The e-SIM phishing scam was conducted by calling customers to obtain their OTP and email address, and then converting their SIM card into an e-SIM.
Four out of five individuals arrested in a new e-SIM phishing scam are from Jharkhand's Jamtara district, which is notorious for cyber-crime.
Faridabad police suspect the phishing racket was used to access over 300 accounts at state-run and private banks across five states — Punjab, Haryana, Bihar, West Bengal and Jharkhand, according to a report by The Indian Express.
The fifth individual arrested, who is from Punjab, allegedly orchestrated the scheme. He previously worked with a telecom company and a digital payments company, a source told the paper.
Police said many transactions ranging between Rs 10,000 and Rs 99,000 were made, according to the report. The target was often ICICI Bank, and Airtel numbers were used to carry out the scam.
"The case is unique, with the use of e-SIMs as the main conduit and with preliminary investigations establishing procedural infirmities and lack of due diligence on the part of banks and telecom companies," O P Singh, Commissioner of Police, Faridabad, told the publication.
The report said the fraud is conducted by calling customers to obtain their OTP and email address, and then converting their SIM card into an e-SIM.
The police said the accused have confessed to controlling the victims' bank accounts through the e-SIM. The funds were transferred into mobile wallets on PhonePe, Ola Money, Paytm Payments Bank and Airtel Payments Bank.
"In addition to an OTP which is sent to his/her registered mobile number with us, the customer needs to enter the ATM PIN. Unless customers share this information it is not possible to log in to their internet banking account. On a regular basis, we communicate to our customers to not share PIN, passwords or OTPs with anyone. Further, we would like to state that a bank cannot be held responsible for a SIM SWAP fraud," an ICICI Bank spokesperson told The Indian Express.
A PhonePe spokesperson said the company complies with National Payments Corporation of India (NPCI) guidelines on fraud prevention.
"We are awaiting more details on the specifics of the allegations being referred to in this case. We would also like to state that for PhonePe wallets, we are fully compliant with the requirements of KYC verification. PhonePe continues to be a safe and trusted platform for over 23 crore users across the country," the spokesperson said.
Faridabad police have issued summons to Paytm, ICICI Bank, and others, even seeking documents to assess if there were procedural lapses, the report added.
Airtel, Paytm and Ola Money had not yet responded to queries sent by The Indian Express.