Staying Safe In The Digital World – Ep11

20 mins read

Curious to revisit this entire podcast in a quick, readable format? Here’s the full episode transcribed into a blog-style narrative so you can grasp all the insights at your own pace.

Host (Sanjay):
Hi everyone, and welcome to one more episode of What If You Live to Be 100. In earlier episodes, I have mentioned, and even otherwise we all recognize, that besides everything else we have talked about, whether it’s about money, health, social relationships, or where to live, there is one more factor which is of great importance to us at this stage of life, especially in the era that we live in.
Think about it: you put together a nice retirement corpus for yourself, you reckon that should be something safe, and you’ll be good for the rest of your life.
And yet, every morning, literally, you open the newspapers and catch stories about people getting swindled due to some kind of digital fraud, cyber attack, etc. And while we can secure our homes better, we can put our money into safe deposit vaults in banks and whatnot, this is one area where we are not sure how to protect ourselves. We find ourselves in significant vulnerability, and there’s the fear, what if suddenly, someday, we also get entrapped and lose a whole lot of money, besides all the stress it brings.
So to address this very important topic for people in this generation of 50 to 65, we have today an eminent expert with rich experience in this space, who is going to help us with some guidance, tips, and demystify some concepts that we might not be aware of. I think it’s going to be very, very relevant and useful.
So with those words, I welcome to this episode Mr. Prathmesh Churi.

Host (Sanjay):
Welcome, Prathmesh. To give you a little background: Prathmesh has been in academics earlier. He was a professor at NMIMS, where he was teaching information security to engineering students.
In more recent times, he has moved from academia to industry, and he’s currently in an organization where he’s Chief of Staff, Information Security, and also in charge of data protection. Besides that, he’s part of a committee called LITD 17, which is a Government of India committee formed to lay out frameworks and policies related to information security, data standards, etc. So this is an extremely important committee, which will kind of decide how the government comes out with these frameworks.
Without doubt, he is the absolute right person, with the perfect background, credentials, and experience, to help us on this very important subject. With those words, I’d love to have Prathmesh tell us a little bit more about himself, and also what kind of things he has been seeing while working in the industry and with people, before we start with more questions.

Guest (Prathmesh):
Thank you so much, firstly, for the very warm introduction.
You have described me accurately regarding the cybersecurity and data protection side. As you rightly said, I have shifted my whole career from academia to industry. What I found in common is that the number of people I actually make aware of these topics is very low. Only when I was a teacher, teaching students about data security and privacy, was I making them aware of this subject and giving cautionary advice on best practices to follow.
When I came to the industry, I actually tell my customers, my consumers, and my other team members, especially those who are not in information security or data privacy, such as people from human resources, marketing, or business, they generally have very little knowledge in this area. So my job is also to make them aware of the best information security practices.
In cybersecurity or data protection, it’s not just a compliance check. It’s not just about having big, high-end security tools and infrastructure. It’s about making the people aware, those who are using your applications and infrastructure, of responsible usage. I guess the logic of this podcast is aligned with this: your target audience is largely senior citizens, or people who are aware of digital infrastructure but need guidance on how to use it responsibly while keeping cybersecurity in mind.
That should be the real focus. So I guess my actual target audience for today’s podcast is those people, and I’m very happy to be here.

Host (Sanjay):
Absolutely. Absolutely. So one thing, just to say in a lighter way, is that we are focused on people in the 50 to 65 age group. And somehow, they don’t like to be called “senior,” right? Because they’re still…

Guest (Prathmesh):
No, no, this is just in a lighter way, and it doesn’t matter.

Host (Sanjay):
But actually, Prathmesh has obviously worked with large organizations and enterprises, so I’m going to request him to come down to a consumer level, which is what matters for all of us. Specifically, again, these are people in their 50s and 60s, people who were not “digital natives.” When we were in school and growing up, the internet and connectivity were not as prevalent. Somewhere in our late 20s, early 30s, or mid-30s, we started getting introduced to the internet at a fundamental level, along with email and eventually mobile apps and connectivity.
By now, as we are in our 50s and early 60s, most of us have been using internet-related services for 20 years or so. We have become comfortable, but we were not born with digital fluency, unlike the younger generations. Our parents, for example, didn’t get comfortable with the internet because they got introduced much later in life.
So on one side, there is comfort, but on the other side, all of us (I’ve been in the digital space for more than 25 years) can honestly say we don’t feel completely safe. I feel vulnerable; I don’t know when something could go wrong.
At the outset, can you tell us, for people of this kind, what are the kinds of risks or vulnerabilities we have today? So we at least get a sense of where things could potentially go wrong.

Guest (Prathmesh):
You asked whether one can feel safe or have a benchmark. I’ll answer straightforwardly: none of the generations, whether younger or older, can ever feel completely safe. Technology keeps advancing, attacks keep evolving, and the mindset of attackers keeps changing. What was an attack 10 years ago may not be used today because solutions or mitigations are in place. This kind of competition between attackers and defenders will remain valid for the next generation too.
I always tell my target audiences, regardless of age: the moment you give your data to any digital platform, whether the platform provides comfort or assurance about your data’s safety, you are inherently taking a risk. There’s never a point when you can say you are 100% safe. What you can do is minimize potential risks of data breach or security lapses.
One quote I remember, though I don’t recall who said it, is: “Security is a process, not a product.” Security isn’t a feature or a USB stick you buy; it’s an ongoing process. Even with AI, quantum computing, and future tech, security efforts will only become more important.
So, first takeaway: there’s no such thing as perfect security.

Host (Sanjay):
Fair enough. With that out of the way, from a common user’s point of view, using net banking, GST portals, social media, WhatsApp, UPI, or downloading files, we all engage with digital infrastructure daily.
In this context, what are the big areas where we are particularly vulnerable? These are tools we cannot avoid for day-to-day life. Even a simple payment on UPI or accessing a bank account requires digital engagement. The reality is, this subject is so deep that a half-day discussion might not cover everything. But we can focus on the most important hotspots.

Guest (Prathmesh):
I would say, net banking apps are generally not the primary targets for attackers. Banks have robust security. Where people are targeted more is where regulations and protections are weaker. Social media is one such hotspot. From a security perspective, global government regulation varies, so users can often become victims. Social media platforms, Facebook, Instagram, Snapchat, WhatsApp, are common attack vectors.
The second major area getting worse is phishing. Many people receive emails from advertising agencies or e-commerce brands. Security in these cases is more about awareness and human behavior. The moment something seems too good to be true, people often fall into traps.
We live common lives with common activities day-to-day, but these vulnerabilities are very real and important to understand.
And suddenly somebody is sending a message that this particular product, which is of one lakh rupees, you are suddenly getting for twenty thousand rupees or ten thousand rupees. And suddenly some good things happen. And we always say that our God is so kind.
Sometimes God is not kind. God is testing us in that case. So we fall into the trap there.
Okay, so the second hotspot area is phishing. All those links, when we click without even reading, or even if you read, you still feel there is always that one or two percent chance. See, I’m not saying we are not smart. We are smart enough to understand what is good and what is wrong. We are educated people.
But that “too good” thing, and our greedy nature as human beings by default, makes us fall into that trap. And we actually click on that link, and that link turns out to be suspicious.

Host (Sanjay):
So I think while many of you viewing this might be aware of the idea of phishing, for those who aren’t, phishing is not our typical going and fishing for fish, which fishermen do. It’s something different. Would you like to explain the concept of phishing for those who are not very familiar with it?

Guest (Prathmesh):
Yeah. So actually phishing is the art of taking control of the data and assets of a consumer through a suspicious link. There are various types of phishing.
Instead of going too technical, I’ll give an example.
Suppose you get an email saying that you have won a lottery of two lakh rupees. To claim that lottery, please click on the link. And there is a link in the email. You read the message properly, but you have not verified certain weak areas or red flags.
You click on that link, and that link is not coming from an authorized person or organization. It is coming from the attacker to fool you. When you click on that link, it asks for some kind of password. Let’s say, for example, it asks for your bank account net banking username and password.
You enter it because in your mind you are already greedy. You already want that money. The moment you submit it, it turns out to be a trap, and your entire money gets debited with your authorization, because you have authorized the attacker by giving your credentials.
This is one way. Another way is where you give your username and password, and the attacker later logs in and does transactions on your behalf.
Another form of phishing is not through links. It is through calls, where someone asks for your UPI PIN, or sends a transaction request through UPI, or sends messages through WhatsApp with links. WhatsApp, as I said earlier, is one of the weakest links and one of the easiest ways for attackers to target victims.
So phishing is actually a very non-technical, yet sophisticated and easy way to fool victims.

Host (Sanjay):
If I may add at this point, on one side, UPI and all these services have given us huge convenience, which is why all of us have adopted them. When Covid happened, everybody was thankful for these systems because we didn’t have to stand in ATM queues to get cash.
We were able to do transactions easily. And now it has become absolutely common for all of us. But at the same time, because it is so convenient that with one click money can be transferred and received, it is equally easy for money to be transferred to the wrong person instead of the right person.
So we understand that convenience comes at a potential cost if a mistake is made. Earlier, money transfers were a big process. You wrote a cheque and it took ten days to clear. If you discovered a mistake, you could go to the bank and put a stop payment.
Here, money moves instantaneously. So convenience comes at a cost. That is something to realize.
And just to add, while Prathmesh has already mentioned this, what happens with phishing is that when the attacker asks for data, they also make the screen look like a familiar banking screen or a familiar entity. It is very easy to create a display that looks familiar, even though the actual website or link, what they call the URL, is not the real bank website.

Guest (Prathmesh):
Because it looks so familiar, we feel that we are giving it to the right person. We are giving our username and password, and at the back end, they are getting that information, which is why mistakes happen. Otherwise, you might think, how can I just give my bank password to somebody else? But it happens because we don’t realize that it looks like a bank screen, but it is not coming from the bank.
They have just created the visual to look like that. So that sort of thing happens.
Just to add to this point, let’s say the bank is, for example, Riverbank. I don’t know if this bank even exists, I’m just giving an example.
Now, the website of Riverbank might be river.com. You expect that emails should come from something like @river.com.
But if an attacker is trying, they might change the spelling of “river,” maybe make it R-I-V-E-R-R, or sometimes use riverbank.com. You should also be aware of the websites of the bank and where emails are coming from. These are small things, not even technical. At least check the spelling, the email, the logo, and the content of the message.
Often, phishing emails do not have good English and are not written like a bank email. You usually receive professional emails from your bank, so it is easy to spot phishing.
Identifying a phishing email is not difficult. Look at spellings and the message carefully. The moment you have even 1% doubt about an email, do not click it. Nothing will happen if you don’t take action. It is always better not to act than to act and fall into a trap.
Even if it is a legitimate email, the maximum you can do is delay certain actions, which does not cause any penalty. But if you click on a suspicious link, you fall into a trap.
For example, I had put up a product for sale on OLX or a similar marketplace. A few prospective buyers contacted me. Then somebody called and said, “Okay, you do this on UPI and I will make the transfer.” I sensed something was not right, so I didn’t proceed.
They made it seem like they were a buyer willing to pay a good price for my product. Sometimes you get trapped because you are hoping to get a certain price, but the person offers much more.

Host (Sanjay):
So what is that kind of fraud? How does it work, especially with UPI, which most people use?

Guest (Prathmesh):
The example you mentioned, where someone calls you, is one form of phishing. It’s called vishing, which is phishing over the phone. The attacker calls you and demands money through net banking or UPI. UPI is the simplest method. During the call, they might pretend they are buying a product you posted for sale.
The government of India has improved systems in the telecom industry. Now you can often identify if a call is spam or not. Many spam calls are automatically flagged. Even if you receive such a call, do not provide any personal information, such as your name, email address, interests, or plans. Attackers often ask for these details. Do not give any information.

Another way to avoid falling into a trap is to look at the numbers calling you. Often, the numbers are not standard. They are generally not from our country. For example, in India, the country code is +91, and legitimate mobile numbers are 10 digits long.
Attackers often use different services, so the numbers are not legitimate. Always check where the number is coming from.
And third, I want to repeat: don’t be greedy. Security is not only the problem of an organization; it is the responsibility of all of us.
Greed can trap you. For example, if a product is offered at a much cheaper price than usual, you have the right to question it. Ask yourself, why are they selling it so cheap? What is their benefit from this?

You should also ask about different payment modes. Basically, you have to exercise your right to ask questions. If something seems suspicious, do not go for that particular method. Anybody calling you and asking for payment, by default, you should say no.
All legitimate organizations or e-commerce platforms do not ask for payment over a call and do not provide a QR code asking you to pay. They have very legitimate payment methods through their apps, where you can link to your net banking or UPI. Always use authenticated mobile apps; that is my advice through this podcast.

Host (Sanjay):
Got it. You know, there is this new kind of crime that I keep reading about. I personally cannot even understand what it could be. I’m sure we have all seen cases where somebody has been put under digital arrest for an extended period and then has to pay a lot of money. I don’t understand what digital arrest is, how it happens, and how someone can get trapped. Could you shed some light on this new kind of fraud?

Guest (Prathmesh):
Digital arrest is essentially a method of capturing personal data and information and trapping an individual through various means. A call is one of the prominent ways of executing digital arrest.
For example, you may receive a call from someone claiming to be from the government or a regulatory authority, saying your mobile number might be blocked or your bank account might be blocked. A legitimate bank or government entity never calls you directly. They always reach citizens through official channels or through your bank. They will never demand payment or threaten you via a call.
Digital arrest is essentially a form of social engineering. Individuals who fear authorities, like banks, platforms, big companies, or regulators, fall into the trap, assuming the call is legitimate. But it is not coming from any superior authority.
People can be trapped for long periods because attackers do not just call randomly. They take time to gather background information. Where does this information come from? Often from social media. Many people, young or old, post information about their lifestyle, location, family, and job on social media.
Research shows that people who are less active on social media have a lower risk of exposure than those who post frequently. Social media itself is not wrong, but you have to limit the type of data you share.
Digital arrest works because attackers gather your social media data and background information. They use this to make the call seem credible. We are surprised at how they obtained the information. If they have correct information, we assume it is accurate, without realizing they have done extensive research. This is social engineering.
There are no technical tools to fully prevent social engineering attacks because they depend on human behavior and lifestyle, which are not controlled by organizations. The more aware we are, the better we can avoid digital arrest. The moment you are suspicious of a call or link, just do not engage.
Even in normal life, if someone has personal information, they can exploit it. In the digital world, attackers use such information to execute digital arrest and extract money. The safest approach is to not have anything to hide or to avoid situations that could be exploited.
Ultimately, more than technology or tools, prevention relies heavily on our own awareness, understanding, and mental behavior. You need to recognize something unusual or out of the ordinary to avoid falling into a trap.

Host (Sanjay):
And I don’t want to engage, I don’t want to get into it, I’ll stop. Let it be because it could easily be a trap. So that’s something which I’m hearing here.
So I’m going to shift a little bit. There are a lot of things we’ve been talking about, whether it’s net banking, UPI, or phishing—areas where we do something and get trapped. But there are also cases where we might not be doing something specific, and yet we are vulnerable.
One of those areas I’ve heard about is the use of CCTV cameras. Many of us have cameras inside our homes for security, especially when we are away. The information or video comes to our phone, and we feel safe. But could that information also go to someone else? How does that happen? Is it a hack?

Guest (Prathmesh):
That’s a very thoughtful and real-time question. I’ll take some time to answer because there are various cases I’ve seen regarding CCTV monitoring and footage hacks.
Your question is more about data privacy than information security. Your privacy can be compromised depending on where you install the CCTV.
For example, children may install cameras to monitor their senior citizen parents or a child when they are away. From a usage perspective, this is understandable. However, the more you use technology for convenience, the more you may compromise security. I’m not saying avoid technology, just be aware.
Most CCTV footage is stored on centralized servers or in the cloud. If the cloud is hacked, attackers could access the footage, potentially for blackmail or digital arrest purposes.
I’ll share a real example. I heard about an organization that suffered a ransomware attack. The attackers compromised all the data and then released real-time CCTV footage of employees at work, causing a huge shock. This was likely used to pressure the organization to pay ransom.
So, regarding CCTV: it is safe to use, but install cameras only in public areas of your home, not in personal bedrooms. Verify and regularly review CCTV vendors. Understand where your data is stored and how it is protected. Responsible use is key.

Host (Sanjay):
Yeah, so it’s boiling down to convenience versus risk. You want security, but convenience can compromise it. Your advice makes sense: don’t overdo it, keep cameras only in necessary areas, and trust your vendors.

One last part: another issue not directly related to our actions, like clicking a wrong link, is Wi-Fi security. If someone outside your home accesses your Wi-Fi using your password, what’s the risk? Can it cause harm beyond using your bandwidth?

Guest (Prathmesh):
That’s a very good question. It is a bigger risk if the person accessing your Wi-Fi is technically skilled. A normal person using third-party tools to identify your password may or may not cause harm.
When you use Wi-Fi, you are transferring data over a network. The risk depends on the websites or apps you use. A skilled attacker could potentially intercept communications or access sensitive data, so always secure your network with strong passwords and trusted devices.

So actually, someone using your Wi-Fi may have access to all your communications. Basically, all your communication can be intercepted. It is possible. But there is a good remedy for that.
Generally, your Wi-Fi is provided by a service provider, either local or big companies like Airtel or Vodafone. Some people also have government entities like MTNL or BSNL. When they install Wi-Fi at your home, ask them to set it so that only specific devices can connect.
You can limit the number of devices. For example, at your home, you might allow only three or four devices. Only the addresses of those devices are added to the Wi-Fi portal. Even if someone else tries to connect, they won’t be allowed.
If you’re technically savvy, you can also manage this yourself. You can give temporary access to someone by extending the limit for a specific time. This ensures that only authorized devices can use your Wi-Fi.

One more point: it’s not just home Wi-Fi. When you go outside, for example to malls or airports, avoid using free public Wi-Fi. Free Wi-Fi is often unencrypted and insecure. Use your personal mobile Wi-Fi or wait until you are at home.

Host (Sanjay):
Right. So one concern I have is slightly different. If someone accesses our Wi-Fi and sends a threat email, maybe about terrorism, it could trace back to our IP and create serious legal trouble.

Guest (Prathmesh):
That’s a big risk. But usually, attackers don’t operate through your Wi-Fi to send such emails. The more common case is that people forget to log out of accounts, like mobile banking or email, especially on unsecured devices or browsers.
If someone gains access to your email or applications, they could misuse it. For example, in offices, we often advise employees to lock screens when leaving their desks. Some people don’t, and a mischievous colleague could send emails on their behalf. It may sound funny, but it’s a lesson: anything can happen if basic cyber hygiene is ignored.

So, acceptable use and basic cyber hygiene practices are essential.

Host (Sanjay):
Absolutely. Even though our conversation has been detailed, I feel we’ve just scratched the surface. Cybersecurity is deep and evolving.
But to summarize: it’s largely about personal behavior and awareness. Convenience comes at a cost. Instant money transfers, real-time CCTV feeds from home, and easy access to online platforms all have risks. Always be cautious of offers that seem too good to be true—there’s rarely a free lunch.
In the same way, something that is too good to be true is probably not the right thing. Those are the more important things we can control as users. Beyond that, at the very beginning, Prathmesh told us that we are not likely to feel 100% safe ever, because it’s a cat-and-mouse game.
Like in earlier days, when there was antivirus, a new virus would come, antivirus companies would release a fix, then another virus would appear, and the cycle would continue. It’s much the same with digital crime, cyber attacks, data issues, and privacy threats.
We should do what we can from our side: be careful about what we click, how we use digital tools, follow best practices, and maybe learn more about areas where the risk is higher. For example, don’t expose large account balances through UPI. Keep a separate account with smaller amounts for transactions. These are simple steps that can help reduce risk.
This is an ongoing conversation, and this episode is just the first one. Hopefully, we can do a more in-depth discussion in the future. Thank you so much, Prathmesh, for taking the time for this conversation. I really appreciate the fundamental thoughts you’ve shared.
Do you have any last thoughts before we wind up?

Guest (Prathmesh):
Yes. I would like to leave three key pointers for all the listeners:
First, don’t give your data unnecessarily when it’s not needed. That’s the most important takeaway.
Second, follow basic cyber hygiene practices regularly, as advised by your bank, e-commerce platforms, or government. Listen to tech-savvy people and experts who share advice in this area.
Third, do not use untrusted entities or technologies, and don’t fall into greed.
If you follow these three messages throughout your life, the risk of data breaches or unwanted sharing of your information will be very low, and you are unlikely to fall into traps.

Host (Sanjay):
At one level, listening to all this can feel frightening, like there’s no complete safety. But at the end, Prathmesh has given us hope: by following fundamental best practices, we can stay as safe as possible in this connected world.

Once again, thank you, Prathmesh, for taking the time to share your insights.

Thank you, listeners, and we’ll be back with the next episode.
