Kolkata is India’s newest, biggest scam zone. Police, YouTubers, mice can’t shut it down
FeaturesThe FinePrint

Kolkata is India’s newest, biggest scam zone. Police, YouTubers, mice can’t shut it down

With over Rs 3,000 crore coming in each day, Kolkata is no Jamtara. The scam is international, the scamsters IT experts, the victims American.

   
Illustration by Prajna Ghosh | ThePrint

Illustration by Prajna Ghosh | ThePrint

Lalbazar’s top cyber cop has a tough job these days. He has to make sure Kolkata doesn’t become the next Jamtara. But Praween Prakash, the former engineer who codes in his spare time, was beaten to the job by YouTube scam-baiters. They showed the crackdowns live, garnering hundreds of millions of views.

It’s no surprise that Kolkata has a scam-sized call centre problem.

The earlier large-scale phishing scam from Jharkhand is etched in popular memory because of Jamtara. There’s even a Netflix show on it. But Kolkata is nothing like Jamtara. It’s bigger, bolder, and crosses borders, from Miami to Melbourne. It’s a ‘cottage industry’ that makes over Rs 3,000 crore a day, according to lawyers, involves international bank accounts in countries such as Spain, and is pulled off by educated city graduates and IT experts.

“If you live in an English-speaking country, it’s highly likely that you’ve interacted with a scam caller from India,” said Jim Browning, a YouTuber with nearly four million followers. His bio? ‘I hate scammers.’

It’s so sophisticated that the scam game has multiple moving parts: People who steal and sell data, those who act as temporary account vendors, another team that provides the technical infrastructure required to cheat people abroad, and a Telegram group actively warning scammers of potential targets and risks.

The modus operandi itself, however, is relatively simple: First, pretend you’re selling a product from Microsoft or Amazon or Norton malware software. Next, either convince the mark or victim to click on a link or confuse them with an unwanted error, a.k.a. the ‘blue screen of death’. Third, access their computer and control their screen through remote support software like TeamViewer or AnyDesk. You’re in.

Kolkata is tech years ahead of Jamtara. Even a sign at the traffic junction outside the city’s iconic Victoria Memorial cautions passersby: ‘Don’t share OTP/CVV/PIN with anyone.’

And this is exactly why investigating officers like Prakash are banging their heads. With no clear money trail, victims all over the world, and flimsy data privacy laws in India, the police are at a disadvantage. But YouTubers are not thwarted by such roadblocks.

YouTubers like Jim Robinson, ScamBaiter, Mark Rober, and Trilogy Media are spearheading the charge against phishing through ‘scambaiting’, a form of internet vigilantism aimed at exposing scammers.

A pioneer of the scambaiting genre, Browning has spent years engaging with scammers and exposing their ownership structure, even pinpointing their exact locations. Over 95 per cent of global scam calls originate from India — specifically from in and around Kolkata and New Delhi, according to his database of IP addresses. “Put all of this together, and unfortunately India becomes the telephonic scam capital of the world,” he says.


Also read: Fake customer care numbers, OTP access — how a gang in Jamtara cheated over 1,000 people


Kolkata’s ‘unholy’ call centre problem

Exactly four days after Praveen Prakash took over as Kolkata city’s new Deputy Commissioner of Police for cybercrime, a video was uploaded on YouTube in which glitter bombs, mice, and cockroaches were released by scambaiters’ team across three call centres in Sector V of Kolkata’s Salt Lake. The area is the city’s IT hub.

The video was a collaborative effort involving a group of YouTube watchdogs, Mark Rober, Jim Browning and Trilogy Media. With over 40 million views, it immediately caught the attention of everyone from the police to workers in and around the call centres. Security guards at one of Kolkata’s tech parks, Ecospace Business Park, told ThePrint that everything in the video—the location, the building, the layout of the office—looked accurate, though they hadn’t known how big of a racket it was. They had, however, heard complaints about cockroaches and mice scurrying around the office.

The call centre in the Ecospace campus, Met Technologies, was raided and shut down by Kolkata’s Bidhannagar police after the YouTubers’ tipoff this May. The police complaint describes the call centre as an “unholy business” that cheats “innocent people of India and abroad.” Fifteen people were arrested.

But hundreds of other call centres operate covertly from Sector V, hiding in plain sight within tech parks like Ecospace and multi-storey office buildings. Sometimes, they even operate from within legitimate call centres, using them as a front.

After the video came out, Prakash reached out to the YouTubers to ask them for evidence. The group got on a Zoom call almost immediately, which Prakash took in his car during a 90-minute drive. The chat was inconclusive for both parties: While they all seemed to be on the same page, they weren’t sure how to proceed.

They haven’t gotten on another call since.

In the first six months of 2022, Kolkata Police raided 15 call centres and arrested over 80 people. While the call centres exposed in the video are located in Salt Lake and therefore under the purview of the Bidhannagar Police Station, Prakash’s jurisdiction covers the more residential parts of the city to the south of Salt Lake where ‘organised’ call centres are more conspicuous. His cyber unit largely receives tip-offs on suspicious activity, which they then follow up with a reconnaissance.

But it’s getting increasingly difficult as scammers become more creative. They now work in smaller groups, and use cloud servers to store their data. It makes it easier to pack up, move, change your identity and continue scamming. Prakash said that most people who do get caught are repeat offenders.

Illustration by Prajna Ghosh | ThePrint

Also read: How gang in 3 Indian states ‘solved’ GMAT, JEE & armed forces exams for cash, with Russian help


Hook, line, and sinker

Jharkhand’s Jamtara, known as the phishing capital of India, is responsible for domestic cons. The allegation against the call centres of Kolkata is of running international scams worth millions of dollars. The difference between the two hinges on the English accent.

The typical scam call centre employee in Kolkata is educated, speaks English clearly, and may not have entered the field willingly. It’s easy, quick money for graduates, say Messi (name changed), one of the former scammers who helped orchestrate the YouTube prank as part of Trilogy Media’s team.

A graduate with a bachelor’s in business administration, 24-year-old Messi was hired in 2020 for what he thought was a sales job at a call centre selling Amazon subscriptions. It took him two weeks to realise he was cheating people, and three months to leave.

“I was talking to a 65-year-old lady from Ohio who was physically challenged,” he told ThePrint. “I was midway through scamming her but then I secretly told her what I was doing, and cut the call,” he said. His boss found out and assaulted him, after which Messi quit.

Most young employees fresh out of college don’t foresee a life of crime as their future. But the lure of easy money and the sanitised nature of the crime itself—they sit in air-conditioned offices behind desks with computers—whitewash the theft.

“Many don’t really see it as an ethical problem,” said Pritam Roy (name changed), 26, who used to make scam calls. “The assumption is that all white people they are scamming are rich, and that their government is taking care of them,” said Roy.

“But karma is a bitch.” Someone he knew got caught by the police in Kolkata. Shocked by his deception, his family cast him out and his mother allegedly killed herself.

Roy started making these calls when he was 16 — earning around Rs 1 lakh a month. He told his parents that the money was from a data entry job. Though he no longer makes such calls, he is still tangentially involved – he now provides scammers with contacts for international account vendors in case they need it.

But the ones making the calls aren’t the ones taking the cut. There’s an upper level of management in professional call centres today that siphons off the stolen money. Once the scam is closed, the victim’s money is transferred through a series of bank accounts before it makes its way back to India. Then, after taking their cut of the foreign currency, the bosses pay their employees in Indian rupees. Those who work more independently — and not out of an organised scam call centre — either withdraw the money in cash, or buy cryptocurrency.

Tricking the victims — whom the call centres refer to as “customers” — into falling for the scam happens in several different ways: Getting them to click on a link is the most common. Other options include email blasting and the ‘Blue Screen of Death,’ something that can easily cause panic in those who are technically challenged.

And most of the victims are technically challenged: 90 per cent of them are at least 65 or above. Scammers also make sure to call during American working weekdays, so they know that the people who pick up at home are most likely retired. The large call centres make around $60,000 a day — $18 million a year.


Also read: Gold smuggling to cyber-aided financial crimes: How 1991 reforms changed crime in India


The YouTube Watchdogs

While police investigators hampered by jurisdictional limitations and red tape ran around in circles, YouTube watchdogs decided to take action. Every Sunday morning for almost a year, Rober, Browning and the team from Trilogy Media met to plan their sting operation.

Browning with his tech expertise focused on accessing the call centres’ CCTV cameras, Rober planned the logistics behind the prank, and the Trilogy team — including Messi and another former scammer — were the boots on the ground in Kolkata.

Of the four call centres the scambaiters brought to light, one was raided and shut down, and two have ceased operations. Details about the fourth call centre were deliberately withheld by the YouTubers.

Rober told ThePrint that it was because the scambaiters wanted to keep the entire ecosystem on their toes — the fourth call centre could be any of Kolkata’s hundreds. The idea was to get each scam centre to panic and think it was them.

“For a lot of people in the US, their only interaction with Indians is through a scam call, which is really sad,” said Rober, adding that while he has no legal authority, he can use his platform to expose crimes and make people aware.

Particularly popular on YouTube, the genre racks up millions of views with videos typically involving the scambaiter pranking or exasperating the scammer. Over the years, scambaiters have amassed a wealth of information on scam callers — from their IP addresses to their modus operandi.

ScamBaiter, who wrote to ThePrint via email, said that they “get to show people the inner workings of these scams to educate them.” Plus, “taking revenge on the scammers is especially satisfying for people that have fallen victim to a scam before.” One of his viewers lost over $3 million to a fake crypto exchange. ScamBaiter recounted another incident in which a scammer tried to sexually exploit an elderly lady when he realised she didn’t have much money to scam — he tried to force her to strip down on camera to “stop her Amazon order.”

But scambaiting only goes so far. It’s up to law enforcement to pick up where they left off — and the baiters don’t always trust them.

“The police aren’t helpful,” said Messi, who tried to report his experience to the police. “I think they’re corrupt. They don’t always take action. And the call centre bosses aren’t scared because they have money…you can do anything with money.”

Browning, Rober and Trilogy Media all highlighted their apprehension that scam calling is tolerated and often overlooked in India.

“This is a perfect storm of a crime that they can get away with even if the police can have all the evidence on a platter,” said Ashton Bingham from Trilogy Media.

Illustration by Prajna Ghosh | ThePrint

Also read: Yet another spam call? Here’s how they probably got your number & why you should worry


Stopping the scams 

The problem with arrested scam callers is proving that they successfully conned someone abroad. The easiest way to seal a case against someone is if they are a repeat offender.

A 22-year-old repeat offender was arrested in Punjab last week for making scam calls in the US. ScamBaiter was involved in exposing the operation. But all exposes don’t necessarily end in an arrest, let alone a conviction.

“The main difficulty for law enforcement is that they can’t establish a money trail. People use account vendors in countries like Spain and Portugal to divert attention from India and Pakistan, where most scam calls originate from,” said criminal lawyer Vivek Sharma. Plus, with international victims, it’s difficult for investigating agencies to take witness statements and establish that a crime happened.

Additionally, by the time the money makes it back to India — after account vendors take their cut for storing stolen cash — there’s no trail.

Sharma told ThePrint that he’s currently representing at least a thousand people accused of making scam calls, and has bailed out half of them. He’s more sympathetic, unlike DCP Praween Prakash or the YouTube vigilantes. “They’re just victims of their circumstances.” Most of his clients are in their 20s and early 30s. He estimates the gender ratio to be one woman to every nine men.

“More than issues with legality, our institutions are stuck with technicalities,” said Sharma, pointing out that Indian authorities are not always tech-savvy, and that the government doesn’t have the jurisdiction to focus on international crimes. This means that a lot of cases fall by the wayside. The Ministry of Home Affairs has only recently started visiting “phishing havens” like Jamtara to build a roadmap to understand cybercrime and related issues.

A rare example in which international authorities got involved was in 2017: Kolkata police arrested five people after the German police notified them of a phishing scam. A German prosecutor flew to India to argue the case and the accused were sentenced to nine months in prison. It’s the longest sentence for scam callers yet, according to Sharma.


Also read: India is the sixth most data-breached country in world, says study by cybersecurity firm


Playing with greed and fear

Back at DCP Prakash’s office at the detective department in Lalbazar, the officer is wading through an investigation file when a bureaucrat enters the room with his UPSC-aspirant son.

The IAS officer tells Prakash that he was scammed of Rs 32,000 that morning and he needs help.

“How did it happen?” Prakash asks.

“I was on my way to work when I got a message saying my electricity would be cut….”

“Oh, the CESC scam,” Prakash already knows because the Kolkata electricity board is now a common entry point for domestic scams. “We’ll see what we can do.”

The bureaucrat recounted how he got a text at 8:20 a.m. that his electricity would be cut by 9 in the morning. In panic, he followed the instructions to download a ‘quick support’ app that would help him clear his bill. He entered his card details. Moments later, he received a text saying Rs 32,000 had been debited from his account.

He told Prakash that he’d been warning his son to be wary of phishing links just the previous night. Ironically, he was phished the very next morning. “I got worried about the electricity being cut and it just didn’t occur to me that it was a scam.”

And that is how it begins. The phone rings and your world goes into a tailspin.

(Edited by Neera Majumdar)