21,000 TalkTalk customers had their data stolen. A gang of professional fraudsters created an industrial-scale fraud network to con them.
This is the inside story of how the scam worked.
The hacking of TalkTalk in October 2015 propelled the company into the headlines. But in reality, it wasn’t the cyber attack that hurt the company’s customers.
For more than a year before the hack, TalkTalk had been facing a far bigger problem: a professional scam factory in India was siphoning its customers’ data, and combining century-old con tricks with cutting-edge technology to steal hundreds of thousands of pounds.
TalkTalk’s problems began four years before the cyber attack, ironically as a result of its efforts to fix a poor record for customer service.
In a bid to give customers better help, the company outsourced some call centre operations in August 2011 to Wipro, a massive Indian outsourcing firm that employs more than 170,000 people across the world.
One of those dissatisfied with TalkTalk’s service was Tamsin Collison, 49, who had been a customer for six years. Her story is a terrifying insight into the brutal efficiency of cyberfraud, and is typical of those who were caught out in the TalkTalk scam.
Tamsin had grown tired of the repeated, fruitless calls to TalkTalk’s technical support staff, and with her broadband once again on the blink, decided to cancel her contract in May 2015.
On 27th May, she received a call from someone calling himself “Shane Williams”. He claimed to work for TalkTalk and promised he could fix her connection problems.
Ms Collison was convinced she was talking to a genuine TalkTalk employee because “Mr Williams” knew her account number and address. And because she’d had previous dealings with TalkTalk’s call centre in India, the man’s Indian accent didn’t seem suspicious.
In fact, Ms Collison was about to be subjected to an intricate but highly successful con trick which, although it used 21st Century technology, exploited tactics developed almost exactly 100 years earlier by American crime gangs.
Claiming he could fix her problems, “Mr Williams” sent a website link to Tamsin’s email address.
Clicking on the link installed a piece of software called a Remote Access Tool (or RAT) on Ms Collison’s computer. As the name suggests, this gives the sender of the email the ability to remotely control the recipient’s computer. Such software is often used legitimately in large companies to help IT support staff fix employees’ problems without having to attend in person.
Still believing she was talking with a legitimate TalkTalk worker, Ms Collison followed his instructions to install the software. Unknown to her, “Mr Williams” was now able to see everything that happened on her computer, and anything she typed on the keyboard.
Next, he told Ms Collison that she was due a £200 compensation. She was transferred to yet another “TalkTalk employee” in India who would help her with her payment. He gave his name as “Patrick Anderson”.
This second scammer then sent Ms Collison a link to a website where she could claim her £200 compensation. It looked like the TalkTalk website, and featured the logos of all the British banks, but was in fact a fake site set up by the scammers.
Clicking on her bank’s logo, Ms Collison was confronted with a website that looked like her online account login page. In reality, it was another fake set up by the scammers.
Reassuring Ms Collison, “Mr Anderson” warned her not to tell him her full PIN or password, but simply to type in the requested characters on the web page. (A small detail, but the psychological impact on Ms Collison was significant. She repeatedly mentioned that these warnings convinced her this was not a scam, since they so closely echoed official warnings about never giving away your full password.)
Thanks to the Remote Access Tool, as Ms Collison typed in the letters and numbers, the scammer was able to pick them up, and simply typed them into the legitimate bank login page.
In Kolkata, “Patrick Anderson” was inside Ms Collison’s bank accounts, and staring at thousands of pounds in savings, which Ms Collison had put aside for her tax bill.
But spiriting the money away wasn’t going to be easy.
In order to transfer the money to another account, the fraudster would need to set up a new payee, and that required access to the card reader issued to UK bank customers like Ms Collison. And besides, a bank transfer would create a breadcrumb trail that might get the scammer caught.
Instead, “Mr Anderson” opted for a more complex, but ultimately safer tactic. He transferred £5,200 from Ms Collison’s savings account to her current account, and used the Remote Access Tool to show her the current account.
Seeing the new balance, an exasperated Ms Collison told the “TalkTalk employee” that he’d overpaid her by £5,000. At which point, he went into what she described as an “Oscar-winning meltdown performance”, explaining between sobs that the mistake would cost him his job, his family and his home. He explained the error by pointing out that, on the numeric pad on the right of the keyboard, the 5 key is just above the 2 key, and he had pressed both keys by mistake.
(Again, a small detail, but it deftly and coherently explains the apparent error. A good con trick is all about the details.)
By this time, Ms Collison had been on the phone for several hours with what she still believed was TalkTalk’s customer services team, and she wanted the quickest way to get rid of them. She offered to simply transfer the money back, but Mr Anderson said this would expose his error to his bosses.
Instead, he said, Ms Collison needed to send the money to a colleague of his in a different TalkTalk office, who would deposit the money and hide the error. He gave Ms Collison the name “Sohail Hussain”, who he said was in Bangkok. He talked her through the process of transferring cash via MoneyGram (all you need is a name and a city), and urged her to make the transfer quickly.
So Ms Collison went to the cashpoint, then to the Post Office, and sent £5,000 to a man she’d never met, 6,000 miles away.
At this point in the story, Ms Collison’s behaviour seems inexplicably foolhardy. It is painfully easy to rewind through the events and find all the moments when she could have spotted the crime.
But there are three factors to keep in mind: firstly, you, the reader, have the benefit of following the story knowing from the beginning that it’s a scam. It is impossible, now, for you to put yourself in Ms Collison’s place, as someone not only ignorant of the fraud, but who’d been worked on for several hours by professional crooks.
Secondly, Ms Collison, by her own admission, is not web-savvy. Anyone who has dealt with a panicked IT emergency call from an older relative knows how easy it is to be blinded by technology.
Thirdly and most importantly, the con trick tactics used on Ms Collison have a very, very long pedigree, having been perfected over the course of more than a century.
In his book The Big Con, David W. Maurer describes the world of the late-19th and early-20th Century “grifters”, confidence tricksters who marauded across the US, exploiting the newly emerging cash-rich society that flourished before the Great Depression brought the gravy train to a halt.
The con trick developed into a mesmerisingly intricate art form. It was fictionalised in the film The Sting, but in real life the same tricks were used to net crime gangs what would in today’s money be worth millions.
And their tactics become eerily familiar seen through the prism of the TalkTalk scammers.
Big Con games, or Big Store games, relied on the creation of a fantasy world, in which the victim was convinced they were part of an organised scheme that would result in a pay-out. Vital to the trick was “roping the mark”, in which the victim (the “mark”) was transferred from one person to another, creating the illusion of a legitimate, organised business.
As Ms Collison was passed down the line of fake TalkTalk workers, she was simply a mark being roped.
Another vital step in the Big Con game is called “putting the mark on the send”. Once a gang was sure that a victim was ready to be swindled, they gave the victim the opportunity to escape; to go home or stay in a hotel. Often they would give the victim a small but significant portion of the gang’s money to go away with.
It was a gamble for the crooks, but this psychological trick had the effect of reassuring the mark that they weren’t about to be scammed; after all, why would a bunch of thieves let their victim walk away, especially with a few thousand dollars of their money?
Such was the skill of the Big Con tricksters, the mark would almost always return, only to be fleeced for a huge sum.
Ms Collison was put on a version of “the send”.
Not only did she still believe she was dealing with the real TalkTalk, but if it was a scam, why had they just handed her £5,000?
She was in a superior position, she believed, but wanted to do the right thing by sending back the money, which as far as she was concerned, wasn’t hers anyway.
Meanwhile, thousands of miles away in Bangkok, Sohail Hussain picked up his money. Tamsin would never see it again. But that wasn’t to be the end of the story.
The next part of Ms Collison’s tale is uncomfortable to tell, because it came about as a result of my mistake.
She had been offered a small amount of compensation by TalkTalk. When I reported her story in October 2015 (still unaware of the full scale of the fraud), I stated she had “been paid” the compensation.
It was only two words of script, but the error greatly upset Ms Collison, because it implied she had taken TalkTalk’s money when she had not.
I felt ashamed; journalists rely on people to tell us their stories (often dredging up unwelcome emotions for them), and we make a living out of the results. To get a person’s story wrong is not only a personal and professional failure, it’s potentially fatal to journalism as a whole.
I wanted to make it up to Ms Collison, and I also suspected we stood a chance of finding out more about the people who scammed her. The great thing about technology journalism is that it’s almost impossible for people not to leave a trace, somewhere.
Ms Collison had had her computer wiped, so there was no chance of recovering the gang’s emails, nor backtracking the virus they’d used.
What Ms Collison did have, though, was the MoneyGram receipts, and a single phone number, left on her phone by “Patrick Anderson”, the man who’d convinced her to send the money to Bangkok.
I’d love to claim that I had access to some super-advanced investigative journalism tools that helped me trace the number. But the truth is that I simply typed it into Facebook.
What came up was a picture of a slender young Asian man with the account name Shoaib Khan. This, it seems, was the true face of “Patrick Anderson”. He said he was 22 and lived in Kolkata. His timeline was a string of selfies: smoking a cigarette on a night out, posing with an expensive car, handling a huge snake at the zoo, and in one intriguing shot standing in what looked like a call centre.
I harvested as much as I could, then called the number. A voice answered with an Indian accent: “TalkTalk speaking”. I told him my computer needed fixing and he said he’d call back.
Meantime I asked a colleague in India to call the same number from an Indian mobile. My colleague called me back a few minutes later, and told me the man who answered had identified himself as Shoaib Khan.
Perhaps I went too far in making these calls, because I never heard back from Mr Khan, and when I phoned the number a few days later, another voice answered and claimed to have nothing to do with him.
But the Facebook account was still open, and it yielded up some crucial evidence. Mr Khan had a friend called Sohail Hussain.
And on 25 May 2015, a few days before Ms Collison unwittingly transferred her money to Thailand, Hussain had flown to Bangkok.
“Going for a business meeting” read the status update.
Mr Hussain then posted photos of what looked like a leisurely holiday in Thailand, before returning to Kolkata.
Two months later, Mr Khan’s status update showed him hitting the casino, hashtag: “winning”.
The day before Channel 4 News broadcast the story in December 2015, I contacted Mr Khan and Mr Hussain through Facebook, presented our evidence and invited their comment. When I woke up the next morning the Facebook profiles were gone, and have never returned.
After the story was broadcast I attempted to contact Kolkata police, with no success. I helped Ms Collison update her report on Action Fraud, the UK police’s help centre for fraud victims, which again received no follow-up.
I was contacted by several Indian men following the report, all of whom claimed to know of the gang, and who gave me snippets of information. But none could provide enough evidence to move the story on significantly. Some claimed that Hussain and Khan had fled town. This would turn out to be very far from the truth.
Using specialist software I attempted to mine the Facebook data of those linked to the pair, but the connections went nowhere.
My last attempt was to pretend to be a potential client involved in data mining and marketing, with the idea that I could approach Khan and/or Hussain and pose as a buyer of their services. But again, I failed to make any headway.
After six months of working on it, on and off, the trail went cold and the story slipped down my to-do list.
Then on 18th January, a message arrived in my inbox:
“Hi sir I need to talk to you”
The message came from a man who claimed to have been part of the TalkTalk fraud operation. Over the next few hours, along with another whistleblower, he told me the inside story of how the crime worked. Far from just being the work of Khan and Hussain, the sources described a large network of call centres across India that had been set up under the guise of a legitimate company to exploit TalkTalk customer data.
The firm’s offices appear to be typical call centres (they even hire staff through India’s network of IT recruitment sites), but are actually a front for an industrial-scale criminal operation.
As many as 60 employees work in shifts, spending all day calling TalkTalk customers.
The scam factory’s employees are given scripts which, just as in a legitimate call centre, they are trained to read to those who answer the phone. The scripts instruct the call centre workers to claim they work for TalkTalk, and give stock answers to allay victims’ suspicions (for example, reassuring them that only a legitimate TalkTalk employee would have access to a customer’s account information; an argument that worked on Ms Collison).
It was exactly this script that Ms Collison heard from “Shane Williams”, the fake TalkTalk employee.
The two sources had both been hired to work there, they said. They had been among the team who helped install RAT software on victims’ computers, just like Tamsin’s. But both claimed they did not realise they were involved in a crime, because of how the operation was set up.
The scammers had two offices, said the whistleblowers: one in central India, the other in Kolkata. The job of those in the central India office, where they worked, was to call the customers and convince them to install the Remote Access Tool (the job that had been done on Ms Collison).
Once this was complete, the customer’s call would be transferred to the Kolkata office, where the financial fraud would be handled by a different, smaller team.
This astute business decision solved two problems at once: firstly the low-level employees in central India took on the donkey-work of calling round customers, whittling them down and leaving the smaller, senior team free to work on those who bought into the con.
But secondly, it minimised the gang’s chances of getting caught by reducing the number of people aware of the full scale of the crime. The central India employees were told they were working on behalf of TalkTalk, and while it’s hard to imagine they didn’t suspect wrongdoing, they could at least remain wilfully blind since they never saw the final crime.
The whistleblowers who messaged me claimed it was only once they saw my report on Hussain and Khan that they realised the crime they were mixed up in.
They expressed remorse for what had been done to TalkTalk customers, some of whom, they claim, had been reduced to tears during the scam calls. They even tried, unsuccessfully, to share the phone numbers of TalkTalk customers they had recently called, requesting that I phone them to warn them off the fraud.
They described how dozens of employees, hired from ads in local newspapers and on social media, make 10,000 Rupees per month (roughly £120) from making scam calls, and can earn a bonus for every person they convince to install the RAT on their computer.
They shared the scripts employees were trained to read out, with instructions for installing the software, and convincing the customer that they really were speaking to TalkTalk’s staff (they contained the address of the company’s head office, for example).
Each employee makes thousands of calls per day using automated software, the whistleblowers told me, but many either go to an answerphone or are not connected. Only a handful of those who answer end up installing the RAT software, but with each victim potentially worth thousands of pounds, the business seems lucrative enough for those who run it.
On that front, the whistleblowers had a surprising revelation. Far from being simple foot soldiers in the operation, Mr Khan and Mr Hussain are in fact among the senior team running the scam. The whistleblowers had seen them around the office, and told me Mr Hussain is frequently in Thailand.
Over the next few days, my two sources repeatedly denied that they had understood the nature of the work before taking the job, and expressed regret for those who had been scammed.
Both have now left the call centre.
They were soon joined by more whistleblowers. In the end, five seemingly separate sources came forward to say they either worked for or were trained by the gang, or had identified Mr Khan within the organisation.
So how did the scam gang get hold of TalkTalk customers’ data?
Remember Wipro, the Indian company TalkTalk had hired back in 2011? Well, in January 2016 three employees at Wipro’s Kolkata office (where TalkTalk’s calls were being handled) were arrested in connection with selling TalkTalk customer data.
The Information Commissioner’s Office has now confirmed that three Wipro accounts were used to steal 21,000 TalkTalk customers’ details. The data watchdog has fined TalkTalk £100,000 for failing to protect its customers’ data.
Wipro works for many British companies, and the vast majority have reported no problems with its services. To lose thousands of customers’ records from such a company seems like a huge stroke of bad luck for TalkTalk – if so, the company’s bad luck didn’t stop there.
The stolen customers’ data then fell into the well-oiled crime machine of Khan and Hussain, who were primed to exploit it en masse, according to a source who says he knows the gang but does not want to be named.
The source claims USB sticks full of TalkTalk accounts were traded for cash at parties in Kolkata, only to end up used in the call centres the whistleblowers described.
There are considerable question marks over what TalkTalk knew and when, and the timings of its reports to the ICO. The company confirmed publicly in February 2015 that “some limited, non-sensitive information” had been stolen from a supplier, but did not name Wipro specifically.
Contrast this with the statement it gave to me when Channel 4 News first reported the Wipro arrests:
“Following the October 2015 cyber attack, we have been conducting a forensic review to ensure that all aspects of our security are as robust as possible, including that of our suppliers. As part of the review, we have been working with Wipro, one of our suppliers, and the local Police in Kolkata.”
So although it seems TalkTalk knew of the problems by early 2015, it was only many months later that it began its “forensic review” to get to the bottom of the leak, and even then, only as a result of an unrelated cyberattack. Had the hack not happened, would the Wipro action ever have been taken?
In response to a request for comment for this article, a TalkTalk spokeswoman said: “We are aware that there are criminals targeting a number of UK and international companies, and we take our responsibility to protect our customers very seriously. This is why we launched our ‘Beat the Scammers’ campaign, helping all our customers to keep themselves safe from scammers no matter who they claim to be, while our network also proactively blocks over 90 million scam and nuisance calls a month.”
It is hard to overstate the impact of the TalkTalk hack on corporate Britain. Chief executives up and down the country winced as its then CEO Dido Harding was repeatedly grilled on TV news. Keen to avoid the same fate, they have in many cases boosted cyber security, or at least paid lip service to the issue.
The story of the Wipro leak and its attendant scam may be an extreme example, but it taps into a potentially more troubling vein: the security of the global personal data industry. As margins shrink in data-driven businesses, the urge to drive down costs means many are contracting out the donkey-work of data storage, processing, and customer service.
Business Process Outsourcing, as this is called, generates revenues of almost $150bn in India alone, with giants like TCS, Infosys and Wipro vying for business. In order to make it work, personal data on UK customers has to be shipped (albeit virtually) to overseas call centres, and episodes like the leak at Wipro raise serious questions about how safely this can be done.
The ICO reported that 40 Wipro employees had bulk access to up to 50,000 TalkTalk customers’ details, and could tap into the data from outside the company.
Wipro did not respond to my requests for comment for this article.
When things go wrong, who carries the can? While TalkTalk has expressed sympathy for customers caught by the scammers, I have not heard of it reimbursing them for their losses. It seems if a mistake happens further down the supply chain, there’s wiggle room for bigger brands further up the chain (particularly when, as in the TalkTalk case, there were further steps involved in the eventual fraud).
UK companies are obliged, under data protection rules, to take reasonable steps to handle our data securely. But when it comes to outsourced data, what does that actually involve? Visits to data centres in places like Kolkata? Vetting of staff? Super-gluing the USB sockets on computers?
And how fair is this on customers? How can we audit what steps a company has taken to protect our data? Technically it’s not for us, but for our data watchdog the ICO to wade in on this. In TalkTalk’s (admittedly complex) case, that’s taken more than two years.
New regulations may soon change the game. New EU data protection rules in the UK will force companies to report data breaches to the ICO. They face fines of up to 4% of turnover or £17m, and the extent to which they secured the data will help determine the penalty.
The hope is that these tough new rules will trickle down through the data industry, forcing all those in the chain to improve their behaviour.
As for Ms Collison: while it may have been cathartic to find out so much information about those who swindled her, the crime still affects her in very material ways.
During the scam the criminals had told her they would send someone round in person to fix her connection. She believes a member of the gang called at her flat while she was away.
The thought of her name and address being known to criminals, and the prospect of further visits, made her feel increasingly afraid to be in the property. She’d been thinking of moving for some time, she says, and the feeling of violation after the fraud made up her mind. She moved to another area of London. Meanwhile, the whistleblowers claim, Khan and Hussain set up a second scam call centre.