Identity theft: ONGC falls prey to cyber fraud, loses Rs 197 crore
In one of the biggest cyber crimes in Mumbai, the Oil and Natural Gas Corporation Limited (ONGC) lost Rs 197 crore after cyber criminals duplicated the public sector firm’s official e-mail address with minor changes and used it to convince a Saudi Arabia-based client to transfer payments to their account.
The fraud was committed on the premise that the company making the payment would not notice a minor change in the e-mail address of the ONGC representative, with whom they had been communicating. While ONGC communicated with the company from firstname.lastname@example.org, the fraudsters duped the company by communicating with them from email@example.com.
According to the BKC cyber police team probing the case, ONGC had an order to deliver 36,000 metric tonnes of naphtha — flammable liquid hydrocarbon mixtures — to Saudi Aramco, an oil company based in Dhahran.
On September 7, ONGC dispatched the order, worth Rs 100.15 crore, from Hazira port in Surat. According to the police, the company usually transferred payments to ONGC’s State Bank of India (SBI) account, but did not do so this time.
“ONGC was to send a second batch of naphtha to Aramco on September 22. However, since they had not received the earlier payment, they enquired with the Saudi-based company,” an officer said. On being told that the delay was on account of public holidays and bank holidays, ONGC dispatched the second batch of naphtha worth Rs 97 crore on September 22. Again, ONGC e-mailed a scanned copy of the tax invoice with its SBI account number to the company.
Again, no payments were received in the ONGC account. What finally set alarm bells ringing was an e-mail ONGC received on October 7 from Aramco stating that the money had been transferred to a new account. When the PSU contacted Aramco, they were told the company had merely followed up on ONGC’s request to deposit the money into an account in Bangkok Bank Public Company Limited. “ONGC had never made such a request,” the officer said.
As soon as an official complaint was registered on October 10, Additional Commissioner of Police K M M Prasanna instructed the cyber crime police station to probe the matter on priority. During investigations, police found that someone aware of the e-mail communication between ONGC and Aramco regarding the transfer of a large sum of money had created an e-mail ID similar to an official ONGC email ID.
“The communication from ONGC was done using the e-mail ID firstname.lastname@example.org. The fraudsters merely created an e-mail address email@example.com,” said senior police inspector S Mahadik.
Using this ID, the fraudsters began to communicate with Aramco, and as the second e-mail ID appeared almost identical to the original, Aramco officials did not notice the difference. The fraudsters then sent an e-mail asking for the payment to be deposited to a Bangkok-based account.
Officers of the BKC cyber police station said an FIR has been registered under Sections 419 (cheating by impersonation), 420 (cheating), 465 (forgery), 468 (forgery for purpose of cheating) and 471 (using a forged document) of the Indian Penal Code and Sections 66C (punishment for identity theft) and 66D (cheating by impersonation using computer resource) of the Information Technology Act. ONGC was unavailable for comment.