Age proved to be no barrier in the world of cyber fraud, as a 16-year-old boy managed to swindle a staggering Rs 100 crore in the span of a single year. His target was the website of power utility UPPCL, the portal through which consumers pay their electricity bills. By spotting and exploiting a technical weakness in this very system, the teenager inflicted a Rs 100 crore loss on the company.
First, How a Normal Bill Payment Works
Explaining the case, a cyber expert laid out how the bill-payment mechanism usually functions. When a person pays an electricity bill, a fresh session is created on the billing website. This session opens access to the bank from which the payment is to be made. The consumer then enters their login password and completes the transaction. The bank records the payment and sends back an acknowledgement to the main website. That acknowledgement reaches UPPCL confirming the payment was successful, after which the consumer's bill is updated. This is an entirely routine feature.
The Teen Spotted the Weak Link
It was within this very process that the boy identified a flaw. He began placing advertisements in newspapers, inviting anyone who wanted their electricity bill slashed to come to him. His operation grew so quickly that people started flocking to him. Someone would walk in and say, "Sir, this is a bill of Rs 5,00,000" — and in return he would charge just Rs 50,000. He reduced bills by as much as 80 to 90 percent. As his business expanded, he ended up cheating UPPCL out of a total of Rs 100 crore.
The Zero-Balance Accounts and the 'Shark Tool'
His trick was to make payments from bank accounts that carried a zero balance. Naturally, a payment from a zero-balance account would fail, and the bank would send back a negative acknowledgement stating the transaction had failed. But right in the middle of this process, he would deploy a 'virus shark tool' that positioned itself between the two applications. This tool would convert the negative acknowledgement coming from the bank into a positive one and push it forward.
Money Showed in the Ledger, but Never Reached the Account
As a result, UPPCL's ledger would register the payment as received, even though not a single rupee actually landed in the company's account. He would then print out this 'successful' payment confirmation and hand it over to the consumer. It was through this method that the power utility UPPCL was defrauded of Rs 100 crore.
How He Was Finally Caught
Despite executing the scam with such finesse, the teenager made one slip — he placed an advertisement in a newspaper. That very ad became the reason for his arrest. The method he used left the investigating officers themselves stunned.
