[SingCERT] Advisory on Tech Support Scams

Published on Thursday, 17 November 2016 12:00

What is a Tech Support Scam?
The first reports of tech support scams surfaced around 2008, and these scams have gradually gained momentum over the years. Their tactics have also evolved. In the past, scammers cold-called users in an attempt to make victims part with their money. More recently, scammers have created fake tech support websites and use various techniques to trick users into believing that their computing devices are infected or facing technical issues. Users may also find their computing devices held to ransom after following instructions provided by the scammer.

How do these scams work?
In a fake antivirus scam, scammers display screenshots of "real" antivirus software and some scary-sounding infections. Users are led to believe that they must call the scammer to remove the infection or risk having more malware downloaded onto their device. In some cases, the scammers may call the user. The scammers then offer to remove the infection and charge the user for the service or for some useless software.

For tech support phone scams, scammers typically cold-call users and instruct them to run some common Windows commands (e.g. ipconfig /all, eventvwr.msc) or ask them to visit a website (e.g. https://secure.logmein.com, https://www.teamviewer.com, http://www.ammyy.com) to install remote desktop software so that the scammers can directly control the computer to resolve the issues. During the process, they may ask for the user's login credentials. Once they have obtained the login credentials, they pretend to fix the computer issues. They may restart the computer and lock it in the process, and subsequently request payment to unlock the computer.

Sample screenshots of such scams are shown below.

[Screenshots: Fake Antivirus Tech Scam; Fake Critical Error]

Users should note that a tech support scam differs from ransomware, which encrypts your data so that the victim can no longer access his/her files or computer system. For information on ransomware and ways to deal with a ransomware infection, please visit https://www.csa.gov.sg/singcert/news/advisories-alerts/ransomware.

Protecting Yourself from Tech Support Scams

  • Do not call the number provided on the website or pop-ups that you see.
  • Do not answer calls from people who claim to be from tech support. The only exception is if you are expecting such calls.
  • Do not allow anyone to take control of your computer, especially via remote desktop software.
  • Do not provide your computer's login credentials and your financial information to anyone over the phone.

Recovering from a Tech Support Scam
If you have fallen victim to a scam, take the following steps immediately:

  1. Call your bank immediately to reverse the charges made. If that is not possible, request a new bank account and cancel your debit or credit card.
  2. Scan your computer for malware and remove any malware found. Do not restart the computer yet.
  3. Back up your files and data to an external device such as an external hard disk or thumb drive.
  4. Create a new user account on your computer.
  5. Restart the computer to clean up any remnants of malware found.
  6. Try to log in to your usual account. If you are not able to, log in to the newly created account. Restore your data to your account from your external device.

If you are a victim of a tech support scam, you can lodge a police report at any Neighbourhood Police Centre/Post or via the Electronic Police Centre website at http://www.police.gov.sg/iwitness for Police assistance. All information provided will be kept strictly confidential.
