Tech support scams are “still big business”, ESET’s David Harley has previously said. In this guide we look at how fraudsters dupe their victims into handing over cash, while also corrupting their devices.

Among many other things, the recent cyberattack on TalkTalk has brought to light another associated threat – tech support scams. Interestingly, as various media reports have revealed, very little is actually known about this sophisticated type of fraud, despite it being a longstanding problem.

The result is that time after time, unsuspecting victims are not only being duped out of their money, they are also having their devices infected and their documents destroyed. Our guide offers an insight into this increasingly topical issue, which was recently discussed in a BBC documentary.

Before the scam, there is data

There is always a backstory to a tech support scam and it begins with cybercriminals getting their hands on personal information. They use multiple and extremely sophisticated techniques to access such data.

Once in possession of this sensitive and lucrative information, they are presented with two options depending on their own interests and capabilities: they either use it themselves or sell it on to other fraudsters. The latter usually happens on one of many marketplaces on the dark web.

Usually, the information that is exchanged is ‘incomplete’, meaning it limits a criminal’s ability to commit certain types of crime. They need further information to complete their ‘identity jigsaw’. This is where tech support scamming comes in, especially the kind that mixes new (the internet) and old (telephone) technology to devastating effect.

First contact and the building of trust

Depending on the context of any particular case, a tech support scammer may immediately contact victims or hold back for a more opportune moment to pounce. It seems to matter very little whether a data breach has been made public or not – both offer benefits to criminals.

For example, if an attack has gone unnoticed, fraudsters can use the ‘business as usual’ guise as an asset, while public knowledge of an attack is similarly advantageous (people expect to be contacted by companies, broadband and mobile providers).

When a customer picks up the phone, a charade begins. Through social engineering and clever use of information in their possession – such as names, addresses and account details – the scammer is able to manipulate their victim into believing they are genuine.

This authoritative impersonation of a broadband/mobile provider, bank, law enforcement and/or computer company is a crucial step in gaining trust. All the other demonstrations of technical capabilities and the sense of familiarity exuded by the caller simply add to the growing confidence people have that the reason for the call is genuine (such as there’s been a data breach and you’re affected; your computer has a virus on it; you’ve been the victim of fraud and we’re here to reimburse you and so on).

Another reason why scammers are so effective in this phase of a con is that they often appear unhurried, friendly and conversational. All of these characteristics are the kind most people assume to be absent when fraud of any kind is taking place – it’s quick, it’s impersonal and there’s brevity.

Unlocking the digital door that guards your device

Once a certain level of trust has been established, the fraudster explains in a very matter-of-fact way that they need to run certain checks, both personal – confirming information such as security questions and answers, for example – and technical.

The latter pertains to a victim’s computer, a strategy which plays on most people having a limited understanding of the ins and outs of how devices work. The scammer will get them to open up a window, which will ‘evidence’ issues, the kind that could cause serious damage.

Mr. Harley has discussed an example of this in detail in a previous post on We Live Security. The focus here is on Windows users and, on being instructed to open up Event Viewer – which keeps a system log – an individual will see “system events”. Some of these are genuine problems but “they’re usually transient errors and glitches that have already come and gone”.

Nevertheless, on unsuspecting people, this can be an effective tactic. It helps to establish further trust because they appear to be showing you actual problems. Therefore, as you’d allow a plumber into your home to fix your broken pipes, the same applies here. Your digital door is unlocked and the scammer now has control of your computer.

Working hard to ‘resolve the issue’

A number of scenarios can be played from this point onwards, but a recent scam involving an elderly couple and TalkTalk features all the hallmarks of most cons like this. Harold and Barbara Manley, from Kent in the UK and both in their 80s, received a call purportedly from the telecommunications company, saying their computer had been compromised.

They were told that this could be fixed and, moreover, that they would receive immediate compensation worth £200. However, ‘TalkTalk’ needed access to their computer to fix the vulnerabilities. Afterwards, the caller explained that they had to log into their online account to receive payment.

“On the screen a statement appeared with £5,200 in credit,” Barbara told This is Money. “They said they had made an error and needed to debit £4,900 and the rest could be kept as compensation. I’m not into computers so I don’t know how they did it but it looked so genuine.”

Except it is not. Now that the scammers have control over a computer, they are able to manipulate what the victim sees and in this case and many others, what can be seen is not real. Meanwhile, in the background, they are busy taking money out of the account.

The key thing to understand is that the impression of professionalism and apparent resolution of a problem all contribute to a positive experience that unfortunately leaves few victims in doubt. Account details are quoted in full, customer service is impeccable, faults are visibly patched and compensation is given.

And, after everything is resolved, people go about their ordinary business, unaware of what has happened. It’s not until later, maybe that evening, the next day or even longer, when the penny drops. By that time it’s already too late.

Knowledge and appreciation of the threat goes a long way

These kinds of instances needn’t happen. Along with investing in security solutions across all your devices and adhering to best practice like using strong, unique passwords for various accounts, understanding the nature of tech support scams and the seriousness of cybercrime will go a long way in keeping you safe.

The TalkTalk incident highlights that this issue is very real and, as Financial Fraud Action UK pointed out at the start of November, there is evidence to suggest that there is a boom in scamming.

“Fraudsters are cunning and will go to great lengths to steal your cash,” explained Katy Worobec, director of FFA UK. “This scam is just another example of the tricks they will use. You should never let someone else have access to your computer remotely, especially if they have contacted you via an unsolicited phone call.”