIM swap fraud. These include sending phishing emails or messages designed to trick individuals into revealing sensitive information, infecting devices with malware to harvest credentials, using fake identification documents, or even exploiting the mobile number portability process itself. Fraudsters often identify and target individuals with significant financial assets.

FAQ 7. Can SIM swap fraud lead to unauthorised bank transactions?

Yes, it can. In fact, unauthorised bank transactions are one of the primary objectives of SIM swap fraud. Once fraudsters gain access to the mobile number, they can bypass the two-factor authentication system by intercepting OTPs and banking alerts sent to the hijacked phone number. This enables them to gain unauthorised access to bank accounts, payment applications, or cryptocurrency wallets, allowing them to drain funds or make fraudulent online purchases.

FAQ 8. Are there any specific measures taken by Indian regulators to prevent SIM swap fraud?

Yes, the Telecom Regulatory Authority of India (TRAI) has implemented specific measures to prevent SIM swap fraud, such as a 7-day restriction on SIM porting after a new SIM is issued. This 7-day “cooling-off” period aims to make it tougher for fraudsters to hijack a number and to make the victim aware of such a request via text message. Additionally, the Department of Telecommunications (DoT) has introduced enhanced KYC protocols for SIM swap and replacement procedures and launched platforms like ‘Chakshu’ for reporting suspicious and fraudulent telecom activities, which helps to detect and prevent such scams more efficiently.

FAQ 9. Why is relying solely on SMS-based two-factor authentication (2FA) risky against SIM swap fraud?

Relying solely on SMS-based 2FA is risky because once fraudsters successfully gain control of your mobile number through a SIM swap, they can intercept the one-time passwords (OTPs) sent via text messages. This bypasses the security layer that 2FA is supposed to provide, allowing the attackers to gain access to your personal accounts simply by intercepting those codes, even if you have a strong password.

FAQ 10. What role does the human element play in SIM swap fraud?

The human element plays a significant role in SIM swap fraud, as fraudsters rely heavily on social engineering tactics to manipulate victims into revealing sensitive and personal information to facilitate unauthorised SIM changes. This means that human susceptibility to deception or corruption can be one of the weakest links in the security chain. Individuals can reduce such risks by staying alert to unsolicited calls/messages and refusing to share sensitive information. Additionally, telecom operators shall enforce strict verification and periodic training to minimise such risks.

FAQ 11. What is a “port-out scam”?

A “port-out scam” refers to a type of SIM swap fraud where criminals trick a victim’s current mobile service provider into transferring their phone number to a new service account or device controlled by the fraudster, exploiting the legitimate mobile number portability feature. This enables the fraudster to hijack calls, messages, and OTPs linked to the number.

FAQ 12. What should I do if I suspect my phone service has suddenly stopped working without explanation?

A sudden and unexpected loss of network (e.g., “No Service” or only 911 calls) is a primary warning indicator of SIM swap fraud. You should immediately contact your telecom provider from another phone or landline to block the compromised SIM and mobile number. Additionally, you should alert your bank to watch for any unusual activity and temporarily freeze high-risk transactions, and change the passwords of your key accounts until your number is restored.

3. Deepfakes, Spoofing, and Identity Theft

The digital age has introduced new frontiers for identity-based cybercrime, moving beyond simple data theft to sophisticated forms of digital impersonation. Deepfakes and various spoofing techniques represent a significant escalation in the methods criminals use to deceive and defraud.

3.1 Frequently Asked Questions (FAQs)

FAQ 1. What are deepfakes and how are they used in cybercrime?

According to CERT-In, deepfakes are “synthetic media created using artificial intelligence (AI) to generate or manipulate realistic images, videos, and audio.” [1] In cybercrime, fraudsters use them to exploit human trust in visual and auditory information for various malicious activities, primarily social engineering, financial fraud, or disinformation campaigns.

FAQ 2. Can you provide examples of deepfake incidents in India?

Yes, notable incidents include a viral, manipulated video showing a woman with actress Rashmika Mandanna’s face entering a lift, which sparked a national outcry over non-consensual synthetic media. Another prominent case involved a fake video of veteran investor Madhusudan Kela promoting a fraudulent investment scheme. This highlights how deepfakes can be used to mislead the public and lead to financial harm and erosion of trust. Such cases underscore the need to re-check suspicious videos, verify financial and investment claims directly from official sources and immediately report such manipulated content to cybercrime portals.

FAQ 3. What is “spoofing,” particularly email spoofing?

Spoofing is a technique where cybercriminals disguise their communication via email, phone call, or website to appear as if it originates from a trusted source. Email spoofing specifically involves sending an email with a forged sender address to deceive the recipient into believing it came from a legitimate source. It is the act of forging the “From” address in an email to mislead the recipient about the actual sender. The end goal is to trick the recipient into taking harmful actions like clicking a malicious link, downloading malware, or revealing sensitive information.

FAQ 4. How do cybercriminals carry out email spoofing attacks?

Email spoofing is a threat that includes sending emails with a fake sender’s address. Cybercriminals carry out email spoofing by altering the email’s displayed “From” name to a familiar one, making it look like the message came from a trusted source. The Simple Mail Transfer Protocol (SMTP), which handles email delivery, lacks strong built-in authentication features, which allows attackers to send messages with a forged sender’s address. Through spoofed emails, fraudsters rely heavily on social engineering to convince the recipient that the message is real; the emails might carry a sense of urgency or links to fake websites meant to defraud the recipient. To reduce such risks, users should always check the full email address, check links before clicking, and avoid downloading unsolicited attachments.

FAQ 5. What is the difference between email spoofing and phishing?

Email spoofing is the act of faking the sender’s email address, while phishing is the broader act of sending deceptive emails to trick recipients into revealing their sensitive information. Email spoofing is a threat that includes sending emails with a fake sender’s address. Phishing, on the other hand, is a broader social engineering attack that often uses email spoofing as a method to steal sensitive information. Spoofing is a method used to make phishing attacks more believable.

FAQ 6. What is identity theft in simple terms?

Identity theft occurs when someone uses another person’s personal information—such as their name, address, credit card details, Aadhaar number, PAN, or even personal photographs—without their knowledge or consent, typically to commit fraud or other crimes. The primary goal is usually to gain illegal financial benefits or cause harm to the victim.

FAQ 7. What are the different types of identity theft?

Types of identity theft include financial, medical, criminal, and child identity theft, which are often carried out through digital methods. Common types of identity theft include:

  • Financial Identity Theft – A common type of identity theft, in which personal data is used without authorisation to open accounts, obtain loans, or make unauthorised transactions.
  • Child Identity Theft – Using a child’s identity to access benefits, loans, or credit, often remaining undetected for years.
  • Criminal Identity Theft – Posing as another person during an arrest or to avoid legal consequences.
  • Synthetic Identity Theft – Combining real and fake information to create a new, fabricated identity.
  • Tax Identity Theft – Filing fraudulent tax returns using another person’s details.

FAQ 8. How do criminals typically obtain personal information for identity theft?

Criminals acquire personal information through various illicit means. Common methods include large-scale data breaches (where large datasets are leaked), purchasing stolen data from the dark web, using phishing or vishing scams to trick individuals into sharing sensitive details, ATM skimming (installing devices on ATMs to steal card details), and malware attacks that infect devices to steal data. Fraudulent emails, such as the “PAN 2.0 scam,” are also a significant vector to extract personal identifiers.

FAQ 9. What is the “PAN 2.0 scam” and why is it dangerous?

The “PAN 2.0 scam” is a specific phishing scam where fraudulent emails are circulated, falsely promising users an upgraded Permanent Account Number (PAN) card. These emails are designed to appear official, using forged seals and urgent language to pressure the recipient. The email contains malicious links that redirect unsuspecting citizens to fake websites, which then prompt them to enter their PAN, Aadhaar, bank account details, and other personal data, leading to identity theft and financial fraud. To stay safe, users should avoid clicking links in unsolicited emails and always verify information on official government websites or portals.

FAQ 10. Why are deepfakes considered a significant leap in cybercrime compared to traditional spoofing?

Deepfakes are considered a significant escalation in cybercrime because they employ advanced artificial intelligence to produce highly convincing video, image, and audio impersonations, making it much more difficult to tell real from fake compared to traditional text or email based spoofing. Deepfake content can mimic voice tone, facial expressions, lip sync, shadows and other subtle cues, making it much harder for the average person to distinguish genuine content from fabricated media. The spelling mistakes, grammar errors or suspicious email addresses that often exposed older spoofing schemes are no longer enough to reliably detect fraud.

FAQ 11. What is the “media trust crisis” caused by deepfakes?

The “media trust crisis” refers to the blurring of lines between fact and fabrication due to AI-generated content like deepfakes. The public begins to doubt the authenticity of what they see and hear online as fake, AI-manipulated videos, audio clips, and images become increasingly realistic. This leads to an erosion of trust and undermines confidence in legitimate news, public figures, and institutions. To navigate such a crisis, individuals should rely on verified news or portals and cross-check sensational content before sharing.

FAQ 12. Why is personal identity information considered the “ultimate currency” in cybercrime?

Personal identity information (like PAN, Aadhaar, bank details) is considered the ultimate currency because it is not just a target in itself, but a primary enabler for a wide array of financial exploitation, including unauthorised transactions, opening fake accounts, and money laundering. Once criminals/fraudsters obtain the relevant data, they can carry out unauthorised transactions, open fraudulent bank and loan accounts, or even engage in large-scale money laundering.

FAQ 13. What is “phishing” in the context of identity theft?

Phishing is a social engineering attack where cybercriminals send deceptive messages (often emails) that appear to be from a trusted source to trick individuals into revealing sensitive personal information, such as login credentials, banking details, or personal identifiers, which are then misused for identity theft or financial fraud.

FAQ 14. How can individuals protect themselves from phishing scams like the “PAN 2.0 scam”?

To protect yourself from phishing scams like the “PAN 2.0 scam”, always verify the sender’s email address (legitimate government emails end in .gov.in or .nic.in), avoid clicking suspicious links or downloading attachments from unexpected or urgent-looking messages, and access government services only through official government portals. Add an extra layer of security by enabling two-factor authentication, and report suspicious emails immediately and delete them to prevent any accidental clicks.
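The sender checks described in FAQ 4 and FAQ 14 of this section can be run over raw message headers. The sketch below is an added example, not part of the original article: the sample messages, the `example.gov.in` and `.example` domains and the function names are constructed for illustration, and the alignment test is a simplification of what DMARC does.

```python
import re
from email import message_from_string
from email.utils import parseaddr

GOV_SUFFIXES = (".gov.in", ".nic.in")  # suffixes named in FAQ 14

def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def is_government(domain):
    """True for gov.in / nic.in and their subdomains, not for 'pan-gov.in'."""
    return any(domain == s[1:] or domain.endswith(s) for s in GOV_SUFFIXES)

def aligned(a, b):
    """Simplified alignment: same domain, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def auth_verdicts(msg):
    """spf/dkim/dmarc results from Authentication-Results. Only trust this
    header when your own receiving mail server added it."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def inspect_sender(raw, expect_government=False):
    """Return a list of findings for one raw message (headers plus body)."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    return_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    findings = []
    # A display name that itself contains an address hides the real one.
    shown = re.search(r"[\w.+-]+@([\w.-]+\.[a-z]{2,})", display, re.I)
    if shown and shown.group(1).lower() != from_domain:
        findings.append("display-name-shows-other-address")
    if expect_government and not is_government(from_domain):
        findings.append("sender-not-gov-domain")
    # The bounce address belongs to the system that really sent the message.
    if return_domain and not aligned(return_domain, from_domain):
        findings.append("return-path-mismatch")
    if auth_verdicts(msg).get("dmarc") == "fail":
        findings.append("dmarc-fail")
    return findings

# Constructed samples. FORGED_FROM forges the From address itself, so the
# suffix check alone passes and only Return-Path and DMARC expose it.
FORGED_FROM = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=example.gov.in
From: "PAN Services" <noreply@example.gov.in>
Subject: Upgrade to PAN 2.0

Click the link to upgrade.
"""
# DISPLAY_NAME_TRICK passes authentication for its own domain; only reading
# the full address reveals that it is not a government sender.
DISPLAY_NAME_TRICK = """\
Return-Path: <bounce@mail-secure.example>
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass
From: "PAN Services <noreply@example.gov.in>" <pan-update@mail-secure.example>
Subject: Upgrade to PAN 2.0

Click the link to upgrade.
"""
LEGITIMATE = """\
Return-Path: <bounce@mail.example.gov.in>
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass
From: "Helpdesk" <helpdesk@example.gov.in>
Subject: Acknowledgement

Your request was received.
"""

if __name__ == "__main__":
    for name in ("FORGED_FROM", "DISPLAY_NAME_TRICK", "LEGITIMATE"):
        print(name, inspect_sender(globals()[name], expect_government=True))
```

The two spoofed samples fail different checks, which is why the address suffix, the Return-Path and the recorded DMARC result are read together rather than relying on any one of them.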

4. Legal Framework

India has established a robust legal framework to combat identity-based cyber offenses, drawing from specialised cyber laws and traditional criminal statutes. Understanding these provisions is crucial for victims seeking justice and for individuals to comprehend the legal consequences of such crimes.

5. Information Technology Act, 2000 (Punishment for Identity Theft Sections 66C) (Penalty for Breach of Confidentiality and Privacy Section 72)

The Information Technology (IT) Act, 2000, is India’s primary legislation addressing cybercrime and electronic commerce. It contains specific provisions that directly address identity theft and the breach of digital privacy.

4.1 Frequently Asked Questions (FAQs)

FAQ 1. What does Section 66C of the Information Technology (IT) Act, 2000, address?

Section 66C of the IT Act, 2000, specifically addresses “identity theft.” It penalises anyone who dishonestly or fraudulently uses another person’s electronic signature, password, or any other unique identification feature such as biometrics, OTPs, or digital IDs. The provision aims to protect individuals’ digital identities from abuse and illegal access.

FAQ 2. What is the punishment for identity theft under IT Act Section 66C?

Whoever commits identity theft under Section 66C can be punished with imprisonment of either description for a term which may extend to three years, and shall also be liable to a fine which may extend to rupees one lakh (Rs. 1,00,000).

FAQ 3. What does Section 72 of the IT Act, 2000, cover?

Section 72 of the IT Act, 2000, deals with the “Penalty for Breach of confidentiality and privacy.” It states that any person who has gained access to any electronic record, book, register, correspondence, information, document, or other material in the course of their duties under the Act or its rules, and who discloses such information to another person without consent, can be punished. This provision aims to safeguard the privacy of individuals, empower trust, and ensure that sensitive information accessed through official capacity is not misused.


  1. CERT-In, Advisory on Deepfake Content, Advisory No. CIAD-2024-0060, available at: https://www.cert-in.org.in/s2cMainServlet?VLCODE=CIAD-2024-0060&pageid=PUBVLNOTES02

Disclaimer: The content/information published on the website is only for general information of the user and shall not be construed as legal advice. While the Taxmann has exercised reasonable efforts to ensure the veracity of information/content published, Taxmann shall be under no liability in any manner whatsoever for incorrect information, if any.

Taxmann Publications has a dedicated in-house Research & Editorial Team. This team consists of a team of Chartered Accountants, Company Secretaries, and Lawyers. This team works under the guidance and supervision of editor-in-chief Mr Rakesh Bhargava.

The Research and Editorial Team is responsible for developing reliable and accurate content for the readers. The team follows the six-sigma approach to achieve the benchmark of zero error in its publications and research platforms. The team ensures that the following publication guidelines are thoroughly followed while developing the content:

  • The statutory material is obtained only from the authorized and reliable sources
  • All the latest developments in the judicial and legislative fields are covered
  • Prepare the analytical write-ups on current, controversial, and important issues to help the readers to understand the concept and its implications
  • Every content published by Taxmann is complete, accurate and lucid
  • All evidence-based statements are supported with proper reference to Section, Circular No., Notification No. or citations
  • The golden rules of grammar, style and consistency are thoroughly followed
  • Font and size that’s easy to read and remain consistent across all imprint and digital publications are applied
