A technical support scam, or tech support scam, is a type of scam in which a scammer claims to offer a legitimate technical support service. Victims contact scammers in a variety of ways, often through fake pop-ups resembling error messages or via fake "help lines" advertised on websites owned by the scammers. Technical support scammers use social engineering and a variety of confidence tricks to persuade their victim of the presence of problems on their computer or mobile device, such as a malware infection, when there are no issues with the victim's device. The scammer will then persuade the victim to pay to fix the fictitious "problems" that they claim to have found. Payment is made to the scammer via gift cards or cryptocurrency, which are hard to trace and have few consumer protections in place. Technical support scams have occurred as early as 2008. A 2017 study of technical support scams found that of the IPs that could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica. Research into tech support scams suggests that millennials and those in generation Z have the highest exposure to such scams; however, senior citizens are more likely to fall for these scams and lose money to them. Technical support scams were named by Norton as the top phishing threat to consumers in October 2021; Microsoft found that 60% of consumers who took part in a survey had been exposed to a technical support scam within the previous twelve months. Responses to technical support scams include lawsuits brought against companies responsible for running fraudulent call centres and scam baiting.
The first tech support scams were recorded in 2008. [1] [2] Technical support scams have been seen in a variety of countries, including the United States, [3] Canada, [4] United Kingdom, [1] Ireland, [5] Australia, [6] [7] New Zealand, [8] India, and South Africa. [9] [10]
A 2017 study of technical support scams published at the NDSS Symposium found that, of the tech support scams in which the IPs involved could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica. [11] India has millions of English speakers who are competing for relatively few jobs. One municipality had 114 jobs and received 19,000 applicants. [12] This high level of unemployment serves as an incentive for tech scamming jobs, which are often well-paid. [13] Additionally, scammers exploit the levels of unemployment by offering jobs to people desperate to be employed. [12] Many scammers do not realise they are applying and being trained for tech support scam jobs, [14] but many decide to stay after finding out the nature of their job as they feel it is too late to back out of the job and change careers. [14] Scammers are forced to choose between keeping their job and becoming jobless. [12] Some scammers convince themselves that they are targeting wealthy people that have money to spare, which justifies their theft, [14] whilst others see their job as generating "easy money". [13] [14] Some scammers rationalize that the victim needs an anti-virus anyway and that it is therefore acceptable to tell the victim lies and charge them for technical support or for an anti-virus.
Technical support scams rely on social engineering to persuade victims that their device is infected with malware. [15] [16] Scammers use a variety of confidence tricks to persuade the victim to install remote desktop software, with which the scammer can then take control of the victim's computer. With this access, the scammer may then launch various Windows components and utilities (such as the Event Viewer), install third-party utilities (such as rogue security software) and perform other tasks in an effort to convince the victim that the computer has critical problems that must be remediated, such as infection with a virus. Scammers target a variety of people, though research by Microsoft suggests that millennials (defined by Microsoft as age 24-37) and members of generation Z (age 18-23) have the highest exposure to tech support scams, while the Federal Trade Commission has found that seniors (age 60 and over) are more likely to lose money to tech support scams. [17] [18] The scammer will urge the victim to pay so the "issues" can be fixed. [1] [19] [20]
Technical support scams can begin in a variety of ways. Some variants of the scam are initiated using pop-up advertising on infected websites or via cybersquatting of major websites. The victim is shown pop-ups which resemble legitimate error messages such as a Blue Screen of Death [21] [22] [23] and freeze the victim's web browser. [24] [25] The pop-up instructs the victim to call the scammers via a phone number to "fix the error". Technical support scams can also be initiated via cold calls. These are usually robocalls which claim to be associated with a legitimate third party such as Apple Inc. [26] [19] Technical support scams can also attract victims by purchasing keyword advertising on major search engines for phrases such as "Microsoft support". Victims who click on these adverts are taken to web pages containing the scammer's phone numbers. [27] [28] In some cases, mass emailing is used. The email typically states that a certain product has been purchased using the recipient's Amazon account and that they should call a certain telephone number if this is an error.
Once a victim has contacted a scammer, the scammer will usually instruct them to download and install a remote access program such as TeamViewer, AnyDesk, LogMeIn or GoToAssist. [21] [29] The scammer convinces the victim to provide them with the credentials required to initiate a remote-control session, giving the scammer complete control of the victim's desktop. [1] The scammer does not tell the victim that remote control software is being used or that its purpose is to gain access to the victim's PC. The scammer will say "this is for connecting you to our secure server" or "I am going to give you a secure code", which in reality is just an ID number used by the remote desktop software package.
After gaining access, the scammer attempts to convince the victim that the computer is suffering from problems that must be repaired. They will use several methods to misrepresent the content and significance of common Windows tools and system directories as evidence of malicious activity, such as viruses and other malware. [21] These tricks are meant to target victims who may be unfamiliar with the actual uses of these tools, such as inexperienced users and senior citizens. [1] [26] [30] The scammer then coaxes the victim into paying for the scammer's services and/or software, which they claim is designed to "repair" or "clean" the computer but is either malicious or simply does nothing at all. [31] Documented tricks include the following:
- The scammer runs the tree or dir /s command, which displays an extensive listing of files and directories. The scammer may claim that they are "searching for malware and hackers", and while the tool is running the scammer will enter text purporting to be an error message (such as "ECHO security breach ... trojans found") that will appear when the job finishes, or will open a text file with such claims in Notepad or Word. [19]
- The scammer runs assoc, which lists all file associations on the system, and points to the line ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}; this GUID is the same on all recent versions of Windows. The scammer may claim that this is a unique ID used to identify the user's computer, before reading out the identifier to "verify" that they are a legitimate support company with information on the victim's computer, or claim that the CLSID listed is actually a "Computer Licence Security ID" that must be renewed. [33] [34] [35]
- The scammer runs netstat, which shows local and foreign IP addresses. The scammer then tells the victim that these addresses belong to foreign hackers that have gained access to their network. [38] [39] [40]
- The scammer claims that legitimate Windows processes such as rundll32.exe are viruses. Often, the scammer will search Google or Yahoo for an article about RUNDLL32.EXE and will scroll to a section saying that the process name can also possibly be part of a malware infection, even though the victim's computer does not contain malware. [19]
The preferred method of payment in a technical support scam is via gift cards. [41] Gift cards are favoured by scammers because they are readily available to buy and have fewer consumer protections in place that would allow the victim to reclaim their money. Additionally, the usage of gift cards as payment allows the scammers to extract money quickly whilst remaining anonymous. [42] [43] Tech support scammers have also been known to ask for payment in the form of cryptocurrency, cheques and direct bank transfers made through the automated clearing house system (the latter only gives victims 60 days to recover their funds). [44]
If a victim refuses to follow the scammer's instructions or to pay them, scammers have been known to resort to insulting [45] and threatening [46] [47] their victim to procure payment. Scammers may also resort to bullying, coercion, threats and other forms of intimidation and psychological abuse towards their target in an effort to undermine the victim's ability to think clearly, making them more likely to be forced further into the scam. [48] Crimes that scammers have threatened to inflict on victims or their families range from theft, fraud and extortion [49] to serious crimes such as rape [50] and murder. [45] Canadian citizen Jakob Dulisse reported to CBC in 2019 that, upon asking a scammer who made contact with him why he had been targeted, the scammer responded with a death threat: 'Anglo people who travel to the country' (India) were 'cut up in little pieces and thrown in the river.' [46] [51] Scammers have also been known to lock uncooperative victims out of their computer using the syskey utility (present only in Windows versions prior to Windows 10) [52] or third-party applications which they install on the victim's computer, [49] [53] [54] and to delete documents and/or programs essential to the operation of the victim's computer if they do not receive payment. [32] On Windows 10 and 11, since Microsoft removed the syskey utility, scammers instead change the user's account password. The scammer opens the Control Panel, goes into the user settings, clicks on "change password" and asks the user to type their password into the old-password field. The scammer then sets a new password that only they know and reboots the computer. The user cannot log into their PC unless they pay the scammer.
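The tricks listed above (tree, dir /s, assoc, netstat, the fake "breach" banner) and the lockout step just described leave a recognisable trail in process-creation telemetry. The following detector is an added example, not code from the article or any EDR product: it assumes a simplified, constructed log format (one event per line, pipe-delimited) and a 30-minute correlation window after a remote access tool launches; the "net user" pattern is a command-line stand-in for the Control Panel password change and is an assumption, not something the article mentions.

```python
"""Flag process-creation sequences matching the tech support scam playbook.
Constructed example, not code from the article or any EDR product. Assumes a
simplified log, one event per line: "<ISO time>|<user>|<image path>|<command line>".
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time user image cmdline")
# Remote access tools the article names; matched as image-basename substrings (assumption).
REMOTE_TOOLS = ("teamviewer", "anydesk", "logmein", "gotoassist")
# Built-in commands the article describes being passed off as malware "evidence".
THEATRE = [
    ("tree", re.compile(r"\btree(\.com)?\b", re.I)),
    ("dir /s", re.compile(r"\bdir\b.*\s/s\b", re.I)),
    ("assoc", re.compile(r"\bassoc\b", re.I)),
    ("netstat", re.compile(r"\bnetstat\b", re.I)),
    ("fake breach banner", re.compile(r"\becho\b.*(breach|trojan|hacker)", re.I)),
]
# Lockout: syskey (pre-Windows 10) and "net user <name> <pw>" as a command-line
# stand-in for the Control Panel password change the article describes (assumption).
LOCKOUT = [
    ("syskey", re.compile(r"\bsyskey(\.exe)?\b", re.I)),
    ("password change", re.compile(r"\bnet1?\s+user\s+\S+\s+[^/\s]\S*", re.I)),
]
SESSION_WINDOW = timedelta(minutes=30)  # correlate this long after the tool launch

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, image, cmd = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), user, image.strip(), cmd.strip()))
    return events

def analyze(events):
    """Return (time, kind, detail); kind is remote_tool, theatre, theatre_no_session or lockout."""
    findings, session_start = [], None
    for ev in sorted(events, key=lambda e: e.time):
        name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if any(tool in name for tool in REMOTE_TOOLS):
            session_start = session_start or ev.time  # first tool launch opens the session
            findings.append((ev.time, "remote_tool", name))
            continue
        in_session = session_start is not None and ev.time - session_start <= SESSION_WINDOW
        for label, pat in THEATRE:
            if pat.search(ev.cmdline):
                findings.append((ev.time, "theatre" if in_session else "theatre_no_session", label))
        for label, pat in LOCKOUT:
            if pat.search(ev.cmdline):
                findings.append((ev.time, "lockout", label))
    return findings

def verdict(findings):
    kinds = {k for _, k, _ in findings}
    if "remote_tool" in kinds and "lockout" in kinds:
        return "critical"  # remote session followed by a lockout attempt
    if "remote_tool" in kinds and len({d for _, k, d in findings if k == "theatre"}) >= 2:
        return "high"  # remote session plus scripted "diagnostics"
    return "medium" if kinds else "none"

# Constructed sample session following the article's narrative.
SAMPLE_LOG = r"""
2024-03-05T10:02:11|DESKTOP-7\ann|C:\Users\ann\Downloads\AnyDesk.exe|AnyDesk.exe
2024-03-05T10:04:30|DESKTOP-7\ann|C:\Windows\System32\cmd.exe|cmd.exe /c tree C:\
2024-03-05T10:06:02|DESKTOP-7\ann|C:\Windows\System32\cmd.exe|cmd.exe /c echo SECURITY BREACH ... TROJANS FOUND
2024-03-05T10:07:45|DESKTOP-7\ann|C:\Windows\System32\cmd.exe|cmd.exe /c assoc
2024-03-05T10:09:10|DESKTOP-7\ann|C:\Windows\System32\NETSTAT.EXE|netstat -an
2024-03-05T10:21:55|DESKTOP-7\ann|C:\Windows\System32\net.exe|net user ann Xq9!secret
"""
```

Running `verdict(analyze(parse_log(SAMPLE_LOG)))` on the constructed session yields "critical"; a lone netstat with no remote tool in the window is only "medium", which keeps ordinary admin activity out of the critical bucket.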
Microsoft commissioned a survey by YouGov across 16 countries in July 2021 to research tech support scams and their impact on consumers. The survey found that approximately 60% of consumers who participated had been exposed to a technical support scam within the last 12 months. [16] Victims reported losing an average of 200 USD to the scammers and many faced repeated interactions from other scammers once they had been successfully scammed. [16] Norton named technical support scams as the top phishing threat to consumers in October 2021, having blocked over 12.3 million tech support scam URLs between July and September 2021. [55]
Legal action has been taken against some companies carrying out technical support scams. [56] In December 2014, Microsoft filed a lawsuit against a California-based company operating such scams for "misusing Microsoft's name and trademarks" and "creating security issues for victims by gaining access to their computers and installing malicious software, including a password grabber that could provide access to personal and financial information". [57] In December 2015, the state of Washington sued the firm iYogi for scamming consumers and making false claims in order to scare the users into buying iYogi's diagnostic software. [58] iYogi was also accused of falsely claiming that they were affiliated with Microsoft, Hewlett-Packard and Apple. [59]
In September 2011, Microsoft dropped gold partner Comantra from its Microsoft Partner Network following accusations of involvement in cold-call technical-support scams. [60] However, the ease with which companies that carry out technical support scams can be launched makes it difficult to prevent tech support scams from taking place. [61]
Major search engines such as Bing and Google have taken steps to restrict the promotion of fake technical support websites through keyword advertising. [62] [63] Microsoft-owned advertising network Bing Ads (which services ad sales on Bing and Yahoo! Search engines) [64] amended its terms of service in May 2016 to prohibit the advertising of third-party technical support services or ads claiming to "provide a service that can only be provided by the actual owner of the products or service advertised". [62] [63] Google announced a verification program in 2018 in an attempt to restrict advertising for third-party tech support to legitimate companies. [65]
Tech support scammers are regularly targeted by scam baiting, [45] with individuals seeking to raise awareness of these scams by uploading recordings on platforms like YouTube, to cause scammers inconvenience by wasting their time, and to protect potential victims. A good example of this is the YouTube community Scammer Payback. [66] [67]
Advanced scam baiters may infiltrate the scammer's computer, and potentially disable it by deploying remote access trojans, distributed denial of service attacks and destructive malware. [68] Scam baiters may also attempt to lure scammers into exposing their unethical practices by leaving dummy files or malware disguised as confidential information [69] such as credit/debit card information and passwords on a virtual machine, which the scammer may attempt to steal, only to become infected. [45] Sensitive information important to carrying out further investigations by a law enforcement agency may be retrieved, and additional information on the rogue firm may then be posted or compiled online to warn potential victims. [69]
In March 2020, an anonymous YouTuber under the alias Jim Browning successfully infiltrated and gathered drone and CCTV footage of a fraudulent call centre scam operation with the help of fellow YouTube personality Karl Rock. With the aid of the British documentary programme Panorama, a police raid was carried out when the documentary was brought to the attention of assistant police commissioner Karan Goel, [70] leading to the arrest of call centre operator Amit Chauhan, who also operated a fraudulent travel agency under the name "Faremart Travels". [71]
Scam baiting is a form of internet vigilantism primarily used towards advance-fee fraud, IRS impersonation scams, technical support scams, pension scams, and consumer financial fraud.
The SAM Lock Tool, better known as Syskey, is a discontinued component of Windows NT that encrypts the Security Account Manager (SAM) database using a 128-bit RC4 encryption key.
Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.
Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Microsoft Windows Malicious Software Removal Tool (MSRT) is a freeware second-opinion malware scanner that Microsoft's Windows Update downloads and runs on Windows computers each month, independent of the installed antivirus software. First released on January 13, 2005, MSRT does not offer real-time protection. It scans its host computer for specific, widespread malware, and tries to eliminate the infection. Outside its monthly deployment schedule, it can be separately downloaded from Microsoft.
A computer virus hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know, but it can also be in the form of a pop-up window.
Voice phishing, or vishing, is the use of telephony to conduct phishing attacks.
The Client/Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem. In modern versions of Windows, it is primarily involved with process and thread management, console window handling, side-by-side assembly loading and the shutdown process. Historically, it had also been responsible for window management and graphics rendering; however, these operations have been moved to kernel mode starting with Windows NT 4.0 to improve performance.
Telemarketing fraud is fraudulent selling conducted over the telephone. The term is also used for telephone fraud not involving selling.
In computing, the term remote desktop refers to a software or operating-system feature that allows a personal computer's desktop environment to be run remotely from one system while being displayed on a separate client device. Remote desktop applications have varying features. Some allow attaching to an existing user's session and "remote controlling", either displaying the remote control session or blanking the screen. Taking over a desktop remotely is a form of remote administration.
Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.
Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.
Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.
Ammyy was a company which created the remote desktop software called Ammyy Admin. It was often used by scammers who cold-call homes to try to gain access to their computer.
Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified version of an older family of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking codes.
AnyDesk is a remote desktop application distributed by AnyDesk Software GmbH. The proprietary software program provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality. AnyDesk is often used in technical support scams and other remote access scams.
Kitboga is the Internet alias of an American Twitch streamer and YouTuber whose content primarily focuses on scam baiting against phone fraud. His channel has over one million followers on Twitch, and his YouTube channel has over three million subscribers.
Jim Browning is the Internet alias of a software engineer and YouTuber from Northern Ireland whose content focuses on scam baiting and investigating call centres engaging in fraudulent activities. Browning cooperates with other YouTubers and law enforcement when they seek his expertise in investigating and infiltrating scam call centers. Browning has published several journalistic exposé videos highlighting the results of his investigations.
An SSA impersonation scam, or SSA scam, is a class of telecommunications scam targeting citizens of the United States by impersonating Social Security Administration employees. SSA scams are typically initiated through pre-recorded messages, or robocalls, that use social engineering to make victims panic and ensure they follow instructions given to them. In 2018, over 35,000 instances of SSA scam robocalls were reported to the Better Business Bureau with over $10 million lost by victims. Approximately 47% of Americans were subject to an SSA scam robocall during a three-month period between mid- to late 2020, and 21% of seniors were subject to at least three robocalls during the same time period.
An overpayment scam, also known as a refund scam, is a type of confidence trick designed to prey upon victims' good faith. In the most basic form, an overpayment scam consists of a scammer claiming, falsely, to have sent a victim an excess amount of money. The scammer then attempts to convince the victim to return the difference between the sent amount and the intended amount. This scam can take a number of forms, including check overpayment scams and online refund scams.