How Do Tech Support Scams Happen?

Tech support fraud involves criminals claiming to provide technical support to fix problems that don’t exist. Their methods include placing calls, sending pop-ups, displaying misleading lock screens, and sending emails to entice users to accept fraudulent tech support services. Users should NOT give control of their computers or mobile devices to any stranger offering to fix problems. Let’s look more closely at a couple of the most popular types of tech support scams.

Phone Tech Support Scams

How do phone tech support scams happen? Well, first, the phone rings. Usually, the caller ID does not look legit to the recipient, but the recipient answers nonetheless (as I explained last month in retelling a story about my dad). The tech support imposters (scammers) who call may pretend to be computer support technicians from a well-known or recognizable company that people trust, such as Microsoft or Apple. The scammer will say that their company has found a problem with your computer. You will be asked to give the scammer remote access to your device while the company runs “a diagnostic test to fix the issue” – as in the case of my dad, who was scammed recently.

If the fraudster is able to install software on your computer as a result of your interactions, that software might provide false reports stating that everything is working correctly and that the viruses have been removed. However, unbeknownst to you, the installed software can be used to track what you access on your computer or to gather information about you to steal your identity. It may also download malicious software (malware) to your computer.

If you receive a phone call that you aren’t expecting from someone who claims there is a problem with your computer, hang up.

If you don’t hang up, here’s what could happen next:

Once you log in and the tech support imposter has access to your computer, that scammer can install malware so they can steal your login credentials to websites you frequent, such as your financial institutions, utilities, tax sites, email, etc. Your login credentials provide access to valuable information that fraudsters can use to steal both your funds and your identity.

Tech support imposters usually will demand payment to fix the nonexistent “issue” and often require payment for their “services” via gift cards, by using a person-to-person transfer app (like Venmo, Zelle, etc.), or by wiring money. Fraudsters prefer these payment methods as they deliver your money into the fraudster’s hands almost instantly.

Scammers Using Pop-Up Messages, Links in Email Messages

Have you ever seen a weird-looking window pop up on your computer? It might be linked to fraudsters. They will try to lure you in with a pop-up window or notification on your computer screen or mobile device, and they will disguise themselves as agents from well-known companies. Just as with the phone call scams, to appear legitimate, they will steal or fake a renowned company’s name, logo, and branding.

Fraudsters usually lure victims in one of two ways: (1) by using scare tactics such as presenting alarming error messages on your screen that warn of security issues on your computer, or (2) by using enticements such as notifying you that you have won a prize or the lottery. The messages require you to click on a link, install a program or application, or call a phone number to get help or redeem the prize.

If you receive an unsolicited call or pop-up on your computer, what should you do? First, do not provide any information or click on links provided in emails. Instead, update your computer’s existing security software and run a scan. Schedule both the updates and scans to automatically run periodically. If you continue to experience similar pop-up messages, turn the computer off and disconnect it from the internet until you or a trusted computer repair company can resolve your computer’s potential virus infection.

How to Avoid Being a Victim

Below are some tips from CISA, the Cybersecurity and Infrastructure Security Agency:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are confident of a person’s authority to have the information.
  • Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don’t send sensitive information online before checking a website’s security. (See Protecting Your Privacy for more information.)
    • Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with “https”—an indication that sites are secure—rather than “http.”
    • Look for a closed padlock icon—a sign your information will be encrypted.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is available online from groups like the Anti-Phishing Working Group. (See the APWG eCrime Research Papers.)
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls for Home and Small Office Use, Protecting Against Malicious Code, and Reducing Spam for more information.)
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Enforce multi-factor authentication (MFA). (See Supplementing Passwords for more information.)

Laurie Head is the owner of AIS Network.