
PAKISTAN’S WEB OF CYBER SCAMMERS
Haseeb, 19, was half an hour away from appearing for a college exam when he received a phone call from an unknown number. When he picked up, the caller introduced himself as an employee of the bank at which Haseeb had an account. The man asked some questions to confirm Haseeb’s bank details before asking him for his ATM pin, which Haseeb provided. Five minutes later, Haseeb had lost a total of Rs60,000 in three back-to-back transactions.
Although financial frauds and scams are punishable crimes in Pakistan, Haseeb thought it was his fault that he was “stupid” enough to give the fraudster his banking details. However, Haseeb’s case is, unfortunately, not an anomaly.
Several people in the country have received calls from individuals pretending to be bank employees over the past few years, and sometimes the callers even pretend to be calling from the State Bank of Pakistan (SBP). Most of the people the author spoke to said they had received calls from regular cellphone numbers, while two individuals stated that they got a call from the bank’s UAN (universal access number).
As in Haseeb’s case, the callers knew the bank where their victims had an account and their particulars, e.g. Computerised National Identity Card (CNIC) number, full name and, sometimes, even their mother’s name (often used as a security question).
The fact that these scam callers are able to convincingly present themselves as bank employees, by providing personal details of their targets, begs the question: where are these criminals getting this information from?
Pakistan’s lack of data protection laws and incoherent cybercrime policy have resulted in gangs of scammers preying on the digital illiteracy of the masses. But how exactly are these gangs able to acquire an individual’s personal and bank details in order to carry out these scams? And can the authorities put an end to this menace?
How data theft occurs
There are dozens of groups on Facebook selling the National Database and Registration Authority’s (Nadra) data, such as family trees, SIM and phone records, and location data. According to the Federal Investigation Agency (FIA) Deputy Director Cyber Crime Asif Iqbal, many lists of mobile numbers have also been dumped online and are still publicly available.
Data available with national and provincial social safety net programmes, such as the Benazir Income Support Programme (BISP), is also being misused, Iqbal claims. The Ministry of Information Technology and Telecommunication did not reply to the author to confirm these claims.
On June 25, 2023, the FIA revealed that a crackdown had taken place against a gang in Gujranwala which would pose as courier company staff and ask for thumbprints from the receivers of courier deliveries. The criminals would then reproduce the thumbprints on a special paper that could be used to activate a cellular phone SIM in that person’s name.
They would then use the SIM to activate the banking app and withdraw money. Members of the gang told the FIA that a “bank data gang member” used to provide them with the necessary details. One of the suspects was a branch manager at a private bank.
Iqbal argues that data theft and misuse is a systemic and deeply entrenched issue within digital banking in Pakistan. A gang of petty criminals in Punjab who were carrying out small-scale phone banking scams now operate as an organised ring. The criminals are based in cities in Punjab such as Sargodha, Jhang, Chiniot, Pindi Bhattian, Hafizabad, Gujrat, Chichawatna, Layyah and Sheikhupura. Iqbal claims that those spearheading these operations “have purchased mansions spread over four kanals [about 2,000 sq metres], and expensive cars.”
As stated earlier, the majority of the people the author spoke to said that they had received these scam calls from regular cell phone numbers. But why do criminals feel they can freely scam people in this manner when tracing a phone number is so simple for the authorities?
Iqbal explains: “They have amassed significant political power over the years. They get tipped off if the FIA is about to conduct a raid. The authorities have been attacked multiple times when they went to conduct a raid.”
Contrary to what one might assume, the gambit used for these scams is pretty simple — exploit the vulnerabilities of the poor, naïve, uneducated and the fearful. Take this case for example. A poor woman goes to buy a SIM and the shopkeeper asks her for her thumbprint. The SIM is activated but he lies to the woman that there is a connectivity issue and asks her to come back the next day. He sells that SIM to fraudsters, while a new SIM is activated using the credentials the woman provided earlier.
“There is a network of such shopkeepers and franchise owners,” says Iqbal. When the FIA traces the SIM back to the franchise and goes there for initial questioning, the criminal has already been tipped off and is on the run.

Banking on the system
In many cases, the staff at the bank is involved in procuring this data as well. Haseeb, who lost Rs60,000, was told by the scam caller that he was following up on a complaint Haseeb had filed with the bank two days earlier due to a failed bank transaction. Several other people the author spoke to said they got such calls after receiving a significant amount of money through an international or local transaction.
The FIA has arrested several bank employees, including managers and senior staff, for being involved in banking scams. One of the major scams in Pakistan, a banking loan scam worth over Rs400 million, led to the arrest of employees of the National Bank of Pakistan (NBP). “Several bank employees are involved in leaking, selling and dealing with data and criminals who operate these scams,” says Iqbal. “I previously arrested the national manager of a bank.”
Bank staff in Faisalabad and Toba Tek Singh, among other cities, have also been arrested for their involvement in such activities. When asked if any banks have ever lodged a first-information report (FIR) with the FIA, or surrendered a potential criminal to the authorities after an internal investigation, Iqbal says no.
The central bank, however, has sprung into action. The SBP has released multiple advisories in the past two years, ordering banks to overhaul their digital systems security, and customer complaints and intimations. The documents include all basic guidelines needed for ensuring the security of banking networks and customers, such as biometric verification for digital banking, registration for usage on new devices, and only allowing a user and password change from a registered device.
The banks are also supposed to set ‘reasonable’ transaction limits for all digital banking channels and must allow customers to manage their limits after authentication. But, while the central bank has mandated banks must follow security measures that are robust and adhere to established standards, the fraudsters are using what the SBP calls ‘social engineering’ to beat the system.
Urooj, an educationist based in Karachi, received a call similar to the one Haseeb got. However, unlike Haseeb, she disconnected the call after suspecting that it was a scam. The person called again, misbehaved with her and threatened to block her account, saying, “Did you not hear what I said? Do you not understand? We will block your account!” The caller then proceeded to tell her he was speaking from the SBP, which he claimed was conducting an audit of all banks.
Urooj felt intimidated and eventually agreed to cooperate. The caller told Urooj to provide him with the user ID and old password of her banking app before telling her to make and share a new password. But Urooj finally mustered up the courage to disconnect the call and blocked the caller. In another similar incident, Urooj received a scam call from a woman. Urooj’s story falls in line with Iqbal’s assertion that scamming is a family business for such criminals, and both men and women are involved in carrying out these calls.
Nations like Pakistan are at an increased risk of falling prey to such scams due to a poor cybercrime policy, as well as a weak cyber security network. In the Global Security Index published by the International Telecommunication Union, which measures a country’s commitment to addressing cyber security issues, Pakistan was ranked 79 out of 182 countries.