The call came early in the morning on Thursday. A neighbour of over two and a half decades, now in her mid-70s, asking for help. Her phone, she said, had been hijacked. Someone had seized control of her WhatsApp account. She could see messages coming in, but couldn’t reply. Even the housing society’s WhatsApp group—normally an endless stream of messages about plumber visits and festival donations—had gone silent. The settings had been changed. No one could post. Only the hijacker could broadcast.
When she called, she was already in a rickshaw, on her way to the police station with a friend. But her voice carried panic of the kind that comes from realising your private space has been invaded. By the time I got there, a young police officer had taken down all the details. He was calm and appeared methodical. Turns out, he had seen this before. It would take 10-12 hours, he said, the voice of experience on his side. The account would be restored. But the damage had already been done.
Also Read: Chandigarh resident loses ₹57 lakh to digital arrest scam
It had started with a message, seemingly from a friend with a simple request on WhatsApp: share an one-time password (OTP). There was no hesitation because of the familiar name flashing on her screen. After she did, in minutes, she got locked out of her phone.
The police officer explained this is standard practice now. Here, in Andheri, his station is witness to at least 5-6 cases like this every week. There are times when he handles 10-12. It was just one of the many flavours of digital fraud doing the rounds.
Once inside an account, the scammer would pose as the victim, sending urgent messages to contacts. The story was always the same: a crisis, a desperate request for money, a bank transfer link. If even one in four people fell for it, the scam paid off.
Also Read: Retd Air Commodore loses ₹1.45 cr to cyber fraud
The officer had watched these schemes evolve in real time. WhatsApp scams are common, but so are attacks on Instagram, where younger users are more trusting, less suspicious. And then there are bigger operations at play, ones that didn’t just lock people out of their accounts but depleted their bank balance.
The officer explained the new trend. Fraudsters didn’t need to steal passwords; they just needed access to a phone’s messages. Banks, eager to push loans, sent out pre-approved offers via SMS. The scammers would spot these, apply, and within minutes, bank would release funds. The victim would realise only later—usually when a collection agent called demanding repayment. Just last week, the officer had handled a case where ₹16 lakh had been disbursed this way. It happened more often than most people imagine.
How did the officer protect himself? He played the invisibility game. He had stopped using Net Banking a long while ago. “Too many weak links” he said. He used UPI instead. Unlike Net Banking, which depended on passwords and OTPs that could be intercepted, UPI was tied to a SIM card. Even if a fraudster had the credentials, they couldn’t authorize a transaction without the phone and biometric authentication.
Also Read: Cyber frauds worth ₹18.76 lakh lodged in city
Then there’s Truecaller? He doesn’t touch it. Most people think of it as a useful way to avoid spam calls. But Truecaller isn’t just a caller ID service; it is a data vacuum cleaner. The built-in directory works by collecting user contacts. Every time someone installs the app and grants permissions, their entire phone book gets uploaded to Truecaller’s servers. This means your number, your name, however it had been saved by someone else is now out in the open. And if the wrong person tagged you with the wrong label, that misidentification could spread. Truecaller isn’t just answering the question of “Who’s calling?”, it is shaping your digital identity, without your input.
Email? Gmail is a no-go. Too much data mining. Yahoo? Too fragile. Instead, he uses an email service designed by duckduckgo.com. This strips out tracking links before they ever reached his inbox. No marketer would know if he had opened an email. No scammer gets a read receipt.
Also Read: Noida police bust B2B scam, 13 held for duping Jammu-based businessman
Most people, he admitted, wouldn’t bother with this level of caution. They would keep trusting the familiar. Keep assuming it wouldn’t happen to them. Until, one day, it hits them.
What gave him the confidence of retrieving the WhatsApp account? By morning, his request to Meta Inc that owns WhatsApp would be processed. The company would track the IP address and work to recover the account. It would take 10-12 hours. Sometimes, even longer. Unfortunately, he said, they don’t reveal details of the scammer. This is why the scammer would already have moved on by then. And somewhere, someplace else, another phone will buzz. A new victim will see a message from a familiar name with a friendly request for an OTP. And another hijacking will begin.