Unlucky Trend Micro customers ensnared in the insider hack at the antivirus company are being bombarded with fake tech support calls seeking access to their computers.

"The first call seemed very legitimate to me," one customer named Rona told PCMag. "I almost fell for it."

Rona, who requested her last name be withheld, was among the estimated 68,000 Trend Micro users who had their names, email addresses, phone numbers, and customer support ticket numbers exposed in the breach. Since August, Trend Micro has been investigating why customers were receiving fake tech support calls and sourced it back to a rogue employee who was selling customer information to an unknown third party.

How the Scam Works

Rona, who is based in Alberta, Canada, said she tried to warn Trend Micro about the potential hack in early October when she received a mysterious call on her cell phone from the scammers. The man, who had an "Indian or Pakistani accent," said he was contacting her on behalf of Trend Micro to report a problem with the company's antivirus software, which she's used for the past decade.

The mysterious man knew Rona's name, as well as how she had recently called Trend Micro's help line to install the company's antivirus software on her mother's computer. He then asked Rona to open an email he had sent, which outlined the steps she needed to take to fix the problem.

"I asked why they were not sending the fix through normal downloads. They said the servers were also infected and that is why they needed to do the fix via email, Rona said. "Since I was at work we decided that they would call me on Saturday, when I would be at my laptop."

If Rona had been at her laptop when the scammer had called, she might have simply followed the man's instructions, assuming the request to be legit. But after the call, she thought the whole story of an infected Trend Micro server was suspicious. "So I phoned Trend Micro (the real company) and they told me it was scam," she said, which caused her to promptly delete the email the mysterious man had sent.

According to Trend Micro, the company's technical support never makes unsolicited phone calls to customers. A call will only be made if it's been pre-scheduled. Nevertheless, many Trend Micro customers are probably unaware of the policy.

Red Flag No. 1: A Valid Support Ticket Number

In Rona's case, the calls from the scammers didn't stop. Mere days after the first call, she received another from a man who also had an Indian accent, but sounded different from the first. Knowing that the man was likely part of the same scheme, Rona attempted to tease out details from the caller.

"Eventually, he realized that I knew that he was scammer," she said. The man then made an alarming proposal. "He said, 'You have a really nice voice. You can pay me money and I'll sleep with you. How much do you want to pay?' Maybe he was trying to get my bank account number. I don't know."

Rona promptly hung up. But the scam calls continued. She remembers receiving a third call from a man who was able to quote a valid Trend Micro customer support ticket number she has received from the company. That's when she began to strongly suspect Trend Micro had a serious breach on its hands.

"I phoned them (the real Trend Micro) and I'm like how did they get my valid ticket number? That's not something you guess. And they just said, 'I'm sorry for the inconvenience," she recounted. "It was pretty obvious to me that an employee was behind this, but I didn't think Trend Micro was treating it seriously."

In the meantime, scammers tried another tactic: bombarding her phone number with robocalls—sometimes three times a day—claiming Trend Micro was going to charge or credit her bank account, and that she need to respond. In all cases, the calls came from different numbers, making them unblockable.

Why No Earlier Warning?

The story from Rona matches the experiences other Trend Micro customers have been reporting to the company.

"I received four phone calls this morning from someone saying they were with TrendMicro and that my account has been auto-renewed for $299.99," wrote one user in Trend Micro's support forums a month ago. "They told me I needed to log in to my computer and they would walk me through it; they told me they could help me get my computer to run faster free of charge."

One customer reports the scammers trying to trick him into visiting a fake login portal for Trend Micro after supplying a valid support ticket. "When it was obvious they were up to no good and would not explain what they were doing, I disconnected my Ethernet cable and hung up," the user wrote in a separate forum post.

Another user reported the scammers wanting bank account numbers on the pretenses of supplying a refund.

So far, Trend Micro has remained mum on what the scammers were after, and if they were trying to install malware on to victims' computers. Whether Trend Micro will cover the costs for victims who fell for the scammers' schemes is also unknown. For now, the company has said it's continuing to investigate the breach with the help of law enforcement. The unnamed employee accused of supplying the customer information has also been terminated.

Earlier this week, Trend Micro sent out emails to affected consumers notifying them about the breach. However, Rona questions why the antivirus vendor didn't warn customers about the threat sooner. Although Trend Micro did issue an advisory about the scam on Sept. 20, it was confined to a post on the company's support site.

"It was really hypocritical of them. They put announcements on their web page about different companies having security problems, but they don't talk about their own," she said. "It feels like they are trying to hide it. There are people like my mother who could have easily fallen for this."

In response to her concerns, Trend Micro's CEO Eva Chen did send an email to Rona apologizing for the breach. "We are taking actions to trace the data flow and collect evidence in an effort to assist shutting down the scammer group," Chen says in the email. "I promise that we have learned from this event and have already begun taking steps to help prevent this type of incident frm happening again."

However, Rona says she's canceled her account with the company.

Further Reading

Security Reviews