#FactCheck - Viral Video Claiming Snowfall Near Ambience Mall in Gurugram Is Misleading

Introduction

‍

In October 2024, when the comedian's phone rang, and the voice at the other end claimed to be a FedEx representative, comedian Ankita Shrivastav thought it was a simple issue of misdelivery or customer grievance. The caller said that a parcel in her name was detected being shipped to Iraq and contained illegal drugs. The phone was soon handed over to what appeared to be police personnel in uniform, and she was told that she was under investigation and placed under a so-called digital arrest. For seven hours, she was ordered not to disconnect the call, leave her home, or contact anyone. Through fear, authority, constant surveillance, and psychological pressure, the scammers coerced her into transferring ₹9 lakh in the FedEx parcel scam.

This is the anatomy of one of India's fastest-spreading cyber frauds, and it is costing victims everything.

‍

The Modus Operandi

‍

The most concerning part is the sheer consistency of the script. It usually starts with an unsolicited call, made on a spoofed number that could show up as a legitimate courier or government agency. The caller acts as a FedEx/DTDC executive and claims that a parcel dispatched in the victim’s name to either Taiwan, Iraq, Thailand, or Cambodia has been intercepted and contains drugs, forged passports, or fake credit cards.

As the victim tries to establish that they have no knowledge of this, the scammers smoothly shift the conversation to someone must have impersonated the victim’s Aadhaar number. The victim is now both accused and victim and, therefore, more easily manipulated.

The call is "transferred" to a fake NCB officer or cybercrime cell official. The victim sees a person dressed in uniform seated behind a mock police station set with official-looking documents scattered on the desk. A fake arrest warrant that carries the victim’s real name, address, and Aadhaar number, presumably acquired from stolen databases, is presented to the victim.

This is what the scammers call the "digital arrest." The victim is commanded not to move from the camera, nor leave the house, nor speak to anybody. Scammers take turns monitoring the call, who eventually ask the victim to transfer cash into a "secure government account" for RBI or CBI verification. 

‍

The Psychology of Fear

‍

"The art of scamming is psychological rather than technological," journalist and author Soumya Gupta opines. The scammers use two deeply primal fears: the fear of the police and the fear of social disgrace. Their victims are manipulated into believing that ending the call is tantamount to pleading guilty and that confessing to friends and family will only exacerbate their current circumstances. The victims' isolation is deliberately induced and combined with fatigue and disorientation.

"From a young age, we are taught to be scared of the police and not to question them,” comedian Ankita Shrivastav, who fell victim in October 2024, explains that childhood condition silenced the alarm bells ringing in my head. Shrivastav admitted that her fear of damage to her reputation made her more susceptible to the scam.

‍

The Human Cost

‍

The FedEx parcel scam is targeting everyone, irrespective of age, income, background, or education. Victims of this scam show the kind of different people they are: A 70-year-old veteran journalist was psychologically tortured for eight days in Bangalore, losing 1.2 crores, whereas a 61-year-old retired executive of a multinational was video watched for almost a fortnight in Bangalore, losing 9.14 crores, and additionally, a 25-year-old woman lost 10 lakhs through a video call scam in Coimbatore.

Such a varied mix of victims in such different cases suggests how hard it is to stereotype the ones being swindled: there can be individuals of different age groups ranging from 25 to 70 years old, both educated and non-educated.

‍

Why the Scam Is Spreading?

‍

This FedEx parcel scam is a result of a highly industrialised, sophisticated cybercrime system. The National Cyber Crime Reporting Portal records over 45,000 complaints tagged as specifically 'courier-impersonation fraud' in 2024 alone, where a 1,200-crore loss was registered in that category. 

This scam is powered by stolen Personal Identifiable Information (PII), illegally gathered by scammers through compromised e-commerce stores and rogue registry sites. This data enables the scammers to personalise and tailor the conversation to each individual to make it more believable. Furthermore, fake arrest warrants can be produced within minutes using official-looking templates, and the scammers utilise AI voice cloning and deep-fake videos of government officials. Vast networks of call centres (some based out of India and some overseas, including scam compounds in Cambodia and Myanmar) operate this scam with teams working in shifts. Money is quickly laundered into accounts of 'mule' account holders and quickly into cryptocurrency wallets. Post 24 hours of receiving the funds, recovering money is nearly impossible.

‍

What You Must Do If You Get This Call?

‍

One should always remember: no genuine government official will ever carry out an arrest over a video call. There is no "digital arrest," and this process has absolutely no basis in Indian law. If you do get such a call:

• Cut the call immediately: The scammers have you where they want you if you stay on the line. It is not illegal to hang up on them.
• Do not transfer money under threat or compulsion: No authentic investigative process ever requires you to move money to a "secure government account."
• Never share: your Aadhaar details, bank details, OTP, or passwords with anyone you speak to on the phone.
• Do not provide video statements: Whatever you say can be recorded and used to blackmail you further.
• Verify information independently: Call FedEx India (1800-22-6161) or any courier company using numbers from their official website, never numbers provided to you by the caller.
• Lock: your UPI, cards and Aadhaar biometrics instantly if you feel you have shared information with them.
• Call: 1930 within an hour of money transfer. The rate of recovery is 40-60% within one hour and less than 5% after 24 hours.
• File a complaint at cybercrime.gov.in and an FIR at your local cyber police station.
• Tell someone: Isolation is the scammer's greatest tool. Breaking it breaks the scam

‍

Conclusion

‍

The FedEx parcel scam is also based on a very basic human reaction: the fear of being accused, the urge to obey any figure that represents authority, and the desire to avoid public humiliation. It is designed to skip any part of the brain that may be used to rationalise anything. The only real prevention is to realise, before answering, that the call is never about the FedEx parcel, never from FedEx.

‍

References

‍

• https://www.aol.com/news/fedex-says-parcel-drugs-scam-220400617.html
• https://righttoinformation.wiki/fedex-courier-scam-recovery
• https://www.thenewsminute.com/karnataka/beware-of-fedex-scam-bengaluru-journalist-loses-rs-12-crore
• https://www.digit.in/news/general/coimbatore-woman-loses-rs-10-lakh-in-shocking-courier-scam-heres-what-happened.html
• https://www.deccanherald.com/india/fedex-courier-scam-a-tale-of-terror-trickery-and-deceit-2804802
• https://www.deccanherald.com/india/karnataka/bengaluru/fedex-frauds-con-scared-retiree-of-rs-9-crore-2810169
• https://www.deccanherald.com/india/karnataka/bengaluru/fedex-frauds-hold-woman-in-digital-captivity-for-8-days-2848168
• https://www.deccanherald.com/india/karnataka/bengaluru/how-to-fight-fedex-courier-scam-2836566
• https://www.businesstoday.in/india/story/fedex-scam-lawyer-blackmailed-424883-2024-04-09
• https://www.ncrb.gov.in/uploads/files/2CrimeinIndia2024-VolumeII.pdf‍
• https://www.newsmobile.in/fraud-and-scam/indian-comedian-falls-victim-to-fedex-digital-arrest-scam-loses-rs-9-lakh/
  

Introduction:

Welcome to the third edition of our blog on digital forensics series. In our previous blog we discussed the difference between copying, cloning, and imaging in the context of Digital Forensics, and found out why imaging is a better process. Today we will discuss the process of evidence collection in Digital Forensics. The whole process starts with making sure the evidence collection team has all necessary tools required for the task.

Investigating Tools and Equipment:

Below are some mentioned tools that the team should carry with them for a successful evidence collection:

• Anti-static bags
• Faraday bags
• Toolkit having screwdrivers(nonmagnetic), scissors, pins, cutters, forceps, clips etc.
• Rubber gloves
• Incident response toolkit (Software)
• Converter/Adapter: USB, SATA, IDE, SCSI
• Imaging software
• Volatile data collection tools (FTK Imager, Magnet Forensics RAM Capture)
• Pens, permanent markers
• Storage containers
• Batteries
• Video cameras
• Note/sketch pads
• Blank storage media
• Write-Blocker device
• Labels
• Crime scene security tapes
• Camera

What sources of Data are necessary for Digital Evidence?

• Hard-Drive (Desktop, Laptop, External, Server)
• Flash Drive
• SD Cards
• Floppy Disks
• Optical Media (CD, DVD)
• CCTV/DVR
• Internal Storage of Mobile Device
• GPS (Mobile/Car)
• Call Site Track (Towers)
• RAM

‍

‍

Evidence Collection

The investigators encounter two primary types of evidence during the course of gathering evidence: non-electronic and electronic evidence.

The following approaches could be used to gather non-electronic evidence:

• In the course of looking into electronic crimes, recovering non-electronic evidence can be extremely important.  Be cautious to make sure that this kind of evidence is retrieved and kept safe. Items that may be relevant to a later review of electronic evidence include passwords, papers or printouts, calendars, literature, hardware and software manuals, text or graphical computer printouts, and photos.  These items should be secured and kept for further examination.
• They are frequently found close to the computer or other related hardware.  Locating, securing, and preserving all evidence is required by departmental procedures.

Three scenarios arise for the collection of digital evidence from computers: 

Situation 1: The desktop is visible, and the monitor is on.

• Take a picture of the screen and note the data that is visible. 
• Utilize tools for memory capturing to gather volatile data.
• Look for virtual disks. If so, gather mounted data's logical copies.
• Give each port and connection a label.
• Take a picture of them.
• Turn off network access to stop remote access.
• Cut off the power or turn it off.
• Locate and disconnect the hard drive by opening the CPU chassis.
• Take all evidence and place it in anti-magnetic (Faraday) bags.
• Deliver the evidence to the forensic lab.
• Keep the chain of custody intact.

Situation 2: The monitor is turned on, but it either has a blank screen (sleep mode) or an image for the screensaver.

• Make a small mouse movement (without pressing buttons). The work product should appear on the screen, or it should ask for a password.
• If moving the mouse does not result in a change to the screen, stop using the mouse and stop all keystrokes.
• Take a picture of the screen and note the data that is visible.
• Use memory capturing tools to gather volatile data (always use a write blocker to prevent manipulation during data collection).
• Proceed further in accordance with Situation 1.

Situation 3: The Monitor Is Off

• Write down the "off" status.
• After turning on the monitor, check to see if its status matches that of situations 1 or 2 above, and then take the appropriate action.
• Using a phone modem, cable, confirm that you are connected to the outside world. Try to find the phone number if there is a connection to the phone.
• To protect evidence, take out the floppy disks that might be there, package each disk separately, and label the evidence.  Put in a blank floppy disk or a seizure disk, if one is available. Avoid touching the CD drive or taking out CDs.
• Cover the power connector and every drive slot with tape.
• Note the serial number, make, and model.
• Take a picture of the computer's connections and make a diagram with the relevant cables.
• To enable precise reassembly at a later date, label all connectors and cable ends, including connections to peripheral devices. Put "unused" on any connection ports that are not in use.  Recognize docking stations for laptop computers in an attempt to locate additional storage media.
• All evidence should be seized and placed in anti-magnetic (Faraday) bags.
• All evidence should be seized and placed in anti-magnetic (Faraday) bags.
• Put a tag or label on every bag.
• Deliver the evidence to the forensic lab.
• Keep the chain of custody intact. 

Following the effective gathering of data, the following steps in the process are crucial: data packaging, data transportation, and data storage.

The following are the steps involved in data packaging, transportation, and storage:

Packaging:

• Label every computer system that is gathered so that it can be put back together exactly as it was found

When gathering evidence at a scene of crime,

• Before packing, make sure that every piece of evidence has been appropriately  labeled and documented.
• Latent or trace evidence requires particular attention, and steps should be taken to preserve it.
• Use paper or antistatic plastic bags for packing magnetic media to prevent static electricity. Do not use materials like regular plastic bags (instead use faraday bags) that can cause static electricity. 
• Be careful not to bend, fold, computer media like tapes, or CD-ROM.
• Make sure that the labels on every container used to store evidence are correct.

Transporting

• Make sure devices are not packed in containers and are safely fastened inside the car to avoid shock and excessive vibrations. Computers could be positioned on the floor of the car,and monitors could be mounted on the seat with the screen down .

When transporting evidence—

• Any electronic evidence should be kept away from magnetic sources.  Radiation transmitters, speaker magnets, and heated seats are a few examples of items that can contaminate electronic evidence.
• Avoid leaving electronic evidence in your car for longer than necessary. Electronic devices can be harmed by extremes in temperature, humidity.
• Maintain the integrity of the chain of custody while transporting any evidence.

Storing

• Evidence should be kept safe and away from extremes in humidity and temperature. Keep it away from dust, moisture, magnetic devices, and other dangerous impurities.  Be advised that extended storage may cause important evidence—like dates, times, and system configurations—to disappear. Because batteries have a finite lifespan, data loss may occur if they malfunction. Whenever the battery operated device needs immediate attention, it should be informed to the relevant authority (eg., the chief of laboratory, the forensic examiner, and the custodian of the evidence). 

CONCLUSION:

Thus, securing the crime scene to packaging, transportation and storage of data are the important steps in the process of collecting digital evidence in forensic investigations. Keeping the authenticity during the process along with their provenance is critical during this phase. It is also important to ensure the admissibility of evidence in legal proceedings. This systematic approach is essential for effectively investigating and prosecuting digital crimes.

‍

Introduction

Assisted Reproductive Technology (“ART”) refers to a diverse set of medical procedures designed to aid individuals or couples in achieving pregnancy when conventional methods are unsuccessful. This umbrella term encompasses various fertility treatments, including in vitro fertilization (IVF), intrauterine insemination (IUI), and gamete and embryo manipulation. ART procedures involve the manipulation of both male and female reproductive components to facilitate conception.

The dynamic landscape of data flows within the healthcare sector, notably in the realm of ART, demands a nuanced understanding of the complex interplay between privacy regulations and medical practices. In this context, the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011, play a pivotal role, designating health information as "sensitive personal data or information" and underscoring the importance of safeguarding individuals' privacy. This sensitivity is particularly pronounced in the ART sector, where an array of personal data, ranging from medical records to genetic information, is collected and processed. The recent Assisted Reproductive Technology (Regulation) Act, 2021, in conjunction with the Digital Personal Data Protection Act, 2023, establishes a framework for the regulation of ART clinics and banks, presenting a layered approach to data protection.

A note on data generated by ART

Data flows in any sector are scarcely uniform and often not easily classified under straight-jacket categories. Consequently, mapping and identifying data and its types become pivotal. It is believed that most data flows in the healthcare sector are highly sensitive and personal in nature, which may severely compromise the privacy and safety of an individual if breached. The Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (“SPDI Rules”) categorizes any information pertaining to physical, physiological, mental conditions or medical records and history as “sensitive personal data or information”; this definition is broad enough to encompass any data collected by any ART facility or equipment. These include any information collected during the screening of patients, pertaining to ovulation and menstrual cycles, follicle and sperm count, ultrasound results, blood work etc. It also includes pre-implantation genetic testing on embryos to detect any genetic abnormality. 

But data flows extend beyond mere medical procedures and technology. Health data also involves any medical procedures undertaken, the amount of medicine and drugs administered during any procedure, its resultant side effects, recovery etc. Any processing of the above-mentioned information, in turn, may generate more personal data points relating to an individual’s political affiliations, race, ethnicity, genetic data such as biometrics and DNA etc.; It is seen that different ethnicities and races react differently to the same/similar medication and have different propensities to genetic diseases. Further, it is to be noted that data is not only collected by professionals but also by intelligent equipment like AI which may be employed by any facility to render their service. Additionally, dissemination of information under exceptional circumstances (e.g. medical emergency) also affects how data may be classified. Considerations are further nuanced when the fundamental right to identity of a child conceived and born via ART may be in conflict with the fundamental right to privacy of a donor to remain anonymous. 

Intersection of Privacy laws and ART laws: 

In India, ART technology is regulated by the Assisted Reproductive Technology (Regulation) Act, 2021 (“ART Act”). With this, the Union aims to regulate and supervise assisted reproductive technology clinics and ART banks, prevent misuse and ensure safe and ethical practice of assisted reproductive technology services. When read with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other ancillary guidelines, the two legislations provide some framework regulations for the digital privacy of health-based apps.

The ART Act establishes a National Assisted Reproductive Technology and Surrogacy Registry (“National Registry”) which acts as a central database for all clinics and banks and their nature of services. The Act also establishes a National Assisted Reproductive Technology and Surrogacy Board (“National Board”)  under the Surrogacy Act to monitor the implementation of the act and advise the central government on policy matters. It also supervises the functioning of the National Registry, liaises with State Boards and curates a code of conduct for professionals working in ART clinics and banks. Under the DPDP Act, these bodies (i.e. National Board, State Board, ART clinics and banks) are most likely classified as data fiduciaries (primarily clinics and banks), data processors (these may include National Board and State boards) or an amalgamation of both (these include any appropriate authority established under the ART Act for investigation of complaints, suspend or cancellation of registration of clinics etc.) depending on the nature of work undertaken by them. If so classified, then the duties and liabilities of data fiduciaries and processors would necessarily apply to these bodies. As a result, all bodies would necessarily have to adopt Privacy Enhancing Technologies (PETs) and other organizational measures to ensure compliance with privacy laws in place. This may be considered one of the most critical considerations of any ART facility since any data collected by them would be sensitive personal data pertaining to health, regulated by the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (“SPDI Rules 2011”). These rules provide for how sensitive personal data or information are to be collected, handled and processed by anyone.

The ART Act independently also provides for the duties of ART clinics and banks in the country. ART clinics and banks are required to inform the commissioning couple/woman of all procedures undertaken and all costs, risks, advantages, and side effects of their selected procedure. It mandatorily ensures that all information collected by such clinics and banks to not informed to anyone except the database established by the National Registry or in cases of medical emergency or on order of court. Data collected by clinics and banks (these include details on donor oocytes, sperm or embryos used or unused) are required to be detailed and must be submitted to the National Registry online. ART banks are also required to collect personal information of donors including name, Aadhar number, address and any other details. By mandating online submission, the ART Act is harmonized with the DPDP Act, which regulates all digital personal data and emphasises free, informed consent.

Conclusion

With the increase in active opt-ins for ART, data privacy becomes a vital consideration for all healthcare facilities and professionals. Safeguard measures are not only required on a corporate level but also on a governmental level. It is to be noted that in the 262 Session of the Rajya Sabha, the Ministry of Electronics and Information Technology reported 165 data breach incidents involving citizen data from January 2018 to October 2023 from the Central Identities Data Repository despite publicly denying. This discovery puts into question the safety and integrity of data that may be submitted to the National Registry database, especially given the type of data (both personal and sensitive information) it aims to collate. At present the ART Act is well supported by the DPDP Act. However, further judicial and legislative deliberations are required to effectively regulate and balance the interests of all stakeholders.

References

• The Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011
• Caring for Intimate Data in Fertility Technologies https://dl.acm.org/doi/pdf/10.1145/3411764.3445132 
• Digital Personal Data Protection Act, 2023
• https://www.wolterskluwer.com/en/expert-insights/pharmacogenomics-and-race-can-heritage-affect-drug-disposition