- Source: Technical support scam
A technical support scam, or tech support scam, is a type of scam in which a scammer claims to offer a legitimate technical support service. Victims contact scammers in a variety of ways, often through fake pop-ups resembling error messages or via fake "help lines" advertised on websites owned by the scammers. Technical support scammers use social engineering and a variety of confidence tricks to persuade their victim of the presence of problems on their computer or mobile device, such as a malware infection, when there are no issues with the victim's device. The scammer will then persuade the victim to pay to fix the fictitious "problems" that they claim to have found. Payment is made to the scammer via gift cards, which are hard to trace and have few consumer protections in place.
Technical support scams have occurred as early as 2008. A 2017 study of technical support scams found that of the IPs that could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica. Research into tech support scams suggests that millennials and those in generation Z have the highest exposure to such scams; however, senior citizens are more likely to fall for these scams and lose money to them. Technical support scams were named by Norton as the top phishing threat to consumers in October 2021; Microsoft found that 60% of consumers who took part in a survey had been exposed to a technical support scam within the previous twelve months. Responses to technical support scams include lawsuits brought against companies responsible for running fraudulent call centres and scam baiting.
Origin and distribution
The first tech support scams were recorded in 2008. Technical support scams have been seen in a variety of countries, including the United States, Canada, United Kingdom, Ireland, Australia, New Zealand, India, and South Africa.
A 2017 study of technical support scams published at the NDSS Symposium found that, of the tech support scams in which the IPs involved could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica. India has millions of English speakers who are competing for relatively few jobs. One municipality had 114 jobs and received 19,000 applicants. This high level of unemployment serves as an incentive for tech scamming jobs, which are often well-paid. Additionally, scammers exploit the levels of unemployment by offering jobs to people desperate to be employed. Many scammers do not realise they are applying and being trained for tech support scam jobs, but many decide to stay after finding out the nature of their job as they feel it is too late to back out of the job and change careers. Scammers are forced to choose between keeping their job or becoming jobless. Some scammers convince themselves that they are targeting wealthy people that have money to spare, which justifies their theft, whilst others see their job as generating "easy money". Some scammers rationalize that the victim needs an anti-virus anyway and therefore, it is acceptable to tell the victim lies and charge them for technical support or to charge them for an anti-virus.
Operation
Technical support scams rely on social engineering to persuade victims that their device is infected with malware. Scammers use a variety of confidence tricks to persuade the victim to install remote desktop software, with which the scammer can then take control of the victim's computer. With this access, the scammer may then launch various Windows components and utilities (such as the Event Viewer), install third-party utilities (such as rogue security software) and perform other tasks in an effort to convince the victim that the computer has critical problems that must be remediated, such as infection with a virus. Scammers target a variety of people, though research by Microsoft suggests that millennials (defined by Microsoft as age 24-37) and people part of generation Z (age 18-23) have the highest exposure to tech support scams and the Federal Trade Commission has found that seniors (age 60 and over) are more likely to lose money to tech support scams. The scammer will urge the victim to pay so the "issues" can be fixed.
Initiation
Technical support scams can begin in a variety of ways. Some variants of the scam are initiated using pop-up advertising on infected websites or via cybersquatting of major websites. The victim is shown pop-ups which resemble legitimate error messages such as a Blue Screen of Death and freeze the victim's web browser. The pop-up instructs the victim to call the scammers via a phone number to "fix the error". Technical support scams can also be initiated via cold calls. These are usually robocalls which claim to be associated with a legitimate third party such as Apple Inc. Technical support scams can also attract victims by purchasing keyword advertising on major search engines for phrases such as "Microsoft support". Victims who click on these adverts are taken to web pages containing the scammer's phone numbers. In some cases, mass emailing is used. The email tends to state that a certain product has been purchased using the recipient's Amazon account and to ask the recipient to contact a certain telephone number if this is an error.
Confidence tricks
Once a victim has contacted a scammer, the scammer will usually instruct them to download and install a remote access program such as TeamViewer, AnyDesk, LogMeIn or GoToAssist. The scammer convinces the victim to provide them with the credentials required to initiate a remote-control session, giving the scammer complete control of the victim's desktop. The scammer will not tell the victim that they are using remote control software or that its purpose is to gain access to the victim's PC. The scammer will say "this is for connecting you to our secure server" or "I am going to give you a secure code", which in reality is just an ID number used by the remote desktop software package.
After gaining access, the scammer attempts to convince the victim that the computer is suffering from problems that must be repaired. They will use several methods to misrepresent the content and significance of common Windows tools and system directories as evidence of malicious activity, such as viruses and other malware. These tricks are meant to target victims who may be unfamiliar with the actual uses of these tools, such as inexperienced users and senior citizens. The scammer then coaxes the victim into paying for the scammer's services and/or software, which they claim is designed to "repair" or "clean" the computer but is either malicious or simply does nothing at all.
The scammer may open Windows' Event Viewer, which displays a logfile of various events for use by system administrators to troubleshoot problems. Although many of the log entries are relatively harmless notifications, the scammer may claim that the log entries labeled as warnings and errors are evidence of "system corruption" that must be "fixed" for a fee.
The scammer may show system folders that contain unusually named files to the victim, such as those in Windows' Prefetch and Temp folders, and claim that the files are evidence of malware on the victim's computer. The scammer may also open some of these files in Notepad, wherein binary file contents are rendered as mojibake. The scammer claims that malware has corrupted these files, causing the unintelligible output. In reality, the files in Prefetch are typically harmless, intact binary files used to speed up certain operations.
The scammer may falsely claim that normally disabled Windows services should not be disabled and that these services were disabled due to a computer virus.
The scammer may misuse Command Prompt tools to generate suspicious-looking output, for instance using the tree or dir /s command which displays an extensive listing of files and directories. The scammer may claim that they are "searching for malware and hackers", and while the tool is running the scammer will enter text purporting to be an error message (such as "ECHO security breach ... trojans found") that will appear when the job finishes, or will open a text file with such claims in Notepad or Word.
The scammer may misrepresent innocuous values and keys that are stored in the Windows Registry as being signs of malware.
The "Send To" Windows function is associated with a globally unique identifier. The output of the command assoc, which lists all file associations on the system, displays this association with the line ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}; this GUID is the same on all recent versions of Windows. The scammer may claim that this is a unique ID used to identify the user's computer, before reading out the identifier to "verify" that they are a legitimate support company with information on the victim's computer, or claim that the CLSID listed is actually a "Computer Licence Security ID" that must be renewed.
The scammer may claim that the alleged "problems" are the result of expired hardware or software warranties and then coax the victim into paying for a nonsensical and fraudulent "renewal service".
The scammer may block the victim from viewing their screen, claiming that it is the result of malware or of a scan being run, and use this time to search the victim's files for sensitive information, attempt to break into the victim's bank account with stolen or found credentials or activate the webcam and see the victim's face.
The scammer may run the command line tool known as netstat, which shows local and foreign IP addresses. The scammer then tells the victim that these addresses belong to foreign hackers that have gained access to their network.
The scammer may claim that the legitimate Windows process rundll32.exe is a virus. Often, the scammer will search Google or Yahoo for an article about RUNDLL32.EXE and will scroll to a section saying that the process name can also possibly be part of a malware infection, even though the victim's computer does not contain malware.
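The tricks listed above are each harmless on their own; what stands out to a defender is several of them appearing shortly after a remote-access tool starts. The following detection sketch is an added example, not part of the original article: the `timestamp|command line` log format, the sample records, the 30-minute window and the threshold of three are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Remote-access tools named in the article, matched on the command line.
REMOTE_TOOLS = re.compile(r"\b(teamviewer|anydesk|logmein|gotoassist)", re.I)

# Trick name -> pattern over the full command line. Each command is benign
# alone; the signal is several of them soon after a remote session starts.
TRICKS = {
    "event_viewer": re.compile(r"\beventvwr\b", re.I),
    "file_listing": re.compile(r"\btree(\.com)?\b|\bdir\s+/s\b", re.I),
    "assoc_clsid": re.compile(r"\bassoc\b", re.I),
    "netstat": re.compile(r"\bnetstat\b", re.I),
    "fake_alert_echo": re.compile(r"\becho\b.*(trojan|hacker|breach|virus)", re.I),
    "prefetch_in_notepad": re.compile(r"\bnotepad\b.*\\prefetch\\", re.I),
}
WINDOW = timedelta(minutes=30)  # assumed look-ahead after the tool starts
THRESHOLD = 3                   # assumed number of distinct tricks to alert

# Constructed sample: "ISO timestamp|command line", one per process start.
SAMPLE_LOG = r"""
2024-05-01T09:58:00|C:\Windows\System32\netstat.exe -an
2024-05-01T10:02:11|C:\Users\pat\Downloads\AnyDesk.exe
2024-05-01T10:04:40|C:\Windows\System32\mmc.exe C:\Windows\System32\eventvwr.msc
2024-05-01T10:07:02|cmd.exe /c tree C:\
2024-05-01T10:07:30|cmd.exe /c echo security breach ... trojans found
2024-05-01T10:09:15|cmd.exe /c assoc
2024-05-01T10:11:48|notepad.exe C:\Windows\Prefetch\CMD.EXE-4A81B364.pf
2024-05-01T15:30:00|C:\Windows\System32\netstat.exe -an
""".strip().splitlines()

def find_scam_sessions(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (tool_start, tool_cmd, sorted trick names) for each remote-access
    launch followed by at least `threshold` distinct tricks within `window`."""
    events = sorted((datetime.fromisoformat(t), c) for t, c in
                    (l.split("|", 1) for l in lines if l.strip()))
    alerts = []
    for start, cmd in events:
        if not REMOTE_TOOLS.search(cmd):
            continue
        seen = {name for ts, c in events if start < ts <= start + window
                for name, pat in TRICKS.items() if pat.search(c)}
        if len(seen) >= threshold:
            alerts.append((start, cmd, sorted(seen)))
    return alerts

if __name__ == "__main__":
    for start, cmd, tricks in find_scam_sessions(SAMPLE_LOG):
        print(f"{start} {cmd}: {', '.join(tricks)}")
```

The two `netstat` runs in the sample fall outside the window around the AnyDesk launch, so they do not contribute to the alert; routine administrator use of the same commands without a preceding remote session produces no alert either.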
Payment and impact
The preferred method of payment in a technical support scam is via gift cards. Gift cards are favoured by scammers because they are readily available to buy and have fewer consumer protections in place that could allow the victim to reclaim their money. Additionally, the usage of gift cards as payment allows the scammers to extract money quickly whilst remaining anonymous. Tech support scammers have also been known to ask for payment in the form of cryptocurrency, cheques and direct bank transfers made through automated clearing house (the latter only gives victims 60 days to recover their funds).
If a victim refuses to follow the scammer's instructions or to pay them, scammers have been known to resort to insulting and threatening their victim to procure payment. Scammers may also resort to bullying, coercion, threats and other forms of intimidation and psychological abuse towards their target in an effort to undermine the victim's ability to think clearly, making them more likely to be forced further into the scam. Crimes threatened to be inflicted on victims or their families by scammers have ranged from theft, fraud and extortion, to serious crimes such as rape and murder. Canadian citizen Jakob Dulisse reported to CBC in 2019 that, upon asking a scammer who made contact with him as to why he had been targeted, the scammer responded with a death threat; 'Anglo people who travel to the country' (India) were 'cut up in little pieces and thrown in the river.' Scammers have also been known to lock uncooperative victims out of their computer using the syskey utility (present only in Windows versions previous to Windows 10) or third party applications which they install on the victim's computer, and to delete documents and/or programs essential to the operation of the victim's computer if they do not receive payment. On Windows 10 and 11, since Microsoft removed the syskey utility, scammers will change the user’s account password. The scammer will open the Control Panel, go into user settings and click on change password, and the scammer will ask the user to type in his password in the old password field. The scammer will then create a password that only he knows and will reboot the computer. The user won’t be able to log into his PC unless he pays the scammer.
Microsoft commissioned a survey by YouGov across 16 countries in July 2021 to research tech support scams and their impact on consumers. The survey found that approximately 60% of consumers who participated had been exposed to a technical support scam within the last 12 months. Victims reported losing an average of 200 USD to the scammers and many faced repeated interactions from other scammers once they had been successfully scammed. Norton named technical support scams as the top phishing threat to consumers in October 2021, having blocked over 12.3 million tech support scam URLs between July and September 2021.
Response
Legal action has been taken against some companies carrying out technical support scams. In December 2014, Microsoft filed a lawsuit against a California-based company operating such scams for "misusing Microsoft's name and trademarks" and "creating security issues for victims by gaining access to their computers and installing malicious software, including a password grabber that could provide access to personal and financial information". In December 2015, the state of Washington sued the firm iYogi for scamming consumers and making false claims in order to scare the users into buying iYogi's diagnostic software. iYogi was also accused of falsely claiming that they were affiliated with Microsoft, Hewlett-Packard and Apple.
In September 2011, Microsoft dropped gold partner Comantra from its Microsoft Partner Network following accusations of involvement in cold-call technical-support scams. However, the ease with which companies that carry out technical support scams can be launched makes it difficult to prevent tech support scams from taking place.
Major search engines such as Bing and Google have taken steps to restrict the promotion of fake technical support websites through keyword advertising. Microsoft-owned advertising network Bing Ads (which services ad sales on Bing and Yahoo! Search engines) amended its terms of service in May 2016 to prohibit the advertising of third-party technical support services or ads claiming to "provide a service that can only be provided by the actual owner of the products or service advertised". Google announced a verification program in 2018 in an attempt to restrict advertising for third-party tech support to legitimate companies.
Scam baiting
Tech support scammers are regularly targeted by scam baiting, with individuals seeking to raise awareness of these scams by uploading recordings on platforms like YouTube, cause scammers inconvenience by wasting their time and protect potential victims. A good example of this is the YouTube community Scammer Payback.
Advanced scam baiters may infiltrate the scammer's computer, and potentially disable it by deploying remote access trojans, distributed denial of service attacks and destructive malware. Scam baiters may also attempt to lure scammers into exposing their unethical practices by leaving dummy files or malware disguised as confidential information such as credit/debit card information and passwords on a virtual machine, which the scammer may attempt to steal, only to become infected. Sensitive information important to carrying out further investigations by a law enforcement agency may be retrieved, and additional information on the rogue firm may then be posted or compiled online to warn potential victims.
In March 2020, an anonymous YouTuber under the alias Jim Browning successfully infiltrated and gathered drone and CCTV footage of a fraudulent call centre scam operation through the help of fellow YouTube personality Karl Rock. Through the aid of the British documentary programme Panorama, a police raid was carried out when the documentary was brought to the attention of assistant police commissioner Karan Goel, leading to the arrest of call centre operator Amit Chauhan who also operated a fraudulent travel agency under the name "Faremart Travels".
See also
Advance-fee scam
Antivirus software
Cybercrime in India
IRS impersonation scam
SSA impersonation scam
Telemarketing fraud
Virus hoax
List of scams
Further reading
"Global Tech Support Scam Research – Global Summary" (PDF). Microsoft Corporation. September 2018.
Semuels, Alana (September 18, 2024). "Welcome to the Golden Age of Scams". Time. Archived from the original on September 18, 2024.
External links
Official Microsoft support page on technical support scams
Official Symantec support page on technical support scams
Investigation with recordings by a security research group
Dial One for Scam: A Large-Scale Analysis of Technical Support Scams