Since President Donald Trump’s return to the Oval Office, leaders from across the world have visited the new president. In February, it was the turn of Narendra Modi, India’s prime minister. In the joint statement released by the White House, it was highlighted how the two leaders had committed to strengthen, among other things, ‘law enforcement cooperation to take decisive action against […] organized crime syndicates […] as well as other elements who threaten public and diplomatic safety and security’.

While this objective may encompass a number of priorities, it should include a focus on online fraud and how generative AI can serve criminal interests. Now is the time for India and the United States, both exploited by online scammers, to show global leadership in jointly tackling this growing threat.

A global rise in cyber scams

India has long been at the centre of discussions about scams and online fraud. The country emerged as a hub for the call centre industry in the 1990s, when prominent Western companies – attracted by the potential savings and the fact that English is widely spoken in the country – offshored this component of their business there. More recently, companies have begun to outsource to other countries, and some of those who had previously worked in Indian centres have reportedly stolen databases from their previous employers to set up their own call centres, offering legitimate, but in some cases fraudulent support.

Today, online scammers in India often hide behind legitimate businesses. The companies reportedly defraud victims – including from the US – out of millions of dollars through fake tech support, false loans and fraudulent business deals. In 2023, India’s Directorate of Enforcement raided one such company following a money laundering investigation. They seized cash, gold and cryptocurrency wallets, and found evidence of the use of hawala networks to move money. Enforcement agents also discovered that this company appeared to be just one in a web of related entities operating out of India, but with affiliates in the UK, US and Australia – a transnational network. The investigation into the company is ongoing.

However, India is also increasingly on the receiving end of scams. The Indian Cyber Crime Coordination Centre, an agency that operates under the Ministry of Home Affairs, reported an average of 7 000 cybercrime complaints a day in the first four months of 2024. Some fell victim to so-called ‘digital arrests’– where fraudsters impersonate law enforcement or government officials to trick victims into believing they are in legal trouble – while others were defrauded through fake investment or romance scams and online phishing.

Indians have also been increasingly linked to the cyber scam industry in South East Asia. For example, in April 2024, 250 Indian nationals were rescued from a so-called scam compound in Cambodia. These workers were likely to have been recruited online – many under false pretences – and then exploited and forced to defraud others. More than 1 000 Indians have reportedly been rescued from such centres in Cambodia since 2022, and more than 5 000 are believed to still be held there in similar circumstances.

The problem with data security

Data is the lifeblood of scam operations, whether it is obtained illegally through stolen databases or legitimately from data brokers or public scraping. Two major hacks – one in India, the other in the US – in the space of 12 months are emblematic of the dangers of online fraud and the lack of attention paid to securing personal data.

In 2023, a hacker announced the sale of data exfiltrated from the Indian Council of Medical Research, provided during the COVID-19 pandemic. The data contained the information of 815 million Indian citizens, including identity card and passport details, phone numbers and physical addresses. Although it is not possible to draw a clear correlation, the following year saw a significant increase in ‘digital arrest’ scams targeting Indian nationals.

In April 2024, one of the largest breaches in history occurred when the data of billions of people held by the US National Public Data was published on the dark web. This included names, social security numbers and addresses. This type of data is of immense value to scammers and is often the key hook in initial encounters.

In addition to obtaining data illegally, fraudsters use legitimate data-brokerage services, which collect data from the myriad of places where people freely share their information. Scam operations sometimes supplement illegally obtained data with information purchased from data brokers to fill in the gaps.

How to respond?

Given the transnational impact of Indian call scam centres, it has become an issue of international relations, including between India and the US. President Trump and Prime Minister Modi’s commitment to tackle organized crime presents a crucial opportunity to refocus attention on this issue and provide leadership in disrupting predatory operations on a global scale.

With online fraud changing quickly, driven in part by AI, there is an urgent need for the US and India to enhance collaboration. For example, scamming networks already reportedly use voice phishing (or ‘vishing’), where they impersonate someone from a trusted institution to con a victim. Highly convincing human voices can be replicated and used in real time, making it even harder to detect a scam.

AI also needs to be put to good use in the response. This is already happening in the UK, where an ‘AI granny’ – a chatbot that intercepts calls from scammers and engages them in lengthy conversations pretending to be a victim – has been created to divert scammers’ attention. In addition, sound regulation is needed to ensure that companies and government institutions can protect the data they hold, as the knock-on effect of poor cyber security puts individuals in the firing line of online fraudsters. This also includes data brokers, which need to be better regulated and monitored by a compliance procedure.

Privacy must become a fundamental principle of business. This will require a shift in the way many companies operate. Rather than automatically opting individuals in to data sharing in the expectation that they will ignore the convoluted privacy sections designed to obscure the reality of what is being signed away, individuals should be opted out of data sharing by default to protect their privacy. This will significantly hinder the ability of online fraudsters to collect the data they need to carry out illicit activities.