The Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs has issued a fresh set of advisories warning citizens about a rise in cyber frauds that are causing real financial damage and widespread misuse of everyday digital platforms. These are not abstract risks. They are based on patterns emerging from complaints filed on the National Cybercrime Reporting Portal.
And the pattern is clear.
Many of today’s frauds don’t rely on hacking systems or exploiting software weaknesses. They rely on people doing what systems are designed to allow, just nudged in the wrong direction, at the wrong moment.
The advisories flag three broad scam categories that are becoming increasingly common. Misuse of matrimonial and dating platforms for investment and cryptocurrency frauds. USSD-based call forwarding scams carried out through delivery or courier agent impersonation. And WhatsApp Web account renting scams promoted through social media advertisements.
Different surfaces. Same underlying problem.
For CIOs and digital leaders, this framing matters. It changes how risk needs to be understood.
When compliant behavior becomes the vulnerability
Take the WhatsApp Web account renting scam. There is no breach. No technical compromise. Victims are persuaded, often through social media ads promising easy income, to scan a legitimate WhatsApp Web QR code. In doing so, they hand over live session access voluntarily.
From the platform’s perspective, everything looks compliant. From a governance perspective, the user’s account is now being misused for fraud, sometimes at scale, without the user fully understanding what they’ve enabled.
The call-forwarding scams follow a similar logic. Victims receive calls posing as delivery or courier agents. They’re asked to dial USSD codes that telecom operators themselves support. No malware. No suspicious app installs. Once activated, calls, OTPs, and verification messages are silently redirected to the fraudster.
Again, the system behaves exactly as designed.
Matrimonial and dating platform scams are slower, but often more damaging. Fraudsters build trust over time, then steer conversations toward fake investments or cryptocurrency opportunities. There’s no technical shortcut here. The platform works as intended. It’s trust, not technology, that is exploited.
That’s the uncomfortable truth running through all three advisories. These frauds succeed precisely because systems are functioning correctly.
Identity is the real attack surface
Across complaints analyzed by authorities, attackers consistently target identity rather than infrastructure. Phone numbers. Messaging accounts. Emotional credibility. Trust in familiar institutions like banks, courier companies, or even the platforms themselves.
Once an identity is compromised, or simply borrowed for a while, everything downstream assumes legitimacy. Financial systems accept requests. Communication platforms deliver messages. Verification workflows proceed as normal.
For CIOs overseeing consumer-facing digital platforms, this presents a hard problem. Traditional security controls like encryption, access management, and anomaly detection are still necessary. But they struggle when abuse looks indistinguishable from valid use.
Why advisories stress precautions, not just awareness
Each advisory issued by I4C does more than describe the scam. It breaks down the modus operandi and lays out specific precautions for citizens. Don’t scan unknown QR codes. Don’t dial call-forwarding commands at someone else’s request. Be cautious of investment advice originating from dating or matrimonial platforms.
That emphasis is telling.
It reflects a recognition that more data collection, tighter KYC, or additional alerts won’t automatically prevent these incidents. When a user willingly takes an action, the system records compliance, not compromise.
This is also why education alone has limits. Under urgency, persuasion, or emotional pressure, people act first and reflect later. Fraudsters know this and design their scripts accordingly.
The emerging liability problem
One issue the advisories indirectly surface is downstream liability. In WhatsApp Web account renting cases, for instance, the account holder may find themselves under investigation when their number is used to scam others. Proving that access was misused by a third party can be difficult.
This creates a troubling gray zone. Users can be victims and suspects at the same time. Platforms are forced to assess intent, not just activity. Organizations get pulled between privacy obligations, compliance requirements, and law enforcement demands.
For enterprises building digital services tied closely to identity, this is no longer a corner case. It’s a governance challenge.
The takeaway for CIOs
The message from these advisories is not just about citizen caution. It’s about how digital trust works in practice.
Threat models need to assume that legitimate users will sometimes be persuaded into risky actions. Identity cannot be treated as a static, binary state. Context matters. Timing matters. So does intent, even if it’s hard to infer.
Platform design choices now carry security weight. Features that can be misused easily will be misused eventually. Friction, when applied thoughtfully, can be a safeguard, not a flaw.
And responsibility has to be shared. Expecting users alone to absorb the consequences of misuse is neither realistic nor sustainable.
The bigger picture
What the I4C advisories make clear is that India’s cybercrime problem has shifted. It’s no longer primarily about attackers breaking systems. It’s about attackers shaping behavior.
They don’t need better exploits. They need better stories.
For CIOs, that means security strategy must evolve to take human behavior as seriously as technical vulnerabilities. The organisations that recognize this, and design for it, will be far better positioned as digital platforms continue to expand their role in everyday life.