Skip to content Skip to footer

Fake International Package Delivery Scam: Beware of Police Impersonation Fraud, Fake Drug Packages and Money Extortion

Fake Drug Packages and Money Extortion

This article is written by Ms. Radhika Tapkir (Intern at Netlawgic Legal)




·     The Modus Operandi

·     What Baffle the Law Enforcement and Banking Authorities?


·     The Indian Penal Code, 1860

·     The Information Technology Act, 2000


·     Identify such scams

·     Protect Yourself and Your Money

·     Understanding Various RBI Guidelines

·     Reporting the Cyber Fraud to Authorities

·     Legal Advice and Remedy


·     The Actions of the Authorities

·     Suggestions for the RBI and Banks


I.              INTRODUCTION

A new cyber scam has rocked the daily lives of Indian citizens since last year. There has been an increase in the frequency of how this scam has spread and is now being targeted at a specific group, i.e. the IT industry professionals. This cyber scam is being referred to as the ‘fake courier’ or the ‘drugs in parcel’[1] fraud.

Cyber fraudsters craftily manipulate innocent victims by impersonating fake courier delivery officials and fake police officers/law enforcement members. This has led to multiple people suffering financial losses worth crores[2], leading to further mental agony and harassment. Furthermore, the emotional trauma inflicted not only on the victim but the family of the victim cannot be ignored, as losing money to such a scam is a sensitive matter.

II.            HOW IT WORKS

The police imposters create a hyper-panic situation for the call receivers, manipulating them into sharing their bank details and personal identity credentials or straight-up demanding money to ‘clear’ their (the victim’s) name and to avoid arrest. This scam has a likeness to ‘vishing call’ scams.

·      The Modus Operandi

The Modus Operandi of the scammers is as follows –

1.     A hacker will call the victim posing as a courier delivery official from FedEx and BluDart, or as law enforcement officers of Cyber Cell or Narcotics Department.[3]

2.     The hacker will proceed to manipulate the victim and weave a scam story of how an international package[4] containing illegal goods (clothes, gold/silver/diamond jewellery, passports, credit cards, and forged documents, etc.), narcotics (drugs like fentanyl, MDMA, cocaine, etc.), and other goods are being shipped to a foreign country (Iran, Dubai, Thailand, Taiwan, Cambodia, and Malaysia, etc.) under their name. Or the victim is the receipt of such a parcel and the customs officials have seized it and the police have filed an FIR in their name with various charges being mentioned like money laundering, identity theft, drug trafficking and smuggling, and human trafficking, etc.[5]

3.     The victim feels panicked, denying the allegations and the questions, and goes into a state of shock upon hearing such details. The victims may be forced to do various untoward activities by the fraudsters as a way to blackmail to extort more money.[6]

4.     The hacker taking advantage of the fragile emotional and mental state of the victim (who might be at work or busy with something else) will tell them that the call is being transferred to the fake police officer. The call is transferred either directly or the victim is asked to join the fake police officer via Skype[7] call.

5.     The police imposter will ask the victim certain questions as a part of ‘police verification and investigation’. The imposter will further tell the victim to keep the current conversation confidential (and the victim usually agrees fearing public humiliation, damage to reputation and defamation).

6.     The police officer will inform them that their bank details and Aadhar card details were used for this illegal purpose.

7.     The fake police officer will provide details of the package –

a.     where it is being shipped to or from – the country;

b.     who are the sender and recipient – names, addresses, phone numbers, etc.;

c.     the contents of the package – drugs, jewellery, clothes, tools, etc.;

8.     Then, the police imposters will proceed to tell them about how an FIR has been registered in their name, and that CBI and RBI are also investigating the matter. There has been a warrant issued for their (victim’s) arrest. Additionally, they will send the warrant and any other notice issued (with the ‘official seal’ of RBI and CBI) to the WhatsApp of the victim or just show[8] it through the screen during the call.

9.     Then, the police officers proceed to ask for or demand details of bank account information, passwords and OTPs, PAN card, and Aadhar card, for RBI validation and investigation. The current general observation has been that after acquiring the details of the victims, the fraudsters proceed in either of the following fashion –

a.     the cyber fraudsters will use the details to issue a pre-approved digital loan in the name of the victim and ask them to transfer this ‘illegal’ fund to the RBI account; or

b.     transfer an initial amount, and tell the victim to transfer the said amount to the RBI account, and later the cyber fraudsters proceed to empty the victim’s accounts via multiple transactions; or

c.      simply threatening or demanding money from the victim under the guise of removal of the existing FIR, issuing the warrant of arrest, and stopping this news from spreading in their personal and professional circle.

10.  After 15-20 minutes later the police officer will call saying that there have been illegal money transfers in their account, and either they should withdraw all the money from their account or transfer the funds into an ‘RBI’ account. If not complied with then the RBI will freeze their account with charges of fraudulent transactions.

11.  The police imposters further ask for money to be transferred to them for the removal of the FIR and to stop the ongoing investigation.

·      What Baffle the Law Enforcement and Banking Authorities?

The modus opernadi of this ‘fake courier delivery’ or ‘drugs in parcel’ scam lies in the extensive network of the hackers/ cybercriminals. It is clear that the hackers and cyber fraudsters in this scam have an understanding of the of who the victim is and how to easily manipulate/distract them enough to snare them in their trap.

The law enforcement authorities and banking authorities are in a glitch due to lack of clarity concerning the accussed parties as there has been no clear set evidences linking them to the victim except phone numbers (call records), bank account details for transfer of funds and the Skype calls. But it has been found that such bank accounts are specifically opened by such criminals for fradulent transaction s and later abandoned or closed after completion of purpose.

Furthermore, the liability of customer and bank, negligence of the customer or not, the role of third parties need to defined in set terms.


The Indian legal system has robust legislation and infrastructure to tackle issues and offences of various types. Here is a look at the following legislations and their applicable provisions in such a scenario –

·      The Indian Penal Code, 1860 [9]

1.     Cheating: Section 415[10] of the Indian Penal Code, 1860 states ‘cheating’ to be an offence where any person has fraudulently induced a person to give consent for any transaction of delivery or retention of property that will cause damage or harm to the body, mind, reputation and property of that person, such an act is punishable[11] by imprisonment of 1 year or fine or both. But, a person can also cheat anyone by impersonating another person (real or imaginary)[12], such an act is punishable[13] by imprisonment of 3 years or a fine or both.

2.     Extortion: As per Section 383[14] and 385[15] of the Indian Penal Code, 1860, the act by any person who has been intentionally put in fear of any injury or such and induced to deliver property, valuable security or such is referred to as ‘extortion’. Such an act is punishable by imprisonment of term up to 3 years or a fine or both.[16]  

3.     Impersonation: As per Section 170[17] of the Indian Penal Code, 1860 impersonating a public officer or pretending to hold any public office by any individual is punishable with imprisonment of up to 2 years or a fine or both. Additionally, under Section 171[18] of the Indian Penal Code, 1860 doing so by wearing the garb (dress code/uniform) associated with that public officer or office position or carrying a token used by such an officer to make others believe his identity is punishable by imprisonment or fine or both.

4.     Forgery of Documents: As per Section 463[19] and Section 464[20] of the Indian Penal Code, 1860 states that if any person forges a physical and/or an electronic document or makes a false document to commit a fraudulent act or cause damage is ‘forgery’. Such a despicable act is punishable with an imprisonment term exceeding up to 2 years or with a fine or both.[21] Furthermore, if any such ‘forged document’[22] is used with an intent to cheat, then such an act can be punished with an imprisonment term of 7 years accompanied by a monetary penalty.[23]  

·      The Information Technology Act, 2000[24]

The Information Technology Act of 2000 was a revolutionary legislation in the Indian legal system. It has helped to shape the journey of cyber offences and how they are dealt with in India. However, there are several points where it fails to keep up with the new and innovative crimes devised by the tech-savvy and rampant cyber criminals.

1.     Identity Theft –  Cyber fraudsters often resort to ‘Identity Theft’[25] as a means to gain fraudulently or dishonestly other persons’ identity or information in regards to it.

2.     Cyber Fraud – Fraudsters could also resort to ‘manipulation of computer resources and networks’ for committing such scams. The magnitude of this scam has not yet been fully discovered. It can be assumed that it involves a network of cyber criminals based out of various locations either in India or internationally. As per the Information Technology Act of 2000, any person who commits any offence under Sections 43[26], 66[27], 66A[28], 66C and 66D[29], has committed an act punishable under this legislation with imprisonment up to 3 years with a monetary penalty, or both.

Such offences are a mix of traditional criminal and cyber offences, creating a new challenge not only for the judiciary but the cyber cell and bank officials to tackle.


·      Identify such scams

Here are the following steps you can to avoid being involved in such a scam –

1.       Be Suspicious and Trust Your Instincts – In case you get a call from an unknown number(s), be suspicious of the person conversing with you. They might pose as law enforcement authorities, bank officials or courier delivery officials. Be wary of the details being provided to you or asked of you. You understand yourself better if you know about never sending a parcel to any person abroad or otherwise or soliciting services of such package delivery companies, then you should always confirm with actual customer care of such companies instead of blindly trusting an unknown person contacting you in regards to a fake parcel and its illegal contents. Therefore, stay safe by trusting your instincts.

2.       Call Verification –  Always verify the caller’s number via an app, website or by contacting an actual police authority. The call verification can be done via apps like Truecaller, etc., nowadays messaging apps such as WhatsApp are being equipped with call verification features.

3.       Educate Family, Friends, and Employees –  Make sure your family members (especially the elders and children), and friends are aware of such scams that are rampant in society. Create awareness among your employees or place of work about keeping official documents and bank details confidential, and never reveal such sensitive information to anyone in any situation.

4.       FedEx Notice: On their official website, FedEx has put out instructions regarding this ‘drugs in parcel’ or ‘fake (international) courier delivery’ scam.[30]

5.       For further reference : Below is list of recent cases that have rocked the lives of various individuals across the country –

§  A Bengaluru based software engineer was scammed into giving Rs. 2.24 crores to the fraudsters in the ‘drugs in parcel’ scam. The victim got a call from the fake Delhi Customs and Narcotics Control Bureau officials claiming that there was a package with the victim’s name containing ’16 passports, 58 bank ATM cards, and 140 grams of ecstasy tablets’ being detained at the IGI Aiport, New Delhi.[31]

§  An IT professional based out of Pune aged 36-years old had a similar experience. The fraudster posed as courier official and informed her of the parcel being dispatched in her name via Mumbai to Iran. He then proceeded to tell her the contents of the package being 750 grams of MDMA, 5 Kg of clothes, laptop, credit cards, and passport. The fraudsters on the pretext of bank detail verification took her details and passwords and availed an insta loan of Rs.18.4 lakhs on her account.[32] Furthermore, another woman aged 28-years, in similar instance was asked to disrobe on Skype call for physical body mark verification by the fake police officials. They siphoned off $16.000 from her account.[33]

·      Protect Yourself and Your Money

Protecting your identity and personal information should be your top priority –

1.       Be Calm – Keep yourself calm and never rush to give away confidential information in haste.

2.       Always have Two-Factor Authentication or Multi-Factor Authentication – In the case of internet/digital banking via the official bank website or mobile application, always opt for two-factor or multifactor authentication to access your account. Never share such sensitive details with anyone. Such an authentication system ensures an extra layer of security to your account assets.

3.       Never Share Bank Details! – Your internet/digital banking passwords and OTPs are for your use and authentication, never leave them accessible to the general public or give them to anyone pretending to be a public officer.

4.       Access to your Internet Banking – Never share passwords, OTPs and any other login credentials of Internet banking with any stranger or person claiming to be a bank official, law enforcement official or otherwise.

5.       Activate SMS and E-mail notifications – Banks provide the service feature of getting notification alerts on your phone through SMS and on your laptop via E-mails regarding any activity – transactions, credits and debits, change in personal details, ATM transfers and transactions – directly to you. It’ll keep you informed and in sync with your bank activity. Any suspicious activity can be traced by banks on their networks or by you.

6.       Follow the Cooling-Off Period – While doing a transaction make sure the cooling-off period is prescribed by the bank for the transfer of funds, the addition of beneficiary/payee/third party, and issuance, disbursal, approval of digital loans, etc.  (in compliance with the RBI guidelines).

7.       No official documents should be shared – Official documents about your identity, bank account, property, etc. are not to be disclosed to anyone. Take precautions while even discussing such documents and their contents. Mostly scamsters target people who are gullible or vulnerable or easily manipulated/distracted to extract information such as your Aadhar number or PAN card number. Your debit card and credit card numbers, pins, CVV, etc. should not be shared with strangers.

8.       Use VPN – If possible, purchase a good and reputable VPN (Virtual Private Network) subscription that complies with the ‘VPN Directions of 2022’[34] to conduct your online activities. It’ll provide an added layer of security by protecting your geo-location access and the IP address from being tracked by unscrupulous cybercriminal groups.

9.       Always keep mobile and laptops up-to-date – Make sure your devices are up-to-date, and that all the security patches, apps, and software of the system are updated regularly and in sync with each other.

10.    Install anti-virus software – Always have an anti-virus software installed in your mobile and laptop. This can help your system be defended against phishing attacks, shady application installation, and online risks. Always prefer an anti-virus brand which is reliable as well as affordable.

·      Understanding Various RBI Guidelines

1.       Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions[35]  – Refer to point no. 7, 8, 9, 10 and 12 of this guideline.

§  Liability of the customer due to own negligence: Where the financial loss is due to the negligence of the customer, then the entire loss will be borne by the customer until he reports such an ‘unauthorised transaction’ to the bank. If any further transaction occurs after reporting to the bank, then the subsequent loss(es) will be borne by the bank.

§  Liability of customer in case of delay in Reporting: In case of no responsibility of the bank or the customer for the unauthorised transaction, the customer should report such incident to the bank within four to seven days of such happening. If there is a delay in reporting, the per-transaction liability will be limited to the transaction value /amount by the customer.

§  Limited Liability/Zero Liability of customer: The complaint and liability of the customer should be resolved within 90 days of receipt of any such complaint by the board of the bank. If no liability of the customer is established, then the customer shall be compensated as prescribed in the guideline.

§  Waive-off customer liability: Banks at their discretion may waive off any customer liability in case of unauthorised transactions even in cases of customer negligence.

§  Burden of Proof: The burden of proving customer liability rests on the bank in case of any unauthorised electronic banking transactions.

For further details, please refer to the complete guidelines available on the RBI website.

2.     Master Directions on Digital Payment and Security Controls[36] – The RBI issued this guideline in 2021 to ensure the security and governance of digital payment applications and methods. It ensures –

§  Digital payments and applications should have robust, secure and centralised authentication processes;

§  Banks or other Regulated Entities should have adequate checks and balances to ensure no non-genuine or unauthorised digital payment/transaction takes place on their end of the server’

§  Adoption of multi-factor authentication to combat cyber-attacks like phishing, keylogging, malware, other internet-based frauds, etc.

3.     Security and Risk Mitigation Measures for Electronic Payment Transactions[37] – This RBI circular had issued certain instructions that include security measures for card payment transactions. These instructions included –

§  Banks to install a mechanism for ‘velocity check on the number of transactions effected per day/per beneficiary’. This would have helped in monitoring even the slightest of suspicious operations/transactions in the bank account.

§  To implement digital signature’ for large value payments for all customers, especially for RTGS transactions.

§  ‘Capturing of Internet Protocol (IP) address’ as an additional validation check.

It is important to keep in mind that this particular notification was merely instructional in nature.

·      Reporting the Cyber Fraud to Authorities

In case of commission of fraud or any suspicion you should report to the appropriate authorities immediately –

1.   Inform the Bank – In case of any ‘unauthorised transactions’ or fraudulent/dishonest transactions or any suspicious activity should be immediately informed to the bank.

§ Make sure you block/cancel your credit and debit cards immediately, change the password to your Internet Banking account, or close your account to prevent further transactions.

§ Understand the various policies of your bank, such as their Privacy Policy, Cybersecurity Policy, Customer Relation Policy, etc. This will provide you with an understanding of your bank and how you as well as your data are being protected, accessed and utilised.

§ Your case should be investigated by the bank with utmost seriousness. If not resolved by the bank or if you are not satisfied with the findings of the investigation, you can escalate the matter to the Bank Ombudsman.

2.   Inform the Cyber Police (register a complaint or FIR) – Reach out to the Cyber Police Cell via –

§  National Cybercrime Helpline Number – 1930

§  National Cyber Crime Reporting Portal[38]

§  Or by referring to the list of Cyber Crime Cells as posted on the website of the RBI.[39]

·      Legal Advice and Remedy

The victim should approach or contact a cyber lawyer or office to get advice in regards to future legal steps, remedies, and reliefs available to him/her in such a scenario.

In case of the fault of the bank or a bank official or involvement of bank official(s) in such case, the victim can approach the District Consumer Redressal Forum, as the victim and the bank have a relationship akin to that of ‘customer’ and ‘service provider’ as per the Consumer Protection Act, 2019.

Otherwise, the case can be rereferred to District Court for further remedies.

V.            THE WAY FORWARD

·      The Actions of the Authorities

Various State Police have released social media creatives, advisories and guidelines on identifying and protecting oneself against such scams. Other measures should include –

1.     Understanding and cracking the modus operandi of this scam; and

2.     Training Police personnel in capturing such hackers quickly and efficiently;

3.     White-listing and Black-listing of websites or servers that might indicate cybercriminal/fraudulent activity.

·      Suggestions for the RBI and Banks

1.       RBI should address the increase in innovative cyber-financial scams and frauds annually, by reviewing, altering or strengthening the existing guidelines to better suit the changing dynamics between cyber criminals and victims.

2.       RBI has issued several guidelines and notifications regarding banks, customers, and intermediaries regarding maintaining complete transparency and safety while conducting any business or activity of a financial nature.

3.       Banks need to incorporate active measures to monitor such transactions better.

4.       Banks should implement measures in the form of geo-tagging and IP address-tracking, and monitoring for each digital transaction. Currently, geo-tagging of transactions is only done in the case of digital payments[40] and their software. The ‘Reconciliation Mechanism’ as mentioned in the ‘Master Directions on Digital Payment and Security Controls (RBI, 2021)’ should be elaborated extensively and modified to include other perspectives as well.

5.       Under the ‘Master Directions on Digital Payment and Security Controls (RBI, 2021)’ there is a mention of Regulated Entities ensuring ‘Device Binding’ of mobile applications. This feature can be further extended to its website as well, by sending notification to the registered phone number or email address the change in login device or in case of IP address this can also be implemented.

6.       There should be a system to ‘red flags’ or alert the banks and customers alike about any fraudulent transaction done via their accounts.


No matter how many security measures are implemented by the banks, or the government, it is the victim that should be initially be aware, calm and alert towards such scams. Always verify your received calls and keep a cautious attitude towards any suspicious behaviour/tone of any person or digital application.

The active involvement and collaborative effort of all parties, i.e. the police, bank officials, victims and judiciary can ensure a better and efficient handling of this scam.

[1] Gautham Selvarajan, ‘The return of ‘drugs in parcel’ scam’ (The New Indian Express, 16 October 2023) <>  accessed on 02 May 2024

[2] Divya Bharti, ‘Indians losing lakhs to the new courier scam: What is happening, how to stay safe’ (India Today, 28 January 2023) <> accessed on 02 May 2024

[3] H M Chaithanya Swamy, ‘Cybercriminals pose as narco, FedEx authorities; dupe two in Bengaluru’ (Deccan Herald, 08 July 2023) <> accessed on 02 May 2024

[4] Analiza Pathak, ‘FedEx Package, MDMA Drug, Skype Call: How Crooks Looted Rs. 4.5 Cr From Delhi Doctor In Biggest Cyber Fraud Ever’ (, 23 May 2023) <> accessed on 2 May 2024

[5] ‘FedEx scam: Lawyer blackmailed into paying Rs. 15 lakhs after being tricked into stripping on video call in elaborate cyber fraud’ (Business Today, 09 April 2024) <> accessed on 02 May 2024

[6] Ibid 3.

[7] Jignasa Sinha, ‘35-yr-old woman duped of Rs.5 lakh in ‘FedEx’ scam in Delhi’ (Hindustan Times, 16 April 2024) <> accessed on 02 May 2024

[8] ‘Bengaluru IISc professor latest victim of ‘FedEx courier’ scam, loses Rs. 83 lakhs’ (The NEWS Minute, 29 December 2023) <> accessed on 02 May 2024

[9] The Indian Penal Code of 1860 (India Code) <> accessed on 2 May 2024

[10] Indian Penal Code 1860, s. 415

[11] Indian Penal Code 1860, s. 417

[12] Indian Penal Code 1860, s. 416

[13] Indian Penal Code 1860, s. 419

[14] Indian Penal Code 1860, s. 383

[15] Indian Penal Code 1860, s. 385

[16] Indian Penal Code 1860, s. 384

[17] Indian Penal Code 1860, s. 170

[18] Indian Penal Code 1860, s. 171

[19] Indian Penal Code 1860, s. 463

[20] Indian Penal Code 1860, s. 464

[21] Indian Penal Code 1860, s. 465

[22] Indian Penal Code 1860, s. 470

[23] Indian Penal Code 1860, s. 468

[24] The Information Technology Act of 2000, (India Code) <> accessed on 2 May 2024

[25] The Information Technology Act 2000, s. 66C

[26] The Information Technology Act 2000, s. 43

[27] The Information Technology Act 2000, s. 66

[28] The Information Technology Act 2000, s. 66A

[29] The Information Technology Act 2000, s. 66D

[30] ‘How to Recognize and Prevent Fraud and Scams’ (FedEx) <> accessed on 02 May 2024

[31] Priya Singh, ‘Air parcel full of drugs found under your name…’: Software engineer robbed of Rs 2.24 crore by scammers’ (Business Today, 12 April 2024) <>  accessed on 02 May 2024

[32] ‘Crooks dupe woman, sipon off Rs. 18L loan’ (The Times of India, 03 May 2024) <> accessed on 03 May 2024

[33] ‘Fraudsters dupe Indian IT professional of $16,000, force her to disrobe on camera’ (WION, 16 April 2024) <> accessed on 03 May 2024

[34]‘Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet’ (MeitY and CERT-In, 28 April 2022) <> accessed on 02 May 2024

[35] ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’ (Reserve Bank of India, 06 July 2017) <> accessed on 02 May 2024

[36] ‘Master Directions on Digital Payment and Security Controls’ (Reserve Bank of India, 18 February 2021) <> accessed on 02 May 2024

[37] ‘Security and Risk Mitigation Measures for Electronic Payment Transactions’ (Reserve Bank of India, 28 February 2013) <> accessed on 02 May 2024


[39] ‘List of Nodal Agencies (Cyber Crime Cell/ Economic Offences Wing) for Filing Complaint’ (Reserve Bank of India) < > accessed on 02 May 2024

[40] ‘Framework for Geo-Tagging of Payment System Touch Point’ (Reserve Bank of India, 25 March 2022) <> accessed on 02 May 2024

Leave a comment

Subscribe to the updates!

[mc4wp_form id="461" element_id="style-11"]