Haseeb, 19, was half an hour away from appearing for a college exam when he received a phone call from an unknown number. When he picked up, the caller introduced himself as an employee of the bank at which Haseeb had an account. The man asked some questions to confirm Haseeb’s bank details before asking him for his ATM pin, which Haseeb provided. Five minutes later, Haseeb had lost a total of Rs60,000 in three back-to-back transactions.

Although financial frauds and scams are punishable crimes in Pakistan, Haseeb thought it was his fault that he was “stupid” enough to give the fraudster his banking details. However, Haseeb’s case is, unfortunately, not an anomaly.

Several people in the country have received calls from individuals pretending to be bank employees over the past few years, and sometimes the callers even pretend to be calling from the State Bank of Pakistan (SBP). Most of the people the author spoke to said they had received calls from regular cellphone numbers, while two individuals stated that they got a call from the bank’s UAN (universal access number).

As in Haseeb’s case, the callers knew the bank where their victims had an account and their particulars e.g. Computerised National Identity Card (CNIC) number, full name and, sometimes, even their mother’s name (often used as a security question).

The fact that these scam callers are able to convincingly present themselves as bank employees, by providing personal details of their targets, begs the question: where are these criminals getting this information from?

Pakistan’s lack of data protection laws and incoherent cybercrime policy have resulted in gangs of scammers preying on the digital illiteracy of the masses. But how exactly are these gangs able to acquire an individual’s personal and bank details in order to carry out these scams? And can the authorities put an end to this menace?

How data theft occurs

There are dozens of groups on Facebook selling the National Database and Registration Authority’s (Nadra) data, such as family trees, SIM and phone records, and location data. According to the Federal Investigation Agency (FIA) Deputy Director Cyber Crime Asif Iqbal, many lists of mobile numbers have also been dumped online and are still publicly available.

Data available with national and provincial social safety net programmes, such as the Benazir Income Support Programme (BISP), is also being misused, Iqbal claims. The Ministry of Information Technology and Telecommunication did not reply to the author to confirm these claims.

On June 25, 2023, the FIA revealed that a crackdown had taken place against a gang in Gujranwala which would pose as courier company staff and ask for thumbprints from the receivers of courier deliveries. The criminals would then reproduce the thumbprints on a special paper that could be used to activate a cellular phone SIM on that person’s name.

They would then use the SIM to activate the banking app and withdraw money. Members of the gang told the FIA that a “bank data gang member” used to provide them with the necessary details. One of the suspects was a branch manager at a private bank.

Iqbal argues that data theft and misuse is a systemic and deeply entrenched issue within digital banking in Pakistan. A gang of petty criminals in Punjab who were carrying out small-scale phone banking scams now operate as an organised ring. The criminals are based in cities in Punjab such as Sargodha, Jhang, Chiniot, Pindi Bhattian, Hafizabad, Gujrat, Chichawatna, Layyah and Sheikhupura. Iqbal claims that those spearheading these operations “have purchased mansions spread over four kanals [about 2,000 sq metres], and expensive cars.”

FIA Deputy Director Cyber Crime Asif Iqbal argues that data theft and misuse is a systemic and deeply entrenched issue within digital banking in Pakistan. A gang of petty criminals in Punjab who were carrying out small-scale phone banking scams now operate as an organised ring. The criminals are based in cities in Punjab such as Sargodha, Jhang, Chiniot, Pindi Bhattian, Hafizabad, Gujrat, Chichawatna, Layyah and Sheikhupura As stated earlier, the majority of the people the author spoke to said that they had received these scam calls from regular cell phone numbers. But why do criminals feel they can freely scam people in this manner when tracing a phone number is so simple for the authorities?

Iqbal explains: “They have amassed significant political power over the years. They get tipped off if the FIA is about to conduct a raid. The authorities have been attacked multiple times when they went to conduct a raid.”

Contrary to what one might assume, the gambit used for these scams is pretty simple — exploit the vulnerabilities of the poor, naïve, uneducated and the fearful. Take this case for example. A poor woman goes to buy a SIM and the shopkeeper asks her for her thumbprint. The SIM is activated but he lies to the woman that there is a connectivity issue and asks her to come back the next day. He sells that SIM to fraudsters, while a new SIM is activated using the credentials the woman provided earlier.

“There is a network of such shopkeepers and franchise owners,” says Iqbal. When the FIA traces the SIM back to the franchise and goes there for initial questioning, the criminal has already been tipped off and is on the run.

Banking on the system

In many cases, the staff at the bank is involved in procuring this data as well. Haseeb, who lost Rs60,000, was told by the scam caller that he was following up on a complaint Haseeb had filed with the bank two days earlier due to a failed bank transaction. Several other people the author spoke to said they got such calls after receiving a significant amount of money through an international or local transaction.

The FIA has arrested several bank employees, including managers and senior staff, for being involved in banking scams. One of the major scams in Pakistan, a banking loan scam worth over Rs400 million, led to the arrest of employees of the National Bank of Pakistan (NBP). “Several bank employees are involved in leaking, selling and dealing with data and criminals who operate these scams,” says Iqbal. “I previously arrested the national manager of a bank.”

Bank staff in Faisalabad and Toba Tek Singh, among other cities, have also been arrested for their involvement in such activities. When asked if any banks have ever lodged a first-information report (FIR) with the FIA, or surrendered a potential criminal to the authorities after an internal investigation, Iqbal says no.

The central bank, however, has sprung into action. The SBP has released multiple advisories in the past two years, ordering banks to overhaul their digital systems security, and customer complaints and intimations. The documents include all basic guidelines needed for ensuring the security of banking networks and customers, such as biometric verification for digital banking, registration for usage on new devices, and only allowing a user and password change from a registered device.

The banks are also supposed to set ‘reasonable’ transaction limits for all digital banking channels and must allow customers to manage their limits after authentication. But, while the central bank has mandated banks must follow security measures that are robust and adhere to established standards, the fraudsters are using what the SBP calls ‘social engineering’ to beat the system.

Urooj, an educationist based in Karachi, received a call similar to the one Haseeb got. However, unlike Haseeb, she disconnected the call after suspecting that it was a scam. The person called again, misbehaved with her and threatened to block her account, saying, “Did you not hear what I said? Do you not understand? We will block your account!” The caller then proceeded to tell her he was speaking from the SBP, which he claimed was conducting an audit of all banks.

Urooj felt intimidated and eventually agreed to cooperate. The caller told Urooj to provide him with the user ID and old password of her banking app before telling her to make and share a new password. But Urooj finally mustered up the courage to disconnect the call and blocked the caller. In another similar incident, Urooj received a scam call from a woman. Urooj’s story falls in line with Iqbal’s assertion that scamming is a family business for such criminals, and both men and women are involved in carrying out these calls.

Nations like Pakistan are at an increased risk of falling prey to such scams due to a poor cybercrime policy, as well as a weak cyber security network. In the Global Security Index published by the International Telecommunication Union, which measures a country’s commitment to addressing cyber security issues, Pakistan was ranked 79 out of 182 countries

The scammer’s gambit

Common people are susceptible to falling for these scams because many of them receive a call from the bank UAN, which they instinctively trust. Urooj did too. The criminals are able to do this by using ‘soft SIMs’.

A ‘soft SIM’ has no physical or hardware parts and, unlike common SIMs, it does not require a dedicated SIM tray where the SIM card must be placed. Think of the soft SIM as a type of software. It lets the user put in any number they want, including a bank’s UAN number, or an international number. As a result, when a user places a call using this software, the number displayed on the receiver’s cellphone can be whatever the user wants it to be.

In communication systems design, security protocols are used at both the software and hardware level. According to the Global System for Mobile Communications, any SIM that does not have both these security components has an increased likelihood of being used for hacking. In Pakistan, soft SIMs are also used to scam vulnerable people into giving up their ATM pins. Iqbal warns that this is an easily available technology that anyone can access.

There are also a variety of other methods employed by such scammers to lull their targets into a false sense of security by gaining their trust.

For instance, the scammer might tell the target that they have won a lottery and can avail the prize money once they share some personal details. Another ploy that several Pakistanis have fallen victim to is one where they receive a call informing them that their family member had been abducted and would only be released after a quick transfer of money. In reality, no such abduction has occurred, and the scammers are hoping that the ‘high stakes’ nature of the conversation would hurriedly force their targets into sending the money.

Yet another common scam in Pakistan is one where a person receives a call from ‘abroad’ telling them that the caller is a relative or family friend. Using the victim’s data to win over their trust, the caller then proceeds to say that he accidentally transferred money into their account, sends a fake screenshot, and asks for the amount to be ‘returned’.

However, the tactics in Pakistan seem to change every two or three years. Around three years ago, the most common scam involved the one time password (OTP) generated to authenticate logins and transactions.

Amar, a development professional and student in the US, almost lost his money to such a scam when he was in Pakistan in 2019. He received a call from a person who said that an Easypaisa shopkeeper had mistakenly sent his money to Amar’s number and that when Amar gets an OTP he should share it with the caller. Amar refused since he had received no text or Easypaisa push notification, but the caller insisted and called repeatedly. He said he was from a small town in Punjab and could not afford to lose this money.

Upon hearing this, Amar agreed to cooperate, but he was smart enough to move his money out of the account before telling the caller the OTP he eventually received. Later, when Amar tried to log into his account, he couldn’t because the password had been changed. Eventually, after contacting the bank, Amar was able to access his account again. Amar says that he put his guard down because the OTP he had received did not mention anything about a password change.

It is these little details that the criminals exploit, all while the SBP and private banks release advisories upon advisories and send text messages warning against scams. As a result, the central theme of cybercrime in Pakistan continues to be data theft.

Pakistan, especially during the tenure of the previous government, touted itself as a country primed for a digital revolution because of increased internet penetration, an exciting start-up scene and the foreign investments flowing in for these ventures.

However, this happened alongside an increase in cybercrime and a lack of data protection laws. Many of the start-ups were fintech (financial technology) companies and/or digital wallets. Pakistan has experienced an increase in the usage of digital banking, but financial literacy still remains low. As a result, users of digital banking remain susceptible to volunteering their details to scammers if threatened or manipulated in a convincing way.

Iqbal says criminals are buying digital wallet franchises, which are used as fronts, specifically to have access to a wide set of data, including thumbprints. The FIA has the technical skills to trace some of these criminals, particularly those that use soft SIMS, but the main issue is presenting a comprehensive case against them in the courts. “They have well-paid lawyers,” Iqbal states. “They file writ petitions in courts against raids and arrests.”

In need of data laws

Pakistan has a cybercrime law to deal with such crimes, but it still does not have a data protection law. This means that hotels, restaurants, retailers, online stores etc. will freely ask you for your CNIC number in order to process a financial transaction and can deny their services if you refuse to comply. A data protection law would define what personal data is and what particulars can be used, stored and processed by businesses.

The European Union’s (EU) General Data Protection Regulation (GDPR) is usually referred to as the standard for what constitutes personal data rights, including the removal of personal details from third-party search engines. Without such a law, any government department, business or potential employer is free to ask for, store and use your data as they please.

Government websites, such as those of the Federal Board of Revenue (FBR) and vehicle registration departments, openly display people’s personal data. In 2021, FIA officials stated that Nadra’s data had been compromised, yet few have been held accountable. Banking details of customers have been hacked by hackers believed to be operating outside of Pakistan, and these details have been dumped on the dark web. The Ministry of Information Technology and Telecommunication did not respond to questions about progress on the Data Protection Bill, a draft of which has been on its website since 2016.

Iqbal says that, since around 2019, complaints regarding financial fraud, scams and hacking have increased significantly. According to data from 2022, 40 percent of the over 100,000 complaints received by the FIA in the country are related to financial fraud. According to an SBP complaints analysis document (2016-2019), the volume and value of e-banking transactions in Pakistan increased by 112 percent and 152 percent, respectively, and there was a 71 percent increase in e-banking users, from 24 million to 42 million.

The complaints in this time period lodged with the banks were about the non-payment of cash, provision of faulty cards, service disruption, etc. However, in 2021 the Banking Mohtasib received a total of 33,196 complaints about general and fraud issues, and there were 30,494 complaints pertaining to these issues in 2022. Out of the respective totals, fraud complaints specifically were 467 in 2021 and 1,392 in 2022.

Knowing Your Digital Rights

So what will protect people from getting scammed? “Digital and financial literacy,” according to Shmyla Khan, who is the research director at the Digital Rights Foundation (DRF). The DRF deals with

cyber harassment complaints, but it has been consistently receiving a rising number of financial crime complaints.

They received 319 such complaints in 2021 and 500 in 2022. After blackmail, this was the second highest type of case for which the DRF was contacted over those two years. The complaints included phishing scams, calls impersonating government/bank officials and problems with unregulated banking apps. This has led the DRF to conduct awareness sessions.

“However, the literacy campaigns need to be institutionalised at the state level,” according to DRF suggestions, “and made part of curriculum and mass awareness campaigns.” For instance, it is important for Pakistani citizens to know that if they ever fall prey to a cybercrime, they can register a formal complaint by dialling 1991 to get in touch with the FIA’s National Response Centre for Cybercrime.

Abid Qamar, spokesperson for the SBP, says that they have carried out mass campaigns and made it mandatory for banks and digital wallets such as Easypaisa and Sadapay to send messages to customers warning them not to share their ATM pins with anyone on their mobile phones.

But even if there is financial literacy, the common man does not consider it useful to go to the authorities, be it the bank or an investigation agency. Urooj called her bank to confirm whether the call she received from the UAN was from them, but she did not see the point in reporting the call to the FIA.

Haseeb went to a police station in Raiwind with his lawyer and showed them the screenshots after he was scammed out of Rs60,000, but the police said that cybercrime was not in their jurisdiction. Haseeb did not go to the FIA because he thought, “What is the point, and it was my mistake anyway. I was stupid enough to give them my pin.”

The SBP has, however, mandated that banks must create systems for customer care and complaints. Banks have a central platform where they can flag a transaction that is deemed or known to be fraudulent. The Fraudulent Transaction Dispute Handling (FTDH) system allows the bank to file a complaint from where the transaction is generated, while the bank which has received the fraudulent transaction has to address it. The SBP has multiple scenarios of accountability for each bank, depending on their response times and mechanisms.

The SBP also places a responsibility on the banks to inform customers about internet banking and complaint mechanisms. When Haseeb complained on the bank customer care number, they told him to go to the nearest branch and fill out a dispute form. They asked him whether he shared the information voluntarily, to which Haseeb said yes. They lodged the complaint but said it would proceed only once he filled out a dispute form. Haseeb did not follow through on this, and hence neither did the bank.

Ali Javed Darugar, a lawyer who focuses on technology and fintech related cases, said that the phrase “voluntarily” plays an important part in determining whether a bank is liable to compensate its customers following a scam. While transactions through hacking and other technical means are covered through insurance by international payment giants like Visa, MasterCard etc., a bank has no way to investigate whether the customer was scammed into giving out their information or whether they made the transaction themselves. This makes it difficult to ask banks to take responsibility when scams occur.

According to a 2022 report by the Banking Mohtasib, large banks in Pakistan presented objections in six different cases filed by customers following a scam. The report states, “The victims approached their respective bank branches to freeze their accounts and seek a refund. However, they were not provided any relief by the bank on the grounds that they themselves had shared their personal banking credentials with unknown callers.”

However, President Arif Alvi rejected the six objections filed by the banks and asked them to compensate the customers in full. The amount totalled a million rupees. The Banking Mohtasib’s report reveals that, “In all six cases, the president found the bank negligent of its duty to inform the account holders about the pros and cons of activating the electronic funds transfer (EFT) facility as required by the mandatory guidelines of the SBP.”

According to the Banking Mohtasib, it has ruled in multiple cases in favour of customers, ordering the bank to compensate in full. The authority cited the banks’ lack of timely complaint redressal and follow-up, and inability to inform customers about safety measures regarding internet banking as concrete reasons as to why the banks should be held responsible.

As the world grapples with increasing hacking attacks and scams, many countries have finally placed an importance on regulating data. These include tough regulations introduced by the EU on data use and storage by Big Tech companies, such as Facebook and Google. Australia has threatened to penalise these companies too if they breach the country’s data use laws.

Nations like Pakistan are at an increased risk of falling prey to such scams due to a poor cybercrime policy, as well as a weak cyber security network. In the Global Security Index published by the International Telecommunication Union, which measures a country’s commitment to addressing cyber security issues, Pakistan was ranked 79 out of 182 countries.

Pakistan needs a digital policy that deals with legislation pertaining to cybercrimes and tech, and data protection. Additionally, the country needs to clearly define the functions and jurisdiction of the Pakistan Telecommunication Authority (PTA), which deals with the internet and telecom, and must also revisit the performance of the FIA’s cybercrime wing.

The writer is a freelance journalist and researcher. A former computer engineer, she reports on cybercrime, disinformation and human rights

Published in Dawn, EOS, July 16th, 2023

Header illustration by Shafaq Bashir