NEW YORK (NYTIMES) - One afternoon in December 2019, Kathleen Langer, an elderly grandmother who lives by herself in Crossville, Tennessee, got a phone call from a person who said he worked in the refund department of her computer manufacturer.
The reason for the call, he explained, was to process a refund the company owed Ms Langer for antivirus and anti-hacking protection that had been sold to her and was now being discontinued.
Ms Langer, who has a warm and kind voice, couldn't remember purchasing the plan in question, but at her age, she didn't quite trust her memory. She had no reason to doubt the caller, who spoke with an Indian accent and said his name was Roger.
He asked her to turn on her computer and led her through the steps so that he could access it remotely. When she asked why this was necessary, he said he needed to remove the software from her machine.
After he gained access to her desktop, using the program TeamViewer, the caller asked Ms Langer to log into her bank to accept the refund, US$399 (S$528), which he was going to transfer into her account. She made a couple of unsuccessful attempts to log in; she couldn't remember her user name.
Frustrated, the caller opened her bank's Internet banking registration form on her computer screen, created a new username and password for her and asked her to fill out the required details - including her address, Social Security number and birth date. When she typed this last part in, the caller noticed she had turned 80 weeks earlier and wished her happy birthday. "Thank you!" she replied.
After submitting the form, he tried to log into her account but failed, because Ms Langer's bank activates a newly created user ID only after speaking to the customer who has requested it. The caller asked her if she could go to her bank to resolve the issue.
Because it was late afternoon, however, she wasn't sure if the bank would be open when she got there. The caller noted that the bank didn't close until 4.30pm, which meant she still had 45 minutes.
"He was very insistent," Ms Langer told me. On her computer screen, the caller typed out what he wanted her to say at the bank. "Don't tell them anything about the refund," he said.
Later, she rang the number the caller had given her and told him she had been unable to get to the bank in time. By now, she was beginning to have doubts about the caller. She told him she wouldn't answer the phone if he contacted her again.
"Do you care about your computer?" he asked. He then uploaded a program onto her computer called Lock My PC and locked its screen with a password she couldn't see. "If you want to use your computer as you were doing, you need to go ahead as I was telling you or else you will lose your computer and your money," he told her. When he finally hung up, she felt shaken.
The anti-scammer
Minutes later, her phone rang again. This caller introduced himself as Jim Browning. "The guy who is trying to convince you to sign into your online banking is after one thing alone, and that is he wants to steal your money," he said.
Ms Langer was mystified that this new caller, who had what seemed to be a strong Irish accent, knew about the conversations she had just had. "Are you sure you are not with this group?" she asked.
He replied that the same scammers had targeted him, too. But when they were trying to connect remotely to his computer, he had managed to secure access to theirs. For weeks, that remote connection had allowed him to eavesdrop on and record calls like those with Ms Langer.
"I'm going to give you the password to unlock your PC because they use the same password every time," he said. "If you type 4-5-2-1, you'll unlock it."
Ms Langer keyed in the digits.
"OK! It came back on!" she said, relieved.
For most people, calls like the one Ms Langer received are a source of annoyance or anxiety. According to the Federal Bureau of Investigation's Internet Crime Complaint Centre, the total losses reported to it by scam victims increased to US$3.5 billion in 2019 from US$1.4 billion in 2017. Last year, the app Truecaller commissioned the Harris Poll to survey 2,000 American adults and found that 22 per cent of the respondents said they had lost money to a phone scam in the past 12 months.
The person who rescued Ms Langer delights in getting these calls, however. "I'm fascinated by scams," he told me. A software engineer based in Britain, he runs a YouTube channel under the pseudonym Jim Browning, where he regularly posts videos about his fraud-fighting efforts. He began talking to me over Skype in the autumn of 2019 on the condition that I not reveal his identity, which he said was necessary to protect himself. I'll refer to him by his middle initial, L.
The goal of L's efforts is to raise the costs and risks for scammers, who hide behind the veil of anonymity afforded by the Internet and typically do not face punishment.
Tracking perpetrators has consumed much of L's free time over the past few years, he says, except for several weeks in March and April last year, when the coronavirus pandemic forced strict lockdowns around the world, causing call centres from which much of this activity emanates to temporarily suspend operations. Ten months later, scamming has "gone right back to the way it was before the pandemic," L told me earlier this month.
Like L, I was curious to learn more about phone scammers, having received dozens of their calls over the years. The individuals calling me have frequently had South Asian accents, leading me to suspect that they are calling from India. On several occasions, I've tested this theory by interrupting the voice on the other end with a torrent of Hindi curses. I haven't yet failed to elicit a retaliatory offensive in Hindi.
Confirming that these scammers are operating from India hasn't given me any joy. Instead, as an Indian expatriate living in the United States, I've felt a certain shame.
L started going after scammers when a relative of his lost money to a tech-support swindle, a common scheme with many variants.
Often, it starts when the target gets a call from someone offering help in ridding a computer's hard drive of malware. In other instances, victims are tricked by a pop-up warning that their computer is at risk and that they need to call a certain number. Once someone is on the phone, the scammers talk the caller into opening up a remote-access application on his or her computer, after which they get the victim to read back unique identifying information that allows them to establish control over the computer.
The 'virtual machine' trap
L flips the script. He starts by playing an unsuspecting target and allows the scammer to connect to his device. This doesn't have any of his actual data, however. It is a "virtual machine": a program that simulates a functioning desktop on his computer.
The scammer's connection to L's virtual machine is a two-way street that allows L to connect to the scammer's computer and infect it with his own software. Once he has done this, he can monitor the scammer's activities.
Sitting in his home office, L is able to listen in on calls between the scammer and targets and watch as the scammer takes control of a victim's computer. L acknowledged to me that his access to the scammer's computer is unlawful, but that doesn't worry him. "If it came down to someone wanting to prosecute me for accessing a scammer's computer illegally, I can demonstrate in every single case that the only reason I gained access is because the scammer was trying to steal money from me," he says.
On occasion, L succeeds in turning on the scammer's webcam and is able to record video of the scammer. From the IP address of the scammer's computer and other clues, L frequently manages to identify the neighbourhood - and, in some cases, the actual building - where the call centre is. When he encounters a scam in progress, L tries to both document and disrupt it - as he did in the case of Ms Langer.
The Kolkata connection
I flew to India at the end of 2019 hoping to visit some of the call centres that L had identified. Although he had detected scams originating from Delhi and other Indian cities, L was convinced that Kolkata had emerged as a capital of such frauds.
In my notebook were a couple of addresses that L identified as possible origins for some scam calls. I also had the identity of a person linked to one of these spots, a young man whose first name is Shahbaz. L identified him by matching images and several government-issued IDs found on his computer. The home address on his ID matched what L determined, from the IP address, to be the site of the call centre where he operated, which suggested that the call centre was located where he lived or close by.
One afternoon, I drove to Garden Reach, a predominantly Muslim and largely poor section in south-west Kolkata. I was looking for Shahbaz.
The apartment I sought was in a building at the end of an alley. It was locked, but a woman next door said that the building belonged to Shahbaz's family and that he lived in one of the apartments with his parents.
Then I saw an elderly couple seated on the steps in the front - his parents, it turned out. The father summoned Shahbaz's brother, who said Shahbaz had gone out.
They gave me Shahbaz's mobile number, but when I called, I got no answer. Eventually I pulled the brother aside. We sat down on a bench, and I told him that I was a journalist and wanted to meet his brother because I had learnt he was a scammer. I hoped he would pass on my message.
I got a call from Shahbaz a few hours later. He denied that he'd ever worked at a call centre. I persisted, but he kept brushing me off until I asked him to confirm that his birthday was a few days later in December. "Look, you are telling me my exact birth date - that makes me nervous," he said. He wanted to know what I knew about him. I said I would tell him if he met me. I volunteered to protect his identity if he answered my questions truthfully.
Two days later, we met for lunch at the Taj Bengal, one of Kolkata's five-star hotels. I'd chosen that as the venue out of concern for my safety. When he showed up in the hotel lobby, however, I felt a little silly. Physically, Shahbaz is hardly intimidating. He is short and skinny, with a face that would seem babyish but for his thin moustache and beard.
We sat down at a secluded table in the hotel's Chinese restaurant. I took out my phone and played a video that L had posted on YouTube. (Only those that L shared the link with knew of its existence.) The video was a recording of a call in which Shahbaz was trying to defraud a woman in Ottawa. On the call, he can be heard threatening her: "You don't want to lose all your money, right?"
I watched him shift uncomfortably in his chair. "Whose voice is that?" I asked. "It's yours, isn't it?"
He nodded in silence.
How it works
Shahbaz told me that some time around 2011 or 2012, a friend took him to a call centre, where he got his first job in scamming, though he didn't realise right away that that was what he was doing. At first, he said, the job seemed like legitimate telemarketing for tech-support services. By 2015, working in his third job, Shahbaz had learnt how to coax victims into filling out a Western Union transfer in order to process a refund for terminated tech-support services.
Shahbaz earned a modest salary in these first few jobs - he told me that that first call centre paid him less than US$100 a month. In 2016 or 2017, he began working with a group of scammers in Garden Reach, earning a share of the profits.
It was hard to ascertain how much this group was stealing from victims, but Shahbaz confessed that he was able to defraud one or two people every night, extracting anywhere from US$200 to US$300 per victim. He was paid about a quarter of the stolen amount.
The more we spoke, the more I recognised that Shahbaz was a small figure in the gigantic criminal ecosystem of the phone-scam industry, the equivalent of a pickpocket on a Kolkata bus.
He had never thought of running his own call centre, he told me, because that required knowing people who could provide names and numbers of targets to call, as well as others who could help move stolen money through illicit channels. "I don't have such contacts," he said. There were many in Kolkata, according to Shahbaz, who ran operations significantly bigger than the one he was a part of.
Shahbaz was a reluctant interviewee, giving me guarded answers that were less than candid or directly contradicted evidence that L had collected. He was vague about the highest amount he'd ever stolen from a victim, at one point saying US$800, then later admitting to US$1,500.
I found it hard to trust either figure, because on one of his November calls I heard him bullying someone to pay him US$5,000. He told me that my visit to his house had left him shaken, causing him to realise how wrong he was to be defrauding people. And so, he had quit scamming, he told me.
"What did you do last night?" I asked him.
"I went to sleep," he said.
Business as usual
I knew he was not telling the truth about his claim to have stopped scamming, however. Two days earlier, hours after our first phone conversation, Shahbaz had been at it again.
It was on that night, in fact, that he tried to swindle Ms Langer in Crossville, Tennessee. Before I came to see him for lunch, I had already heard a recording of that call, which L shared with me.
When I mentioned that to him, he looked at me pleadingly, in visible agony, as if I'd poked at a wound. It was clear to me that he was only going to admit to wrongdoing that I already had evidence of.
L told me that the access he had to Shahbaz's computer went cold after I met him on Dec 14, 2019. But it buzzed back to life about 10 weeks later.
The IP address was the same as before, which suggested that it was operating in the same location I visited. L set up a live stream on YouTube so I could see what L was observing. The microphone was on, and L and I could clearly hear people making scam calls in the background.
The computer itself didn't seem to be engaged in anything nefarious while we were eavesdropping on it, but L could see that Shahbaz's phone was connected to it. It appeared that Shahbaz had turned the computer on to download music. I couldn't say for certain, but it seemed that he was taking a moment to chill in the middle of another long night at work.
Yudhijit Bhattacharjee is a contributing writer at National Geographic and the author of The Dinner Set Gang, from Audible.
Adapted from an article that originally appeared in The New York Times Magazine.
