Jaudat Baig, a student at Allama Iqbal Medical College Lahore, received a call from a fraudulent bank helpline that asked for her personal information. She noticed that the calling number had an extra zero at the start, which raised her suspicions. So she ended the call and dialled her bank's helpline to investigate. She was informed that the bank never requests personal information over the phone. She later learnt that her siblings had also received similar calls but they did not share any personal information. "We are surprised at how the callers obtained our personal data, family tree information, CNIC number, and ATM card number," she said.
While Baig prevented a scam from happening by refusing to share sensitive data on the phone, many do not even realise they are being defrauded because the callers have enough of their personal information to make them believe they are genuine callers.
Sharing an incident of fraud with this scribe, a resident of Muslim Town in Lahore, Rakhshanda Bibi, said that she had 32,000 rupees in her Jazz Cash account. A working woman in her 50s, Bibi received a call from an unknown Jazz network number. The caller said to her, “You are the lucky one because you have won a Jazz Cash lucky draw.” He explained to her that the amount in her account would be doubled as a result of her winning this lottery. However, he mentioned that he needed to verify her account before transferring the money. He instructed her to share a 4-digit one-time password (OTP) she’d receive on her phone.
“It was the end of the month, and I was delighted at the prospect of doubling my money, so I shared the number without giving it a second thought,” Bibi said. After receiving the OTP, the caller informed her that she would have to wait for two hours for transfer completion. After waiting patiently for two hours, Bibi tried calling the number back, but there was no response. Instead, she got the notification that money in her account had been withdrawn. “I was so embarrassed that I didn't tell anyone at home about the incident and decided to visit the Jazz Cash office from my workplace,” Bibi explained. “There, I recounted the whole incident, but they told me that such scams were common nowadays and that they had not announced any such scheme. Unfortunately, they couldn't assist me in any way.”
Safeguards needed
The theft and sale of personal data on the dark web is a serious problem in Pakistan, with millions of people's data having been compromised in recent years. This data can include names, addresses, phone numbers, email addresses, and even financial information, and can be used for a variety of purposes, including identity theft, fraud, and extortion.
However, Pakistan remains without a comprehensive data protection law, despite the prevalence of data breaches and cybercrime in the country. The government has yet to finalise and enact a law to regulate matters relating to the processing of personal data, leaving crucial data security measures in limbo.
The Prevention of Electronic Crimes Act, 2016 (PECA) is currently the primary legislation that provides a legal framework for addressing electronic crimes, including unauthorised access to personal data. However, it has been demonstrated that PECA falls short of effectively curbing financial crimes stemming from data breaches.
Miqdad Mehdi, an advocate at the Lahore High Court and a human rights activist shared details of two cases in which he represented the complainants. The first case involved a woman who received a call from a fraudulent bank helpline. The scammers possessed minute details about her, including her CNIC number, ATM information, and even knowledge about her request to change her house address. With such information at hand, she fell victim to the scam, shared her passwords, and lost 400,000 rupees. She filed a complaint with the Federal Investigation Agency’s (FIA’s) Cybercrime Wing. Interestingly, the bank manager was also implicated in this case, so in order to protect himself, he returned her money.
The FIAs’ Cybercrime Wing is guided by laws under PECA 2016, which directly receives complaints and takes legal measures against cyber criminals
"In another case, a fraudulent individual fled from Pakistan to Dubai,” Mehdi said. “During the investigation in Pakistan, evidence emerged against the fugitive, leading the FIA to freeze his identity card and passport. However, the accused managed to unfreeze his passport and identity card through an appeal in the high court, filed by his brother on human rights grounds. This was because identity is considered a fundamental human right that cannot be taken away from anyone."
Why criminals to go unpunished?
Mehdi responded, “Actually, in Pakistan, we don't have data protection laws, and our information is easily leaked at any stage. For instance, every other person, institute, or business asks for a copy of the Computerized National Identity Card (CNIC), including hotels, hostels, booking offices, hospitals, and court offices. A CNIC is the primary source of our personal information, making a person vulnerable to fraud.”
In most cases, people don't register complaints due to language barriers, laziness, lack of trust in institutions, lengthy processes, or if they email the FIA, they never follow up or visit zonal offices to pursue the case due to the cumbersome procedures.
Mehdi said, “First and foremost, we should establish strict data protection policies and take measures to secure personal data against unauthorised access, disclosure, alteration, or destruction. Secondly, the complaint system is neither swift nor victim-friendly. It takes too long to lodge a complaint, language can also be a barrier, and the process is complicated, from registering a First Information Report (FIR) to an inquiry. Thirdly, we need to spread education and awareness at the grassroots level, especially launching campaigns in schools, colleges, and universities, as well as for the elderly population, as retired or elderly individuals are often prime targets of such scams.”
Kaukab Zuberi, chairperson of the Department of Criminology and Forensic Sciences and Director of the Digital Forensics Research and Service Centre at Lahore Garrison University, explained that criminals employ social engineering techniques to ensnare their victims. Typically, elderly individuals or those less familiar with technology are more susceptible to falling into such traps. At times, shopkeepers generate duplicate SIM cards for vulnerable individuals and use them for fraudulent purposes. It's even possible to change our IMEI numbers through the black market.
With the advancement of technology, fraudulent systems have also evolved. Criminals now utilise masking technology to appear as a number closely resembling the real one (helpline). “In the aftermath of an incident, if we have the culprit's phone or laptop, we can trace the history of their location, target numbers, and the number of times they attempted to contact them. This is an ongoing process, and a proactive approach is necessary to address phone fraud scams,” Zuberi continued.
The Pakistan Telecom Authority (PTA) has established a system for filing complaints and an online system for reporting fraud calls and SMS to prevent financial fraud. “We receive thousands of complaints every day," Khurram Mehran, director of complaints PTA told The Express Tribune. He stated that as a regulatory body, PTA blocks numbers, CNICs, and IMEIs based on repeated complaints after issuing a warning to the violator. “So far, PTA has blocked 5,286 phone numbers, 4,483 IMEIs, and 153 CNICs over the past eight months [from January to August 2023].”
However, the PTA cannot initiate criminal proceedings against such individuals and often they get new SIMs and mobile phones and continue their malicious activities.
Mehran said, “At the second level, one can register a complaint with the State Bank or the relevant bank's helpline regarding the scammers' numbers. The State Bank of Pakistan also guides and educates consumers or complainants about financial fraud. Ultimately, complainants can also file complaints with the FIA Cybercrime Wing, where such cases are investigated and litigated.”
Shmyla Khan, a researcher and lawyer, stated, "The FIA is the only option to prosecute when a phone fraud occurs. The victim goes to the Cybercrime Wing and lodges a complaint. Even PECA treats such frauds as criminal offences. However, the problem arises when phone fraud is made possible due to negligence or lack of security by institutions. Telecommunication companies often leak the personal information of consumers, while government institutions may not directly commit any crime, the leaked personal data becomes a weapon due to negligence."
She continued, "A data protection law is crucial to hold these institutions accountable and impose fines on them. Alongside the data protection law, which is still in the drafting stage, it's essential to establish an independent commission that can make unbiased decisions regarding these institutions and impose fines. If the commission is both independent and robust, there will be effective enforcement of the law."
"A data protection law can be beneficial in cases such as widespread availability of NADRA information, which can be purchased for very small amounts, allowing individuals to exploit this personal information in scams and instances where women's phone numbers, names, and other details are leaked by telecom company employees, leading to harassment and blackmail," she added.
Experts who have worked on the draft of the data protection law say that the main issues are that the law needs to provide for a strong personal data commission, make consent requirements more user-friendly, and include additional provisions that require businesses and government entities to be transparent about how they use data.
Policy review
The Digital Rights Foundation (DRF) has prepared a policy review of the draft of 2023 Data Protection Bill — the fifth such draft prepared by the government since 2018. Program manager and researcher at DRF Zainab Durrani explained, “This bill will be enacted under Article 14 of the Constitution of Pakistan. In this bill, the clause of consent has been inserted in section 6, but an exception has also been provided in section 6-g of the same clause. While the consent of the 'data subject' [individual whose personal information is concerned] is deemed necessary, the vague term 'legitimate interest' is also used, which raises many questions. This can be considered a legal loophole. Any organisation that collects data will seek the data subject's consent, but the data subject remains unclear about the limitations or the circumstances under which 'legitimate interest' will come into play or be imposed.”
“Furthermore, the provision for third-party sharing should also be clarified. If a person has submitted their personal information with a bank or an educational institution, and a data breach occurs, it is essential to determine who will be responsible for security protocols. This is crucial because data may intentionally be leaked and used for harassment or hacking WhatsApp,” she added.
“The third concern pertains to whether the federal government will directly control cases related to data breaches through a National Commission for Personal Data Protection (NCPDP). Section 35(2) of the bill stipulates that NCPDP should be under the administrative control of the federal government. NCPDP is a committee tasked with making decisions on data breaches. It's essential to ensure its strength and autonomy, allowing it to make independent and impartial decisions in the interest of the 'data subject,' without succumbing to government pressure.”
With the draft of the 2023 Data Protection Bill still pending, it is imperative that the incoming government takes swift action to enact a robust data protection law that not only establishes a personal data commission but also addresses consent, legitimate interest, and third-party sharing concerns. Only through these crucial steps can Pakistan hope to combat the growing threat of phone fraud and data breaches and provide its citizens with the security they deserve in the digital age.
Rabbia Arshad is a multimedia journalist based in Lahore. She can be reached at rabbiyanews1@gmail.com
All facts and information are the sole responsibility of the writer