The DJB’s “Know Your KNO” portal, designed to help citizens find their 10-digit water connection identifier, inadvertently functions as a data harvesting tool. Anyone can input a partial address — as few as 10 characters — and access detailed results showing residents’ full names, addresses, mobile numbers, and unique connection numbers (KNOs). These KNO numbers can then be used to get bill details of individual customers.
With 2.9 million water connections across Delhi potentially exposed through this vulnerability, fraudsters pose as DJB officials and contact victims with urgent disconnection threats, using their personal and bill details to establish credibility before stealing money through malicious mobile applications or other means.
The scam now accounts for approximately 20% of all cybercrimes reported in Delhi, according to multiple police station house officers across the capital.
According to cyber officials, at least 5,000 complaints are received on NCRP each month in Delhi. Of these, more than 700 are complaints related to DJB fraud. Police said FIRs are limited to 100-200 as many complainants make double complaints or file wrong information.
“The accused sent a message saying my DJB connection will be cut off tonight as my metre reading was not updated,” said Laxman Agarwal, a 52-year-old RK Puram resident who lost ₹38,000 in May. “He knew my address, my phone number, my KNO number and meter status. He said the pending amount was ₹12.”
The method involves convincing targets to visit a malicious link or install an application.
Agarwal downloaded an application file that appeared genuine, complete with DJB logos. “As soon as I put my banking details, it showed an ‘unsuccessful’ transaction. While I was on the call with the accused, he quickly took out money in three transactions. I didn’t even give him an OTP.”
A businessman from Vasant Kunj lost over ₹1.5 lakh in a similar manner. “The message said my connection would be disconnected in three hours. It’s summer and losing water connection was scary,” he said, requesting anonymity. “In less than an hour, ₹1 lakh was withdrawn from my two bank accounts.”
The scammers typically claim small pending amounts — often just ₹12 — to avoid suspicion. However, once victims engage, they lose significantly larger sums, usually between ₹20,000 and ₹50,000, according to a police inspector in the south range.
Deputy commissioner of police (southwest) Amit Goel said his force has received multiple complaints over the past four to five months. “The scale of the scam is growing as multiple gangs are misusing data from DJB and targeting unsuspecting victims.”
On June 2, police arrested three men from Jamtara and Deoghar in Jharkhand. Analysis of their devices revealed involvement in 35 additional cases, with one mobile number alone used to target 14 victims.
Police estimate that at least 100 people fall victim to this scam in a month, though no collated figure was available. The total losses, an official said, has reached ₹10 crore over four months.
“We have written to DJB and even issued warnings on social media. However, the cases keep on increasing. DJB should either restrict access or do something,” said a deputy commissioner-level officer, asking not to be named.
A freelance journalist from Inderpuri who lost ₹8,000 this week highlighted the broader problem: “The biggest issue is that DJB has all the data and anyone can see it.”
Even senior officials are targeted. A senior IAS officer in Kidwai Nagar received such a message on Monday, claiming a ₹12 pending amount would result in disconnection. He spoke to the person but on learning that the caller’s number was “active in Jharkhand”, he realised it was a scam and did not fall prey to it.
DJB released an advisory and officers shared details of their plan to make people aware of the scam.
On June 3, DJB issued a social media advisory stating: “It has been brought to the attention of DJB that its consumers are being contacted through mobile calls/SMS/WhatsApp messages by individuals falsely claiming to be from DJB… All consumers are urged to remain alert.”
For now, DJB is not planning make changes to vulnerable portal, an official said.
Since June, we have been spreading awareness about the scam through press releases, ads, social media and other platforms. At present, we are asking all our customers to call us and not fall prey to any of the calls or messages. We don’t cancel any connection through messages. Also, people can check any meter update on our genuine website. For now, we are not making any changes to the website because people want to know the KNO and can’t come to our office all the time,” a DJB official, asking not to be named.
Dr Pavan Duggal, a cybersecurity expert, said, “These cases are happening as cyber security loopholes are being exploited by fraudsters. This is not limited to DJB but multiple government portals. We need to have better cybersecurity systems in place to avoid this. Also, giving out all these personal details of the customers openly is in violation of the IT rules and regulations. The fraudsters are using the loophole to scam people. The system will have to be amended in a manner that effective remedies are provided to citizens, improved cyber security of government portals are in place and people need to be encouraged to improve cyber safety on their own.”
