Tech support scams are on the rise. Clients get tricked by a phone call, a pop-up or a search engine ad. Once they’re on the phone with the scammer, they’re convinced something is wrong with their computer. Eventually, they’ll rely on you to clean up the mess. Each situation will be a little different, but here’s a general guide.
Most clients who call your business realize they’ve been scammed. After all, if they thought the scammers were legitimate they wouldn’t be calling you. They’d rely on the fake tech support company.
Occasionally, we’ve found clients who don’t realize they’re a victim. When we see remote control software like TeamViewer running, we’ll confirm they know what the program does and why it’s there. Other times, the client makes a very specific tech support request like “I have a problem with my IP address” or “my event viewer shows a problem.” In these cases, we’ll ask what led them to the problem. Scam victims will tell us they got a phone call from Microsoft or their ISP.
Victims of scams feel both ashamed and guilty that this happened. They feel they should have known better and should have detected the scam earlier. Sometimes they’ll even take it out on you: how did you let this happen to the computer?
Explain to the client that these scammers are part of a large-scale operation optimized to take advantage of people. Helpful links from the FTC and Microsoft show this is a widespread and ongoing problem. The client needs reassurance that they did nothing wrong, even if they made an error in judgement.
Once you calm the client, try to figure out the details of what happened and if they need a service call. If the client got a phone call, pop-up or email and didn’t act on it, they’re probably fine. I don’t like victimizing the client further here. If they didn’t do anything to the computer and didn’t give control to another company, the client’s computer should be fine.
Even if the scammer asked the client to check an event log or type a few commands at a command prompt, I don’t think you need to do a service call. Absent any other symptoms or action, the client made no changes to the computer. Do ask exactly what was typed, though: a command the scammer dictates can download and launch a remote-access tool, and that counts as giving control. There are other reasons you may want to visit the client, but this alone is not a sufficient reason.
I recommend a service call (either on-site or remote) in three scenarios where the client:
In all three cases, you need to determine if the scammers did any damage to the computer or the client’s security.
When you look at the computer, the first thing to look for is any remote control software running. Since these tools aren’t malware, you can’t rely on a malware scanner to flag them. Look at what’s running in the background or system tray, and at services and startup entries, not just the installed-programs list. Sometimes the fake companies use TeamViewer, but other times it’s a run-once or browser-based session tool that doesn’t leave any installed software behind.
After you’ve shut down any potential remote control clients installed by the fake tech support people, retrace the steps of the scammer. Look through the client’s recent browser history (some scammers clear the history) and interview the client about what sites they went to during the scammer’s phone call. If they accessed any password-protected websites, you’ll need to change those passwords after you fix the system; changing them before cleanup just hands the new ones to any keylogger still running.
Before you run the malware scan, check for any recently installed programs. Even if the program seems legitimate, I’d remove it if it was added during the call. It could be a trojanized copy of a popular program. I wouldn’t trust anything installed by these fake support companies.
Then go ahead and run your standard malware removal procedures. Even if you don’t see any outward symptoms of an infection, you never know what these bad people installed on your client’s system behind the scenes. A keylogger or remote-access trojan won’t show any obvious symptoms.
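As an added example (my own code, not part of the original post), the following PowerShell script automates the first pass of the service call just described: running remote-control tools and services, programs installed since the call, persistence in the Run keys and scheduled tasks, and whether an event log was cleared. The article only names TeamViewer; the other tool names in the list, the 14-day default window, and the elevated-prompt assumption are mine. Security event 1102 and System event 104 are the records Windows writes when a log is cleared.

```powershell
# Added example, not from the original article: post-scam triage on a Windows PC.
# Run from an elevated PowerShell prompt (assumed). Adjust -CallTime to when the
# scam call actually happened; the 14-day default is an assumption.
param(
    [datetime]$CallTime = (Get-Date).AddDays(-14)
)

# 1. Remote-control tools. TeamViewer is the one the article names; the rest are
#    other common remote-support tools a scammer could have used (assumed list).
$remoteTools = 'TeamViewer', 'AnyDesk', 'LogMeIn', 'GoToAssist', 'Supremo',
               'UltraViewer', 'ScreenConnect', 'ConnectWise', 'Ammyy', 'AeroAdmin'
$pattern = ($remoteTools | ForEach-Object { [regex]::Escape($_) }) -join '|'

Write-Host "== Running processes that look like remote-control software =="
Get-Process |
    Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern } |
    Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize

Write-Host "== Services that look like remote-control software =="
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 2. Programs installed since the call. InstallDate in the Uninstall keys is a
#    yyyyMMdd string and is missing or malformed for some entries, so those are
#    listed with a blank date rather than silently dropped.
Write-Host "== Programs installed on or after $($CallTime.ToString('yyyy-MM-dd')) (or with no install date) =="
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            try { $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } catch { }
        }
        [pscustomobject]@{
            Name        = $_.DisplayName
            Publisher   = $_.Publisher
            InstallDate = $installed
            Uninstall   = $_.UninstallString
        }
    } |
    Where-Object { $null -eq $_.InstallDate -or $_.InstallDate -ge $CallTime.Date } |
    Sort-Object InstallDate -Descending | Format-Table -AutoSize

# 3. Persistence the scammer may have added: Run keys and tasks registered since the call.
Write-Host "== Run-key entries (review anything unfamiliar) =="
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Format-List

Write-Host "== Scheduled tasks registered since the call =="
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $CallTime } |
    Select-Object TaskName, TaskPath, Author, Date | Format-Table -AutoSize

# 4. Event-log clearing. A scammer who walked the client through Event Viewer,
#    or ran a "cleanup" script, may have cleared logs. Windows records the
#    clearing itself as Security 1102 and System 104, so these survive.
Write-Host "== Event-log clearing recorded since the call =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $CallTime } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $CallTime } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Nothing here is a substitute for the malware scan; the script only surfaces what a scanner will not flag because it is legitimate software or a configuration change. Treat any match as a lead to investigate and remove, and save the output with the ticket, since a written list of what was found is useful later if the client disputes the charge.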
While you don’t want to take advantage of a client in a difficult situation, at this point in the service call it’s a good idea to discuss security. I recommend reviewing the security software on the system and password procedures. If the client fell for the scam, that means they didn’t trust (or didn’t understand) the security software already on the system, so it’s time to review it. I’ll also position a backup solution at this point.
When you’re on-site, the client’s guilt and embarrassment will often show through. The more damage that’s done to the system, the more frustrated they get. They’ll need that reassurance again from step one.
The ultimate goal of these tech support scams is to convince the victim to buy some overpriced product or service. If the client paid, they’ll need to contact their bank or credit card company and dispute the charges. The client needs to do this right away, because financial institutions only accept disputes within a limited window. If it’s the same day, the charge might not even show up on the client’s bank statement yet. You might have to fill out an affidavit or write a statement on behalf of the client that the product or service the client bought isn’t legitimate.
On rare occasions, clients don’t want to dispute the charge. They’re embarrassed or too busy to fight the charge. I don’t like my clients wasting money, so I’ll strongly encourage them to start a chargeback. We don’t want these tech support companies to be rewarded for what they did to your client.
I also recommend contacting the Consumer Affairs Division of the Attorney General (or your jurisdiction’s equivalent) and the Federal Trade Commission (or country equivalent). These agencies can’t intervene in individual cases, but they do track trends. Filing a report also lets the client feel they did something to help law enforcement act against these people.
If the financial institution won’t reverse the charges, check with homeowner’s or business insurance. They’ll sometimes reimburse losses due to fraud.
If you’ve got a good relationship with your clients, they’re less likely to fall for the scams. If they have a question about the computer, they should call you, after all! The latest wrinkle on this scam (and it happened to one of my clients) is that the fake caller pretends to be your company. The scammer finds out who the top computer repair search result is in an area and calls pretending to be that company. In my client’s case, they couldn’t understand the accent of the caller, so that worked in my favor.
Don’t assume the caller will be foreign. Tech support scams now also originate in the United States, and the person calling often doesn’t even know they’re part of a scam. They’re just reading from a script and out to make a sale.
The best way to stop these scams is to educate your clients. It’s a great opportunity to contact them and remind them you’re the person they go to for computer problems. Explain to the client what to do when they get these calls:
The most powerful tool you have to prevent these problems is training your clients. They should call you instead of trusting an ad, a phone call or a search engine result. That tool isn’t foolproof, so these procedures should clean up the mess when it fails. Feel free to leave your own suggestions or tech support scam stories in the comments.
Written by Dave Greenbaum
The first thing we do is determine if they have given their credit or debit card details to the scammers. If they have, we suggest that they contact their bank as a matter of urgency, as we have known the scammers to withdraw vast sums of money from victims’ accounts. Once they have contacted their bank, then we deal with the PC issues.
That’s exactly our response over the phone. Even in cases where they didn’t provide a card number, we always look at the PC. We haven’t seen a case yet where they didn’t have malware. After all, that popup with the urgent message and phone number came from somewhere. Additionally, we find that customers often don’t reveal the full story over the phone. Once you’re face to face, you can get all the details. There hasn’t been a case yet where the customer DIDN’T have caller ID, so we school them about using that technology to the fullest.
Those ads can come from legitimate sites even without an infected computer (Mac or PC).
For our existing customer base, we employ Adblock Plus, so it makes it easy to distinguish if the source of the number is an invading application. If it’s a new customer, we’re on our way to retrieve the machine very quickly. In fact, they usually haven’t finished alerting their financial institutions before we arrive on site. Once the machine is in the shop, no Internet access is granted until we’ve utilized numerous removal applications. The process has served us well for nearly 16 years. Thus far, the worst case involved a new customer whose family members received irritating phone calls from the same group that was granted remote access by our customer.
You might reconsider that approach in some cases. If the scammer finds out that the charge was reversed, they might try to remotely lock the computer. It’s happened a few times.
I’ve seen them drop the Poweliks rootkit on several systems where the victim/client allowed them to remote-control the system. In case you haven’t heard of it, the code for this rootkit is hidden in an invalid registry key which will be missed by most AV scans. Malwarebytes Anti-Rootkit should find it though. Also run Crowd Inspect to check for any bad/injected DLL connections. I also mandate (not recommend) that they change all passwords after you have found an infection. I’ve seen some success in getting my clients to dispute the credit card charge after providing a detailed statement of infections found/work done. You might not be able to prove that they installed malware, but you can definitely verify that you removed infections after their supposed “repair”, thus proving that the promised service was not delivered.
Our customers have had success in disputing charges also. We provide a list of dos and don’ts for all customers. It states that a change of passwords is strongly advised once the clean PC is returned.
For those that want to know more about how the scammers get in… Carey did a great video on this… quite informative. https://www.youtube.com/watch?v=GVQoAlQrnSg
One client recently had this happen. Had an email telling him he had problems. Searched and found Yahoo Helpline, or something like that.
Called them and before he knew it had paid out £360 (about £550) before he finished the call. They charged him £240 for ‘fixing’ the computer remotely and then another £120 for their ‘special software’ that he had to run every time he had a problem.
The ‘special software’ was a .bat file that cleared the event logs, that’s all, nothing more.
He tried doing a charge back but as he had been billed through a third party, his credit card company couldn’t refund him as the third party company had not done anything wrong.
Even after explaining to him that he had been double scammed he still didn’t believe me. After some pondering and another phone call he contacted me and I removed all malware, remote software etc.