Anatomy of an Indian Phone Scam
Mark Honeychurch (May 23, 2022)
I watched a great video on YouTube the other day, the latest in a series of videos by Mark Rober where he uses glitter bombs to surprise scammers. His project started off using a device that targets people who steal packages from people's porches. A fake package was built that would activate when opened, with a glitter throwing disc, a mechanism to press down on a fart spray nozzle, and cameras to record and upload thieves' reactions when they opened the packages in their homes or cars.
Since then Mark has uncovered an organised scheme using money mules in the US to receive cash for Indian call centre scammers, and he's worked with other YouTubers who fight these scammers - including one who pretends to be an elderly person when scammers call him, using voice altering software.
In Mark's latest video he has people physically infiltrate several Indian call centres in Kolkata (Calcutta) by applying for jobs there, and then they release cockroaches, bad smells, smoke and more in the offices - all recorded on video because some of these scam busters have managed to hack into the call centres' CCTV systems.
What particularly interested me about these videos is the method the scammers are currently using, and who it's being used against.
All of these scams use a technique called social engineering, a way of gaining someone's trust (or confidence, hence the term confidence trickster or “con” man) through pretending to be someone you're not. In this case the technique is used to gain remote access to someone's home computer - giving the scammer the ability to control the computer over the internet, operating the keyboard and mouse and seeing what's on the screen.
A few years ago, this remote access was mainly used in a fairly rudimentary way by scammers to scare people into thinking they had a virus on their PC. The scammers would say they were from Microsoft, McAfee or Norton, and show the users errors in their PC's Windows Event Log (where Windows stores a record of changes to the PC and other information) - pretty much every PC will have errors. But the scammers lie, and tell people that the errors are because of a virus, rather than just issues with something like a webcam driver. Then they'd convince people to pay hundreds of dollars to have the fake virus cleaned up, and for non-existent anti-virus software.
Thankfully there's been a lot of public awareness of these scams recently, but unfortunately the scammers have moved on to a different type of scam - one that's harder to trace, and uses some basic psychology to guilt people into being more likely to hand over their money.
The scammers are now pretending to be from an online service that most people in their target country will use (like Amazon in the US), or from the government (such as the tax department). They tell people that they've been accidentally overcharged for something, just a small amount like $20 or $200. At this point many people will go along with this, because the scammer is not asking for money, they're offering to give the victim money.
The scammer says that they need to connect to the victim's computer to help them organise a refund to their account. The scammer then opens up a fake bank transfer app on the victim's PC, and asks the victim to help them transfer the money back to their account by typing in their name and the amount.
As the victim types in the amount, the fake app adds a few zeroes, making it look like the victim accidentally hit the key too many times - so the amount in the fake bank transfer might say $20,000 instead of $20. The scammer starts to act worried, as they say this is an irreversible transfer, then asks the victim to log in to their bank account to confirm that the money is in there - with the scammer still connected remotely. At this point, the simplest scam would be to lock the victim out of their PC and transfer money out of the account and into another one - but this would leave a traceable bank account number in the bank's records, and most of the time these transfers are reversible if caught quickly enough.
Instead, the scammer uses a feature of modern browsers called the Inspector, which allows them to easily edit what shows up on a web page, in this case the victim's bank account transfer history and balance - they're not actually changing the amount in the bank account, just editing how the web page looks to make it appear like there's a new transaction of $20,000 into the victim's account.
At this point, the psychology kicks in. The victim is made to feel guilty that the accident, supposedly caused by them, may cost the scammer their “job”. They're fed a sob story about not being able to look after their family:
They're told that a normal transfer won't work, and the solution they're given is to withdraw the money as cash and courier it to an address - and usually the address is an Airbnb that has been rented out for a day or two by a money mule in the same country as the victim, someone who is willing to take the risk of receiving the package, in return for a portion of the proceeds. The rest of the money ends up being transferred to a bank account owned by the scammers in India - with this transfer to and from cash in the middle acting as a kind of firewall to stop the money being traceable. And once the money's been sent, the victim can't reverse their cash withdrawal either - unlike an online transfer.
So, how do you protect against this kind of scam? Firstly, be suspicious of anyone phoning you to talk about a problem with one of your accounts that they need to fix. Ask for the person's name and department if you're not sure, and tell them you'll call them back on the company's help line and ask to be put through to them.
Even if you think a support person is legitimate, never let them get you to install software on your PC - especially remote control software. Unless you're dealing with a company you've specifically paid to manage your computer, no legitimate company will want to take control of your desktop or laptop - not your Internet Service Provider (ISP), not Microsoft, not your bank, and not your favourite online shop.
If you want to know more about these scams, or if you want to see people turning the tables on scammers, I'd recommend watching videos online from the YouTube channels Jim Browning, Kitboga and Scammer Payback.