India’s New SIM-Linked Messaging Regulations - A Major Initiative to Curb Cybercrime at Its Roots
Introduction
The digital communication landscape in India is set to change significantly as the Department of Telecommunications is preparing to implement new rules for messaging apps that operate using SIM cards. This step is part of the government’s effort to tackle cybercrime at its roots by enforcing stricter verification and reducing the number of communication platforms that can be misused. One clear change that users will notice is that WhatsApp Web sessions will now be automatically logged out every six hours, disrupting the previously uninterrupted use across multiple devices. Although this may appear to be a simple inconvenience, the measure is part of a broader plan to address the growing problem of cyber fraud. Cybercriminals exploit messaging apps like WhatsApp without keeping the registered SIM in the device, making it difficult to trace fraud. These efforts are surely gonna address these challenges at the root.
The Incident: What Has Changed?
The new regulations will make it mandatory for messaging platforms to create a direct link between user accounts and verified SIM identities. By this method, every account in the network can be associated with a valid and traceable mobile number. Because of this requirement, it is expected that WhatsApp is going to tighten the management of device sessions. The six-hour logout cycle for WhatsApp Web is implemented to prevent long-lived and unmonitored sessions that are sometimes taken advantage of in account takeovers, device-based breaches, and remote access scams. This change significantly affects the user experience. WhatsApp Web, often used for communication, customer support, and coordination, will now require more frequent authentication through mobile devices. Though mobile access remains uninterrupted, desktop and browser-linked sessions will be subjected to tighter security controls.
Why Identity-Linked Messaging Matters
India is facing a rapidly evolving cybercrime ecosystem in which messaging applications play a central role. Scammers often rely on fake, unverified, or illegally obtained SIM cards to create temporary accounts that can be used for various illegal activities, such as sending phishing messages, impersonating government officials, and deceiving victims through call centres set up for scams.
The new rules take into consideration the following main issues:
- Anonymity of accounts makes large-scale fraud possible: Criminals operate bulk scams using hundreds of SIM-linked accounts.
- Freedom to drop identities: Illegal SIMs are discarded after fraud, making it difficult for the police to trace the criminals.
- Multi-device vulnerabilities that last for a long time: Access without permission to WhatsApp Web sessions that last for a long time is seen as the main reason for OTP theft, account hijacking, and on-device social engineering.
The government wants to disrupt these foundations by enforcing stricter traceability.
A Sector Under Strain: Misuse of Messaging Platforms
Messaging apps have turned out to be the most important thing in India's digital life, from communication to enterprise. This very widespread use of messaging apps has made them an easy target for cybercriminals.
The scams that are frequently visible are:
- WhatsApp groupsare used for job and loan scams
- False communication from banks, government departments, and payment applications
- Sextortion and blackmail through unverified accounts
- Remote-access fraud with attackers who are watching WhatsApp Web sessions
- Coordinated spread of false information and distribution of deepfake videos
The employment of AI-generated personas and "SIM farms" has made it harder to secure the systems even more. Unless there is a very strict linking of users to authenticated SIM credentials, the platforms might degenerate into uncontrollable rafts of cybercrime.
Government and Regulatory Response
The Department of Telecommunications is initiating a process of stricter compliance measures and cooperating with the Ministry of Home Affairs, along with the Indian Cyber Crime Coordination Centre. The main points of the directions include the following:
- Identity verification linked to a SIM is mandatory for the creation of messaging accounts
- Device re-authentication on platforms often starts with WhatsApp Web
- Coordination with the telecom operators to the extent of getting suspicious login patterns
- Protocols for the sharing of data with law enforcement in the course of cybercrime investigations
- Compliance checks of digital platforms to verify adherence to national safety guidelines
This coordinated effort reflects the understanding that the security of communication platforms is the responsibility of both the regulators and the service providers.
The Bigger Picture: Strengthening India’s Digital Trust
The fresh regulations are in step with the worldwide trend where the platforms of messaging have to be more responsible, as governments are demanding more and more from them. The same discussions are going on in the EU, UK, and certain Southeast Asian regions.
For India, it is imperative to enhance identity management because:
- The nation has the largest base of messaging users in the whole world
- Cybercrime is increasing at a rate quicker than that of traditional crime
- Digital government services rely on communications that are secure
- Identity integrity is the basis for trust in online transactions and digital payments
The six-hour logout policy for WhatsApp Web is a small action, but it is an indication of a bigger transformation towards a regulation that is active rather than just policing that is reactive.
What Needs to Happen Next?
The implementation of SIM-linked regulations must involve several subsequent measures to make them effective.
- Strengthening Digital Literacy: It is necessary to educate users about the benefits of frequent logouts and security improvements.
- Ensuring Privacy Protections: The DPDP Act should create a strong barrier against the misuse of personal data in identity-linked messaging that will be implemented.
- Collaboration with Platforms: Messaging services should seek to secure authentication under the compromise of safety checks.
- Monitoring SIM fraud at the source: Illicit SIM provisioning enforcement is the main source of criminals, not just changing their methods.
- Continuous Review and Feedback: Policymaking needs to keep pace with real-life difficulties and new inventions in technology.
Conclusion
India's announcement to impose regulations on messaging apps with SIM linkage is a major step forward in preventing cybercrime from occurring in the first place. Although the immediate effect, like the six-hour logout requirement for WhatsApp Web, may annoy users, it is nevertheless part of a bigger goal: to develop a more secure and trustworthy digital communication environment.
Securing the communication that links millions of people is vital as India becomes more and more digital. Through a combination of regulatory measures, technological protection, and user education, the country is headed toward a time when criminals in the cyber world will find it very difficult to operate and where consumers will be able to interact online with much more confidence and safety.
References
- https://thehackernews.com/2025/12/india-orders-messaging-apps-to-work.html
- https://indianexpress.com/article/explained/explained-sci-tech/whatsapp-web-automatic-log-out-six-hourse-reason-10394142/
- https://www.ndtv.com/india-news/explained-how-will-new-sim-binding-rule-affect-whatsapp-signal-telegram-9728710
- https://www.hindustantimes.com/india-news/no-whatsapp-without-active-sim-centre-issues-new-rules-dot-sim-binding-prevent-cyber-crimes-101764495810135.html
Related Blogs
Introduction
Recently the Indian Government banned the import of Laptops and tablets in India under the computers of HSN 8471. According to the notification of the government, Directorate General of foreign trade, there will be restrictions on the import of Laptops, tablets, and other electronic items from 1st November 2023. The government advised the Domestic companies to apply for the license within three months. As the process is simple, and many local companies have already applied for the license. The government will require a valid license for the import of laptops and other electronic items.
The Government imposed restrictions on the Import of Laptops & other electronic products
The DGFT (The directorate General of foreign trade) imposed restrictions on the import of electronic items in India. And, there has been the final date has also been given that the companies only have 3 months to apply for a valid license, from November 1st 2023there will be a requirement for a valid license for the import, and there will be a proper ban on the import of laptops & tablets, and other electronic items. The ban is on the HSN-8471. These are the products that indicate that they are taxable. It is a classification code to identify the taxable items. India has sufficient capacity and capability to manufacture their own IT hardware devices and boost production.
The government has notified production linked incentive, PLI Scheme 2.0, for the IT devices, which will soon be disclosed, and the scheme is expected to lead to a total of 29 thousand crore rupees worth of IT hardware nearly. And this will create future job opportunities in the five to six years.
The pros & cons of the import
Banning import has two sides. The positive one is that, it will promote the domestic manufacturers, local companies will able to grow, and there will be job opportunities, but if we talk about the negative side of the import, then the prices will be high for the consumers. One aspect is making India’s digital infrastructure stable, and the other side is affecting consumers.
Reasons Behind the ban on the Import of electronic items
There are the following reasons behind the ban on the Import of laptops and tablets,
- The primary reason why the government banned the import of laptops and other electronic items is because of security concerns about the data. And to prevent data theft a step has been taken by the Government.
- The banning will help the domestic manufacturer to grow and will provide opportunities to the local companies in India.
- It will help in the creation of Job vacancies in the country.
- There will be a curb down of selling of Chinese products.
The government will promote the digital infrastructure of India by putting a ban on imports. Such as there are domestic companies like Reliance recently launched a laptop by the name of Jio Book, and there is a company that sells the cheapest tablet called Aakash, so the import ban will promote these types of electronic items of the local companies. This step will soon result in digital advancement in India.
Conclusion
The laptop, tablets, and other electronic products that have been banned in India will make a substantial move with the implications. The objective of the ban is to encourage domestic manufacturing and to secure the data, however, it will also affect the consumers which can not be ignored. The other future effects are yet to be seen. But the one scenario is clear, that the policy will significantly make a change in India’s Technology industry.
.webp)
Introduction
The Digital Personal Data Protection (DPDP) Act, of 2023, introduces a framework for the protection of personal data in India. Data fiduciaries are the entity that essentially determines the purpose and means of processing of personal data. The small-scale industries also fall within the ambit of the term. Startups/Small companies and Micro, Small, and Medium Enterprises (MSMEs) while determining the purpose of processing of personal data in the capacity of ‘data fiduciary’ are also required to comply with the DPDP Act provisions. The obligations set for the data fiduciary will apply to them unilaterally, though compliance with this Act and can be challenging due to resource constraints and limited expertise in data protection.
DPDP Act, 2023 Section 17(3) gives power to the Central Government to exempt Startups from being obligated to comply with the Act, taking into account the volume and nature of personal data processed. It is the nation's first standalone law on data protection and privacy, which sets forth strict rules on how data fiduciaries can collect and process personal data, focusing on consent-based mechanisms and personal data protection. Small-scale industries are given more time to comply with the DPDP Act. The detailed provisions to be notified in further rulemaking called ‘DPDP rules’.
Obligations on Data Fiduciary under the DPDP Act, 2023
The DPDP Act focuses on processing digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. Hence, small-scale industries also need to comply with provisions aimed at protecting digital personal data.
The key requirements to be considered:
- Data Processing Principles: Ensuring that data processing is done lawfully, fairly, and transparently. Further, the collection and processing of personal data is only for specific, clear, and legitimate purposes and only the data necessary for the stated purpose. Ensuring that the data is accurate and up to date is also necessary. An important part is that the data is not retained longer than necessary and appropriate security measures are taken to protect the said data.
- Consent Management: Clear and informed consent should be obtained from individuals before collecting their personal data. Further, individuals have the option to withdraw their consent easily.
- Rights of Data Principals: Data principals (individuals) whose data is being collected have the right to Information, the right to correction and erasure of data, the right to grievance redressa, Right to nominate.the right to access, correct, and delete their personal data. Data fiduciaries need to be mindful of mechanisms to handle requests from data principals regarding their concerns.
- Data Breach Notifications: Data fiduciaries are required to notify the data protection board and the affected individuals in case a data breach has occurred.
- Appropriate technical and organisational measures: A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.Cross-border Data Transfers: Compliance with regulations in relation to the transfer of personal data outside of India should be ensured.
Challenges for Small Scale Industries for the DPDP Act Compliance
While small-scale industries have high aims for their organisational growth and now in the digital age they also need to place reliance on online security measures and handling of personal data, with the DPDP act in the picture it becomes an obligation to consider and comply with. As small-scale industries including MSMEs, they might face certain challenges in fulfilling these obligations but digital data protection measures will also boost the competitive market and customer growth in their business. Bringing reforms in methods aimed at better data governance in today's digital era is significant.
One of the major challenges for small-scale industries could be ensuring a skilled workforce that understands and educates internal stakeholders about the DPDP Act compliances. This could undoubtedly become an additional burden.
Further, the limited resources can make the implementation of data protection, which is oftentimes complex for a layperson in the case of a small-scale industry, difficult to implement. Limitations in resources are often financial or human resources.
Cybersecurity, cyber awareness, and protection from cyber threats need some form of expertise, which is lacking in small enterprises. The outsourcing of such expertise is a decision that is sometimes taken too late, and some form of harm can take place between the periods by which an incident can occur.
Investment in the core business or enterprise many times doesn't include technology other than the basic requirements to run the business, nor towards ensuring that the data is secure and all compliances are met. However, in the fast-moving digital world, all industries need to be mindful of their efforts to protect personal data and proper data governance.
Recommendations
To ensure the proper and effective personal data handling practices as per the provisions of the act, the small companies/startups need to work backend and frontend and ensure that they take adequate measures to comply with the act. While such industries have been given more time to ensure compliance, there are some suggestions for them to be compliant with the new law.
Small companies can ensure compliance with the DPDP Act by implementing robust data protection policies, investing in and providing employee training on data privacy, using age-verification mechanisms, and adopting privacy-by-design principles. Conduct a gap analysis to identify areas where current practices fall short of DPDP Act requirements. Regular audits, secure data storage solutions, and transparent communication with users about data practices are also essential. Use cost-effective tools and technologies for data protection and management.
Conclusion
Small-scale industries must take proactive steps to align with the DPDP Act, 2023 provisions. By understanding the requirements, leveraging external expertise, and adopting best practices, small-scale industries can ensure compliance and protect personal data effectively. In the long run, complying with the new law would lead to greater trust and better business for the enterprises, resulting in a larger revenue share for them.
References
- https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1959161
- https://www.financialexpress.com/business/digital-transformation-dpdp-act-managing-data-protection-compliance-in-businesses-3305293/
- https://economictimes.indiatimes.com/tech/technology/big-tech-coalition-seeks-12-18-month-extension-to-comply-with-indias-dpdp-act/articleshow/104726843.cms?from=mdr
Executive Summary:
This report deals with a recent cyberthreat that took the form of a fake message carrying a title of India Post which is one of the country’s top postal services. The scam alerts recipients to the failure of a delivery due to incomplete address information and requests that they click on a link (http://iydc[.]in/u/5c0c5939f) to confirm their address. Privacy of the victims is compromised as they are led through a deceitful process, thereby putting their data at risk and compromising their security. It is highly recommended that users exercise caution and should not click on suspicious hyperlinks or messages.
False Claim:
The fraudsters send an SMS stating the status of delivery of an India Mail package which could not be delivered due to incomplete address information. They provide a deadline of 12 hours for recipients to confirm their address by clicking on the given link (http://iydc[.]in/u/5c0c5939f). This misleading message seeks to fool people into disclosing personal information or compromising the security of their device.
The Deceptive Journey:
- First Contact: The SMS is sent and is claimed to be from India Post, informs users that due to incomplete address information the package could not be delivered.
- Recipients are then expected to take action by clicking on the given link (http://iydc[.]in/u/5c0c5939f) to update the address. The message creates a panic within the recipient as they have only 12 hours to confirm their address on the suspicious link.
- Click the Link: Inquiring or worried recipients click on the link.
- User Data: When the link is clicked, it is suspected to launch possible remote scripts in the background and collect personal information from users.
- Device Compromise: Occasionally, the website might also try to infect the device with malware or take advantage of security flaws.
The Analysis:
- Phishing Technique: The scam allures its victims with a phishing technique and poses itself as the India Post Team, telling the recipients to click on a suspicious link to confirm the address as the delivery package can’t be delivered due to incomplete address.
- Fake Website Creation: Victims are redirected to a fraudulent website when they click on the link (http://iydc[.]in/u/5c0c5939f) to update their address.
- Background Scripts: Scripts performing malicious operations such as stealing the visitor information, distributing viruses are suspected to be running in the background. This script can make use of any vulnerability in the device/browser of the user to extract more info or harm the system security.
- Risk of Data Theft: This type of fraud has the potential to steal the data involved because it lures the victims into giving their personal details by creating fake urgency. The threat actors can use it for various illegal purposes such as financial fraud, identity theft and other criminal purposes in future.
- Domain Analysis: The iydc.in domain was registered on the 5th of April, 2024, just a short time ago. Most of the fraud domains that are put up quickly and utilized in criminal activities are usually registered in a short time.
- Registrar: GoDaddy.com, LLC, a reputable registrar, through which the domain is registered.
- DNS: Chase.ns.cloudflare.com and delilah.ns.cloudflare.com are the name servers used by Cloudflare to manage domain name resolution.
- Registrant: Apart from the fact that it is in Thailand, not much is known about the registrant probably because of using the privacy reduction plugins.
- Domain Name: iydc.in
- Registry Domain ID: DB3669B210FB24236BF5CF33E4FEA57E9-IN
- Registrar URL: www.godaddy.com
- Registrar: GoDaddy.com, LLC
- Registrar IANA ID: 146
- Updated Date: 2024-04-10T02:37:06Z
- Creation Date: 2024-04-05T02:37:05Z (Registered in very recent time)
- Registry Expiry Date: 2025-04-05T02:37:05Z
- Registrant State/Province: errww
- Registrant Country: TH (Thailand)
- Name Server: delilah.ns.cloudflare.com
- Name Server: chase.ns.cloudflare.com
Note: Cybercriminals used Cloudflare technology to mask the actual IP address of the fraudulent website.
CyberPeace Advisory:
- Do not open the messages received from social platforms in which you think that such messages are suspicious or unsolicited. In the beginning, your own discretion can become your best weapon.
- Falling prey to such scams could compromise your entire system, potentially granting unauthorized access to your microphone, camera, text messages, contacts, pictures, videos, banking applications, and more. Keep your cyber world safe against any attacks.
- Never reveal sensitive data such as your login credentials and banking details to entities where you haven't validated as reliable ones.
- Before sharing any content or clicking on links within messages, always verify the legitimacy of the source. Protect not only yourself but also those in your digital circle.
- Verify the authenticity of alluring offers before taking any action.
Conclusion:
The India Post delivery scam is an example of fraudulent activity that uses the name of trusted postal services to trick people. The campaign is initiated by using deceptive texts and fake websites that will trick the recipients into giving out their personal information which can later be used for identity theft, financial losses or device security compromise. Technical analysis shows the sophisticated tactics used by fraudsters through various techniques such as phishing, data harvesting scripts and the creation of fraudulent domains with less registration history etc. While encountering such messages, it's important to verify their authenticity from official sources and take proactive measures to protect both your personal information and devices from cyber threats. People can reduce the risk of falling for online scams by staying informed and following cybersecurity best practices.
