Every year, tens of millions of Americans collectively lose billions of dollars to scam callers. Where does the other end of the line lead?
To hear more audio stories from publishers like The New York Times, download Audm for iPhone or Android.
One afternoon in December 2019, Kathleen Langer, an elderly grandmother who lives by herself in Crossville, Tenn., got a phone call from a person who said he worked in the refund department of her computer manufacturer. The reason for the call, he explained, was to process a refund the company owed Langer for antivirus and anti-hacking protection that had been sold to her and was now being discontinued. Langer, who has a warm and kind voice, couldn’t remember purchasing the plan in question, but at her age, she didn’t quite trust her memory. She had no reason to doubt the caller, who spoke with an Indian accent and said his name was Roger.
He asked her to turn on her computer and led her through a series of steps so that he could access it remotely. When Langer asked why this was necessary, he said he needed to remove his company’s software from her machine. Because the protection was being terminated, he told her, leaving the software on the computer would cause it to crash.
After he gained access to her desktop, using the program TeamViewer, the caller asked Langer to log into her bank to accept the refund, $399, which he was going to transfer into her account. “Because of a technical issue with our system, we won’t be able to refund your money on your credit card or mail you a check,” he said. Langer made a couple of unsuccessful attempts to log in. She didn’t do online banking too often and couldn’t remember her user name.
Frustrated, the caller opened her bank’s internet banking registration form on her computer screen, created a new user name and password for her and asked her to fill out the required details — including her address, Social Security number and birth date. When she typed this last part in, the caller noticed she had turned 80 just weeks earlier and wished her a belated happy birthday. “Thank you!” she replied.
After submitting the form, he tried to log into Langer’s account but failed, because Langer’s bank — like most banks — activates a newly created user ID only after verifying it by speaking to the customer who has requested it. The caller asked Langer if she could go to her bank to resolve the issue. “How far is the bank from your house?” he asked.
A few blocks away, Langer answered. Because it was late afternoon, however, she wasn’t sure if it would be open when she got there. The caller noted that the bank didn’t close until 4:30, which meant she still had 45 minutes. “He was very insistent,” Langer told me recently. On her computer screen, the caller typed out what he wanted her to say at the bank. “Don’t tell them anything about the refund,” he said. She was to say that she needed to log in to check her statements and pay bills.
Langer couldn’t recall, when we spoke, if she drove to the bank or not. But later that afternoon, she rang the number the caller had given her and told him she had been unable to get to the bank in time. He advised her to go back the next morning. By now, Langer was beginning to have doubts about the caller. She told him she wouldn’t answer the phone if he contacted her again.
“Do you care about your computer?” he asked. He then uploaded a program onto her computer called Lock My PC and locked its screen with a password she couldn’t see. When she complained, he got belligerent. “You can call the police, the F.B.I., the C.I.A.,” he told her. “If you want to use your computer as you were doing, you need to go ahead as I was telling you or else you will lose your computer and your money.” When he finally hung up, after reiterating that he would call the following day, Langer felt shaken.
Langer was mystified that this new caller, who had what seemed to be a strong Irish accent, knew about the conversations she had just had. “Are you sure you are not with this group?” she asked.
He replied that the same scammers had targeted him, too. But when they were trying to connect remotely to his computer, as they had done with hers, he had managed to secure access to theirs. For weeks, that remote connection had allowed him to eavesdrop on and record calls like those with Langer, in addition to capturing a visual record of the activity on a scammer’s computer screen.
“I’m going to give you the password to unlock your PC because they use the same password every time,” he said. “If you type 4-5-2-1, you’ll unlock it.”
Langer keyed in the digits.
“OK! It came back on!” she said, relieved.
For most people, calls like the one Langer received are a source of annoyance or anxiety. According to the F.B.I.’s Internet Crime Complaint Center, the total losses reported to it by scam victims increased to $3.5 billion in 2019 from $1.4 billion in 2017. Last year, the app Truecaller commissioned the Harris Poll to survey roughly 2,000 American adults and found that 22 percent of the respondents said they had lost money to a phone scam in the past 12 months; Truecaller projects that as many as 56 million Americans may have been victimized this way, losing nearly $20 billion.
The person who rescued Langer that afternoon delights in getting these calls, however. “I’m fascinated by scams,” he told me. “I like to know how they work.” A software engineer based in the United Kingdom, he runs a YouTube channel under the pseudonym Jim Browning, where he regularly posts videos about his fraud-fighting efforts, identifying call centers and those involved in the crimes. He began talking to me over Skype in the fall of 2019 — and then sharing recordings like the episode with Langer — on the condition that I not reveal his identity, which he said was necessary to protect himself against the ire of the bad guys and to continue what he characterizes as his activism. Maintaining anonymity, it turns out, is key to scam-busting and scamming alike. I’ll refer to him by his middle initial, L.
The goal of L.’s efforts and those of others like him is to raise the costs and risks for perpetrators, who hide behind the veil of anonymity afforded by the internet and typically do not face punishment. The work is a hobby for L. — he has a job at an I.T. company — although it seems more like an obsession. Tracking scammers has consumed much of L.’s free time in the evenings over the past few years, he says, except for several weeks in March and April last year, when the start of the coronavirus pandemic forced strict lockdowns in many parts of the world, causing call centers from which much of this activity emanates to temporarily suspend operations. Ten months later, scamming has “gone right back to the way it was before the pandemic,” L. told me earlier this month.
Like L., I was curious to learn more about phone scammers, having received dozens of their calls over the years. They have offered me low interest rates on my credit-card balances, promised to write off my federal student loans and congratulated me on having just won a big lottery. I’ve answered fraudsters claiming to be from the Internal Revenue Service who threaten to send the police to my doorstep unless I agree to pay back taxes that I didn’t know I owed — preferably in the form of iTunes gift cards or by way of a Western Union money transfer. Barring a few exceptions, the individuals calling me have had South Asian accents, leading me to suspect that they are calling from India. On several occasions, I’ve tested this theory by letting the voice on the other end go on for a few minutes before I suddenly interrupt with a torrent of Hindi curses that I retain full mastery of even after living in the United States for the past two decades. I haven’t yet failed to elicit a retaliatory offensive in Hindi. Confirming that these scammers are operating from India hasn’t given me any joy. Instead, as an Indian expatriate living in the United States, I’ve felt a certain shame.
L. started going after scammers when a relative of his lost money to a tech-support swindle, a common scheme with many variants. Often, it starts when the mark gets a call from someone offering unsolicited help in ridding a computer’s hard drive of malware or the like. Other times, computer users looking for help stumble upon a website masquerading as Microsoft or Dell or some other computer maker and end up dialing a listed number that connects them to a fraudulent call center. In other instances, victims are tricked by a pop-up warning that their computer is at risk and that they need to call the number flashing on the screen. Once someone is on the phone, the scammers talk the caller into opening up TeamViewer or another remote-access application on his or her computer, after which they get the victim to read back unique identifying information that allows them to establish control over the computer.
The scammer’s connection to L.’s virtual machine is effectively a two-way street that allows L. to connect to the scammer’s computer and infect it with his own software. Once he has done this, he can monitor the scammer’s activities long after the call has ended; sometimes for months, or as long as the software goes undetected. Thus, sitting in his home office, L. is able to listen in on calls between scammer and targets — because these calls are made over the internet, from the scammer’s computer — and watch as the scammer takes control of a victim’s computer. L. acknowledged to me that his access to the scammer’s computer puts him at legal risk; without the scammer’s permission, establishing that access is unlawful. But that doesn’t worry him. “If it came down to someone wanting to prosecute me for accessing a scammer’s computer illegally, I can demonstrate in every single case that the only reason I gained access is because the scammer was trying to steal money from me,” he says.
On occasion, L. succeeds in turning on the scammer’s webcam and is able to record video of the scammer and others at the call center, who can usually be heard on phones in the background. From the I.P. address of the scammer’s computer and other clues, L. frequently manages to identify the neighborhood — and, in some cases, the actual building — where the call center is.
When he encounters a scam in progress while monitoring a scammer’s computer, L. tries to both document and disrupt it, at times using his real-time access to undo the scammer’s manipulations of the victim’s computer. He tries to contact victims to warn them before they lose any money — as he did in the case of Kathleen Langer.
L.’s videos of such episodes have garnered millions of views, making him a faceless YouTube star. He says he hopes his exploits will educate the public and deter scammers. He claims he has emailed the law-enforcement authorities in India offering to share the evidence he has collected against specific call centers. Except for one instance, his inquiries have elicited only form responses, although last year, the police raided a call center that L. had identified in Gurugram, outside Delhi, after it was featured in an investigation aired by the BBC.
Now and then during our Skype conversations, L. would begin monitoring a call between a scammer and a mark and let me listen in. In some instances, I would also hear other call-center employees in the background — some of them making similar calls, others talking among themselves. The chatter evoked a busy workplace, reminding me of my late nights in a Kolkata newsroom, where I began my journalism career 25 years ago, except that these were young men and women working through the night to con people many time zones away. When scammers called me in the past, I tried cajoling them into telling me about their enterprise but never succeeded. Now, with L.’s help, I thought, I might have better luck.
I flew to India at the end of 2019 hoping to visit some of the call centers that L. had identified as homes for scams. Although he had detected many tech-support scams originating from Delhi, Hyderabad and other Indian cities, L. was convinced that Kolkata — based on the volume of activity he was noticing there — had emerged as a capital of such frauds. I knew the city well, having covered the crime beat there for an English-language daily in the mid-1990s, and so I figured that my chances of tracking down scammers would be better there than most other places in India.
I took with me, in my notebook, a couple of addresses that L. identified in the days just before my trip as possible origins for some scam calls. Because the geolocation of I.P. addresses — ascertaining the geographical coordinates associated with an internet connection — isn’t an exact science, I wasn’t certain that they would yield any scammers.
But I did have the identity of a person linked to one of these spots, a young man whose first name is Shahbaz. L. identified him by matching webcam images and several government-issued IDs found on his computer. The home address on his ID matched what L. determined, from the I.P. address, to be the site of the call center where he operated, which suggested that the call center was located where he lived or close by. That made me optimistic I would find him there. In a recording of a call Shahbaz made in November, weeks before my Kolkata visit, I heard him trying to hustle a woman in Ottawa and successfully intimidating and then fleecing an elderly man in the United States.
Although individuals like this particular scammer are the ones responsible for manipulating victims on the phone, they represent only the outward face of a multibillion-dollar criminal industry. “Call centers that run scams employ all sorts of subcontractors,” Puneet Singh, an F.B.I. agent who serves as the bureau’s legal attaché at the U.S. Embassy in New Delhi, told me. These include sellers of phone numbers; programmers who develop malware and pop-ups; and money mules. From the constantly evolving nature of scams — lately I’ve been receiving calls from the “law-enforcement department of the Federal Reserve System” about an outstanding arrest warrant instead of the fake Social Security Administration calls I was getting a year ago — it’s evident that the industry has its share of innovators.
The reasons this activity seems to have flourished in India are much the same as those behind the growth of the country’s legitimate information-technology-services industry after the early 2000s, when many American companies like Microsoft and Dell began outsourcing customer support to workers in India. The industry expanded rapidly as more companies in developed countries saw the same economic advantage in relocating various services there that could be performed remotely — from airline ticketing to banking. India’s large population of English speakers kept labor costs down.
Because the overwhelming majority of call centers in the country are engaged in legitimate business, the ones that aren’t can hide in plain sight. Amid the mazes of gleaming steel-and-glass high-rises in a place like Cyber City, near Delhi, or Sector V in Salt Lake, near Kolkata — two of the numerous commercial districts that have sprung up across the country to nurture I.T. businesses — it’s impossible to distinguish a call center that handles inquiries from air travelers in the United States from one that targets hundreds of Americans every day with fraudulent offers to lower their credit-card interest rates.
The police do periodically crack down on operations that appear to be illegitimate. Shortly after I got to Kolkata, the police raided five call centers in Salt Lake that officials said had been running a tech-support scam. The employees of the call centers were accused of impersonating Microsoft representatives. The police raid followed a complaint by the tech company, which in recent years has increasingly pressed Indian law enforcement to act against scammers abusing the company’s name. I learned from Murlidhar Sharma, a senior official in the city police, that his team had raided two other call centers in Kolkata a couple of months earlier in response to a similar complaint.
“Microsoft had done extensive work before coming to us,” Sharma, who is in his 40s and speaks with quiet authority, told me. The company lent its help to the police in connection with the raids, which Sharma seemed particularly grateful for. Often the police lack the resources to pursue these sorts of cases. “These people are very smart, and they know how to hide data,” Sharma said, referring to the scammers. It was in large part because of Microsoft’s help, he said, that investigators had been able to file charges in court within a month after the raid. A trial has begun but could drag on for years. The call centers have been shut down, at least for now.
Sharma pointed out that pre-emptive raids do not yield the desired results. “Our problem,” he said, “is that we can act only when there’s a complaint of cheating.” In 2017, he and his colleagues raided a call center on their own initiative, without a complaint, and arrested several people. “But then the court was like, ‘Why did the police raid these places?’” Sharma said. The judge wanted statements from victims, which the police were unable to get, despite contacting authorities in the U.S. and U.K. The case fell apart.
The slim chances of detection, and the even slimmer chances of facing prosecution, have seemed to make scamming a career option, especially among those who lack the qualifications to find legitimate employment in India’s slowing economy. Indian educational institutions churn out more than 1.5 million engineers every year, but according to one survey fewer than 20 percent are equipped to land positions related to their training, leaving a vast pool of college graduates — not to mention an even larger population of less-educated young men and women — struggling to earn a living. That would partly explain why call centers run by small groups are popping up in residential neighborhoods. “The worst thing about this crime is that it’s becoming trendy,” Aparajita Rai, a deputy commissioner in the Kolkata Police, told me. “More and more youngsters are investing the crucial years of their adolescence into this. Everybody wants fast money.”
In Kolkata, I met Aniruddha Nath, then 23, who said he spent a week working at a call center that he quickly realized was engaged in fraud. Nath has a pensive air and a shy smile that intermittently cut through his solemnness as he spoke. While finishing his undergraduate degree in engineering from a local college — he took a loan to study there — Nath got a job offer after a campus interview. The company insisted he join immediately, for a monthly salary of about $200. Nath asked me not to name the company out of fear that he would be exposing himself legally.
His jubilation turned into skepticism on his very first day, when he and other fresh recruits were told to simply memorize the contents of the company’s website, which claimed his employer was based in Australia. On a whim, he Googled the address of the Australian office listed on the site and discovered that only a parking garage was located there. He said he learned a couple of days later what he was to do: Call Indian students in Australia whose visas were about to expire and offer to place them in a job in Australia if they paid $800 to take a training course.
On his seventh day at work, Nath said, he received evidence from a student in Australia that the company’s promise to help with job placements was simply a ruse to steal $800; the training the company offered was apparently little more than a farce. “She sent me screenshots of complaints from individuals who had been defrauded,” Nath said. He stopped going in to work the next day. His parents were unhappy, and, he said, told him: “What does it matter to you what the company is doing? You’ll be getting your salary.” Nath answered, “If there’s a raid there, I’ll be charged with fraud.”
Late in the afternoon the day after I met with Nath, I drove to Garden Reach, a predominantly Muslim and largely poor section in southwest Kolkata on the banks of the Hooghly River. Home to a 137-year-old shipyard, the area includes some of the city’s noted crime hot spots and has a reputation for crime and violence. Based on my experience reporting from Garden Reach in the 1990s, I thought it was probably not wise to venture there alone late at night, even though that was most likely the best time to find scammers at work. I was looking for Shahbaz.
Parking my car in the vicinity of the address L. had given me, I walked through a narrow lane where children were playing cricket, past a pharmacy and a tiny store selling cookies and snacks. The apartment I sought was on the second floor of a building at the end of an alley, a few hundred yards from a mosque. It was locked, but a woman next door said that the building belonged to Shahbaz’s extended family and that he lived in one of the apartments with his parents.
Then I saw an elderly couple seated on the steps in the front — his parents, it turned out. The father summoned Shahbaz’s brother, a lanky, longhaired man who appeared to be in his 20s. He said Shahbaz had woken up a short while earlier and gone out on his motorbike. “I don’t know when he goes to sleep and when he wakes up,” his father said, with what sounded like exasperation.
They gave me Shahbaz’s mobile number, but when I called, I got no answer. It was getting awkward for me to wait around indefinitely without disclosing why I was there, so eventually I pulled the brother aside to talk in private. We sat down on a bench at a roadside tea stall, a quarter mile from the mosque. Between sips of tea, I told him that I was a journalist in the United States and wanted to meet his brother because I had learned he was a scammer. I hoped he would pass on my message.
I got a call from Shahbaz a few hours later. He denied that he’d ever worked at a call center. “There are a lot of young guys who are involved in the scamming business, but I’m not one of them,” he said. I persisted, but he kept brushing me off until I asked him to confirm that his birthday was a few days later in December. “Look, you are telling me my exact birth date — that makes me nervous,” he said. He wanted to know what I knew about him and how I knew it. I said I would tell him if he met with me. I volunteered to protect his identity if he answered my questions truthfully.
Two days later, we met for lunch at the Taj Bengal, one of Kolkata’s five-star hotels. I’d chosen that as the venue out of concern for my safety. When he showed up in the hotel lobby, however, I felt a little silly. Physically, Shahbaz is hardly intimidating. He is short and skinny, with a face that would seem babyish but for his thin mustache and beard, which are still a work in progress. He was in his late 20s but had brought along an older cousin for his own safety.
We found a secluded table in the hotel’s Chinese restaurant and sat down. I took out my phone and played a video that L. had posted on YouTube. (Only those that L. shared the link with knew of its existence.) The video was a recording of the call from November 2019 in which Shahbaz was trying to defraud the woman in Ottawa with a trick that scammers often use to arm-twist their victims: editing the HTML coding of the victim’s bank-account webpage to alter the balances. Because the woman was pushing back, Shahbaz zeroed out her balance to make it look as if he had the ability to drain her account. On the call, he can be heard threatening her: “You don’t want to lose all your money, right?”
I watched him shift uncomfortably in his chair. “Whose voice is that?” I asked. “It’s yours, isn’t it?”
He nodded in shocked silence. I took my phone back and suggested he drink some water. He took a few sips, gathering himself before I began questioning him. When he mumbled in response to my first couple of questions, I jokingly asked him to summon the bold, confident voice we’d just heard in the recording of his call. He gave me a wan smile.
Pointing to my voice recorder on the table, he asked, meekly, “Is this necessary?”
When his scam calls were already on YouTube, I countered, how did it matter that I was recording our conversation?
“It just makes me nervous,” he said.
Shahbaz told me his parents sent him to one of the city’s better schools but that he flunked out in eighth grade and had to move to a neighborhood school. When his father lost his job, Shahbaz found work riding around town on his bicycle to deliver medicines and other pharmaceutical supplies from a wholesaler to retail pharmacies; he earned $25 a month. Sometime around 2011 or 2012, he told me, a friend took him to a call center in Salt Lake, where he got his first job in scamming, though he didn’t realize right away that that was what he was doing. At first, he said, the job seemed like legitimate telemarketing for tech-support services. By 2015, working in his third job, at a call center in the heart of Kolkata, Shahbaz had learned how to coax victims into filling out a Western Union transfer in order to process a refund for terminated tech-support services. “They would expect a refund but instead get charged,” he told me.
Shahbaz earned a modest salary in these first few jobs — he told me that that first call center, in Salt Lake, paid him less than $100 a month. His lengthy commute every night was exhausting. In 2016 or 2017, he began working with a group of scammers in Garden Reach, earning a share of the profits. There were at least five others who worked with him, he said. All of them were local residents, some more experienced than others. One associate at the call center was his wife’s brother.
He was cagey about naming the others or describing the organization’s structure, but it was evident that he wasn’t in charge. He told me that a supervisor had taught him how to intimidate victims by editing their bank balances. “We started doing that about a year ago,” he said, adding that their group was somewhat behind the curve when it came to adopting the latest tricks of the trade. When those on the cutting edge of the business develop something new, he said, the idea gradually spreads to other scammers.
It was hard to ascertain how much this group was stealing from victims every day, but Shahbaz confessed that he was able to defraud one or two people every night, extracting anywhere from $200 to $300 per victim. He was paid about a quarter of the stolen amount. He told me that he and his associates would ask victims to drive to a store and buy gift cards, while staying on the phone for the entire duration. Sometimes, he said, all that effort was ruined if suspicious store clerks declined to sell gift cards to the victim. “It’s becoming tough these days, because customers aren’t as gullible as they used to be,” he told me. I could see from his point of view why scammers, like practitioners in any field, felt pressure to come up with new methods and scams in response to increasing public awareness of their schemes.
The more we spoke, the more I recognized that Shahbaz was a small figure in this gigantic criminal ecosystem that constitutes the phone-scam industry, the equivalent of a pickpocket on a Kolkata bus who is unlucky enough to get caught in the act. He had never thought of running his own call center, he told me, because that required knowing people who could provide leads — names and numbers of targets to call — as well as others who could help move stolen money through illicit channels. “I don’t have such contacts,” he said. There were many in Kolkata, according to Shahbaz, who ran operations significantly bigger than the one he was a part of. “I know of people who had nothing earlier but are now very rich,” he said. Shahbaz implied that his own ill-gotten earnings were paltry in comparison. He hadn’t bought a car or a house, but he admitted that he had been able to afford to go on overseas vacations with friends. On Facebook, I saw a photo of him posing in front of the Burj Khalifa in Dubai and other pictures from a visit to Thailand.
I asked if he ever felt guilty. He didn’t answer directly but said there had been times when he had let victims go after learning that they were struggling to pay bills or needed the money for medical expenses. But for most victims, his rationale seemed to be that they could afford to part with the few hundred dollars he was stealing.
Shahbaz was a reluctant interviewee, giving me brief, guarded answers that were less than candid or directly contradicted evidence that L. had collected. He was vague about the highest amount he’d ever stolen from a victim, at one point saying $800, then later admitting to $1,500. I found it hard to trust either figure, because on one of his November calls I heard him bullying someone to pay him $5,000. He told me that my visit to his house had left him shaken, causing him to realize how wrong he was to be defrauding people. His parents and his wife were worried about him. And so, he had quit scamming, he told me.
“What did you do last night?” I asked him.
“I went to sleep,” he said.
I knew he was not telling the truth about his claim to have stopped scamming, however. Two days earlier, hours after our phone conversation following my visit to Garden Reach, Shahbaz had been at it again. It was on that night, in fact, that he tried to swindle Kathleen Langer in Crossville, Tenn. Before I came to see him for lunch, I had already heard a recording of that call, which L. shared with me.
When I mentioned that to him, he looked at me pleadingly, in visible agony, as if I’d poked at a wound. It was clear to me that he was only going to admit to wrongdoing that I already had evidence of.
L. told me that the remote access he had to Shahbaz’s computer went cold after I met with him on Dec. 14, 2019. But it buzzed back to life about 10 weeks later. The I.P. address was the same as before, which suggested that it was operating in the same location I visited. L. set up a livestream on YouTube so I could see what L. was observing. The microphone was on, and L. and I could clearly hear people making scam calls in the background. The computer itself didn’t seem to be engaged in anything nefarious while we were eavesdropping on it, but L. could see that Shahbaz’s phone was connected to it. It appeared that Shahbaz had turned the computer on to download music. I couldn’t say for certain, but it seemed that he was taking a moment to chill in the middle of another long night at work.
No comments:
Post a Comment