The Data Behind India’s Digital Fraud Surge
India’s Rapid Digital Expansion
Over the past decade, India has experienced a rapid digitalisation process. The rise of digital financial services, affordable internet costs, and the penetration of smartphones have transformed the way people communicate, transact and do business online.
Online payment systems, including Unified Payments Interface (UPI), have enabled real-time transactions between banks and financial systems. As much as these systems have enhanced access to finance and efficiency, they have also created new opportunities for cybercriminals.
Cybercrime has evolved alongside the shift of financial and social interactions to digital platforms. The fraud attacks on online payments, online banking, and personal information have become common and increasingly costly.
To analyse the scale and trend of cybercrime in India, this analysis will use the datasets released by the National Crime Records Bureau (NCRB) and financial fraud data released by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs.
The Rise of Cybercrime in India
The Rise of Cybercrime in India
Source: National Crime Records Bureau – Crime in India Reports
The data released by the NCRB documents cybercrime incidents registered by the police at the national level under the Information Technology Act, 2000 (IT Act) and criminal provisions covering offences such as cheating, impersonation, and digital fraud. In the past, the offences were listed in the provisions of the Indian Penal Code (IPC). Following criminal law reforms in India, on 1 July 2024, the Bharatiya Nyaya Sanhita (BNS), which replaced the IPC, came into force. Section 419 (cheating by impersonation), IPC, would be related to BNS Section 319 and Section 420 (cheating and dishonestly inducing delivery of property), which would be related to BNS Section 318(4). Similarly, crimes involving forgery and use of forged documents or electronic documents, which were previously contained in the IPC Sections 465-471, are dealt with in BNS Sections 335-340.
The data published by the NCRB represent the number of crimes that reached the point of the First Information Report (FIR) registration, meaning they reflect only cybercrime cases that were formally presented to the law enforcement system to investigate, rather than all complaints reported. The data shows that cybercrime cases increased from 27,248 in 2018 to 86,420 in 2023, a 3.17-fold increase in 5 years.
Two structural shifts are visible: the post-pandemic jump and subsequent acceleration.
However, these figures likely underestimate the true scale of cybercrime because many incidents are reported only through online complaint portals and may not result in FIR registration.
The Financial Scale of Digital Fraud
The Financial Scale of Digital Fraud
This dataset tracks financial fraud complaints reported through the National Cyber Crime Reporting Portal (NCRP) and the estimated financial losses associated with those complaints.
The financial losses reported between 2021 and 2024 increased by 41 times over four years, compared to 2021, from 551 crore to 22,848 crore. At the same time, the number of complaints rose from 262,846 to over 1.9 million, an increase of ~623%, indicating both rising victimisation and greater public awareness of reporting mechanisms.
The contrast between these two trends is striking:
While complaints increased by around 7 times, financial losses increased by over 40 times.
Distribution of Cyber-Fraud Complaints and Financial Losses by Fraud Type
This divergence implies an uneven relationship between the number of incidents and the financial damage that they inflict. Most cyber fraud incidents involve relatively small transaction values; however, a smaller group of fraud categories result in disproportionate numbers of financial losses.
Distribution of Financial Losses Across Major Cyber-Fraud Categories in India
As reported by The Indian Express, based on the data compiled by the I4C, investment-related scams alone account for roughly 77% of reported cyber-fraud losses, followed by smaller shares from “digital arrest” scams (8%), credit card fraud (7%), sextortion (4%), e-commerce fraud (3%), and malware or app-based fraud (1%). This distribution means that even though scams with lower values, like phishing, OTP fraud, and small payment fraud, produce a high proportion of complaints, few categories of fraud produce most of the financial losses.
Analysis
1. Cybercrime is expanding faster than most traditional crimes: The fact that cybercrime cases have tripled in five years shows that cyber offences are presently becoming a significant element of Indian crime. Unlike conventional crimes that require physical proximity, cybercrime can be conducted remotely and at scale, enabling perpetrators to target large numbers of victims simultaneously.
2. Financial losses are concentrated in a small set of fraud categories: As cases of cybercrimes have been on the increase, the monetary losses of digital fraud cases have been increasing at a higher rate. The fact that the number of reported financial losses has increased 40 times in 4 years indicates that cybercrime has a very high economic impact.
3. Complaint volumes and financial damage follow different patterns: When comparing complaints and financial losses, it is evident that cyber fraud losses are unevenly distributed across types of incidents. Most of the prevalent scams reported, including phishing or OTP fraud, involve relatively small transaction values but yield a high portion of complaints. Conversely, fewer categories of fraud, especially investment-based schemes, contribute a significantly higher percentage of total financial losses.
4. Digital financial infrastructure has expanded the attack surface: India’s rapid adoption of digital payment systems, mobile banking and digital financial systems has dramatically increased the number of potential victims of cybercriminals. The scale of online transactions creates new vulnerabilities that organised cybercrime networks take advantage of.
5. Reporting improvements reveal previously hidden crime: The expansion of national reporting systems has enhanced the transparency in the trends of cybercrime. The increase in the number of complaints recorded is partially due to improved reporting systems and not necessarily to the increased criminal activity, meaning that previous data might have understated the magnitude of cyber fraud.
Recommendations
1. Move from reactive policing to proactive cyber-risk monitoring: The conventional models of policing focus on investigation of crimes that have already taken place. With such a magnitude and pace of cyber fraud, India should have systems that are designed to detect and prevent the fraud at its early stages, such as real-time observation of suspicious patterns in transactions by financial institutions.
2. Strengthen financial intelligence sharing across institutions: There are a lot of instances of cyber fraud that use more than one bank, payment system, and telecommunication provider. To detect new networks of fraud sooner, it can be suggested to establish more information-sharing measures between the financial institution and law enforcement agencies.
3. Target organised cyber fraud networks rather than individual incidents: Many digital scams operate through organised networks that coordinate phishing, mule accounts, and fake payment channels. The solution in regard to this involves dismantling these networks through investigative procedures instead of treating incidents on a case-by-case basis.
4. Improve recovery mechanisms for stolen funds: The recovery of the funds lost is one of the most difficult issues in cases of cyber fraud. Expanding systems such as the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) can improve the speed at which fraudulent transactions are frozen or reversed.
5. Strengthen digital financial literacy: A significant percentage of cyber frauds are based on social engineering methods that take advantage of user behaviour as opposed to technical weaknesses. Victimisation can be greatly reduced through specific public awareness efforts on typical scam schemes.
Conclusion
India’s experience illustrates a broader global trend: as economies digitise, crime increasingly follows the flow of digital money. While cybercrime incidents are rising steadily, the much faster growth in financial losses suggests that cybercriminals are becoming more organised, technologically sophisticated, and economically motivated.
References:
- https://indianexpress.com/article/india/indians-lost-rs-53000-crore-fraud-cheating-cases-six-years-maharashtra-2025-10452185/
- https://www.pib.gov.in/PressReleasePage.aspx?PRID=2226441®=3&lang=2 -
- https://www.ncrb.gov.in/crime-in-india.html
- https://i4c.mha.gov.in/index.aspx
- https://i4c.mha.gov.in/index.aspx
Related Blogs
Introduction
Valentine’s Day celebrates the bond between people, their romantic love, and their deep relationships with others. The increasing use of digital platforms in modern relationships has created a situation where cybercriminals use this time of year to exploit human emotions for money-making schemes. The period around 14 February often sees a rise in online romance scams, phishing attacks, and fake shopping websites that specifically target people who are emotionally vulnerable and active online. People need to be aware of these scams because this awareness helps them protect their personal information and their financial resources.
The Rise of Romance Scams
Modern romance scams have evolved from their original form because criminals now execute their schemes through more advanced methods. Fraudsters create authentic-looking fake identities, which they use to deceive victims through dating applications, social media platforms and networking websites. The profiles use stolen images and fake job histories, together with convincing emotional stories, which help them establish trust with potential victims.
Scammers usually begin their deception after they have built an emotional connection with their targets. Once trust is established, they introduce a crisis or an opportunity that pressures the victim to act quickly. This is often presented as a problem that needs urgent help or a chance that should not be missed, such as:
- A sudden medical emergency that requires money for treatment
- Requests for travel expenses to finally come and meet in person
- Fake investment opportunities that promise quick or guaranteed returns
- Demands for customs, courier, or clearance fees to release a supposed package or gift
They make the victim give money to them and buy gift cards and handle personal banking details. The scam takes place for several weeks or months until the victim starts to show doubt about what is happening. The psychological manipulation that occurs in romance scams causes severe harm to their victims. Victims experience two types of damage because criminals steal their money, and they suffer emotional pain, and their social standing gets damaged.
Fake E-Commerce and “Valentine’s Deals”
Valentine's Day marks the beginning of a shopping rush, which leads people to buy various gifts, including flowers, jewellery and customised products, as well as making reservations for events. Cybercriminals create fake websites to exploit this demand by providing fake discounts and temporary promotional offers.
Common warning signs include:
- Newly registered domains that lack valid user reviews
- Websites that contain multiple spelling mistakes and display poor design
- Payment requests through methods that cannot be tracked
- Online platforms that lack secure payment processing systems
Consumers who make purchases on such sites face the risk of losing money while their card information is stolen for future fraudulent activities.
Phishing in the Name of Love
During the holiday season, phishing campaigns increase their focus on particular targets. Users may receive:
- Valentine's Day discount emails
- Messages that claim to show secret admirer intentions
- Links that lead to supposed romantic surprises
- Delivery notifications that inform about unreceived gifts
Malicious links result in credential theft, malware installation and unauthorised financial transactions. At first glance, these attacks show resemblance to authentic brands and logistics companies, which makes them hard to identify.
Investment and Crypto Romance Fraud
A rising type of romance scams now uses cryptocurrency and online trading platforms as their new approach. Scammers who establish trust with their victims will convince them to invest in digital assets that appear to generate high returns. The fake dashboards display excellent investment results to convince investors to commit more funds. The process stops when they block all withdrawal requests and stop all contact with the user. The combination of emotional manipulation with financial fraud shows how cybercrime develops according to technological advancements.
Why Seasonal Scams Work
Seasonal scams succeed because they match the predictable behaviour patterns that people exhibit during specific times of the year. During Valentine’s season:
- People experience their highest emotional vulnerability
- People shop more frequently through online platforms
- People use digital platforms at increased rates
- Users will decrease their level of scepticism while trying to establish connections with others
Cybercriminals use urgent situations together with emotional ties and social norms as their primary attack methods. The combination of psychological triggers and digital convenience creates fertile ground for deception.
CyberPeace Recommendations for Staying Safe This Valentine’s Season
The digital platforms provide people who search for connections with valuable opportunities to connect with others, yet users must remain careful about their online activities. People can protect themselves from online fraud by following these steps:
- They should confirm identity details before they give away their private data.
- They should not send money to people whom they met only through internet platforms.
- They should verify website ownership and examine customer feedback before making online purchases.
- They should activate multi-factor authentication for their social media accounts and financial accounts.
- People should treat unexpected links with great care, especially those links that create a sense of urgency.
- The Cybercrime reporting portal www.cybercrime.gov.in with 24x7 helpline 1930 is an effective tool at the disposal of victims of cybercrimes to report their complaints.
- In case of any cyber threat, issue or discrepancy, you can also seek assistance from the CyberPeace Helpline at +91 9570000066 or write to us at helpline@cyberpeace.net. Immediate reporting protects victims and helps to combat cybercrime.
Conlusion
Online safety during festive seasons requires shared responsibility among multiple parties. Digital resilience is strengthened through the combined efforts of platforms, financial institutions, regulators, and civil society organisations. The digital ecosystem becomes safer through three essential elements, which include awareness campaigns, stronger verification systems, and timely reporting mechanisms.
Valentine’s Day centres on the building of trust between people who want to connect with each other. To maintain trust in digital environments, users need to practice digital literacy skills, which should be shared by everyone. People who stay updated about cybersecurity threats can celebrate Valentine’s Day more safely, because their expressions of love remain protected from online scams.
References
- https://www.cloudsek.com/blog/valentines-day-cyber-attack-landscape-exploiting-love-through-digital-deception
- https://about.fb.com/news/2025/02/how-avoid-romance-scams-this-valentines-day/
- https://www.fbi.gov/contact-us/field-offices/sanfrancisco/fbi-san-francisco-warns-romance-scams-increasing-across-the-bay-area-this-valentines-day
- https://abc11.com/post/romance-scams-surge-ahead-valentines-day/18581079/
- https://www.moneycontrol.com/technology/5-common-online-scams-you-should-avoid-this-valentine-s-day-article-13820108.html
The Digital Personal Data Protection (DPDP) Act, 2023, operationalises data privacy largely through a consent management framework. It aims to give data principles, ie, individuals, control over their personal data by giving them the power to track, change, and withdraw their consent from its processing. However, in practice, consent management is often not straightforward. For example, people may be frequently bombarded with requests, which can lead to fatigue and eventual overlooking of consent requests. This article discusses the way consent management is handled by the DPDP Act, and looks at how India can design the system to genuinely empower users while holding organisations accountable.
Consent Management in the DPDP Act
According to the DPDP Act, consent must be unambiguous, free, specific, and informed. It must also be easy for people to revoke their consent (DPO India, 2023). To this end, the Act creates Consent Managers- registered middlemen- who serve as a link between users and data custodians.
The purpose of consent managers is to streamline and centralise the consent procedure. Users can view, grant, update, or revoke consent across various platforms using the dashboards they offer. They hope to improve transparency and lessen the strain on people to keep track of permissions across different services by standardising the way consent is presented (IAPP, 2024).
The Act draws inspiration from international frameworks such as the GDPR (General Data Protection Regulation), mandating that Indian users be provided with a single platform to manage permissions rather than having to deal with dispersed consent prompts from every service.
The Challenges
Despite the mandate for an interoperable platform for consent management, several key challenges emerge. There is a lack of clarity on how consent management will be operationalised. This creates challenges of accountability and implementation. Thus, :
- If the interface is poorly designed, users could be bombarded with content permissions from apps/platforms/ services that are not fully compliant with the platform.
- If consent notices are vague, frequent, lengthy, or complex, users may continue to grant permissions without meaningful engagement.
- It leaves scope for data fiduciaries to use dark patterns to coerce customers into granting consent through poor UI/UX design.
- The lack of clear, standardised interoperability protocols across sectors could lead to a fragmented system, undermining the goal of a single, easy-to-use platform.
- Consent fatigue could easily appear in India's digital ecosystem, where apps, e-commerce websites, and government services all ask for permissions from over 950 million internet subscribers. Experiences from GDPR countries show that users who are repeatedly prompted eventually become banner blind, which causes them to ignore notices entirely.
- Low levels of literacy (including digital literacy) and unequal access to digital devices among women and marginalised communities create complexities in the substantive coverage of privacy rights.
- Placing the burden of verification of legal guardianship for children and persons with disabilities (PwDs) on data fiduciaries might be ineffective, as SMEs may lack the resources to undertake this activity. This could create new forms of vulnerability for the two groups.
Legal experts claim that this results in what they refer to as a legal fiction, wherein consent is treated as valid by the law despite the fact that it does not represent true understanding or choice (Lawvs, 2023). Additionally, research indicates that users hardly ever read privacy policies in their entirety. People are very likely to tick boxes without fully understanding what they are agreeing to. By drastically limiting user control, this has a bearing on the privacy rights of Indian citizens and residents. (IJLLR, 2023).
Impacts of Weak Consent Management:
According to the Indian Journal of Law and Technology, in an era of asymmetry and information overload, privacy cannot be sufficiently protected by relying only on consent (IJLT, 2023). Almost every individual will be impacted by inadequate consent management.
- For Users: True autonomy is replaced by the appearance of control. Individuals may unintentionally disclose private information, which undermines confidence in digital services.
- For Businesses: Compliance could become a mere formality. Further, if acquired consent is found to be manipulated or invalid, it creates space for legal risks and reputational damage.
- For Regulators: It becomes difficult to oversee a system where consent is frequently disregarded or misinterpreted. When consent is merely formal, the law's promise to protect personal information is undermined.
Way Forward
- Layered and Simplified Notices: Simple language and layers of visual cues should be used in consent requests. Important details like the type of data being gathered, its intended use, and its duration should be made clear up front. Additional explanations are available for users who would like more information. This method enhances comprehension and lessens cognitive overload (Lawvs, 2023).
- Effective Dashboards: Dashboards from consent managers should be user-friendly, cross-platform, and multilingual. Management is made simple by features like alerts, one-click withdrawal or modification, and summaries of active permissions. The system is more predictable and dependable when all services use the same format, which also reduces confusion (IAPP, 2024).
- Dynamic and Contextual Consent: Instead of appearing as generic pop-ups, consent requests should show up when they are pertinent to a user's actions. Users can make well-informed decisions without feeling overburdened by subtle cues, such as emphasising risks when sensitive data is requested (IJLLR, 2023).
- Accountability of Consent Managers: Organisations that offer consent management services must be accountable and independent, through clear certification, auditing, and specific legal accountability frameworks. Even when formal consent is given, strong trustee accountability guarantees that data is not misused (IJLT, 2023).
- Complementary Protections Beyond Consent: Consent continues to be crucial, but some high-risk data processing might call for extra protections. These may consist of increased responsibilities for fiduciaries or proportionality checks. These steps improve people's general protection and lessen the need for frequent consent requests (IJLLR, 2023).
Conclusion
The core of the DPDP Act is to empower users to have control over their data through measures such as consent management. But requesting consent is insufficient; the system must make it simple for people to manage, monitor, and change it. Effectively designed, managed, and executed consent management has the potential to revolutionise user experience and trust in India's digital ecosystem if it is implemented carefully.To make consent management genuinely meaningful, it is imperative to standardise procedures, hold fiduciaries accountable, simplify interfaces, and investigate supplementary protections.
References
Building Trust with Technology: Consent Management Under India’s DPDP Act, 2023
Consent Fatigue and Data Protection Laws: Is ‘Informed Consent’ a Legal Fiction
Beyond Consent: Enhancing India's Digital Personal Data Protection Framework
Top 10 operational impacts of India’s DPDPA – Consent management
Introduction
The United Nations (UN) has unveiled a set of principles, known as the 'Global Principles for Information Integrity', to combat the spread of online misinformation, disinformation, and hate speech. These guidelines aim to address the widespread harm caused by false information on digital platforms. The UN's Global Principles are based on five core principles: social trust and resilience, independent, free, and pluralistic media, healthy incentives, transparency and research, and public empowerment. The UN chief emphasized that the threats to information integrity are not new but are now spreading at unprecedented speeds due to digital platforms and artificial intelligence technologies.
These principles aim to enhance global cooperation in order to create a safer online environment. It was further highlighted that the spread of misinformation, disinformation, hate speech, and other risks in the information environment poses threats to democracy, human rights, climate action, and public health. This impact is intensified by the emergence of rapidly advancing Artificial Intelligence Technology (AI tech) that poses a growing threat to vulnerable groups in information environments.
The Highlights of Key Principles
- Societal Trust and Resilience: Trust in information sources and the ability and resilience to handle disruptions are critical for maintaining information integrity. Both are at risk from state and non-state actors exploiting the information ecosystem.
- Healthy Incentives: Current business models reliant on targeted advertising threaten information integrity. The complex, opaque nature of digital advertising benefits large tech companies and it requires reforms to ensure transparency and accountability.
- Public Empowerment: People require the capability to manage their online interactions, the availability of varied and trustworthy information, and the capacity to make informed decisions. Media and digital literacy are crucial, particularly for marginalized populations.
- Independent, Free, and Pluralistic Media: A free press supports democracy by fostering informed discourse, holding power accountable, and safeguarding human rights. Journalists must operate safely and freely, with access to diverse news sources.
- Transparency and research: Technology companies must be transparent about how information is propagated and how personal data is used. Research and privacy-preserving data access should be encouraged to address information integrity gaps while protecting those investigating and reporting on these issues.
Stakeholders Called for Action
Stakeholders, including technology companies, AI actors, advertisers, media, researchers, civil society organizations, state and political actors, and the UN, have been called to take action under the UN Global Principles for Information Integrity. These principles should be used to build and participate in broad cross-sector coalitions that bring together diverse expertise from civil society, academia, media, government, and the international private sector, focussing on capacity-building and meaningful youth engagement through dedicated advisory groups. Additionally, collaboration is required to develop multi-stakeholder action plans at regional, national, and local levels, engaging communities in grassroots initiatives and ensuring that youth are fully and meaningfully involved in the process.
Implementation and Monitoring
To effectively implement the UN Global Principles at large requires developing a multi-stakeholder action plan at various levels such as at the regional, national, and local levels. These plans should be informed and created by advice and counsel from an extensive range of communities including any of the grassroots initiatives having a deep understanding of regional challenges and their specific needs. Monitoring and evaluation are also regarded as essential components of the implementation process. Regular assessments of the progress, combined with the flexibility to adapt strategies as needed, will help ensure that the principles are effectively translated into practice.
Challenges and Considerations
Implementing these Global Principles of the UN will have certain challenges. The complexities that the digital landscape faces with the rapid pace of technological revamp, and alterations in the diversity of cultural and political contexts all present significant hurdles. Furthermore, the efforts to combat misinformation must be balanced with protecting fundamental rights, including the right to freedom of expression and privacy. Addressing these challenges to counter informational integrity will require continuous and ongoing collaboration with constant dialogue among stakeholders towards a commitment to innovation and continuous learning. It is also important to recognise and address the power imbalance within the information ecosystem, ensuring that all voices are heard and that any person, specifically, the marginalised communities is not cast aside.
Conclusion
The UN Global Principles for Online Misinformation and Information Integrity provide a comprehensive framework for addressing the critical challenges that are present while facing information integrity today. Advocating and promoting societal trust, healthy incentives, public empowerment, independent media, and transparency, these principles offer a passage towards a more resilient and trustworthy digital environment. The future success of these principles depends upon the collaborative efforts of all stakeholders, working together to safeguard the integrity of information for everyone.
References
- https://www.business-standard.com/world-news/un-unveils-global-principles-to-combat-online-misinformation-hate-speech-124062500317_1.html
- https://www.un.org/sustainabledevelopment/blog/2024/06/global-principles-information-integrity-launch/
- https://www.un.org/sites/un2.un.org/files/un-global-principles-for-information-integrity-en.pdf
- https://www.un.org/en/content/common-agenda-report/assets/pdf/Common_Agenda_Report_English.pdf
