When Ivan Thomas and Stephen Daniel joined MphasiS BFL's call centre in Pune, the first thing they were taught was to strike a friendly conversation with Citibank's global customers, who were calling in with problems related to their bank accounts and credit cards. Little did the company realise that the two youths would use the same method to extract sensitive information from customers and defraud them.

HOW THE SCAM WORKED It was a well-planned operation but the scamsters failed to cover their tracks

1 THE PLAN Four employees of MphasiS' call centre in Pune hatch plan to steal from the accounts of Citibank customers in the US. As call-centre agents they have access to bank account numbers, credit card numbers and account status. 2 THE MODE To get PIN number and password they try: SOCIAL ENGINEERING: Friendly chats over phone to extract confidential information from customers. PHISHING: A fake webmail is generated which seemingly comes from the customer's bank asking for account details and password for verification. 3 THE GROUNDWORK The accused open 15 fake bank accounts in Pune where funds can be transferred online. They rope in a travel agent and two home-loan agents who use details of rejected applications to open fake accounts. 4 THE EXECUTION Money is electronically transferred into new accounts in Pune. First transaction transfers $76,000 (Rs 32.8 lakh) in December 2004. $350,000 more moved from four accounts between February and March. Accused also changed e-mail addresses for the accounts, so notifications about transfers went unnoticed. 5 NET LOSERS On April 6, the mastermind of the scam Ivan Thomas and his colleague Stephen Daniel are arrested when they try to withdraw money from one of the fake accounts. Fourteen others are also arrested.

Earlier this month, four Citibank customers in the US reported that $426,000 (Rs 1.90 crore) was missing from their bank accounts. An investigation by the bank traced the money to several bank accounts in Pune where it had been transferred electronically. The scamsters had even registered fake e-mail accounts in the names of the victims so that all notifications about the transfer of money went to the new e-mail addresses, unnoticed by the account holders.

After Citibank reported the fraud, a trap was laid at one of the banks where the money had been transferred. On April 6, when Thomas and Daniel came to withdraw money from the account, they were arrested by the police. In all 16 arrests have been made.

India's first outsourcing cyberfraud was a well-planned scam. The call-centre agents used to befriend their victims during routine calls and extract confidential details like passwords and pins. Says Jerry Jaitirth Rao, chairman of MphasiS: "They seem to have used a technique called social engineering to get confidential information through friendly conversations."

Social engineering has become a popular mode of soliciting information because people are getting more aware of the digital route called "phishing". In phishing, bogus e-mails are sent to an account holder asking him to fill in details about his bank account and passwords for verification. The e-mails seem to come from the bank and unsuspecting customers often reply, parting with confidential information.

Rao admits that this is not good news for the industry but he feels that there is an opportunity in this threat. "We have to improve the entire system of background checks on employees and educate the customer better so that vital information is not shared with call-centre agents casually," he says. However, he also feels this will not affect the outsourcing business in India because a fraud can occur in any country. A spokesperson for Citibank says, "This is a case of fraud, no more no less. It can happen anywhere."

"We have to improve background checks on employees and educate customers." JERRY RAO, CHAIRMAN, MPHASIS "This is not about BPO but about risks in the financial services business." RAMAN ROY, CEO, WIPRO SPECTRAMIND

Indeed, last fortnight the credit card database of a large retail chain in the US was hacked. The hackers stole details of 1.4 million credit cards. Authorities say that reports of theft of credit card and other customer information have shot up in recent months. The cumulative losses due to identity thefts run into billions of dollars in the US alone. So there is no reason to fear, as yet, of a decline in the business of outsourcing from India. But that does not mean that all is hunky dory in the call centre business.

Due to the rapid growth in the ITEs industry in India, recruitment standards are often compromised by some players. For instance, when Wipro Spectramind sacked some people for misrepresentation last year, all of them found new jobs in less than 24 hours. Wipro Spectramind CEO Raman Roy feels this may not be entirely due to a lackadaisical attitude of BPO units but due to "lack of information".

Many in the industry feel that call-centre companies should maintain an employee call registry to identify the bad apples. But the software industry body, NASSCOM, says that it must be done with the permission of employees and should not be a negative list. NASSCOM is now creating awareness on cyber security. "We should plug the legal loopholes," says Sunil Mehta, vice-president, security services, NASSCOM.

Of course, there is a lesson in this for customers too. Call-centre agents do not have access to information like passwords and pins or the social security number of customers. They are not allowed to download any information, take printouts, access the Internet or even carry a pen and paper inside the office. The fraud could not have been executed if the customers had not disclosed their passwords and pins.

Customers need to be on their guard when dealing with call-centre agents. Sharing of passwords and pins amounts to giving away a blank cheque with your signature on it. There is a verification code at the back of a credit card. That too should not be shared. Also, customers should monitor their accounts and statements routinely to spot any unauthorised transaction.

While all this may not stamp out frauds, it will certainly deter tricksters out to cheat you of your money.

Index