If you have a business, your business depends on your computer system, and without access to your data or computer system, your business will fail. In larger companies, tech-support technicians operate and maintain computer systems and networks. But most companies are small businesses, and tech support is generally an additional task for someone in the company. This reliance on the network and computer systems is a vulnerability that is often easily exploited. Consequently, one of the most common types of computer fraud is Tech Support Fraud. As with all cybercrime, this has become more sophisticated over time. According to the 2021 FBI Internet Crime Report, Tech Support Crime is number seven on the list of crime types by the number of victims and is sixth in financial loss. It is also a growth sector for internet crime, growing by 137% in terms of victim financial losses compared to 2020.
Internet crime and espionage are international businesses. It is no longer individuals acting alone, though some instances exist. This is an industry that employs tens, if not hundreds of thousands of people throughout the world. Tech Support Fraud is a good example, and as with any industry, there are divisions of labor; there are marketing departments, call centers that answer and respond to victim calls, tech support centers that provide a veneer of legitimacy, and accounting departments that collect revenue from different sources. There are also supporting businesses that supply services, like mailing lists of prospective victims. As with any marking campaign Tech Support Fraud begins with lists of prospective victims. These are email lists of businesses or individuals; they are also domain names or network addresses. As with any marketing campaign, it is a numbers game. These criminals send out millions of emails or notices daily, and the greater the number of notices, the greater the number of responses. An interesting fact is that if you have been compromised before, there is a good probability that within a year or so, you will be hit again.
The success of this scam relies on convincing the company or individual to call the “support center.” To accomplish this, there is a concerted effort to impersonate legitimate tech companies. This approach is now expanding to include banks and utility companies. Though these are not strictly tech-support calls, the result is the same. Common to all of these approaches is the call for immediate action; it is the fear that something is wrong with your computer system, and you must act now. Another call-to-action example is using the local utility company email to notify you that the electricity, water, and gas will be shut off immediately if you do not call now. Bank notices or alerts are along the same lines, a legitimate-looking email notice requiring you to call immediately to stop a fraudulent transaction. A few things happen when you do respond; your email address or domain name is flagged, indicating these are legitimate, and there was a positive response. This means there was a bite at the bait, and it is worth another try for the criminal. When you call, your phone number is also collected; though you may do nothing more, the criminal has information about you, and you are now on the future targets list. Of course, the call center experience will begin with a friendly acknowledgment along the lines of good that you called; we are here to help. Granted, the call centers for these frauds are different; however, they are staffed with specialized and trained employees. They are armed with scripts that will address any question you may have. What is common is the pressure to act now to avoid catastrophic consequences. It is fear that is the motivator. In the instance of tech support, they will try to get access to your computer to fix the non-existent problem, download malware, or sell a software package that will do nothing if you are lucky; the goal is to collect your money. A point to remember is that if you use your credit card, you have a good chance of getting the bank to reverse the charge. If you are convinced to pay by gift cards, bitcoin, etc., you are out of money.
What can you do to avoid getting caught in this fraud? The first is to educate your team. They must know that tech companies will not contact their customers to fix problems or request information. For example, Microsoft states that it does not send emails to fix technical problems and will never ask for personal or financial information. Getting notices from tech companies about problems is not going to happen, and if you do, no matter how convincing the notice is, it is a scam. Second, in all cases, banks and utility companies are not going to threaten you with dire consequences. The public utilities are required to go through a shutoff process, one they must adhere to. Banks are not going to threaten their customers. If you are unsure, do not call the phone number in the notice. Call the utility company or bank and talk to them directly. If you do call a help center and there is a demand for immediate action to avoid an event, it is a scam, and if there is a request that you pay by gift cards or cryptocurrencies, that is the definition of a scam.