Telcos responsible for phishing attacks on customers: Paytm

Telcos responsible for phishing attacks on customers: Paytm

Paytm has said that telcos' failure to prevent phishing scams has led to "financial and reputational loss" to the company

Paytm has once again blamed telecom operators for not doing enough to prevent its customers from falling victim to phishing scams. The e-commerce platform recently filed a plea before Delhi High Court claiming that millions of its customers are being defrauded due to phishing activities because of lacunae in telecom operators' conduct.

Paytm's advocate in the matter Karun Nundy, in a series of tweets on Tuesday, stated that telecom operators are violating their obligations under Telecom Commercial Communications Customer Preferences Regulations (TCCCPR), 2018, which was notified by the telecom regulator TRAI to curb problem of unsolicited commercial communications.

Nundy said that the legal regime is clear as per TCCCPR 2018 regulation, which mandates that telcos bear the responsibility to prevent and punish phishing as they are ones who issue bulk SIM cards, deceptive headers and SMS content that enable fraudsters.

"The pipes though, access by fraudsters, knowledge of their identity, are in the hands of Telcos. Customers of other banks & payment companies are also facing fraud. @Paytm's the first company moving for the legal regime & blockchain architecture to be implemented by Telcos (sic)," Nundy wrote in a tweet following steps taken by Paytm to prevent fraud on its platform.

Nundy's tweets were in response to an article by digital publisher The Morning Context, which claimed that Paytm customers have lost Rs 10 crore to fraudsters in the past one year. She said that the article did not mention relevant law and was riddled with errors and false assumptions.

One97 Communications Ltd, which runs Paytm, had moved Delhi High Court claiming that millions of its customers have been defrauded by the phishing activities over the mobile networks and the failure of the telecom companies to prevent the same has "caused financial and reputational loss" to it . The company had sought damages of Rs 100 crore from telecom firms. Earlier this month, the court sought an answer from the Centre and TRAI on the matter.

Phishing is a cyber crime where people are contacted by e-mail, phone calls or text messages by someone posing as a legitimate representative of an organisation to lure them to part with their sensitive data, including banking and credit card details and passwords.

Paytm has claimed that under the TCCCPR 2018 regulations, the telecom companies are required to verify purported telemarketers seeking registration (called registered telemarketers or RTMs) with them before granting access to their customer data and also take action immediately against all fraudulent RTMs.

The petition has contended that the telcos' "failure" to undertake proper verification prior to such registration enables fraudulent telemarketers to carry out phishing activities against customers of Paytm and its associate companies.

It has further contended that under the statutory regime it is the telecom companies' responsibility to prevent such fraud and deter the fraudsters through blocking and/or financial disincentives.

Explaining the modus operandi of the fraudsters, Paytm has said that such people or entities get registered with the telecom companies and get assigned themselves headers, like Paytm, PYTM, PTM, IPAYTN, PYTKYC and its derivatives, which are similar to official headers of Paytm -- including BPaytm, FPaytm, PAYTMB, Ipaytm and mPaytm.

Using the similar headers, they send messages to Paytm customers for getting their sensitive and private information, including account details and passwords, One97 has said in its plea.

The messages usually contain some link which when clicked installs a software on the phone allowing the fraudster to get the customer's financial account details stored on the device, the petition has said.

Some fraudulent RTMs call the customers and seek their private information under the pretext of completing their KYC (know your customer) requirements for making their Paytm wallets operational, it further said.

Paytm has sought directions from the court to TRAI to ensure complete and strict implementation of TCCCPR provisions to curb fraudulent unsolicited commercial communications sent over mobile networks and to take action against the telecom companies for violating their obligations to verify telemarketers under the regulations.

It has also sought direction to the Centre to ensure no SIM is sold without proper verification and to establish an inter-agency task force to coordinate action for limiting fraud taking place over telecom networks.

Paytm has alleged that even after violations were brought to the notice of the telecom companies they failed to take prompt action to block the fraudulent RTMs and impose financial disincentives against them.

It has sought a direction to the telecom companies to take effective action under the TCCCPR to block the phone numbers of the telemarketers who are sending unsolicited commercial communications.

Paytm has also claimed that certain TCCCPR provisions provide for action only against those telemarketers who make unsolicited communications in bulk and provide for only graded penalties and has sought an order declaring such regulations as unconstitutional and ultra vires the TRAI Act.

It has also sought a declaration from the court that under the regulations the telecom companies are obligated to put in place mechanisms to register reports of violations from customers.

(With PTI inputs)