(405) 919-9901

by Dave Moore, CISSP
02/12/2023

Many times per week, sometimes many times a day, I get phone calls from concerned folks telling me the same story. The story starts with, “I got a call from Microsoft…”

But, sometimes, the story begins with, “A message from Microsoft popped up on my screen…” A similar story begins with, “I had a problem, so I called Microsoft and they told me…”

I don’t even need the caller to finish the sentence. The story is always the same, one that ends badly, with the caller losing money or control of their computer. This is the story of the Fake Tech Support Scam.

The scam has three ways of getting started: (1) you get a phone call from someone claiming to be Microsoft tech support, (2) a screen-dominating popup appears, allegedly from Microsoft, alerting you to call them, or (3) you call a number you found somewhere on the Internet, thinking you are calling Microsoft tech support.

No matter which method is used, the result is the same: you are not talking to a Microsoft expert who wants to help you. Instead, you are talking to a professional career criminal, an experienced con artist who wants to trick you into giving them some money.

It’s an old story, so old that Microsoft has put up a webpage describing it in detail at www.microsoft.com/wdsi/threats/support-scams. The FBI also has a page on the subject at ic3.gov/media/2016/160602.aspx, and the Federal Trade Commission has one at consumer.ftc.gov/articles/0346-tech-support-scams.

When I get a call from someone who has experienced a fake tech support scam, I have two goals in mind: (1) help them understand what’s actually happened, and (2) help them mitigate any damage that has occurred. The scam has four stages of development, with the final stage being the worst: stolen money.

Stage One involves tricking you into thinking something is terribly wrong with your computer. Viruses, infected IP addresses, Windows security violations, all sorts of phony baloney problems and consequences are presented in an effort to bamboozle you into believing you need to move to Stage Two: completing the call.

Stage Two involves asking for help, either from the fake Microsoft experts who have called you or by calling them at the number provided on your screen. During the call, the scammers explain the seriousness of the situation, the dire consequences of inaction, and urge you to allow them to move to Stage Three: giving them remote control of your computer so they can “help” you.

Stage Three of the scam marks when things really start to go downhill for the victim. When someone calls me about their contact with tech support scammers, I always ask upfront, “Did you give them remote control of your computer?” If they answer “no,” then perhaps all that’s needed is to clean up their computer and remove the source of the persistent popups that may be there.

If, however, the answer is “yes,” a much sketchier situation exists. They have given the scammers remote control of their computer, granting a dangerous level of access and control to everything that’s in it. As we say in the computer security field, their system is now “completely compromised,” and there’s no telling how bad things could be.

Next begins an elaborate dog-and-pony show, a mind-numbing song-and-dance routine filled with bogus technical terminology and on-screen trickery designed to confuse you into submission. The scammers show you countless “problems” that only they can fix, and that only they can protect you from in the future. Finally, hoping you will succumb to their wishes, they move in for the kill: Stage Four. Hopefully, things do not progress to Stage Four.

Stage Four of the fake tech support scam is the coup de grâce of the whole affair, when scammers ask for money to pay for present and future services. When victims call me and say yes, they gave remote control of their computer to the bad guys, I quickly ask if they also gave the crooks a credit card number. I’m always glad when they say “no,” but when they say “yes,” I tell them to end our call, immediately call their credit card company, and explain what’s happened.

Recently, though, victims tell me no, they did not give out a credit card number; the scammers did not ask for a credit card number. Instead, they asked for access to their bank account, which was granted. “Forget credit cards, go straight for the bank account,” seems to be the criminals’ new strategy. Yikes.

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org