How tech support scams work
Cold calls from fake Microsoft (etc) agents
The scam is straightforward: pretend to be calling from Microsoft, gain remote control of the machine, trick the victim with fake error reports, and collect the money.
If you ever get a call out of the blue from a "Microsoft" or "Windows" tech support agent, the best thing to do is simply hang up. Scammers like to use VoIP technology so that their actual number and location stay hidden. Their calls are almost free, which is why they can do this 24/7.
As per Microsoft:
“You will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes.”
Toll-Free Numbers (TFN) for fraudulent tech support companies
Located in India but also in the US, these companies advertise heavily on popular search engines and on high-traffic websites. People call them for assistance and get fooled with the same techniques the cold callers use.
Another source of victims is existing customers, or customers referred by a parent company. The remote technician upsells a customer who only called in to activate their software, and who ends up forking over hundreds of dollars for "Windows support".
Fake pop-ups claiming your computer is infected (reminiscent of FakeAV) are used by scammers to reel in victims.
If you decide to call in for remote computer assistance, you need to be very careful about which company you are going to deal with. Simply picking the top ad on a search results page could end very badly.
Unfortunately, a company or technician being based in the US is no guarantee of honest service. Many businesses in the US use dirty tricks to take advantage of people, with the unsavvy and the elderly as their prime targets.
If you don't feel comfortable doing this online, brick-and-mortar computer repair shops are a good alternative.
The ‘technician’ requests remote access to your computer (that is, control of it) and may use one of the following programs. Note that these applications are perfectly legitimate; however, remember that if you run remote login software you are effectively giving a complete stranger total control of your computer.
A method that has been gaining popularity with tech support scammers is to spread malware whose sole purpose is to lock users out of their own computer. We call this type of malware screenlockers, and the installers are detected as Trojan.TechSupportScam. They may look like a BSOD (Blue Screen Of Death) or like a warning that you are using illegal software (asking for a registration key). The malware is offered as part of a bundle or posing as an installer for something else.
The ones that look like a BSOD usually display a telephone number that belongs to the scammers' outfit. Once you call that number they will tell you a trick to get rid of the BSOD in order to gain your trust, but of course the trick was built into the program for exactly that reason.
The type asking for a registration number usually has a telephone number as well, but often also comes with a few links that open sites for popular remote assistance/desktop software such as TeamViewer, LogMeIn, Ammyy Admin, Supremo, and others. In these cases the scammers will ask you to install that software and give them your access code, so they can "repair" your computer. Selling you overpriced solutions and "service contracts" is obviously the real goal.
If you are interested in some examples, we have blog posts about some of these:
- Tech support scammers using Winlogon
- Tech support scammers get serious with screen lockers
- TechSupportScams And The Blue Screen of Death
- Dodge four tries to escape from being scammed
Should you be confronted with one of these screenlockers, search our forums for the displayed telephone number. With any luck we have already reverse engineered the screenlocker and you can find a removal guide for your particular version among the Malware Removal Self-Help Guides.
Tricks you should look out for
Once logged into your computer, the remote technician will attempt to trick you by fabricating errors or even viruses on your computer. They like to use the default Windows tools and turn them against you, hoping you'll get scared and follow their directions.
Getting help if you have been scammed
Getting scammed is one of the worst feelings to experience. In many ways you feel violated and are angry at having let your guard down. Perhaps you are even shocked and scared and don't really know what to do next. The following tips will hopefully provide some guidance.
If you already let them in
- Revoke remote access: close the remote control program (if unsure, restart your computer). That should cut the remote session and kick them out of your PC. Since some of these tools install themselves as a service and can reconnect after a reboot, uninstall the program afterwards.
- Scan your computer for malware. The miscreants may have installed password stealers, keyloggers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes Anti-Malware to quickly identify and remove threats.
- Change all your passwords (Windows password, email, banking, etc.), preferably from a computer the scammer never had access to.
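A triage script for the steps above, added here as an example; it is not part of the original article and not a Malwarebytes tool. It assumes a Windows 8 or later machine and an elevated PowerShell prompt, and the list of process-name fragments for the remote tools named in this article is an assumption to extend as needed. It covers the "revoke remote access" step (find running remote-control tools, show their live connections, terminate them) and then lists the persistence points (services, scheduled tasks, Run keys) that would let such a tool reconnect after a reboot. The malware scan and password changes are still done as described above.

```powershell
# Added example, not from the original article: post-scam triage for a Windows
# machine that a "technician" was given remote access to. Run as Administrator.
# Get-NetTCPConnection and Get-ScheduledTask need Windows 8 / Server 2012 or later.

# Assumption: process/service name fragments for the remote tools named in the
# article (TeamViewer, LogMeIn, Ammyy Admin, Supremo). Extend as needed.
$remoteTools = @('TeamViewer', 'LogMeIn', 'LMI', 'AA_v3', 'Ammyy', 'Supremo')

# 1. Find running processes whose name or image path matches a fragment.
$suspects = Get-Process | Where-Object {
    $name = $_.ProcessName
    $path = $_.Path
    @($remoteTools | Where-Object {
        $name -like "*$_*" -or ($path -and $path -like "*$_*")
    }).Count -gt 0
}

if ($suspects) {
    Write-Host "Remote access tools running:" -ForegroundColor Yellow
    $suspects | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

    # 2. Show established connections owned by those processes, so you can see
    #    whether a session to an outside address is open right now.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $suspects.Id -contains $_.OwningProcess } |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort |
        Format-Table -AutoSize

    # 3. Terminate them. This is the "revoke remote access" step; a reboot does
    #    the same thing more crudely.
    $suspects | Stop-Process -Force
    Write-Host "Terminated $($suspects.Count) process(es)." -ForegroundColor Green
} else {
    Write-Host "No known remote access tool is running." -ForegroundColor Green
}

# 4. Persistence: anything below lets the tool come back after a reboot, so
#    disable it or uninstall the program rather than relying on a restart.
$pattern = ($remoteTools -join '|')

Write-Host "`nServices referencing a remote tool:" -ForegroundColor Yellow
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

Write-Host "Scheduled tasks referencing a remote tool:" -ForegroundColor Yellow
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object { $_.Execute }) -match $pattern } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

Write-Host "Run keys referencing a remote tool:" -ForegroundColor Yellow
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $pattern } |
            ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
```

Anything reported under the three persistence headings means a restart alone does not keep the scammer out: stop and disable the service, delete the scheduled task or Run entry, and uninstall the remote control program before changing passwords.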
In some cases (for example if you did not pay, or called them names) scammers will seek revenge on your machine. Here are some things they might try and how to recover from them:
- Master password lockout
There are various ‘hacks’ to reset that password. One method is to boot from a Linux live CD, mount the Windows partition and then use the chntpw utility. It is described here.
- Missing software drivers
First, try to do a System Restore. If that fails, you should be able to reinstall them by going to the manufacturer's website and downloading the appropriate drivers.
- Missing files
First, try to do a System Restore. If it is not available, check for backups you may have made and stored somewhere else. As a last resort, there are programs that can scan your hard drive and attempt to recover the deleted files.
If you already paid
- Contact your financial institution/credit card company to reverse the charges, and keep an eye out for future unwanted charges.
- If you gave them personal information such as your date of birth, Social Security Number, full address, name or maiden name, you may want to consult the FTC's website and report identity theft.