Lessons from Inside the Fraud Factory
Apr 13, 2021 • AARP
We Witnessed International Phone Scammers In Action. What We Saw Will Both Terrify You And Help Keep You And Your Money Safe and Secure
London May 2014
A LIGHT RAIN FELL AND a cold gray mist hung over the street as Jim Browning arrived home from work. A middle-aged Irishman with a strong brogue, Jim is a software engineer at a midsize consulting firm, and on this workday, like most, there were few surprises. He shared a pleasant dinner with his wife, and when the dishes were cleared, he retreated to his office, shut the door, opened his computer and went undercover.
Jim Browning is not his real name. The alias is necessary to protect him and his family from criminals and law enforcement, as what he does in the privacy of his office may be morally upright but technically illegal. It’s a classic gray area in the netherworld of computer hacking, as we will explain. What is important to know is that back in 2014, it was the same annoying robocalls that you and I get most days that set Jim on his journey to become a vigilante.
A relative of Jim’s had told him about warnings popping up on his computer, and Jim, too, was besieged with recorded calls saying his computer was on the verge of meltdown, and that to prevent it he should call immediately. As a software expert, Jim knew there was nothing wrong with his system, but the automated calls from “certified technicians” didn’t stop. One night that spring, his curiosity got the better of him. “It was part nosiness and part intellectual curiosity,” Jim said. “I’m a problem solver and I wanted to get to the bottom of what these people wanted.” So he returned one of the calls.
The person who answered asked if he could access Jim’s computer to diagnose the problem. Jim granted access, but he was ready; he had created a “virtual computer” within his computer, a walled-off digital domain that kept Jim’s personal information and key operations safe and secure. As he played along with the caller, Jim recorded the conversation and activity on his Trojan horse setup to find out what he was up to. It took mere moments to confirm his hunch: It was a scam.
Intrigued by the experience, Jim started spending his evenings getting telephone scammers online, playing the dupe, recording the interactions and then posting videos of the encounters on YouTube. It became, if not a second career, an avocation—afterdinner entertainment exposing “tech support” scammers who try to scare us into paying for unnecessary repairs.
“Listening to them at first, honestly, made me sick, because I realized right away all they wanted to do was steal money,” Jim would later tell me. “It doesn’t matter if you are 95 or 15, they will say whatever they need to say to get as much money out of you as possible.”
Jim saw, for example, how the callers used psychology to put targets at ease. “They say reassuring phrases like ‘Take your time, sir,’ or ‘Do you want to get a glass of water?’ And they will also try to endear themselves to older people, saying things like ‘You sound like my grandmother,’ or ‘You don’t sound your age—you sound 20 years younger.’ ”
Jim’s YouTube videos garnered mild interest—a couple thousand views at best. For Jim, this didn’t matter. The engineer in him enjoyed solving the maze. At the least, he was wasting the scammers’ time. At best, his videos maybe helped prevent some cases of fraud.
Then one day in 2018, Jim’s evening forays took an unexpected turn. A tech support scammer called from India and went through the normal spiel, but then he asked Jim to do something unusual: to log in to the scammer’s computer using a remote-access software program called TeamViewer. Later on, Jim found out why: The developers of TeamViewer had discovered that criminals in India were abusing their software, so they temporarily banned its use from computers initiating connections from India. But there was a loophole: It didn’t stop scammers from asking U.S. and U.K. consumers like Jim to initiate access into computers in India.
Hence, the scammer’s request. The voice on the phone talked Jim through the connection process, then told him to initiate a “switch sides” function so the caller could “be in charge” and look through Jim’s computer.
Presented with this opportunity, Jim acted quickly. Instead of “switching sides,” he took control of the criminal’s computer and locked the scammer out of his own computer. Lo and behold, mild-mannered programmer Jim Browning had complete access to all of the scammer’s files and software. And he was able to see everything the scammer was frantically trying to do to regain control.
This bit of digital jujitsu changed everything. Over the next few months, Jim figured out ways to infiltrate the computers of almost every scammer who tried to victimize him. “My process worked on almost every remote access program out there, certainly the ones most popular with scammers, like TeamViewer, AnyDesk or FastSupport.” He also figured out how to secretly install software that recorded what the scammers were doing—without them even knowing it.
Suddenly, Jim was sitting on some powerful knowledge. But as Spider-Man was told, with great power comes great responsibility. Jim wondered, What should I do with what I’ve learned?
Laughing at Us
New Delhi May 2019
BY NOW JIM HAD REVERSE engineered his way into dozens of scammers’ computers, sometimes four or five at a time. He would set his software to record, then leave for work as his computers did their thing. When he came home at night, he reviewed the footage. Often, he couldn’t believe what he saw: call after call of boiler room scammers—mostly in India—contacting older people—mostly in the U.S. and U.K.—and scaring them into spending money to fix a fake computer problem, or sending money based on other deceptions.
Jim posted these new videos, which gave an authentic, bird’s-eye view of how scammers operate. As a result, his YouTube channel jumped to tens of thousands of subscribers.
One night in May 2019, Jim found his way into the computer network of a large New Delhi boiler room. While lurking in their network, he noticed the company had installed closed-circuit television (CCTV) cameras so the bosses could monitor their employees. So Jim hacked his way into that network and was able to turn the cameras this way and that, capturing the facial expressions and attitudes of dozens of scammers in action.
In one remarkable scene, he called one of the scammers in the boiler room and focused a CCTV camera on him as they talked. Zooming in, Jim could see that while the scammer was supposedly diagnosing his computer, he was actually playing Pac-Man. Jim got annoyed by this criminal’s nonchalance; call it hacker’s pride. So he decided to grill him.
“Where are you calling from?” Jim asked.
“San Jose,” replied the scammer from his desk in New Delhi.
“What is your favorite restaurant in San Jose?” Jim asked. The scammer paused and replied, “Why do you want to know that?” Jim then asked him, “Can you even name one restaurant in San Jose, California, without looking it up on Google?” The man became flustered and eventually hung up.
Jim continued to monitor the room in the following weeks, recording one tragic story after another of vulnerable people being exploited. One woman said, “I’m a nervous wreck. I have MS and I can’t understand a lot, but I’m listening.…” The scammer said, “That is the reason you are telling me you won’t live past next year, right?” She said, “Probably not. I’m a diabetic and I’m legally blind.…”
“Relax. You are in safe hands,” he said.
Another older man started crying when told it would cost about $1,500 to repair his machine. “Oh, bloody hell. I’m going to have a heart attack. I feel sick.” When the scammer asked why he was crying, he said he suffered from depression. As the man wept, Jim captured images of the salesmen in the room who were listening to the call, and laughing and pointing fingers mockingly at the victim.
This is when Jim reached a new stage in his journey: outright fury. He wanted to do more than make a few salesmen squirm. He wanted to stop as many operations as possible so they couldn’t continue to abuse people.—DOUG SHADEL, AARP fraud expert
But Jim was careful; he had his and his family’s welfare to worry about. “I could have physically destroyed their computers by placing a virus in them, but I intentionally didn’t do that because there was really nothing on their computers worth destroying,” he said. “And secondly, if I physically destroyed property, I would be overstepping the mark.” Translation: He, too, would be a criminal.
So what could he do? Jim had already started to intervene personally when he thought he could prevent a fraud from occurring, by calling the victim, the financial institution or anyone else he thought could halt the scam. So he tried a new tactic: using “call flooding” software to tie up the boiler room’s phone lines with thousands of junk calls. Viewing the scene through his computer, he saw all the salesmen removing their headsets and complaining that the calls were nothing but annoying white noise. To his joy, he successfully shut the place down for several hours.
But then, reality set in: What Jim had done was just a trivial, temporary annoyance for just one operation. The next morning, the boiler room was back to business as usual.
Determined to make a difference, Jim moved to plan C: He contacted the media. He sent his best footage to the BBC, Britain’s largest news operation. And it bit, producing a half-hour program featuring the evidence he had gathered and naming “Jim Browning” as the source. It aired in the U.K. in March 2020, just as the coronavirus pandemic hit. The piece received widespread international exposure. Around the same time, Jim sent videos to local authorities in India; they arrested the scammers and shut down the boiler room.
After years of obscurity, Jim had become a YouTube star. As of this writing, Jim’s video of this particularly cruel boiler room has been viewed more than 14 million times, and his YouTube page has grown to over 2.8 million subscribers. Success!
And he had succeeded at walking the fine line. “Doing just enough to make life miserable and identifying who they are is probably the best thing that I can achieve,” Jim said.
But again, Jim asked himself, What now?
Spreading the Word
Seattle June 2020
THIS IS WHERE I enterthe story. I stumbled onto Jim’s YouTube page early in 2020, and after watching many of the videos, emailed him to see if I could learn more about his work. To my joy, he responded immediately, saying he would be happy to work with AARP on educating its members about tech-support scams. He said that while his videos do reach millions of people, most of his subscribers are male and younger than 40, meaning many are likely tech geeks, law enforcement or even scammers. He has found it difficult to reach older people who are the prime scam targets.
And so, in the middle of a pandemic, I entered into one of the most intriguing correspondences of my life. At first, I needed to verify his story. You already know that Jim Browning is not his real name; but for AARP to tell his story, we had to confirm his real identity and situation. Ultimately, he agreed, and I can assure you that the “Jim Browning” of this story is real and accurately described.
Once that was done, Jim and I spent countless hours over the summer looking over new footage he had recorded earlier in the day to watch phone marauders try to steal money. We communicated only on Skype, with our personal cameras turned off, again to protect Jim’s identity and his family’s privacy.
On four separate occasions, I witnessed a tech-support crime occurring in real time. The first time this happened, Jim was showing me what I thought was a recording from earlier in the day. I asked him when it happened, and to my surprise he said, “It’s happening right now.”
“Well, what do we do?” I asked, my blood pressure surging. “We can’t just let this transaction go through. They are about to send the scammer $10,000!”
Jim, an old pro at these situations by now, was already at work to find the victim’s phone number. Often, he could get it directly from the scammer’s computer; as we became more familiar, he sometimes would ask if I could access the person’s contact information through a U.S. public data aggregator service to which I subscribe.
In those cases, I would give Jim the victims’ phone numbers as fast as I could find them, and he would call to warn them. After initial skepticism, they typically became convinced that it was a scam, and decided not to send cash. Which is what many scammers actually asked for.
The picture below is of a woman holding a box with $10,000 in cash. The scammers turned her computer camera on and asked her to show them the package to prove she was really going to send it to them. In this case, Jim was able to contact FedEx, which intercepted the package and stopped delivery.
But for every successful intervention, there were many more times when we were too late. “I can’t tell you how many times I have infiltrated a scammer’s computer and looked at his previous transactions, and it will say things like, ‘Confirmation of wire transfer,’ ” Jim told me. “You just know those people have been scammed, and there is nothing you can do about it. That is the worst feeling.”
I get it. I witnessed crimes with Jim that couldn’t be undone; I can’t overstate how frustrating it was, or how angry I became.
Here are some cases I observed with Jim. I’d urge to you read on, as knowing the details is the best protection from becoming a victim. It might spark a little rage in you, too.
One important note: Don’t try to do what Jim does! Hacking undetected into criminal computers takes advanced skills, gear and cunning; it is also illegal and very dangerous.
The False Diagnosis
Riverton, Utah July 2020
DAVID, A 63-YEAR-OLD DISABLED VETERAN from Utah, was surfing the web one night when his screen filled with a scary pop-up sent by Sarjun, a scammer working solo out of Dehradun, a city about 150 miles northwest of New Delhi. David, alarmed, called the number on the pop-up to find out what was going on.
Sarjun claimed to be a certified computer technician and instructed David how to open up the event log on his computer. As we watched, Jim explained that the event log is a diagnostic tool that professionals use to track computer activity. An event log often includes many ominous-looking red and yellow warning messages. To a coder, they mostly indicate normal functions and trivial glitches. But since most of us don’t know that, the log can create a real sense of fear.
“Can you see all of these bugs that have gotten into your computer?” Sarjun asks David—1,327 of them, he explains. “They are responsible for compromising your computer security. You can see here—error, warning, error—and these bugs—they are not harmful for your computer only. They are harmful for your other devices also, like your cellphone, your iPad, that you have at your location.”
Sarjun then showed David two other diagnostic screens that all computers use, misrepresenting the information to ramp up the fear. For example, Sarjun twisted one innocuous piece of data to say that 19 individuals were currently connected to David’s computer.
“Wow. I don’t know what they are after, but I don’t keep numbers in my phone like banking or any of that stuff. But my wife might,” David tells Sarjun.
At this point, Sarjun senses he can go in for the kill. He tells David it will cost $300 to fix the problem, and David gladly complies to avoid any more problems.
Sarjun uses the exact same scare tactics with every victim, and they have been very effective. Jim found a spreadsheet on Sarjun’s computer that showed he had scammed close to 1,000 victims and taken in more than $250,000 in the first six months of 2020 alone. Pretty good dough for a solo scammer sitting on a couch in India.
The average age of Sarjun’s victims? Sixty-eight years old. To help fight back, Jim sent a warning to every victim on Sarjun’s client list for whom he had an email address—about 850 of them. It described what he had seen and suggested they contact their bank to report the transaction as a fraud.
Several people wrote back, thanking him for the warning. Jim also has reported Sarjun and his operation to the Indian authorities. It took a while, but the Dehradun police recently asked Jim to help them “to do something about Sarjun.”
Of course, not everyone fell for Sarjun’s scam. Jim played me a recording he made of another scam baiter interacting with Sarjun. At some point, the scam baiter confronted him: “You are a scammer, aren’t you?” the man asked Sarjun angrily.
Sarjun replied, “Yes, I am and I am proud of it. Don’t ever call this number again.”
The Bogus Refund
Waterloo, Michigan September 2020
HELLO, THIS IS KATHY JACKSON. I am calling you from the Microsoft Refund Department. Please do not hang up. You paid for your computer technical support a few months ago, and we are calling to refund your $400 as the company has been ordered to close down. Please call us on our toll-free number, 855-789-0307. Repeating again: 855-789-0307. Thank you.”
Jim and I watched live as a woman named Betty, 78, called the phone number after getting such a call. The man on the phone told her she was eligible for the $400 refund, but he would have to remote access into her computer to confirm it. He started by walking her through the steps for how to give him access using—you guessed it—TeamViewer.
After gaining access to her computer, the scammer told Betty that to get her refund, she needed to log in to her bank account so he could deposit the money directly. What she didn’t realize was that the scammer could see everything she was doing. And so could we. We watched as she entered her bank account username and password. Within seconds, we could see the scammer himself logging in to her bank account.
“What he will do next is look at how much the victim has in her savings account,” Jim told me, having observed many of these transactions. “You see there—she has $180,035.74 in savings. The scammer will love that.”
Once he saw her sizable stash, the scammer pushed the “Blank Guest Monitor” button on the software to blacken Betty’s screen so she couldn’t see what he would do next: transfer $40,000 from her savings account into her checking account. The scammer then went into the HTML code on her computer (which determines what Betty would see on her screen) and changed the savings balance back to $180,035.74. He did this so when she looked, it would appear that nothing had been transferred but that her checking account had gone from $4,657 to $44,657.
Why do this? To set up the story he was about to feed her: that he had made a horrid mistake and transferred $40,000 of his firm’s money into her account instead of $400.
If Betty had known to refresh her screen, or log out and log back in, she would have been able to see that the scammer had simply transferred her own money from one account to another. Absent those actions, the story seemed believable. So it wasn’t hard for the bad guy to convince her that she needed to send the difference between $40,000 and $400—$39,600—to a bank in China to pay him back or else he will lose his job.
Because we were literally inside the scammer’s computer, we could see him logging in to his Bank of China Hong Kong branch account to get the right account numbers to give the victim.
As he continues on with Betty, he tells her she would need to physically go to her bank and wire the money (that way, it would be untraceable). She should not, under any circumstances, mention what she is doing to anyone. Jim says scammers typically will coach the victim on what to tell the bank: “Say you are sending money to a sick relative.”
It seemed pretty obvious to both Jim and me that unless someone intervened, Betty would comply with this request. While I listened, Jim called her bank to warn someone that Betty might be coming in soon to transfer funds and that it was a scam. Then Jim tried calling Betty, pretending to be a representative from her bank (any other explanation would have been too hard to explain), but she hung up on him—a good sign because it meant she was growing suspicious.
A few days later, I called Betty, a longtime AARP member, to make sure she never sent the funds. She confirmed that she had been contacted about a software refund, but told me that she figured out it was a fraud and never sent them any money.
“Don’t worry, honey, I’m fine. But thanks for checking on me,” she said.
The Official Response
Washington, D.C. October 2020
IMPOSTOR SCAMS LIKE THESE—in which a crook fakes the identity of some kind of authority to coerce money out of you—were the number one form of consumer fraud in 2020, the Federal Trade Commission reports. And it’s not just Jim’s observation that victims often are older. Consumers over 60 were about five times more likely to report losing money to a tech-support scam in 2020 than those ages 20 to 59, the FTC says.
In response, law enforcement agencies have invested heavily to take down tech-support scammers, resulting in more than 900 arrests in the U.S. in the past three years. Industry giants like Microsoft have also ramped up the fight by more widely sharing information they see about these types of abuses. After all, their brand reputation is at stake.
Just in October, the Central Bureau of Investigation (India’s equivalent to the FBI) and the U.S. Justice Department brought charges against a group of tech-support scammers who allegedly defrauded thousands of seniors for almost a decade. Jim had penetrated these operations years earlier and sent details of them to the CBI. He even confronted one of the main defendants, Michael Brian Cotter, online; Cotter denied any wrongdoing, saying Jim’s evidence was just the result of a couple of rogue employees and was not what his company was all about.
The Justice Department and the India law enforcement agency disagreed; Cotter, a California resident, and numerous others have been indicted in the United States.
Did Jim’s tip play a role? It’s impossible to know. I spoke with a senior manager at the FTC and a former state assistant attorney general about how law enforcement thinks about people like Jim. They both said that even if what vigilantes like Jim do is illegal, law enforcement will turn a blind eye as long as they don’t “cross the line” and use the information they gather for nefarious purposes. One person likened them to industry whistleblowers who report wrongdoing that in some cases leads to indictments—and, in some cases, cash payments to the whistleblower.
Jim doesn’t expect reward money anytime soon. “I know that law enforcement probably wouldn’t approve of what I do,” he told me. “But almost every time I pass on information”—Jim notes he’s done so at least 100 times—“they tell me they are grateful and say, ‘Keep doing what you are doing.’ ”
Perhaps that’s because the onslaught of tech-support fraud shows no sign of letting up. Robocall technology has made it shockingly cheap and easy for fraudsters to call millions of homes, thereby increasing their chances of reeling in unsuspecting victims.
Likewise, the global pandemic has caused us to spend more time online, exposing us to dubious websites where malicious pop-ups are more common. And high youth unemployment in developing countries, combined with easy access to technology, has swelled the number of individuals willing to engage in fraud for a living.
You’re probably wondering: Do law enforcement agencies sneak into scammers’ computers and observe crimes as Jim does? The answer is: only under the narrowest of circumstances. Electronic wiretapping rules are extensive and highly restrictive. One U.S. official told me, “It’s a big deal” to get a judge to sign off on electronic surveillance that would allow the government to do what Jim is doing; prosecutors would need overwhelming documentation ahead of time that a crime is occurring before a judge would grant such approval.
But Jim doesn’t work for the U.S. or any other government, which means there is no one to stop him as he continues his solitary quest to search and call out the bad guys…