What compliance frameworks does CloudTrunk support?

CloudTrunk supports 350+ compliance frameworks including SOC 2, ISO 27001, ISO 42001 (AI), HITRUST, HIPAA, PCI-DSS, DPDP 2025, GDPR, NIST CSF, and many industry-specific standards.

What is ControlForge?

ControlForge is an AI-Powered GRC Platform that automates compliance across 350+ frameworks with AI-verified evidence scoring and comprehensive audit documentation. It runs fully on-premise for maximum data sovereignty.

Nigrahi is India's dedicated DPDP 2025 compliance monitoring platform. It provides continuous PII detection across 17 PII types with AI explanations available in 5 Indian languages (Hindi, Tamil, Telugu, Bengali, Marathi).

ClerkHub is a unified Business Management Suite combining HR, Payroll, Invoicing, Accounting, Contracts & Projects with multi-country tax compliance support for 50+ countries.

How quickly can CloudTrunk help us get certified?

Our 'Assess, Secure, Prove' methodology typically gets organizations audit-ready in 12-16 weeks, depending on the framework and current maturity. We've served 50+ clients with time to first fix under 72 hours.

Does CloudTrunk offer on-premise deployment?

Yes, ControlForge and Nigrahi are designed for fully on-premise deployment, ensuring complete data sovereignty and compliance with data localization requirements including India's DPDP 2025.

VAPT (Vulnerability Assessment and Penetration Testing) is a security testing service that identifies vulnerabilities in your systems. CloudTrunk offers comprehensive VAPT services for web applications, mobile apps, and infrastructure.

How do I get started with CloudTrunk?

You can book a free 30-minute security consultation through our contact form at cloudtrunk.tech/contact or email us at hello@cloudtrunk.tech. We'll discuss your specific needs and recommend the right approach.

Back to ScamKavach

Technical Deep Dive

How ScamKavach Detects
13 Types of Indian Scams

A look inside the on-device detection engine — weighted scoring, bilingual pattern matching, and behavioral analysis.

Published April 2026 · By CloudTrunk Technologies

India is facing an epidemic of digital fraud. From fake CBI officers demanding "digital arrest" fines to UPI payment requests from fraudulent loan apps, scammers are evolving faster than traditional blocklists can keep up.

ScamKavach uses a multi-layered detection engine that runs entirely on your Android device. No cloud processing of your messages. No data uploaded. Here's how it works.

Architecture: Three Detection Layers

Layer 1: Pattern-Based SMS Analysis

40+ regex patterns across 13 scam categories, each with calibrated risk weights. Bilingual support for Hindi (Devanagari + transliterated) and English.

Layer 2: URL Threat Scoring

Multi-vector analysis of URLs — typosquatting detection, suspicious TLD scoring, brand impersonation checks, and shortened URL penalties.

Layer 3: Offline Database Lookup

360+ known Indian scam phone numbers, phishing URLs, and fraudulent UPI IDs bundled in the app. Works without internet.

The 120-Point Scoring Model

Every SMS is scored on a 0-120 point scale. Pattern matches contribute weighted points based on scam severity. The final score determines the verdict:

< 25

Safe

25-59

Suspicious

60+

Scam

Confidence is calculated as a percentage of the 120-point maximum, capped at 98% — because no automated system should claim 100% certainty.

13 Scam Categories

Each category has dedicated patterns with calibrated weights. Higher weights mean higher confidence that the pattern indicates a real scam:

OTP Phishing

Direct OTP sharing requests, fake bank verification

Digital Arrest

Fake CBI/police officers demanding bail via UPI

Loan Harassment

Recovery agent threats, family contact blackmail

Investment Scams

Guaranteed returns, double-money, crypto schemes

Banking Fraud

Fake debit alerts, account compromise claims

Parcel Scams

Package held at customs, delivery failure fees

Gaming Fraud

Free in-game currency, fake game passes

Prize/Lottery

Lottery winners, prize claiming in Hindi/English

Job Scams

Work-from-home, Telegram recruitment, task payments

Insurance Scams

Policy maturity claims, fake LIC schemes

Loan Scams

Pre-approved loans, no-document instant loans

KYC Fraud

Account blocking threats, Aadhaar/PAN linking demands

Phishing/Urgency

Generic urgency language, suspicious call-to-action links

TRAI/RBI Sender Validation

Indian banks are required by TRAI and RBI to send transactional SMS using numeric sender codes (1600xx format) registered through the DLT platform. Promotional messages must use 140xx prefixes.

The Spoofing Signal

If a message contains banking keywords (OTP, account, debit, credit) but comes from a non-compliant sender — like an alphanumeric code pretending to be "HDFCBANK" — ScamKavach adds a +40 point penalty. Legitimate banks never send transactional SMS from alphanumeric IDs.

Bilingual Detection: Hindi + English

Indian scammers operate in Hindi, English, and Hinglish (transliterated Hindi in Latin script). ScamKavach matches all three:

English

"your account will be blocked", "verify KYC immediately"

Hindi (Devanagari)

"गिरेफ्तार", "केवाईसी", "वारंट"

Hinglish (Transliterated)

"giraftari", "kyc se juri", "paisa transfer"

URL Threat Scoring

URLs are analyzed across multiple threat vectors, each contributing points to a separate 0-100 score:

IP-address URL (http://192.168...)+50

Typosquatting (paytmm.com vs paytm.com)+55

Shortened URL (bit.ly, tinyurl)+40

Suspicious TLD (.xyz, .tk, .loan, .icu)+35

Government impersonation (not .gov.in)+30

Suspicious path keywords (login, kyc, otp)+8-30

Excessive subdomains (4+ levels)+25

A whitelist of 40+ verified domains (Google, Amazon, Flipkart, major Indian banks) ensures legitimate URLs are never flagged. Brand impersonation detection maps 18 major brands with their official domain suffixes.

Digital Arrest Detection

"Digital arrest" is a uniquely Indian scam where criminals impersonate CBI, police, or customs officials on a phone call, keep the victim on the line for extended periods, and demand payment via UPI.

ScamKavach's DigitalArrestDetector uses behavioral signal fusion — correlating call metadata with SMS content:

Step 1: Call Pattern Detection

Monitors for calls from unknown numbers lasting 3+ minutes, OR 3+ repeated calls from the same number within 30 minutes.

Step 2: SMS Content Correlation

Within a 15-minute window after the call, scans incoming SMS for authority keywords (CBI, warrant, FIR), payment keywords (UPI, transfer, bail), and threat keywords (jail, freeze, arrest).

Step 3: Risk Classification

HIGH: Authority + payment keywords in same SMS. MEDIUM: Authority OR payment + threat keywords. LOW: 2+ threat keywords alone.

100% On-Device Processing

Every detection layer runs locally on the device:

✓All regex patterns are pre-compiled Kotlin objects — fast, no network latency

✓SMS analysis uses coroutines with an 8-second timeout per message

✓Digital arrest detection uses zero network calls

✓DPDP Act consent is checked before any scanning begins

✓Scan history auto-deletes: 90 days for scans, 30 days for alerts

RBI Licensed Lender Verification

ScamKavach bundles a database of 156 RBI-licensed financial institutions — banks, NBFCs, payment banks, small finance banks, and housing finance companies. When you check a UPI ID, the app instantly shows whether the recipient is a licensed lender or an unverified entity.

This is critical for detecting fake loan apps — one of the fastest-growing scam categories in India.

Open and Transparent

We believe security tools should be transparent about how they work. This article describes the actual detection algorithms running in ScamKavach today. We're committed to continuously improving our detection as scammers evolve their tactics.

If you have questions about our detection system or want to report a scam pattern we're missing, reach out at hello@cloudtrunk.tech.

Try ScamKavach

Free. No ads. No subscriptions. Available on Google Play.

Download on Google Play

← ScamKavach Home Privacy Policy CloudTrunk

How ScamKavach Detects13 Types of Indian Scams