Now type in your bank password...
From offices in Kolkata, scam callers try to separate Americans from their money, said Yudhijit Bhattacharjee in The New York Times Magazine. With the help of an anti-scam hacker, I went to find them.
ONE AFTERNOON IN December 2019, Kathleen Langer, an elderly grandmother who lives by herself in Crossville, Tenn., got a phone call from a person who said he worked in the refund department of her computer manufacturer. The reason for the call, he explained, was to process a refund the company owed Langer for anti-virus and anti-hacking protection that had been sold to her and was now being discontinued. Langer, who has a warm and kind voice, couldn’t remember purchasing the plan in question, but at her age, she didn’t quite trust her memory. She had no reason to doubt the caller, who spoke with an Indian accent and said his name was Roger.
He asked her to turn on her computer and led her through the steps so that he could access it remotely. When Langer asked why this was necessary, he said he needed to remove the software from her machine. After he gained access to her desktop, using the program TeamViewer, the caller asked Langer to log in to her bank to accept the refund, $399, which he was going to transfer into her account. Langer made a couple of unsuccessful attempts to log in; she couldn’t remember her user name.
Frustrated, the caller opened her bank’s internet banking registration form on her computer screen, created a new user name and password for her, and asked her to fill out the required details—including her address, Social Security number, and birth date. When she typed this last part in, the caller noticed she had turned 80 weeks earlier and wished her happy birthday. “Thank you!” she replied.
After submitting the form, he tried to log in to Langer’s account but failed, because Langer’s bank activates a newly created user ID only after speaking to the customer who has requested it. The caller asked Langer if she could go to her bank to resolve the issue. Because it was late afternoon, however, she wasn’t sure if the bank would be open when she got there. The caller noted that the bank didn’t close until 4:30, which meant she still had 45 minutes. “He was very insistent,” Langer told me recently. On her computer screen, the caller typed out what he wanted her to say at the bank. “Don’t tell them anything about the refund,” he said.
Later, Langer rang the number the caller had given her and told him she had been unable to get to the bank in time. By now, she was beginning to have doubts about the caller. She told him she wouldn’t answer the phone if he contacted her again.
“Do you care about your computer?” he asked. He then uploaded a program onto her computer called Lock My PC and locked its screen with a password she couldn’t see. “If you want to use your computer as you were doing, you need to go ahead as I was telling you or else you will lose your computer and your money,” he told her. When he finally hung up, Langer felt shaken.
INUTES LATER, HER phone rang again. This caller introduced himself as Jim Browning. “The guy who is trying to convince you to sign in to your online banking is after one thing alone, and that is he wants to steal your money,” he said.
Langer was mystified that this new caller, who had what seemed to be a strong Irish accent, knew about the conversations she had just had. “Are you sure you are not with this group?” she asked.
He replied that the same scammers had targeted him, too. But when they were trying to connect remotely to his computer, he had
Mmanaged to secure access to theirs. For weeks, that remote connection had allowed him to eavesdrop on and record calls like those with Langer. “I’m going to give you the password to unlock your PC because they use the same password every time,” he said. “If you type 4-5-2-1, you’ll unlock it.”
Langer keyed in the digits. “OK! It came back on!” she said, relieved.
For most people, calls like the one Langer received are a source of annoyance or anxiety. According to the FBI’s Internet Crime Complaint Center, the total losses reported to it by scam victims increased to $3.5 billion in 2019 from
$1.4 billion in 2017.
The person who rescued Langer delights in getting these calls, however. “I’m fascinated by scams,” he told me. A software engineer based in the United Kingdom, he runs a YouTube channel under the pseudonym Jim Browning, where he regularly posts videos about his fraud-fighting efforts. I’ll refer to him by his middle initial, L.
L. started going after scammers when a relative of his lost money to a tech-support swindle, a common scheme with many variants. Often, it starts when the mark gets a call from someone offering help in ridding a computer’s hard drive of malware. In other instances, victims are tricked by a pop-up warning that their computer is at risk and that they need to call a certain number. Once someone is on the phone, the scammers talk the caller into opening up a remote-access application on his or her computer, after which they get the victim to read back unique identifying information that allows them to establish control over the computer.
L. flips the script. He starts by playing an unsuspecting target and allows the scammer to connect to his device. This doesn’t have any of his actual data, however. It is a “virtual machine”: a program that simulates a functioning desktop on his computer. The scammer’s connection to L.’s virtual machine is a two-way street that allows L. to connect
to the scammer’s computer and infect it with his own software. Once he has done this, he can monitor the scammer’s activities. Sitting in his home office, L. is able to listen in on calls between scammer and targets and watch as the scammer takes control of a victim’s computer.
On occasion, L. succeeds in turning on the scammer’s webcam and is able to record video of the scammer. From the IP address of the scammer’s computer and other clues, L. frequently manages to identify the neighborhood—and, in some cases, the actual building—where the call center is. When he encounters a scam in progress, L. tries to both document and disrupt it— as he did in the case of Kathleen Langer. Like L., I was curious to learn more about phone scammers, having received dozens of their calls over the years. Sometimes during my interviews with him L. would begin monitoring a call between a scammer and a mark and let me listen in. In some instances, I would also hear other call-center employees in the background—some of them making similar calls, others talking among themselves.
The chatter evoked a busy workplace, reminding me of my late nights in a
Kolkata newsroom, where I began my journalism career 25 years ago. When scammers called me in the past, they frequently had South Asian accents, leading me to suspect that they were calling from India. I had tried cajoling them into telling me about their enterprise but never succeeded. Now, with L.’s help, I thought, I might have better luck.
FLEW TO India at the end of 2019 hoping to visit some of the call centers that L. had identified. Although he had detected scams originating from Delhi and other Indian cities, L. was convinced that Kolkata had emerged as a capital of such frauds. I knew the city well, having covered the crime beat there for an Englishlanguage daily in the mid-1990s.
In my notebook were a couple of addresses that L. identified as possible origins for some scam calls. I also had the identity of a person linked to one of these spots, a young man whose first name is Shahbaz. L. identified him by matching images and several government-issued IDs found on his computer. The home address on his ID matched what L. determined, from the IP address, to be the site of the call center where he operated, which suggested that the call center was located where he lived or close by.
One afternoon, I drove to Garden Reach, a predominantly Muslim and largely poor sec
Ition in southwest Kolkata. I was looking for Shahbaz. The apartment I sought was in a building at the end of an alley. It was locked, but a woman next door said that the building belonged to Shahbaz’s family and that he lived in one of the apartments with his parents. Then I saw an elderly couple seated on the steps in the front—his parents, it turned out. The father summoned Shahbaz’s brother, who said Shahbaz had gone out. They gave me Shahbaz’s mobile number, but when I called, I got no answer. Eventually, I pulled the brother aside and told him that I was a journalist and wanted to meet his brother because I had learned he was a scammer. I hoped he would pass on my message.
I got a call from Shahbaz a few hours later. He denied that he’d ever worked at a call center. I persisted, but he kept brushing me off until I asked him to confirm that his birthday was a few days later in December. “Look, you are telling me my exact birth date—that makes me nervous,” he said. He wanted to know what I knew about him. Two days later, we met for lunch at the Taj Bengal, one of Kolkata’s five-star hotels. I’d chosen that as the venue out of concern for my safety. When he showed up in the hotel lobby, however, I felt a little silly. Physically, Shahbaz is hardly intimidating. He is short and skinny, with a face that would seem babyish but for his thin mustache and beard. We sat down at a secluded table in the hotel’s Chinese restaurant. I took out my phone and played a video that L. had made of a call in which Shahbaz was trying to defraud a woman in Ottawa. On the call, he can be heard threatening her: “You don’t want to lose all your money, right?” I watched him shift uncomfortably in his chair. “Whose voice is that?” I asked. “It’s yours, isn’t it?” He nodded in silence.
Shahbaz told me that sometime around
2011 or 2012, a friend took him to a call center, where he got his first job in scamming. In his first few jobs Shahbaz earned a modest salary—he told me that that first call center paid him less than $100 a month. In 2016 or 2017, he began working with a group of scammers in Garden Reach, earning a share of the profits.
It was hard to ascertain how much this group was stealing from victims, but Shahbaz confessed that he was able to defraud one or two people every night, extracting anywhere from $200 to $300 per victim. He was paid about a quarter of the stolen amount. The more we spoke, the more I recognized that Shahbaz was a small figure in the gigantic criminal ecosystem of the phone-scam industry, the equivalent of a pickpocket on a Kolkata bus. Shahbaz was a reluctant interviewee, giving me guarded answers that were less than candid or directly contradicted evidence that L. had collected. He was vague about the highest amount he’d ever stolen from a victim, at one point saying $800, then later admitting to $1,500. I found it hard to trust either figure, because on one of his November calls I heard him bullying someone to pay him $5,000. He told me that my visit to his house had left him shaken, causing him to realize how wrong he was to be defrauding people. And so, he had quit scamming, he told me. I knew he was not telling the truth. Two days earlier, hours after our first phone conversation, Shahbaz had been at it again. It was on that night, in fact, that he tried to swindle Kathleen Langer in Crossville, Tenn. Before I came to see him for lunch, I had already heard a recording of that call, which L. shared with me.
L. told me that the access he had to Shahbaz’s computer went cold after I met with him on Dec. 14, 2019. But it buzzed back to life about 10 weeks later. The IP address was the same as before, which suggested that it was operating in the same location I visited. L. set up a livestream on YouTube so I could see what L. was observing. The microphone was on, and L. and I could clearly hear people making scam calls in the background. It appeared that Shahbaz had turned the computer on to download music. I couldn’t say for certain, but it seemed that he was taking a moment to chill in the middle of another long night at work.
Adapted from an article that originally appeared in The New York Times Magazine. Used with permission.