#FactCheck -Old 2016 Madame Tussauds Wax Statue Video Misrepresented as PM Modi Being “Made Up” by Team

Executive Summary:

Cyber incidents are evolving along with time, they are designed to attract and lure people through social networking sites and/or messaging services. In the recent past a spate of messages alleging that TRAI is offering ‘3 months free recharge with free voice calls and internet for 4g/5g with 200 GB free data’. These messages display the TRAI logo with attractive offers to trick the users into revealing their personal details. This blog discusses the functioning of this free mobile recharge scheme, its methods and guidelines on how to avoid such fake schemes. This blog explains the importance of vigilance and verification when receiving any links, emphasizing the need to report suspicious activities and educate others to prevent identity theft and protect personal information. 

Claim:

The message circulated an  enticing offer: free mobile recharge for 3 months which provides unlimited  free voice calls with 200GB 4G/5G data with TRAI logo. The key characteristics of the false claims are

• Official Branding: The logo of TRAI has been viewed as a deceptive facade of credibility. 

• Unrealistic Offers: It is accompanied by a free recharge , which is intended for an extended period indefinite period, like most fraudsters’ bait. 

• Urgency and Exclusivity: The offer is for a limited time to make urgency forcing the receiver to take the offer without confirmation. 

 The Deceptive Scheme:

Organized systematically, the fraudulent campaign usually proceeds in several steps, all of which aim at extracting  the victim’s personal data. Here’s a breakdown of the scheme:

1. Initial Contact:  Such messages or calls reach the users’ inboxes or phone numbers through social media applications such as WhatsApp or through text messages. These messages further implies that the user was chosen for the special offer from TRAI, which elicits the interest of the user. 

 2. Information Request: To claim the purported offer, users are directed to a website or asked to reply with personal details, including:

•  Phone number 
•  State of residence 
•  SIM provider details 

This is useful for the scammers as they harvest information which can be used to conduct identity theft or sold to others on the shady part of the internet known as the ‘Dark Web’. 

3. Fake Confirmation: After providing all the information, a congratulatory message appears on the screen showing that their phone number is eligible for the offer. The user is compelled to forward the message to many phone numbers through whatsapp to get the offer. 

 4. Pressure Tactics: The  message often implies a sense of time constraint or fear which psychologically produces pressure to provide all the user information. For example, users are given messages such as that if they do not ‘act now’, they will lose their mobile service. 

Analyzing the Fraudulent Campaign 

The TRAI fraudulent recharge scheme case depicts that  social engineering is used in cyber crimes. Here are some key aspects that characterize this campaign:

• Sophisticated Social Engineering 

Scammers take advantage of the holders’ confidence in official bodies such as TRAI. By using official TRAI logos, official language they try to deceive even cautious people. 

• Viral Spread 

The user is compelled to share the given message to friends and groups; this is an excellent strategy to spread the scam. It not only spreads the fraudulent message but also tries to extract the details of other people. 

• Technical Analysis

• Domain Name: SGOFF[.]CYOU
• Registry Domain ID: D472308342-CNIC
• Registrar WHOIS Server: whois.hkdns.hk
• Registrar URL: http://www.hkdns.hk
• Updated Date: 2024-07-24T18:50:48.0Z
• Creation Date: 2024-07-19T18:48:44.0Z
• Registry Expiry Date: 2025-07-19T23:59:59.0Z
• Registrar: West263 International Limited
• Registrar IANA ID: 1915
• Registrant State/Province: Anhui
• Registrant Country: CN
• Name Server: NORMAN.NS.CLOUDFLARE.COM
• Name Server: PAM.NS.CLOUDFLARE.COM
• DNSSEC: unsigned

Cloudflare Inc. is used to cover the scam. The real website always uses the older domain while this url has been registered recently which indicates that this link is a scam.  

‍

‍

The  graph indicates that some of the communicated files and websites are malicious.

CyberPeace Advisory and Best Practice:

In light of the growing threat posed by such scams, the Research Wing of CyberPeace recommend the following best practices to help users protect themselves: 

1. Verify Communications: It is always advisable to visit the official site of the organization or call the official contact numbers of the company to speak to their customer care and clarify about the offers. 

2. Do not share personal information: No genuine organization will call the people for personal information.  Step carefully and do not provide personal  information that will lead to identity theft when dealing with such offers. 

3. Report Fraudulent Activity: If one receives any calls or messages that seem to be suspicious, then the user can report cyber crimes to the National Cyber Crime Reporting Portal on www. cybercrime. gov. in or call on 1930. Such scams are reportable and assist the authorities in tracking and fighting the vice. 

4. Educate Others : Always raise awareness among friends by sharing these kinds of scams. Educating people helps to avoid them falling prey to such fraudulent schemes. 

5. Use Reliable Resources :  Always refer to official sources or websites for any kind of offers or promotions.

Conclusion:

The free recharge scheme for 3 months with the logo of TRAI is a fraudulent scam. There is no official information from TRAI or in their official website about this free recharge scheme. Though the scheme looks attractive, it is deceptive.  Through this, the scammers are trying to collect personal details of the individual. Before clicking any links, it is necessary to check the authenticity of the information, report these kinds of incidents to spread awareness among people. Always be safe and be vigilant.  

‍

Introduction

The much-awaited DPDP Rules have now finally been released in the official Gazette on 3rd January 2025 for consultation. The draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) invites objections and suggestions from stakeholders that can be submitted on MyGov (https://mygov.in) by 18th February 2025.

DPDP Rules at Glance 

• Processing of Children's Data: The draft rules say that ‘A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child’. It entails that children below 18 will need parents' consent to create social media accounts.
• The identity of the parents and their age can be verified through reliable details of identity and age available with the Data Fiduciary, voluntarily provided identity proof or virtual token mapped to the same. The data fiduciaries are also required to observe due diligence for checking that the individual identifying themselves as the parent is an adult who is identifiable, if required, in connection with compliance with any law for the time being in force in India. Additionally, the government will also extend exemptions from these specific provisions pertaining to processing of children's data to educational institutions, and child welfare organisations.
• Processing of Personal Data Outside India: The draft rules specify that the transfer of personal data outside India, whether it is processed within the country or outside in connection with offering goods or services to individuals in India, is permitted only if the Data Fiduciary complies with the conditions prescribed by the Central Government through general or specific orders.
• Intimation of Personal Data Breach: On becoming aware of a personal data breach, the Data Fiduciary must promptly notify the affected Data Principals in a clear and concise manner through their user account or registered communication method. This notification should include a description of the breach (nature, extent, timing, and location), potential consequences for the Data Principal, measures taken or planned to mitigate risks, recommended safety actions for the Data Principal, and contact information of a representative to address queries. Additionally, the Data Fiduciary must inform the Board without delay, providing details of the breach, its likely impact, and initial findings. Within 72 hours (or a longer period allowed by the Board upon request), the Data Fiduciary must submit updated information, including the facts and circumstances of the breach, mitigation measures, findings about the cause, steps to prevent recurrence, and a report on notifications given to affected Data Principals. 
• Data Protection Board: The draft rules propose establishing the Data Protection Board, which will function as a digital office, enabling remote hearings, and will hold powers to investigate breaches, impose penalties, and perform related regulatory functions.

Journey of Digital Personal Data Protection Act, 2023

The foundation for the single statute legislation on Data Protection was laid down in 2017, in the famous ‘Puttaswami judgment,’ which is also well recognised as the Aadhar Card judgment. In this case, ‘privacy’  was recognised as intrinsic to the right to life and personal liberty, guaranteed by Article 21 of the Constitution of India, thus making ‘Right to Privacy’ a fundamental right.  In the landmark Puttaswamy ruling, the apex court of India stressed the need for a comprehensive data protection law. 

Eight years on and several draft bills later, the Union Cabinet approved the Digital Personal Data Protection Bill (DPDP) on 5th July 2023. The bill was tabled in the Lok Sabha on 3rd August 2023, and It was passed by Lok Sabha on 7th August, and the bill passed by Rajya Sabha on 9th August and got the president's assent on 11th August 2023; and India finally came up with the ‘Digital Personal Data Protection Act, 2023. This is a significant development that has the potential to bring about major improvements to online privacy and the handling of digital personal data by the platforms.

The Digital Personal Data Protection Act, 2023, is a newly-enacted legislation designed to protect individuals' digital personal data. It aims to ensure compliance by Data Fiduciaries and imposes specific obligations on both Data Principals and Data Fiduciaries. The Act promotes consent-based data collection practices and establishes the Data Protection Board to oversee compliance and address grievances. Additionally, it includes provisions for penalties of up to ₹250 crores in the event of a data breach. However, despite the DPDP Act being passed by parliament last year, the Act has not yet taken effect since its rules and regulations are still not finalised.

Conclusion

It is heartening to see that the Ministry of Electronics and Technology (MeitY) has finally released the draft of the much-awaited DPDP rules for consultation from stakeholders. Though noting certain positive aspects, there is still room for addressing certain gaps and multiple aspects under the draft rules that require attention. The public consultation, including the inputs from the tech platforms, is likely to see critical inputs on multiple aspects under the proposed rules. One such key area of interest will be the requirement of verifiable parental consent, which will likely include recommendations for a balanced approach which maintains children’s safety and mechanisms for the requirement of verifiable consent. The Provisions permitting government access to personal data on grounds of national security are also expected to face scrutiny. The proposed rules, after the consultation process, will be taken into consideration for finalisation after 18th February 2025.  The move towards establishing a robust data protection law in India signals a significant step toward enhancing trust and accountability in the digital ecosystem. However, its success will hinge on effective implementation, clear compliance mechanisms, and the adaptability of stakeholders to this evolving regulatory landscape.

References

• Draft DPDP Rules; https://egazette.gov.in/(S(rszckzjqxkns41cjzagebonx))/ViewPDF.aspx
• DPDP Act 2023; https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

Introduction

The Telecom Regulatory Authority of India (TRAI) has directed all telcos to set up detection systems based on Artificial Intelligence and Machine Learning (AI/ML) technologies in order to identify and control spam calls and text messages from unregistered telemarketers (UTMs).

The TRAI Directed telcos

The telecom regulator, TRAI, has directed all Access Providers to detect Unsolicited commercial communication (UCC)by systems, which is based on Artificial Intelligence and Machine Learning to detect, identify, and act against senders of Commercial Communication who are not registered in accordance with the provisions of the Telecom Commercial Communication Customer Preference Regulations, 2018 (TCCCPR-2018). Unregistered Telemarketers (UTMs) are entities that do not register with Access Providers and use 10-digit mobile numbers to send commercial communications via SMS or calls.

TRAI steps to curb Unsolicited commercial communication

TRAI has taken several initiatives to reduce Unsolicited Commercial Communication (UCC), which is a major source of annoyance for the public. It has resulted in fewer complaints filed against Registered Telemarketers (RTMs). Despite the TSPs’ efforts, UCC from Unregistered Telemarketers (UTMs) continues. Sometimes, these UTMs use messages with bogus URLs and phone numbers to trick clients into revealing crucial information, leading to financial loss.

To detect, identify, and prosecute all Unregistered Telemarketers (UTMs), the TRAI has mandated that Access Service Providers implement the UCC.

Detect the System with the necessary functionalities within the TRAI’s Telecom Commercial Communication Customer Preference Regulations, 2018 framework.

Access service providers have implemented such detection systems based on their applicability and practicality. However, because UTMs are constantly creating new strategies for sending unwanted communications, the present UCC detection systems provided by Access Service providers cannot detect such UCC.

TRAI also Directs Telecom Providers to Set Up Digital Platform for Customer Consent to Curb Promotional Calls and Messages.

Unregistered Telemarketers (UTMs) sometimes use messages with fake URLs and phone numbers to trick customers into revealing essential information, resulting in financial loss.

TRAI has urged businesses like banks, insurance companies, financial institutions, and others to re-verify their SMS content templates with telcos within two weeks. It also directed telecom companies to stop misusing commercial messaging templates within the next 45 days.

The telecom regulator has also instructed operators to limit the number of variables in a content template to three. However, if any business intends to utilise more than three variables in a content template for communicating with their users, this should be permitted only after examining the example message, as well as adequate justifications and justification.

In order to ensure consistency in UCC Detect System implementations, TRAI has directed all Access Providers to deploy UCC and detect systems based on artificial intelligence and Machine Learning that are capable of constantly evolving to deal with new signatures, patterns, and techniques used by UTMs.

Access Providers have also been directed to use the DLT platform to share intelligence with others. Access Providers have also been asked to ensure that such UCC Detect System detects senders that send unsolicited commercial communications in bulk and do not comply with the requirements. All Access Providers are directed to follow the instructions and provide an update on actions done within thirty days.

The move by TRAI is to curb the menacing calls as due to this, the number of scam cases is increasing, and now a new trend of scams started as recently, a Twitter user reported receiving an automated call from +91 96681 9555 with the message “This call is from Delhi Police.” It then asked her to stay in the queue since some of her documents needed to be picked up. Then he said he works as a sub-inspector at the Kirti Nagar police station in New Delhi. He then inquired whether she had recently misplaced her Aadhaar card, PAN card, or ATM card, to which she replied ‘no’. The scammer then poses as a cop and requests that she authenticate the last four digits of her card because they have found a card with her name on it. And a lot of other people tweeted about it.

Conclusion

TRAI directed the telcos to check the calls and messages from Unregistered numbers. This step of TRAI will curb the pesky calls and messages and catch the Frauds who are not registered with the regulation. Sometimes the unregistered sender sends fraudulent links, and through these fraudulent calls and messages, the sender tries to take the personal information of the customers, which results in financial losses.