Based on new reporting, the Internet Crime Complaint Center (IC3) is providing updated guidance regarding technical support fraud. Tech Support Fraud involves a criminal claiming to provide customer, security, or technical support in an effort to defraud unwitting individuals. This type of fraud continues to be a problematic and widespread scam.
In 2017, the IC3 received approximately 11,000 complaints related to tech support fraud. The claimed losses amounted to nearly $15 million, which represented an 86% increase in losses from 2016. While a majority of tech support fraud involves victims in the United States, IC3 has received complaints from victims in 85 different countries.
Criminals may pose as a security, customer, or technical support representative offering to resolve such issues as a compromised e-mail or bank account, a virus on a computer, or to assist with a software license renewal. Some recent complaints involve criminals posing as technical support representatives for GPS, printer, or cable companies, or support for virtual currency exchangers.
As this type of fraud has become more commonplace, criminals have started to pose as government agents, even offering to recover supposed losses related to tech support fraud schemes or to request financial assistance with “apprehending” criminals.
How the Fraud Occurs
Initial contact with the victim typically occurs through the following methods:
Telephone: A victim receives an unsolicited telephone call from an individual claiming the victim’s device or computer is infected with a virus or is sending error messages to the caller. Callers are generally reported to have strong, foreign accents.
Search Engine Advertising: Individuals in need of tech support may use online search engines to find technical support companies. Criminals pay to have their fraudulent tech support company’s link show higher in search results hoping victims will choose one of the top links in search results.
Pop-up message: The victim receives an on-screen pop-up message claiming a virus has been found on their computer. In order to receive assistance, the message requests the victim call a phone number associated with the fraudulent tech support company.
Locked screen on a device: The victim’s device displays a frozen, locked screen with a phone number and instructions to contact a fraudulent tech support company. Some victims have reported being redirected to alternate Web sites before the locked screen occurs.
Pop-ups and Locked Screens
- Often accompanied by a recorded, verbal message to contact a phone number for assistance.
- Frequently programmed into links for advertisements or popular topics on social media.
- Web addresses of popular Web sites (such as social media or financial Web sites) can be typo-squatted to result in a pop-up or locked screen if the victim incorrectly types the intended Web site address.
Phishing e-mail warning: The victim receives a phishing e-mail warning of a possible intrusion to their computer or an e-mail warning of a fraudulent account charge to their bank accounts or credit cards. The e-mail provides a phone number for the recipient to contact the fraudulent tech support.
Once the fraudulent tech support company representative makes verbal contact with the victim, the criminal tries to convince the victim to provide remote access to the victim’s device. If the device is a tablet or smart phone, the criminal often instructs the victim to connect the device to a computer. Once remotely connected, the criminal claims to find expired licenses, viruses, malware, or scareware. The criminal will inform the victim the issue can be removed for a fee. Criminals usually request payment through personal/electronic check, bank/wire transfer, debit/credit card, prepaid card, or virtual currency.
Another widespread issue is “the fake refund.” In this scheme, the criminal contacts the victim offering a refund for tech support services previously rendered. The criminal requests access to the victim’s device and instructs the victim to login to their online bank account to process a refund. As a result, the criminal gains control of the victim's device and bank account. With this access, the criminal makes it appear as if too much money was refunded to the victim's account and requests the victim return the difference back to the criminal’s company via a wire transfer or prepaid cards. In reality, there was no refund at all. Instead, the criminal transferred funds among the victim's own accounts (checking, savings, retirement, etc.) to make it appear as though funds were deposited. The victim “returns” their own money to the criminal. The “refund and return” process can occur multiple times, resulting in the victim potentially losing thousands of dollars.
Variations and Trends
Tech support fraud was originally an attempt by criminals to gain access to devices to extort payment for fraudulent services. However, criminals are creating new techniques and versions of the scheme to advance and perpetuate the fraud.
Re-targeting previous victims and contacts
- Criminals pose as government officials or law enforcement. The criminal offers assistance in recovering losses from a previous tech support fraud incident. The criminal either requests funds from the victim to assist with the investigation or to cover fees associated with returning the lost funds.
- Criminals pose as collection services claiming the victim did not pay for prior tech support services. The victim is often threatened with legal action if the victim does not pay a settlement fee.
Virtual currency is increasingly targeted by tech support criminals, with individual victim losses often in the thousands of dollars.
- Criminals pose as virtual currency support. Victims contact fraudulent virtual currency support numbers usually located via open source searches. The fraudulent support asks for access to the victim’s virtual currency wallet and transfers the victim’s virtual currency to another wallet for temporary holding during maintenance. The virtual currency is never returned to the victim, and the criminal ceases all communication.
- Criminals who have access to a victim’s electronic device use the victim’s personal information and credit card to purchase and transfer virtual currency to an account controlled by the criminal.
Increasing use of victim’s personal information and accounts to conduct additional fraud
- Criminals use the victim’s personal information to request bank transfers or open new accounts to accept and process unauthorized payments.
- Criminals send phishing e-mails to the victim’s personal contacts from the victim’s computer.
- Criminals download personal files containing financial accounts, passwords, and personal data (health records, social security numbers, tax information, etc.).
Additionally, IC3 complaints report:
- Criminals who took control of victims’ devices and/or accounts and did not release control unless a ransom was paid.
- Viruses, key logging software, and malware were installed on victims’ devices.
- Criminals have become more belligerent, hostile, and abusive if challenged by victims.
Suggestions for Protection
- Remember that legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.
- Install ad-blocking software that eliminates or reduces pop-ups and malvertising (online advertising to spread malware).
- Be cautious of customer support numbers obtained via open source searching. Phone numbers listed in a “sponsored” results section are likely boosted as a result of Search Engine Advertising.
- Recognize fraudulent attempts and cease all communication with the criminal.
- Resist the pressure to act quickly. Criminals will urge the victim to act fast to protect their device. The criminals create a sense of urgency to produce fear and lure the victim into immediate action.
- Do not give unknown, unverified persons remote access to devices or accounts.
- Ensure all computer anti-virus, security, and malware protection is up to date. Some victims report their anti-virus software provided warnings prior to attempt.
If you are a Victim
- Individuals who receive a pop-up or locked screen, should shut down the device immediately. Ignore any pop-ups instructing to not power off or restart the computer. Victims who reported shutting down the device and waiting a short time to restart usually find the pop-up or screen lock has disappeared.
- Do not re-contact fraudulent tech scam companies. Expect additional fraudulent calls as these companies often share their customer database information.
- Should a criminal gain access to a device or an account, individuals should take precautions to protect their identity. Immediately contact financial institutions to place protection on accounts as well as change passwords and actively monitor accounts and personal information for suspicious activity.
File a Complaint
Individuals who believe they may be a victim of an online scam (regardless of dollar amount) should file a complaint with the IC3 at www.ic3.gov. The more often fraud and scams are reported, the better equipped law enforcement can be to address the issues.
To report tech support fraud, please be as descriptive as possible in the complaint including:
- Identifying information of the criminal and company. Include Web sites, phone numbers, and e-mail addresses used by the criminal and company or any numbers you may have called.
- Account names and numbers and financial institutions receiving any funds (e.g., bank accounts, wire transfers, prepaid card payments, virtual currency wallets) even if the funds were not actually lost.
- Description of interaction with the criminal.
- The e-mail, Web site, or link that caused a pop-up or locked screen.
Complainants are also encouraged to keep all original documentation, e-mails, faxes, and logs of all communications.
Because scams and fraudulent Web sites appear very quickly, individuals are encouraged to report possible Internet scams and fraudulent Web sites by filing a complaint with the IC3 at www.ic3.gov. To view previously released PSAs and Scam Alerts, visit the IC3 Press Room at www.ic3.gov/media/default.aspx.