Dozens of websites offering targeted marketing leads – ET CISO
The flight you took recently, the broadband connection you requested, the car insurance that is expiring soon, the apartment you sold, or even the mutual fund you invested in, are all turning into fair game for data collectors.
Such information can be exchanged for as little as Rs 150-Rs 300 by informants who sell such “datasets” to employees at call centres, BPOs, or telemarketers, an investigation by ET revealed.
Take the case of 22-year-old Rishabh Shukla (name changed), who reports at his desk at a telemarketing company at 9 a.m. every morning. He is given a sheet of 70-100 phone numbers of people who have recently sold, purchased or rented an apartment in one of Noida’s residential complexes.
The diligent Shukla calls these numbers day in and day out. Within a month, he identified 13 leads of customers who bought, sold or rented property through brokers. Shukla received an incentive of Rs. 5,000 in addition to his fixed salary of Rs. 8,000 per month for his efforts.
“But soon, this list started drying up, and I got used to the incentives,” said Shukla, adding that “I started going to every new apartment complex in Noida, tipped off the security guards, and took pictures of visitors’ registers to generate new leads.”
He then “sold this information to online real-estate platforms who would in turn provide these leads to interior designers, brokers, property dealers, housekeeping agencies, internet service providers.”
“I made close to Rs. 1.5 lakhs in three months because these were the most accurate leads in the market. Online companies sometimes paid me Rs. 10,000 for every dataset,” Shukla said.
Privacy Abuse
Digital privacy experts point to multiple sources of data leaks that feed this proliferating industry.
“Blatant data theft, disguised as lead generation, has become an organized industry,” said Dhiraj Gupta, CEO of digital fraud detection agency mFilterIt.
A simple Google search reveals dozens of websites offering targeted marketing leads for as little as Rs 120-Rs 300, often claiming to have generated these leads through “market research.” One can search and buy leads for specific cities or hire services for a particular project.
In highly competitive sectors, the stakes are even higher.
For example, if a user requests a data connection online from a service provider, the CRM (Customer Relationship Management) operator often sells the lead to a competitor for a commission.
Elsewhere, information is shared among group companies to cross-sell credit cards, loans, and mutual funds. Hospitality and travel providers share databases of guests, while delivery personnel, mobile recharge shops, and logistics providers act as data-mining hubs.
Legal Protection
Legal experts are of the view that such “unchecked flow of personally identifiable information will be largely curtailed with the new DPDP (Digital Personal Data Protection) Act.”
Shreya Suri, a partner at INDUSLAW, said, “With the DPDP Act holding violators accountable through penalties, data fiduciaries will need to be extremely cautious about managing and sharing personal data within their systems and third-party networks. Consent for unrelated purposes will no longer be conditional.”
Alkesh Kumar Sharma, former secretary of the IT Ministry and a key architect of the Act, pointed out that “the law places limitations on the purpose, time, and storage of data by fiduciaries, who will be accountable for any misuse without the data subject’s consent.”
However, full compliance with the DPDP Act could take two to three years.
A study by IDfy, an identity management solutions company, found that nine out of ten leading banks don’t even have a cookie consent manager on their websites.
Scamming the C Suite
Vishal Gondal, founder of GOQii, told ET that 7-8 members of his team were contacted via WhatsApp by someone impersonating him, claiming Gondal was stuck in London and needed money.
“The most shocking part was how the scammer knew who my immediate team members were and had their phone numbers,” Gondal said. He notes a clear pattern in the combined use of data, analytics, and AI by scammers.
“We can’t trust what we see or hear anymore. How does one verify identity now?” he asked.
upGrad founder Mayank Kumar said that impersonation among executives has become so common that his organization now runs mock drills—organized by the IT department—to train employees against such scams.
“They are like mock fire drills. A fake account is created to see who might fall for a scam, and those employees receive special training,” Kumar told ET.
AI Abuse
It takes just three seconds of audio to create a convincing voice clone and use it to defraud anyone. Over a dozen websites offer free voice cloning with up to 95% accuracy.
According to a recent survey by cybersecurity firm McAfee, nearly half (47%) of Indian adults have experienced or know someone who has experienced an AI voice scam—almost double the global average (25%).
Among those who were targeted, 83% of Indian victims reported losing money, with 48% losing over Rs. 50,000.
Looking ahead, McAfee predicts that AI-generated deepfake media will increase risks of identity theft, phishing, and cyberbullying by 2024.
“AI will augment how scammers use personal data. It won’t just be voice calls and SMS—multimedia formats like photos, videos, and audio will be used to create deepfake content, impersonating friends, family, or even CEOs,” said Prashant Mali, a cybersecurity and AI thought leader. “For more sophisticated phishing campaigns, AI can now write convincing emails and even generate malware code.”
Experts warn that the power of generative AI, which can skim multiple databases in seconds and create comprehensive data profiles, could push this problem beyond control.
Carl Pei, founder of smartphone brand Nothing, recently wrote, “A scammer AI generated my voice and left WhatsApp messages asking a leader on our team to wire money for an urgent project. Luckily, our payment processes caught this as designed.”
Another source of data access is the dark web. A simple search for any phone number can yield sensitive information like a person’s name, Aadhaar number, and address, thanks to numerous data breaches in the last three years.
Here’s how it works: “An average hacker sells fresh data on 1,000 people for around $100-$150. Multiple anonymous accounts then resell it until the price drops to $2-$5. Within days, the repository is available with several accounts, some even freely on the dark web,” mFilterIt’s Gupta explained.