Three Strike Rule To Eliminate Cybercrime

In his ET WEALTH column entitled If it seems too good to be true, it probably is, Dhirendra Kumar describes the following asymmetry between victims and perpetrators of cybercrime:

Individual victims – even when they are well-off and educated – are poorly equipped to detect fraud. The fraudsters are invariably well-experienced at what they’re doing because they have honed their skills on a large number of victims.

I admit that I had not thought of this point when I concluded my blog post Fraud v Scam: Who Is Liable For Cybercrime on the following note:

I wish there was a more pleasant way of putting it but the payor is inevitably the only person left holding the can for a cybertheft carried out via A2A RTP. At least until the cops nab the payee and recover the money from her after due legal process.

Dhirendra Kumar uses asymmetry to make a compelling argument to put the onus of preventing online scams and frauds on the regulator.

While I don’t disagree that there’s asymmetry in cybercrime, seeking government intervention is like inviting an elephant for lunch.

When you invite an elephant for lunch, it will not stop after eating what you have served. It will eat until it’s no longer hungry.

Marathi proverb

It’s not a secret that regulators are prone to overreach. As we’ve seen in the case of Two Factor Authentication, Emandate, and a slew of payment regulations in recent times, regulators tend to throw the baby out with the bath water. Left to themselves, regulators might actually ban all payments in order to stop cybercrime. Obviously, nobody wants that.

So, we need to be careful what we wish for vis-a-vis regulatory intervention in cybercrime.


While shaming victims may be politically incorrect, we cannot afford to gloss over the role of victims in the perpetration of cybercrime.

Let’s take the following “damsel in distress” account by a cybercrime victim for example:

@rakesh314 wished to order something. He looked up a nearby merchant establishment on Google and saw a telephone number. He called that number. The merchant told him that they were busy and asked him to place his order on WhatsApp and pay with UPI. He did that. The amount was three figures. He then got a phone call from the merchant asking him to complete a registration form before they could process the order. Said process asked him to make another transaction on Google Pay by punching in the merchant’s bill number. This time the amount was a few tens of thousands of rupees. By then, the OP cottoned on to the scam and asked the merchant to cancel the order and make the refund. The merchant refused. Net net, while he escaped a five figure scam, the OP got scammed out of three figures. He blames the Google UI for prominently displaying the merchant’s telephone number.

Twitter Thread

Parsing through the above sequence of events, I can spot many acts of gross negligence by the OP.

One, despite claiming to be security-conscious, the OP did exactly what security practitioners have warned people not to do for years.

Visit ecommerce, online banking, stock trading, and other frequently visited websites by directly entering their respective URLs in the browser address bar. Don’t Google them. If you do, your search results might contain ads from imposters. By using phishing techniques, they can harvest your login credentials and steal your money / stocks or defraud you in some other way. In an egregious case of fraud highlighted in Never Ending Search For End Of Google Search, many people lost all their bitcoins when they Googled “blockchain wallet” and clicked on the first entry instead of directly visiting blockchain.info, the URL of a leading cryptowallet.

Ten Ways To Protect Yourselves From Fraud

Two, any business that displays its telephone number prominently on Google SERP and then tells its customers that it’s too busy to take orders via phone should set off an alarm. It doesn’t matter whether it’s a saint or a scamster – it should simply not be worthy of your business. Anyone with an iota of business savvy would have stopped at the very first step of the transaction and thereby nipped the scam in the bud.

Sorry to say but the cybercrime was enabled by these acts of negligence on the part of the victim. While he is entitled to legal recourse, there’s absolutely no case for holding Google and other third parties liable for this cybercrime.

Contrary to the impression you might get from their patronizing attitude towards people who are less tech savvy than themselves, nerds are more – not less – likely to fall for online scams if they think tech savviness is a license to suspend common sense.


Mindful of the need for regulation to be light touch and effectively curb victims’ negligence at the same time, I propose the following Three Strike Rule:

Three Strike Rule of Cybercrime Control

Strike 1: Stipulate that the bank or PSP should reimburse the victim for the first instance of an online scam, and compel the victim to undergo training on the proper use of online shopping and digital payments apps.

Strike 2: If the victim gets scammed a second time, suspend their use of these apps and put them on a Performance Improvement Program. Reinstate their access to the said apps only if they demonstrate the ability to use these apps safely.

Strike 3: Upon reinstatement, if the victim gets scammed a third time, bump them off digital payment apps altogether (they can continue to use shopping apps but must pay with cash on delivery).

While the diktat “Three Strikes And You’re Out” seems a bit harsh, I’d like to think that it strikes the right balance between the need to eradicate cybercrime on the one hand and the need to stop asking bank shareholders to endlessly compensate cybercrime victims on the other. If you can think of a better regulation, please feel free to share it in the comments below.