CS EP01: From Curiosity to Compromise – How Users Fall Into Cybercrime

Most of us believe we are too smart to be scammed. We know what a fake call sounds like. We know banks never ask for OTPs. We’ve watched enough crime dramas to recognise a trap being set. And yet, cybercrime in India grows by the hour. So what is really going on? That was the central question at the heart of Cyber Sunday Episode 1, the opening session of the digital awareness series from Project CyberShield, an initiative of Naksh Foundation. It featured distinguished guest speaker Mr. Tarun S., Senior Research Associate at Gujarat National Law University.

The session, titled “From Curiosity to Compromise: How Users Fall Into Cybercrime,” wasn’t just another safety lecture with a list of do’s and don’ts. It was something more unsettling and more useful: an honest look at the psychology behind why people fall for scams, and what we can do about it.

“People who fall for cyber scams are not stupid. They are manipulated.” - Mr. Tarun S.

Why Awareness Alone Isn’t Enough to Protect You From Cybercrime

Mr. Tarun opened by doing something refreshingly candid: he admitted that even he, someone who teaches cyber law, has come close to falling for a cyber attack. That honesty set the tone for the entire session. Cybercrime, he argued, is not primarily a technology problem. It is a human psychology problem.

He asked participants a simple question: if you received a phone call from someone claiming to be from your bank, alerting you to a suspicious transaction and asking for your details to stop it, what would you do? Almost everyone in the room said they would cut the call. And yet, this exact scenario plays out thousands of times a day across India, and countless people hand over their OTPs, account numbers, and personal data without blinking.

Why? The answer has a name: cognitive overload.

Cognitive Overload

The state in which a person’s mental bandwidth is so stretched by work, stress, distraction, or urgency that they cannot process new information rationally. This is precisely the state cyber criminals engineer before they strike.

Think about the last time you were in the middle of a deadline, juggling tasks, fielding messages, and then your phone rang. In that fractured state of attention, your capacity for critical thinking shrinks dramatically. A skilled scammer doesn’t need you to be gullible. They just need to catch you when your mind is elsewhere.

There is also research to back this up. A widely cited Stanford study found that most cyberattacks are deliberately timed for Friday evenings. The reason is calculated: it’s the end of the workweek, people are mentally depleted, and, crucially, banks are closed for the next two days. Furthermore, this gives fraudsters a 48-hour window before any financial institution can respond or help.

The Foundation of Cybercrime Awareness: What Is Social Engineering?

Before diving into the specific types of attacks, Mr. Tarun grounded everyone in the concept that underlies almost all of them: social engineering.

In cybersecurity, social engineering refers to the art of manipulating people into revealing confidential information or taking actions that compromise their own security. It is not about breaking into systems through code. It is about breaking into people through conversation, trust, and carefully constructed pressure.

The attacker builds a believable identity. They use pieces of your real information (your name, your bank’s name, the last four digits of your account number) to establish credibility. Then they manufacture urgency. Then they offer to help. By the time they ask for anything from you, you’ve already mentally placed them in the category of “trusted”.

That architecture of manipulation is the starting point for every cyber scam that follows.

Six Social Engineering Attacks You Need to Recognise

Mr. Tarun walked through six of the most common and most dangerous forms of social engineering attacks used by cybercriminals. Each one felt familiar once explained, which made the lesson hit harder.

Each of these attack types has been responsible for real, devastating losses: financial, reputational, and emotional. The 2011 Operation Trident Tribunal, led by the FBI with participation from the UK and Australia, revealed a gang that had sold USD 72 million worth of fake security software to unsuspecting users worldwide. That is the scale of what scareware can achieve when it finds the right targets at the right moment.

The Problem Nobody Talks About: Sextortion and Fake Profiles

One of the most difficult topics raised in the session, and one that is becoming increasingly common, is the use of fake profiles for emotional manipulation and extortion. Participants described scenarios in which someone befriends a target online, builds intimacy over time, and then uses shared private images or conversations as blackmail. Sometimes the profile was entirely fabricated. Sometimes a group of people collaborated to create it.

This kind of crime sits at the intersection of cyber fraud and emotional abuse, and its consequences are severe, not only financially but also in terms of mental health and personal dignity. Mr. Tarun’s point here was firm: the victim is never at fault. The manipulation is designed to be convincing. What matters is knowing where to report it and acting quickly.

He also flagged the growing risk on matrimonial and dating platforms. The promise of connection is one of the most effective baits in existence, and cyber criminals exploit it with precision.

AI-Driven Cybercrime: The Emerging Threat

One of the most forward-looking moments of the session came when participants raised the issue of AI-driven cyberattacks. Artificial intelligence is rapidly lowering the barrier for scammers. Voice cloning, deepfake video, AI-generated phishing emails that are grammatically flawless: these are no longer science fiction. They are tools being deployed right now.

Mr. Tarun acknowledged this candidly: the same technologies being built to protect people are being weaponised against them. Vigilance needs to evolve in tandem with the threats. Understanding what is real in a digital communication, whether a voice, an image, or a message, is becoming one of the most important skills of modern life.

Your Digital Footprint Is Permanent, So Manage It

A recurring theme throughout the session was the concept of the digital footprint: every comment you make, every location you tag, every “like” you leave, every photograph you post. Some of this is active (things you consciously share); some is passive (data collected without your direct awareness). Together, they paint a detailed portrait of who you are, where you live, what you do, and what you care about.

Cyber criminals don’t need sophisticated hacking tools to learn a great deal about you. Your public Instagram account, especially if you’re a content creator or influencer, can tell someone your daily routine, your home neighbourhood, your financial habits, and your emotional vulnerabilities. The session wasn’t a call to quit social media. It was a call to be deliberate about what you share, and to regularly audit what’s publicly visible about you.

India’s recent legislation, the Digital Personal Data Protection Act (DPDPA) 2023, introduces important new rights, including the right to erasure (sometimes called the “right to be forgotten”). But law takes time. The most immediate protection you have is your own awareness and restraint.

What Can You Do? Seven Practical Steps

  1. Never open suspicious emails: Even opening a phishing email, without clicking anything, can sometimes expose you. Delete anything that feels off, without engaging.
  2. Enable Multi-Factor Authentication (MFA): It adds friction for attackers even if they have your password. Write down your backup codes somewhere safe if you struggle to remember them.
  3. Be sceptical of tempting offers: If something seems remarkably generous (a freebie, a reward, a deal that needs “just your details”), pause. That pause can save you.
  4. Audit your social media regularly: Limit personal information on public profiles. Be mindful of location, routine, and anything that could be used to build a profile of you.
  5. Discard sensitive documents properly: Tear up or shred anything with account numbers, addresses, or personal identifiers before disposing of it. Dumpster diving is real.
  6. Keep all devices updated: Software updates aren’t just about new features; they contain critical security patches. This applies to your parents’ phones too.
  7. Back up your data regularly: Regular backups protect you from ransomware and accidental loss. Automate it so it requires no effort.

If It Happens to You, Report It

In addition to the above tips, what Mr. Tarun emphasised was this: report it. Cybercrime is massively under-reported, partly because victims feel embarrassed, partly because the process seems daunting. But reporting matters, both for your own case and to help identify patterns that protect others.

Closing Thought: The Goal Isn’t Fear, It’s Fluency

The first episode of Cyber Sunday didn’t aim to make anyone paranoid about the internet. It aimed to make participants fluent in how digital threats actually work, fluent enough to recognise them, name them, and resist them. That fluency begins with understanding that cybercrime is fundamentally about people, not technology. It exploits trust, urgency, distraction, and loneliness. And the most powerful counter-measure to all of those is awareness.

Project Cyber Shield believes that every person who learns to protect themselves online can protect dozens of others around them: family members, friends, colleagues who may never attend a session like this one. That is the mission. And Episode 1 was a strong beginning.
