A technical support scam, or tech support scam, is a type of scam in which a scammer claims to offer a legitimate technical support service. Victims contact scammers in a variety of ways, often through fake pop-ups resembling error messages or via fake "help lines" advertised on websites owned by the scammers. Technical support scammers use social engineering and a variety of confidence tricks to persuade their victim of the presence of problems on their computer or mobile device, such as a malware infection, when there are no issues with the victim's device. The scammer will then persuade the victim to pay to fix the fictitious "problems" that they claim to have found. Payment is made to the scammer via gift cards or cryptocurrency, which are hard to trace and have few consumer protections in place. Technical support scams have occurred as early as 2008. A 2017 study of technical support scams found that of the IPs that could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica. Research into tech support scams suggests that Millennials and Gen Z have the highest exposure to such scams; however, senior citizens are more likely to fall for these scams and lose money to them. Technical support scams were named by Norton as the top phishing threat to consumers in October 2021; Microsoft found that 60% of consumers who took part in a survey had been exposed to a technical support scam within the previous twelve months. Responses to technical support scams include lawsuits brought against companies responsible for running fraudulent call centres and scam baiting.
A 2017 study of technical support scams published at the NDSS Symposium found that, of the tech support scams in which the IPs involved could be geolocated, 85% could be traced to locations in India, 7% to locations in the United States and 3% to locations in Costa Rica.[12] India has millions of English speakers who are competing for relatively few jobs. One municipality had 114 jobs and received 19,000 applicants.[13] This high level of unemployment serves as an incentive for tech scamming jobs, which are often well-paid.[14] Additionally, scammers exploit the levels of unemployment by offering jobs to people desperate to be employed.[13] Many scammers do not realise they are applying and being trained for tech support scam jobs,[15] but many decide to stay after finding out the nature of their job as they feel it is too late to back out of the job and change careers.[15] Scammers are forced to choose between keeping their job or becoming jobless.[13] Some scammers convince themselves that they are targeting wealthy people that have money to spare, which justifies their theft,[15] whilst others see their job as generating "easy money".[14][15] Some scammers rationalize that the victim needs an anti-virus anyway and therefore, it is acceptable to tell the victim lies and charge them for technical support or to charge them for an anti-virus.
Technical support scams rely on social engineering to persuade victims that their device is infected with malware.[16][17] Scammers use a variety of confidence tricks to persuade the victim to install remote desktop software, with which the scammer can then take control of the victim's computer. With this access, the scammer may then launch various Windows components and utilities (such as the Event Viewer), install third-party utilities (such as rogue security software) and perform other tasks in an effort to convince the victim that the computer has critical problems that must be remediated, such as infection with a virus. Scammers target a variety of people, though research by Microsoft suggests that millennials (defined by Microsoft as age 24-37) and people part of generation Z (age 18-23) have the highest exposure to tech support scams and the Federal Trade Commission has found that seniors (age 60 and over) are more likely to lose money to tech support scams.[18][19] The scammer will urge the victim to pay so the "issues" can be fixed.[1][20][21]
A Recent Changes page from a MediaWiki site affected by technical support scammers promoting fake "help lines"
Technical support scams can begin in a variety of ways. Some variants of the scam are initiated using pop-up advertising on infected websites or via cybersquatting of major websites. The victim is shown pop-ups which resemble legitimate error messages such as a Blue screen of death[22][23][24] and freeze the victim's web browser.[25][26] The pop-up instructs the victim to call the scammers via a phone number to "fix the error". Technical support scams can also be initiated via cold calls. These are usually robocalls which claim to be associated with a legitimate third party such as Apple Inc.[27][20] Technical support scams can also attract victims by purchasing keyword advertising on major search engines for phrases such as "Microsoft support". Victims who click on these adverts are taken to web pages containing the scammer's phone numbers.[28][29] In some cases, mass emailing is used. The email tends to state that a certain product has been purchased using the recipient's Amazon account and to tell them to contact a certain telephone number if this is an error.
Once a victim has contacted a scammer, the scammer will usually instruct them to download and install a remote access program such as TeamViewer, AnyDesk, LogMeIn or GoToAssist.[22][30] The scammer convinces the victim to provide them with the credentials required to initiate a remote-control session, giving the scammer complete control of the victim's desktop.[1] The scammer will not tell the victim that they are using remote control software and that the purpose is to gain access to the victim's PC. The scammer will say "this is for connecting you to our secure server" or "I am going to give you a secure code", which in reality is just an ID number used by the remote desktop software package.
After gaining access, the scammer attempts to convince the victim that the computer is suffering from problems that must be repaired. They will use several methods to misrepresent the content and significance of common Windows tools and system directories as evidence of malicious activity, such as viruses and other malware.[22] These tricks are meant to target victims who may be unfamiliar with the actual uses of these tools, such as inexperienced users and senior citizens.[1][27][31] The scammer then coaxes the victim into paying for the scammer's services and/or software, which they claim is designed to "repair" or "clean" the computer but is either malicious or simply does nothing at all.[32]
The scammer may open Windows' Event Viewer, which displays a logfile of various events for use by system administrators to troubleshoot problems. Although many of the log entries are relatively harmless notifications, the scammer may claim that the log entries labeled as warnings and errors are evidence of "system corruption" that must be "fixed" for a fee.[20][33]
The scammer may show system folders that contain unusually named files to the victim, such as those in Windows' Prefetch and Temp folders, and claim that the files are evidence of malware on the victim's computer. The scammer may also open some of these files in Notepad, wherein binary file contents are rendered as mojibake. The scammer claims that malware has corrupted these files, causing the unintelligible output. In reality, the files in Prefetch are typically harmless, intact binary files used to speed up certain operations.[33]
The scammer may falsely claim that normally disabled Windows services should not be disabled and that these services were disabled due to a computer virus.[20]
The scammer may misuse Command Prompt tools to generate suspicious-looking output, for instance using the tree or dir /s command which displays an extensive listing of files and directories. The scammer may claim that they are "searching for malware and hackers", and while the tool is running the scammer will enter text purporting to be an error message (such as "ECHO security breach ... trojans found") that will appear when the job finishes, or will open a text file with such claims in Notepad or Word.[20]
The scammer may misrepresent innocuous values and keys that are stored in the Windows Registry as being signs of malware.[20]
The "Send To" Windows function is associated with a globally unique identifier. The output of the command assoc, which lists all file associations on the system, displays this association with the line ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}; this GUID is the same on all recent versions of Windows. The scammer may claim that this is a unique ID used to identify the user's computer, before reading out the identifier to "verify" that they are a legitimate support company with information on the victim's computer, or claim that the CLSID listed is actually a "Computer Licence Security ID" that must be renewed.[34][35][36]
The scammer may claim that the alleged "problems" are the result of expired hardware or software warranties and then coax the victim into paying for a nonsensical and fraudulent "renewal service".[33][37]
The scammer may block the victim from viewing their screen, claiming that it is the result of malware or of a scan being run, and use this time to search the victim's files for sensitive information, attempt to break into the victim's bank account with stolen or found credentials or activate the webcam and see the victim's face.[38]
The scammer may run the command line tool known as netstat, which shows local and foreign IP addresses. The scammer then tells the victim that these addresses belong to foreign hackers that have gained access to their network.[39][40][41]
The scammer may claim that legitimate Windows processes such as rundll32.exe are viruses. Often, the scammer will search Google or Yahoo for an article about RUNDLL32.EXE and will scroll to a section saying that the process name can also possibly be part of a malware infection, even though the victim's computer does not contain malware.[20]
The preferred method of payment in a technical support scam is via gift cards.[42] Gift cards are favoured by scammers because they are readily available to buy and have fewer consumer protections in place that could allow the victim to reclaim their money. Additionally, the usage of gift cards as payment allows the scammers to extract money quickly whilst remaining anonymous.[43][44] Tech support scammers have also been known to ask for payment in the form of cryptocurrency, cheques and direct bank transfers made through automated clearing house (the latter only gives victims 60 days to recover their funds).[45]
If a victim refuses to follow the scammer's instructions or to pay them, scammers have been known to resort to insulting[46] and threatening[47][48] their victim to procure payment. Scammers may also resort to bullying, coercion, threats and other forms of intimidation and psychological abuse towards their target in an effort to undermine the victim's ability to think clearly, making them more likely to be forced further into the scam.[49] Crimes threatened to be inflicted on victims or their families by scammers have ranged from theft, fraud and extortion,[50] to serious crimes such as rape[51] and murder.[46] Canadian citizen Jakob Dulisse reported to CBC in 2019 that, upon asking a scammer who made contact with him as to why he had been targeted, the scammer responded with a death threat; 'Anglo people who travel to the country' (India) were 'cut up in little pieces and thrown in the river.'[47][52] Scammers have also been known to lock uncooperative victims out of their computer using the syskey utility (present only in Windows versions previous to Windows 10)[53] or third party applications which they install on the victim's computer,[50][54][55] and to delete documents and/or programs essential to the operation of the victim's computer if they do not receive payment.[33] On Windows 10 and 11, since Microsoft removed the syskey utility, scammers will change the user's account password. The scammer will open the Control Panel, go into user settings and click on change password, and the scammer will ask the user to type their password in the old password field. The scammer will then create a password that only the scammer knows and will reboot the computer. The user won't be able to log into their PC unless they pay the scammer.
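The lockout described above leaves a recognisable sequence in Windows logs: a remote access program starts, and shortly afterwards syskey runs or an account password is changed. The following detection logic is an added example, not part of the original article; the event tuples are constructed, and the executable names, the two-hour window and the use of Security event IDs 4688 (process creation, which requires process auditing to be enabled), 4723 and 4724 (password change and reset) are assumptions of the example.

```python
from datetime import datetime, timedelta

# Remote access programs named in the article (executable names are assumptions).
REMOTE_TOOLS = ("teamviewer", "anydesk", "logmein", "gotoassist")
PASSWORD_EVENTS = {4723, 4724}   # password change attempt / password reset attempt
WINDOW = timedelta(hours=2)      # assumed correlation window

# Constructed sample events: (timestamp, host, event_id, process image or "")
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "PC-A", 4688, r"C:\Users\kim\Downloads\AnyDesk.exe"),
    ("2024-05-01T10:20:00", "PC-A", 4688, r"C:\Windows\System32\cmd.exe"),
    ("2024-05-01T10:45:00", "PC-A", 4723, ""),
    ("2024-05-01T09:00:00", "PC-B", 4723, ""),   # password change, no remote tool
    ("2024-05-01T11:00:00", "PC-C", 4688, r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ("2024-05-01T11:30:00", "PC-C", 4688, r"C:\Windows\System32\syskey.exe"),
    ("2024-05-01T08:00:00", "PC-D", 4688, r"C:\Tools\LogMeIn.exe"),
    ("2024-05-01T15:00:00", "PC-D", 4724, ""),   # outside the window
]

def _basename(image):
    return image.lower().rsplit("\\", 1)[-1]

def is_remote_tool(event_id, image):
    return event_id == 4688 and _basename(image).startswith(REMOTE_TOOLS)

def is_lockout(event_id, image):
    # Either a password change/reset, or syskey.exe being launched.
    return event_id in PASSWORD_EVENTS or (
        event_id == 4688 and _basename(image) == "syskey.exe")

def find_lockouts(events, window=WINDOW):
    """Return (host, tool_image, lockout_time) for every lockout action that
    follows a remote access tool launch on the same host within `window`."""
    last_tool = {}   # host -> (start time, image) of the most recent tool launch
    alerts = []
    for ts, host, event_id, image in sorted(events):   # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if is_remote_tool(event_id, image):
            last_tool[host] = (when, image)
        elif is_lockout(event_id, image) and host in last_tool:
            started, tool = last_tool[host]
            if when - started <= window:
                alerts.append((host, tool, ts))
    return alerts

if __name__ == "__main__":
    for alert in find_lockouts(SAMPLE_EVENTS):
        print(alert)
```

A password change on its own (PC-B) and one long after the remote session (PC-D) are not flagged; only the ordered pair on one host is.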
Microsoft commissioned a survey by YouGov across 16 countries in July 2021 to research tech support scams and their impact on consumers. The survey found that approximately 60% of consumers who participated had been exposed to a technical support scam within the last 12 months.[17] Victims reported losing an average of 200 USD to the scammers and many faced repeated interactions from other scammers once they had been successfully scammed.[17] Norton named technical support scams as the top phishing threat to consumers in October 2021, having blocked over 12.3 million tech support scam URLs between July and September 2021.[56]
Legal action has been taken against some companies carrying out technical support scams.[57] In December 2014, Microsoft filed a lawsuit against a California-based company operating such scams for "misusing Microsoft's name and trademarks" and "creating security issues for victims by gaining access to their computers and installing malicious software, including a password grabber that could provide access to personal and financial information".[58] In December 2015, the state of Washington sued the firm iYogi for scamming consumers and making false claims in order to scare the users into buying iYogi's diagnostic software.[59] iYogi was also accused of falsely claiming that they were affiliated with Microsoft, Hewlett-Packard and Apple.[60]
In September 2011, Microsoft dropped gold partner Comantra from its Microsoft Partner Network following accusations of involvement in cold-call technical-support scams.[61] However, the ease with which companies that carry out technical support scams can be launched makes it difficult to prevent tech support scams from taking place.[62]
Major search engines such as Bing and Google have taken steps to restrict the promotion of fake technical support websites through keyword advertising.[63][64] Microsoft-owned advertising network Bing Ads (which services ad sales on Bing and Yahoo! Search engines)[65] amended its terms of service in May 2016 to prohibit the advertising of third-party technical support services or ads claiming to "provide a service that can only be provided by the actual owner of the products or service advertised".[63][64] Google announced a verification program in 2018 in an attempt to restrict advertising for third-party tech support to legitimate companies.[66]
Tech support scammers are regularly targeted by scam baiting,[46] with individuals seeking to raise awareness of these scams by uploading recordings on platforms like YouTube, cause scammers inconvenience by wasting their time and protect potential victims. A good example of this is the YouTube community Scammer Payback.[67][68]
Advanced scam baiters may infiltrate the scammer's computer, and potentially disable it by deploying remote access trojans, distributed denial of service attacks and destructive malware.[69] Scam baiters may also attempt to lure scammers into exposing their unethical practices by leaving dummy files or malware disguised as confidential information[70] such as credit/debit card information and passwords on a virtual machine, which the scammer may attempt to steal, only to become infected.[46] Sensitive information important to carrying out further investigations by a law enforcement agency may be retrieved, and additional information on the rogue firm may then be posted or compiled online to warn potential victims.[70]
In March 2020, an anonymous YouTuber under the alias Jim Browning successfully infiltrated and gathered drone and CCTV footage of a fraudulent call centre scam operation through the help of fellow YouTube personality Karl Rock. Through the aid of the British documentary programme Panorama, a police raid was carried out when the documentary was brought to the attention of assistant police commissioner Karan Goel,[71] leading to the arrest of call centre operator Amit Chauhan who also operated a fraudulent travel agency under the name "Faremart Travels".[72]
Miramirkhani, Najmeh; Starov, Oleksii; Nikiforakis, Nick (February 27, 2017). Dial One for Scam: A Large-Scale Analysis of Technical Support Scams. NDSS Symposium 2017. San Diego: Internet Society. pp. 1–15. arXiv:1607.06891. doi:10.14722/ndss.2017.23163.
Harley, David (November 30, 2011). "Support-Scammer Tricks". WeLiveSecurity. ESET. Archived from the original on December 25, 2014. Retrieved November 15, 2014.