How Phone Scammers Got Your Social Security Numbers

“Had I not been careful enough, much of my hard-earned money would have been down the drain,” New Jersey resident Tanupriya Singh told VICE World News. In November, an unknown caller claiming to be from the Social Security Administration (SSA) called her and said that her social security number was being suspended owing to suspicious activity. 

“It’s been only a few years that I got my social security number. I panicked,” Singh said. When she contacted her friend working in the SSA for counsel, Singh was warned of an ongoing calling scam duping people across the U.S. 

Not everyone is as lucky. A 45-year-old woman in California lost $45,000 to one of the callers who operated from the bylanes of Peeragarhi area in India’s capital, New Delhi.

Earlier this month, the cybercrime unit of Delhi police busted two fake call centres. In the last three years, these call centres duped more than 8,000 U.S. citizens, robbing them of over $24 million. 

Thousands of calls are being made from shady call centres in India to foreigners—mostly in the U.S. and Europe—posing as government officials.

Sensitive personal details of foreign nationals including their social security numbers available for sale on the dark web are enabling such scams. The social security number is a nine-digit unique number assigned to U.S. citizens to track their income and determine benefits. It is also used as a personal identifier at medical centres, insurance firms, loan offices or other government offices.

“Dark web is one of the biggest sources of leaked data. There are certain websites which can be accessed only through U.S. IP addresses using a virtual private network (VPN) and data including mobile number, email addresses and SSN is extracted,” Anyesh Roy, deputy commissioner of police (cyber cell) in Delhi, told VICE World News. Roy added that most of the call centres just require basic data. For the rest, they rely on cheating techniques, which they often get trained for.

The dark web is a part of the internet that cannot be found by search engines and where stolen data, including social security numbers of Americans, are often traded. It is goldmine for phone scammers.

Cybercrime experts and investigators say that the business of hoax call centres is thriving on the nature of data they manage to procure: banking data, online shopping or telecom data.

While not everything being sold here can be trusted, scam callers take their chances and script their conversations based on the information they can get their hands on.

“If callers get email data, they send malware pop-up and cheat them on the pretext of tech support. In the latest scam, callers posed as government or law enforcement officials and scared citizens of being involved in money laundering,” Triveni Singh, superintendent of police, cyber crime in the northern Indian state of Uttar Pradesh, told VICE World News.

Singh, who has busted many such call centres operating from Delhi suburbs, believes that data leak is the biggest problem the world is facing. Phishing attacks and hoax calls are side effects of data becoming public.

Earlier in December, police in the northern Indian city of Gurugram busted a fake call centre posing as Amazon security support staff that cheated U.S. nationals. 

New Delhi-based cybersecurity expert and researcher Amit Dubey said many companies are buying and collecting data from different sources including leaks and publicly available databases.

“Based on mobile numbers or email addresses, the collected data is mapped. These companies are ready to sell data of any sector and region,” Dubey said.

Citing an example, Dubey said that while investigating a case, he found a Germany-based data selling firm which sent sample data to him of various locations in a bid to confirm that they can sell more of it. However, the seller told Dubey that data of some countries like China, Russia and North Korea is not available because of strict government restrictions and censorship of foreign apps and service providers.

“Extracted data is mapped and categorised based on the mobile platform, age, gender, income and location. Data of 100 Indian individuals would cost barely $5 while global data for 100 people would cost anything between $10-20,” Dubey explained.

So far, police have not found the role of any U.S. national in the data leak to fake call centres, but the initial probe shows some individuals assisted them in routing the money back to India.

Triveni suggested a global crackdown through coordinated efforts of law-enforcement agencies as a solution. “There is no end to the menace. You close one shady unit and another pops-up.”

Police has busted over two dozen fake call centres this year. Troubled with rising complaints, federal agencies in the U.S. and other nations have approached India’s premier investigative agency, Central Bureau of Investigation, but fake calls continue to ring on foreign shores.

Follow Shashank on Twitter.