Varun Kapoor, IPS
Additional Director General of Police, Narcotics and PRTS, Indore
Vishing is a form of Phishing attack. In Phishing, the cyber criminal uses technology as a tool to send a fake text message via SMS or email to a large number of intended victims. Not all of them fall prey to the evil designs of the attacker, but a few will, and that satisfies the attacker, as s/he was never targeting success with all the recipients of the SMS or mail. Similarly, in Vishing the attacker uses a voice call to achieve the objective of duping the intended victim. The difference is that in Vishing voice calls are used instead of text and one victim is attacked at a time, whereas in Phishing bulk targets are chosen and attacked simultaneously.
These attacks are increasing rapidly because customers have an innate sense of trust in the services and dependability of the Telecom Service Provider. They generally believe the caller in the calls they get, as they feel that the Telecom Company has proper knowledge of the physical location from which a call originates. This may not be true in the case of a Vishing call, and that is one reason the target gets duped. Another reason is the attacker's skill at convincing the target of the genuineness of the call. These attackers use social engineering to gather knowledge and information about the intended victim. Armed with all this, they attack the target and very often talk them into being conned.
There are many cases of individual citizens being defrauded by smooth-talking cyber criminals using the Vishing attack method. However, one case that occurred in the Mumbai and Thane areas of Maharashtra has shocked even the pundits, because of the scale, scope and costs involved. The entire scam was very ingeniously planned and executed by a 23-year-old youth! The fact that it tasted such huge success is testimony to the reality that it is indeed very easy to carry out a Vishing attack on unsuspecting and law-abiding citizens, even those of an educated and advanced country like the United States of America.
This scam was masterminded by a 23-year-old resident of Ahmedabad in Gujarat named Sagar Thakkar, alias Shaggy. He had several partners in India as well as agents in the USA. These agents leaked information about Income Tax defaulters to Shaggy and his associates. They gained this information through black market lists that they purchased and through similar lists obtained from the Dark Net. The Indian wing of this enterprise in turn used this information to formally con the targeted individuals using the Vishing formula. They legally set up five call centers in the Mumbai and Thane areas. In these centers they employed around 700 operators. These operators were told that they had to call on behalf of a private income tax collection company of the USA. They were given a specific script to follow and were trained to deliver it as best as they could.
The script included making VoIP calls to the defaulters (aka targets) and posing as members of the Internal Revenue Service of the USA. The targets were then threatened with dire consequences, including arrest, if they did not immediately pay up a specified amount, which usually ranged from US$ 10,000 to US$ 20,000; eventually a settlement was made for anything between US$ 3,000 and US$ 5,000. Everything had to be done immediately, and the victim was made to pay through preloaded cash cards. The victims were made to share the 16-digit code of the preloaded cash card with the call center employee, who helped them debit the pre-decided amount from it. Then, using the online payment mode, the amount debited by the victims from their cash card would be redeemed by the scamsters. In the end, the call center employee would also email the victim a forged certificate of payment purporting to be from the Internal Revenue Service of the USA. So everything was stitched up and neatly conducted. The victim did not realize that he had been conned into transferring money to cyber criminals in a smooth operation until it was too late and little could be done.
This amount would then be deposited by the partners of Shaggy in the USA, in Singapore, in Dubai and sometimes even in an international bank account in the USA, and would ultimately get routed to India, to Sagar and his associates, through suspected Hawala transactions. The American associates kept 30% of the scammed amount, whereas 40% was distributed by Shaggy to his Indian partners and the remaining 30% was kept by him.
The scam went on for more than one year, and in that period a staggering Rs 2000 Crore was illegally amassed by these scamsters. The US Department of Justice claimed that 18 Lakh targets received these bogus calls and 9,600 innocent citizens were actually conned into giving up Crores of Rupees to the scamsters. The entire scam was allegedly exposed by a disgruntled employee through his tip-off to the Thane Police. To date, over 70 criminals in India and 20 in the USA have been apprehended, but Shaggy, the leader of this huge and shocking scam, has escaped to an undisclosed location in the Gulf countries and remains untraceable.
This shocking incident demonstrates the ease with which a deadly cyber crime can be committed and the scale of the benefits that can be reaped by the perpetrators. If the citizens of a well-aware and advanced country can be so easily duped into parting with huge amounts just on a phone call, the portents for the citizens of other lands on the globe are ominous.
The only solution in such cases is awareness and smart use of technology and gadgets by citizens. No telephone call (either on landline or mobile) should be entertained in which the caller makes a financial offer (either a threat or a gain) or attempts to get cash card details on any pretext. The answer should be a polite no, and the phone connection should be cut. This attitude, and the practice of it, will definitely secure and insulate individual citizens from all kinds of Vishing attacks.