Call centre fraud opens new frontier in cybercrime
Mumbai: In August 2010, a victim identified as T.C. in an investigation report prepared by the US Federal Trade Commission (FTC), reported receiving a threatening call from a blocked number.
The caller, T.C. said, had an American-sounding name but also a “thick Middle Eastern accent,” and claimed to be a representative of the Central Investigation Finance Agency, a fictitious but ominous-sounding agency.
“He claimed that I had a warrant out for my arrest for not paying off a loan,” T.C. told the investigator for the government consumer protection agency, despite the fact that T.C. didn’t have any outstanding loans. “He kept asking me to verify my address so I could be arrested…. (He said he was) trying to collect a debt from US Cash who is ‘the mother of multiple payday loan agencies’”.
The intimidation tactic worked and T.C. told the investigator, a copy of whose report was obtained by Mint, “They never showed me any documentation, but he had my social security number, bank account number and names of people close to me.”
He was told that if a payment of $200 was made—via Western Union money transfer; US Cash didn’t accept credit cards—the charges would be dropped. He made the payment.
On 13 February, the Federal Trade Commission sued the California-based American Credit Crunchers Llc, alleging that the threatening calls came from an associated company in Ahmedabad.
American Credit Crunchers allegedly preyed on consumers with a history of applying for short-term, high-interest loans, also known as payday loans, which are typically applied for online. Funds were routed to an associated firm in India, according to the investigation.
A US district court has frozen the assets and halted the activities of American Credit Crunchers and an affiliated company, according to the commission.
According to the civil suit filed by the commission, agents in India of the company’s owner, Varang K. Thaker, would call potential victims, armed with a slew of personal data and threatening dire consequences if phantom loans of up to $2,000 were not repaid. The commission alleges that companies affiliated with Thaker made more than $5 million from the scam, which has been in operation since January 2010.
Business process outsourcing (BPO) industry stakeholders fear that this type of crime will only become more prominent.
By comparison, the calls made to T.C. seem mild. One victim said, “my son was called and threatened.” Another victim reported getting anonymous voicemail messages, on one of which the caller said that “something bad would happen to her” if she didn’t return the call and that “her job could be in danger ‘or worse… and may god help (her).’”
Adding insult to injury, some of the callers appear to be having some fun at the expense of their victims, using as aliases the names of movie characters and professional wrestlers.
Stakeholders worry that the lawsuit represents the next frontier in Indian cybercrime. “I don’t think the BPO industry or the country is prepared to resolve this kind of fraud,” said Vijay Mukhi, a leading cyber security expert. “This is a crime that was committed in the US, but originated in India. On the Indian side, I don’t think we’ll see any closure on this. The Indian police is not as cyber savvy as it should be. My worry is that because nothing will happen in this case, many other people will be encouraged to do the same scam.”
Mukhi added that he’s “surprised this type of bullying hasn’t happened sooner.”
In the past there have been several instances where BPO employees have been charged for misusing and manipulating credit records of customers.
In April 2005, five employees of MsourcE in Pune were arrested for allegedly siphoning off about $425,000 from the Citibank accounts of four New York-based account holders. This was the first of the many BPO scams that hit India.
Two months later, the UK-based tabloid The Sun, in a sting operation, purchased the bank account details of 1,000 Britons for about $5.50 each from Karan Bahree, an employee of Gurgaon-based BPO firm Infinity E-Search.
In January 2006, Intelenet Global, a Mumbai-based BPO, filed a case against two of its employees, Imran Sayed and Frank Remedis, for manipulating credit records of 400 customers in the US.
In the wake of those cases, the National Association of Software and Services (NASSCOM), an industry association for the IT-BPO sector in India, set up the Data Security Council of India, a self-regulatory organization to monitor and enforce privacy and data protection standards for the Indian BPO industry. Stakeholders say the initiative reduced the instances of fraud originating from call centres in India. Until now.
American Credit Crunchers is registered as a collection agency in the state of California, according to the FTC investigation report. For the period between 29 December 2009 and 29 July 2010, bank statements for American Credit Crunchers show deposits of $4,594,136.98, according to the investigation.
During the same period, the account showed debits of $4,521,551.96, including payments to Ebeeze Llc, an affiliated company registered in the US, “in cheque payments” to Kalpana Thaker and Ashish Thaker, as well as $17,376.04 in airline tickets.
Debits for an account held by Ebeeze include a cheque for $43,899.65, on which “the memo section contains the notation ‘ML 350’ indicating that the payment is for a Mercedes-Benz ML 350 vehicle.”
The investigation also reveals $86,930 in wire transfer payments to Zeus Inc. Pvt. Ltd, an affiliated company registered in Ahmedabad, deposited into accounts held by Kotak Mahindra Bank Ltd.
The investigation report reveals that a phone number associated with debit or credit card payments by victims to American Credit Crunchers originated from an Internet protocol address in Ahmedabad.
Since the lawsuit froze the assets of American Credit Crunchers and Ebeeze, the FTC has heard of other entities involved in similar types of fraud.
“Similar complaints still come in,” said Elizabeth Scott, an attorney at the FTC. The FTC does get complaints of call centres using “the same basic modus operandi,” she said, “but it’s difficult to determine whether they are from the same entity.”
Calls made to Nirav H. Raichura, a partner at Zeus, went unanswered. Varang K. Thaker told news wire agency the Press Trust of India that he was also a victim of the scam and that he was cooperating with the FTC.
The FTC’s office of international affairs has reached out to Indian law enforcement, but no coordinated action has been taken as yet, said Scott. “We have reached out to law enforcement in India using existing contacts (of other US law enforcement agencies),” she said. “There is potential for that to bear fruit.”
Kiran Patel, police inspector with the cybercrime cell in Ahmedabad, said he was unfamiliar with the case and the cell has not been approached by either a foreign government or another branch of Indian law enforcement, state or central. Patel said, however, his unit broke up a similar operation in January in Ahmedabad. Scott said that the FTC has gotten around 4,000 complaints of the same nature and that typically fewer than 10% of consumer victims report this kind of fraud.
Supreme Court lawyer and cyber law expert Pavan Duggal said the alleged perpetrators in India could be prosecuted under various sections of the Information Technology Act as well as the Indian Penal Code, and could potentially be found guilty of crimes such as “electronic forgery, nuisance, mischief and criminal intimidation.” The kind of fraud allegedly committed by American Credit Crunchers was “a new trend that’s emerging,” Duggal said. BPO companies “that are not getting adequate business are increasingly using their facilities and businesses for criminal purposes and intents.”