State action to combat digital fraud: A strategic view

State action to combat digital fraud: A strategic view

by Nandkumar Saravade and Ajay Shah
Business Standard, 4 August 2025

The convenience of India's digital economy has gone with a frightening surge in criminal activity, from illegal loan apps to 'digital arrest' scams. Individual cases are sometimes resolved through investigations and prosecution, but the brainpower and effort on the part of the attackers is improving at an alarming rate.

We don't quite know how big the problem is. On one hand, the headlines report a significant loss of ₹22,845 crore in 3.6 million cases in 2024, a 42% rise in incidents. On the other hand, a recent reply in the Lok Sabha claimed the loss was just ₹580 crore in digital payment frauds over five years. This mismatch in figures points to lack of clarity and a proper taxonomy for the fraud problem. Such ambiguity allows the full scale of the problem to be understated.

The state has to do more to solve this situation. We do not individually provide for national defense; we rely on a coordinated state effort. The same logic applies to digital fraud. Security economics expert Ross Anderson has pointed out that Internet security has elements of a public good. One insecure machine can create costs for others (i.e. the market failure of negative externalities). Private persons have an incentive to shrug off the blame but we need the state to help internalise externalities.

The current response is reactive and fragmented. The burden of loss falls primarily on the victim. There is a mismatch between what an individual can do on her own and the scale and complexity of the attacks. The victim is left to manage the financial and emotional impact by herself. Regulators may view the problem as less severe, and banks often direct customers to the 1930 helpline. Law enforcement, with its own resource limitations, can have a hard time dedicating significant bandwidth to these cases. Telecom companies, a key point in the system, may cite low Average Revenue Per User (ARPU) as justifying low effort, when asked to meet higher standards.

In the Indian governance environment, by default, these problems will readily turn into the spiral of micro-management by the government through intrusive regulations that specify details of products and processes used by private persons, or even government monopoly systms. This approach is encouraged by the private sector as they get to shrug off responsibility: UPI fraud is the fault of the government. But central planning systems interfere with economic dynamism. Central planning is also a poor approach to cyber security, a field that is too complex and dynamic for a single, rigid government-designed security system. We suggest three ingredients for the way forward.

Ingredient 1: Clarity on Loss Allocation

A key step is to clarify the allocation of losses. When the victim bears the loss, other stakeholders have low incentive to improve the system. A shift in this approach is needed. Firms are the ones best placed to understand the emerging threat environment, to continuously innovate on precisely how security will be done, and make modifications to their products and processes in fighting back. For this, firms have to suffer losses when fraud takes place.

While the RBI's framework for limiting customer liability is a step in the right direction, its complexity and de-facto reliance on the customer to prove their innocence often undermines its intent. We should look to more robust, firm-centric models like those in Singapore and the UK. Singapore's proposed "waterfall" implementation for phishing frauds is an example. Responsibility is assigned to the party best positioned to handle it. The Financial Service Provider (FSP) is the primary custodian. If it fails in its duties (e.g., not providing transaction notifications), it is expected to pay out. If the FSP has fulfilled its duties, the responsibility shifts to the telecom company. This framework creates an incentive for all firms to be vigilant.

The UK's Authorized Push Payment (APP) fraud initiative further mandates a 50:50 reimbursement split between the sending and receiving Payment Service Providers (PSPs). This helps ensure the victim is reimbursed promptly and encourages both ends of the transaction chain to be proactive. It creates a direct, financial incentive for banks to be proactive in detecting and preventing fraud through real time data exchange, rather than simply passing the loss to the customer. Shifting financial liability incites effective market-based solutions by harnessing the incentives and global knowledge of firms.

Ingredient 2: Coordinated State Action

The second component is to address the fragmentation within the Indian state. The issue of digital fraud involves the economics complex (RBI, DEA), the online ecosystem (TRAI, telcos, platforms) and the security complex (police, cyber cells) at multiple levels (union, state, city). At present, there is low coordination between all these components of the Indian state.

A well-coordinated response would include clear work allocation and cooperation. This would allow stakeholders to share information in real time, build analytics to identify threats, and launch coordinated and targeted law enforcement efforts. A clear, collaborative framework is required where roles and responsibilities are defined and aligned.

Without a clear taxonomy, the ecosystem participants across the country cannot effectively share intelligence with another, and regulators cannot accurately measure the scale or nature of a new threat. The data on fraud categories in Bengaluru shows that a large part of the problem involves "investment fraud" and "digital arrest": it is not just a card or OTP problem. The choke points are transactions across payment accounts in sending and receiving institutions. By standardising definitions and sharing information on the modus operandi, we can build a collective defense that is stronger than any individual effort.

The Way Forward: An Expert Group

To attack this problem, we propose an expert group be set up to form a national strategy on digital fraud. This group would bring together skills in financial regulation, security economics, cyber defense, public communications, and an understanding of the Indian financial and security systems. It should lay the foundations for a coordinated approach by the Indian state in fighting digital fraud. It should have the objectives:

Define a national strategy, including a clear taxonomy, data-sharing protocols, and necessary legal and organisational changes;
Design coordination mechanisms and assign clear responsibilities between the economics and security complexes; and
Provide a project plan with specific timelines and milestones for the coming two years.

Back up to the media page for the year
Back up to Ajay Shah's home page