The Oil and Natural Gas Corporation Limited (ONGC) is India's third most profitable company and, as of May, had posted a consolidated net profit of Rs 18,334 crore for 2014-15. However, it lost nearly Rs 200 crore last month to a scam so disarmingly simple that it is a testimony to how little the alleged fraudsters must think of the collective intelligence of two of the largest oil companies in the world to even attempt such a scheme.
To summarize, ONGC had agreed in September to deliver 36,000 tonnes of naphtha to Saudi Arabia-based oil company Aramco for Rs 100 crore. The delivery was facilitated on behalf of ONGC from the email address 'firstname.lastname@example.org.'
The company usually received money into its State Bank of India account, and officials were perturbed that Aramco hadn't paid up several days after the deadline. On checking, ONGC was told that public holidays had delayed payment, to which the benignly trusting company responded by sending a new consignment of naphtha, worth Rs 97 crore, to Aramco.
On October 7, ONGC got an email from Aramco saying that their money had been transferred to Bangkok Bank Public Company Limited "on the request of ONGC."
The frazzled ONGC contacted the cyber wing of the Mumbai police, from where it emerged that Aramco had been communicating with email@example.com, ostensibly a fraud website, with merely two letters in the URL interchanged.
ONGC hasn't responded to the Indian Express and little's known about the identity of the scamsters. The Indian Express report is fairly detailed, but some key questions pop out, such as:
1. If it's an inside job (someone from ONGC actually leaked out information), how was an address change from Aramco's end not viewed by the several layers of officials that typically populate a state-run establishment such as ONGC? Surely government establishments, which ask for invoices in triplicate or quadruplicate, would have several eyes approving a request to transfer money into an unprecedented new account?
2. How did delayed payments not elicit a single phone call (those devices that existed before email) at either ONGC's or Aramco's end? The frantic faxes were set into motion only AFTER ONGC registered a Rs 100 crore loss.
3. If it was a hack or a security breach, then surely ONGC's transactions must be a public garden, as what are the odds that hackers zero in on the one-in-a-million email IDs pivotal to the transaction?
4. Maybe ONGC is not at fault. Did the leaks happen at Aramco's end? Shouldn't this then involve the Saudi law authorities too?
Either way, the moral of the story is that cyber crime doesn't always involve sophisticated geeks hacking into Mission Impossible-style fortresses. Sometimes people like leaving their vaults unlocked.
Officers of the BKC cyber police station said an FIR has been registered under Sections 419 (cheating by impersonation), 420 (cheating), 465 (forgery), 468 (forgery for purpose of cheating) and 471 (using a forged document) of the Indian Penal Code, and Sections 66C (punishment for identity theft) and 66D (cheating by impersonation using computer resource) of the Information Technology Act.