“The internet is unsafe. There’s no guarantee of security, anonymity, or privacy” 

Sankarraj Subramanian, Founder and CEO – Prompt Infotech, Coimbatore

• Hackers often listen to what you are saying — business meetings, family conversations, anything.
• Even without being hacked, your device is listening.
• Attackers may observe your systems for two months silently and strike just before a major transaction.
• There’s a rising scam called pig butchering, where scammers build a fake relationship over months and then ask for money or investment. People fall for it because of the emotional connection.

As the digital world rapidly expands, so do the threats lurking behind every app, message, and tap. In this in-depth interview, Sankarraj Subramanian — Founder and CEO of Prompt Infotech in Coimbatore, India — draws on his experience conducting over 160 international cybersecurity sessions to shed light on the most pressing cyber threats of our time. From the hidden dangers of everyday smartphone use to cross-border cybercrime, AI-powered attacks, and the emotional vulnerability of young internet users, he warns that no one is immune. Backed by practical examples and a strong advocacy for awareness, Sankarraj Subramanian calls for a smarter, more security-conscious society — beginning with ourselves. He recently visited Mauritius to conduct master classes and participate in conferences for both the public and the private sector. His visit was facilitated by the Tamil Chambers of Commerce and Professionals (Mauritius).

Rudy Veeramundar

During your presentation this morning, you said something interesting: ‘The phone is smart, but are we smart?’ I think that question sets the stage for this discussion. Could you start by elaborating on it?

The things we create can overrule us. That is what technology has brought us to today. Smartphones — what we have created — combined with the emergence of AI and new technologies, have started thinking on their own. We always underestimate the capabilities and functionalities of smartphones. We think, “I just paid 50,000 and bought this mobile, and I can use it as per my wish.” Yes, you can use it as per your wish, but you also need to understand what functions it performs without your knowledge. That is where smartphones overrun us. So, we have to be very careful about the things it can do. As I said, you can remove your SIM card, or you can put your mobile in flight mode, but it will still record a few functions that can affect the user’s privacy.

When it comes to user privacy, we must be aware that our privacy is being exploited. It’s fine for users who are aware of this. But users who are not aware need to be educated. You own a smartphone. Just like when you buy a car—you have to maintain it, understand how it works, and know what to do if something goes wrong or when to take it for servicing. The same applies to your smartphone. You should know whether your smartphone is controlled by you or by someone else. Is your smartphone reporting to you or to an attacker? So, we must be careful about that.

The fact is, almost no one reads the terms and conditions. We just press OK whenever there’s an update—it’s so common. And when buying a phone, nobody reads the manual either. So, would you say this is a flaw?

It’s a flaw, and I don’t know why corporates are making it so complicated. Legally, they are required to be elaborate, especially due to the complaints they might face. But they make sure it is so elaborate that nobody spends time reading those terms and conditions. With all the technical jargon, governments and other complaint-related agencies should require clearer formats for these texts. You read all these terms and conditions, and for sure you’ll need a dictionary to understand them. For a techie, that’s okay. But imagine a common man who is going to use the mobile — he just swipes and says, “Agree and continue.” Not only for the mobile, but even for the apps you install, there are many technical terms that are very hard to understand. So, they should simplify this, and we must at least spend some time looking at the headlines to see what the app or phone is going to access.

From your perspective as an expert, what are the most common cyberattacks we’re seeing right now?

The most common attacks are ransomware, which is predominant in corporates. Next are phishing-based attacks, which target not only corporates but also individuals. There was a famous Russian cybercrime investigation company. Their network was hacked just because one of their employees opened a phishing mail. The entire network was compromised. So, there is no patch for human vulnerability. In terms of financial loss, ransomware and phishing-based attacks are at the top.

You mentioned that in cases of blackmail or phishing threats involving images of children—particularly on platforms like WhatsApp—children should speak to their parents first before filing a complaint. Could you explain why involving parents at the outset is so crucial?

Mostly, when kids face problems like cyberbullying or blackmail, they don’t speak out — this is problem number one. And even if they do, they share it with their close friends, not their parents. They think their friends can help, but those friends are probably of the same age and unfamiliar with such issues. They might give misleading advice.

“Smartphones are smart. Make sure you are smarter.”

So, we tell children: go speak with your parents first. Whether you’ve done something wrong or not, speak with your parents—they’ll know what to do. Then go file a complaint. Informing your parents brings emotional stability, so children don’t have to fear the attacker anymore. Emotional instability is the main cause of many attacks like this. Children become frightened and vulnerable, unsure of whom to speak to, and end up doing whatever the scammer says.

South Korea had a case called the “Nth Room.” It was a Telegram group with multiple chat rooms — room 1, room 1000, room 200 — where illicit child pornography was shared. Victims were threatened to send more pictures or the attackers would send them to their parents. The perpetrators included schoolchildren who threatened and coerced others into unimaginable acts. Most victims said they were afraid of their families. So again: tell your parents first. That gives emotional control and removes fear of the scammer.

You spoke about how dangerous the internet can be. During your presentation, you highlighted Google as one of the main tools used by hackers. Are there other means, besides Google, that cybercriminals commonly use?

That’s simply Google’s functionality. Google does whatever you ask it to do. If you search for the best hotels in Mauritius, it gives you all the websites. If you search for usernames and passwords in Mauritius, it will try to fetch that, too. That’s its job — to crawl and collect information.

If your server is not configured properly, Google can crawl sensitive information from it. So yes, it does that. Not just Google — any search engine like Yahoo, Bing, or DuckDuckGo does this. Crawling is their core function. It’s not about blaming the search engines. It’s about how we configure and maintain our servers and datasets.

We’ve seen that hackers can access phone cameras—even the background camera. Is it also possible for them to access the microphone?

Yes. If I can access your camera, accessing your microphone is simple. Hackers often listen to what you are saying — business meetings, family conversations, anything. Even without being hacked, your device is listening.

Say, “Hey Siri,” and your phone responds. That means it was listening the whole time for that one keyword, but it also heard everything else. It stores that data and uses it for targeted ads. Try this: speak about dinosaurs every day for a week next to your phone. Even if you never searched for them — and you’ll start seeing ads for dinosaur toys, posters, keychains. This means the phone listens and analyzes keywords. Technically, it’s called user behaviour analytics.

Even if the phone is on airplane mode or turned off?

If it’s completely off, the probability is very low. It can still grab the location, but won’t listen. But when it’s on—even in airplane mode—it can still listen. You can check this in your Google settings. Go to Gmail > Settings > Data and Privacy > Web & App Activity. There’s an option called allow audio recordings. Google has options to record both video and audio for voice commands and other inputs. You need to manually turn it off.

Mauritius’s financial services sector is a key contributor to GDP. We rely heavily on the internet and digital tools. How safe—or at risk—are we as a financial center?

Mauritius is emerging in this space. This is the right time for companies to invest in cybersecurity—train employees, train developers. When you’re still growing, it’s easier and more cost-effective to build secure systems. Retrofitting security later is expensive.

Being a financial center, Mauritius must focus on audits, governance, and compliance — whether HIPAA, PCI DSS, or others. Strong cybersecurity laws must be enforced from now.

What are the biggest cyber threats to businesses today?

Some businesses say, “We are not in IT; we only have two computers.” But that doesn’t matter. It’s not about how many devices you have — it’s about how much money flows through your business. If you have a ₹10 crore annual turnover, even two computers are enough to target you.

One major threat is spear phishing. Attackers may observe your systems for two months silently and strike just before a major transaction. These are not overnight attacks. They wait for the right moment and wipe out your entire bank account in one shot.

So, businesses must guard against financial loss and data loss. If your data is gone, everything is gone.

“Don’t blindly believe anything you see on the internet.”

Can you share an example of a major cybercrime?

Yes. Let’s combine this with the challenges of cross-border crimes.

If the attacker and the victim are in Mauritius, it’s easy to act. But if the attacker is in Switzerland and the victim in India or Mauritius, it’s a different story. Countries like Switzerland have strong privacy laws. Even if I attack someone, companies can’t easily release my information without a long process. That gives the attacker a window of three months or more to disappear.

Some attackers host servers in countries like Switzerland, Ecuador, China, and Russia because their laws protect user privacy. So, they can commit crimes while buying time before being caught. For cybercrime investigators, this creates serious challenges.

You have conducted over 160 international sessions in 58 countries. What are the biggest cybersecurity knowledge gaps you’ve observed?

Students are learning cybersecurity on their own, which is good. But many do it just to impress or scare people. They learn techniques, not the technology. For example, someone learns to hack Wi-Fi from YouTube but doesn’t know what IP addresses or DNS are.

They follow 100 techniques but lack technical depth. Companies won’t hire them. That’s the main knowledge gap we observe.

How do you foresee AI and machine learning shaping the future of cybersecurity in the coming years?

AI will speed things up — both for good and bad. A developer may take a month to write code; AI does it in 30 minutes. Replace that developer with an attacker, and you have malware created instantly.

So, it will become a battle between two AIs. AI’s impact will be biggest in automation — apps, bots, malware generation, phishing — all done instantly. And that’s worrying.

What cybersecurity learning practices or approaches would you recommend to individuals or organizations looking to build resilience?

The internet is unsafe. There’s no guarantee of security, anonymity, or privacy. Be cautious. Limit the apps you download. Check URLs before clicking. Don’t open anonymous messages or images. Don’t trust messages from unknown numbers.

There’s a rising scam called pig butchering, where scammers build a fake relationship over months and then ask for money or investment. People fall for it because of the emotional connection. Be careful with such online relationships.

As the CEO of Prompt Infotech in Coimbatore, India, could you tell us more about your professional journey and the work of Prompt Infotech?

Yes, we are based in Coimbatore, and we handle cybercrime investigations. We assist government law enforcement in solving cases, audit corporate infrastructure, and provide cybersecurity training to students and corporate employees.

We focus on job-oriented training to help individuals enter the cybersecurity field.

Do you also offer cybersecurity services?

We don’t sell products. We conduct audits and vulnerability assessments. That means identifying weaknesses in websites, servers, and apps. We generate a report and show clients how many vulnerabilities exist and how we or they can patch them.

Earlier in this interview, you mentioned a motorbike ride that started in the south and ended near Nepal to raise awareness about cyber safety. Could you tell us more about that initiative?

Yes. Cybercrime is increasing. In 2024 alone, we lost around $3 trillion globally. We wanted to raise awareness, especially among government school students in India. Private colleges have plenty of awareness programs, but not government schools.

So, we rode across India, Bhutan, and Nepal—visiting cities, state capitals, and union territories—speaking especially to women and children about what to do and what not to do online.

What were the main takeaways from this bike ride?

I believed people no longer fall for OTP scams or calls from fake banks. But I was shocked to find people still sharing card numbers, grid values, and falling for basic scams. That’s why awareness campaigns like ours are so important.

Any final words to conclude this interview?

Smartphones are smart. Make sure you are smarter. Don’t blindly believe anything you see on the internet. With AI, even photos and videos can be fake. Before sending money or sharing sensitive information, double-check with the person involved.