twitter facebook rss

Tech Support Scams: a Beginner’s Guide

Posted by on November 26, 2015.


I’ve spent a lot of time over the last few years writing and talking about tech support scams. That is, scams implemented by persuading victims that they need help to deal with a problem on their computer. Perhaps it’s time to rethink what potential victims need to know in order to make them less vulnerable to scammers. I don’t know how many relatively technically-inexperienced people read this blog, but perhaps the more tech-savvy readers will find it useful to think about how they can raise awareness.

Basic scam gambits

Often, the scammer claims that the victim’s PC has been hacked, or is infected or affected by viruses or other forms of malware.

The classic cold-calling scam works something like this: you get a telephone call from someone telling you that he is from or working with Microsoft, and that your Windows PC has been reported as being compromised in some way. There are a number of standard tricks (most of which are described in a paper Martijn Grooten, Craig Johnston, Steve Burn and I wrote for Virus Bulletin) that this kind of caller uses to persuade you that he really knows something about your PC.

The CLSID scam gambit

A longstanding favourite is the CLSID gambit, when he tells you that this string of characters is unique to your system: ZFSendToTarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

CLSID scamshot

In fact the ASSOC command will show this very same string on just about any Windows machine.

The Event Viewer gambit

Another gambit is to ‘prove’ that your PC is ‘infected’ by misrepresenting the results of running standard utilities such as Event Viewer. He’ll tell you that those alarming yellow triangles with the word ‘Warning’ next to them are to tell you that your system has been hacked, or infected with malware. In fact, 99 times out 100 they signify a transient glitch – a minor issue that may only affect your system for microseconds.

Utilities like EventViewer do have their uses, of course, for a tech looking for real problems. The trouble is, it’s easy for a scammer to misrepresent their output when talking to someone who isn’t knowledgeable about Windows internals.

Event Viewer scamshot

The Netstat scam gambit

Another tool that the scammers sometimes misuse is Netstat, which gives information about your network/internet connections. The scammers use the output to con you into believing that the ‘foreign addresses’ it shows represent hacking attacks. Actually, a foreign address is simply any internet system to which you might connect in the course of a normal computing session. If there weren’t any ‘foreign addresses’ you almost certainly wouldn’t be connected to the internet at all.

netstat scamshot

The New Wave

All those ploys and gambits are still there, still being used by scammers. However, they’re less likely to be presented by scammers in out-of-the-blue cold calls: rather, they’ll be used when the scammer has lured the victim into calling the scammer, rather than vice versa.

Nowadays, there’s an accelerating trend among support scammers towards luring victims using pop-up ‘security alerts’ and fake system crashes. These invariably incorporate a phone number which is supposed to be to an ‘appropriate’ help line, thus trying to trick victims into making the initial telephone contact. For the scammer, this approach has an additional advantage: the scams can easily be changed to target users of OS X and iOS, Android and even Linux. Furthermore, as long as people aren’t aware of this variation on the scam theme, it can be implemented without the complicated social engineering sometimes involved in misrepresenting system utilities, messing about with batch files, and so on.

For example, a longer article for my Mac Virus blog compares a fake system crash targeting iOS users, a typical Windows fake Blue Screen of Death (BSOD) screenshot, and a fake OS X ‘systems crash’. All of them alarming to see, and none of them presenting a real threat: they’re designed only to trick the victim into ringing a fake helpline.

What do I do now?

However, blog comments come up time and time again from people who’ve been sucked at least part way into the scam, asking ‘What should I do now?’

I’m not comfortable making some sort of blanket recommendation: it’s a question best answered on a case-by-case basis, though I’m afraid I can’t generally offer one-to-one support. Still, it’s perhaps a question most easily answered when the victim has actually given away pretty much everything the scammer has asked for.

  • If you gave them access to your device and haven’t restarted it, do that. They generally warn you against restarting, but that’s because it then becomes obvious that you aren’t looking at a real, permanent problem.
  • Run a reputable security program to check for anything untoward they may have installed.
  • Change any passwords you’ve given them. If you gave them remote access, change any passwords to which they might have had access without your knowing.
  • Contact your credit card provider for their advice on stopping payment, getting money back, and if necessary, replacing cards.
  • Contact law enforcement: even if the police can’t help as regards restitution and prosecution of the scammer, they can advise you on the possibility of identity theft. You can also file a report with the FTC in the US, or Action Fraud in the UK.

Let me help you trash your system

There have been cases where the scammer’s ‘solution’ to the non-existent problems on the victim’s system has actually caused significant damage. Sometimes, though, the scammer sets out to cause deliberate damage, most often to a Windows system. This usually occurs when the victim has allowed the scammer access to the system and then decided not to pay for the ‘service’. The scammer may then delete files and/or lock the victim out of his own system, more often than not by using Microsoft’s own Syskey utility. There are a number of sites that offer advice about self-help in such a case, but my fear is that in some cases even well-meant advice may actually make the situation worse. In any case, computer users who fall for this scam are not usually particularly tech-savvy, and it seems wrong somehow to expect them to undertake a potentially technically complex salvage operation on their own. Better to get professional help as soon as possible.


In spite of the widespread and longstanding nature of the problem, information on this kind of scam tends to be piecemeal. Even the security industry doesn’t in general spend much time on it. You might think that at least the anti-malware industry would be driven to give regular exposure to the issue: after all, the scammers are making money out of stealing our clothes.

Where to get information

One of the few blogs that does regularly explore the issue, often in some technical depth, is Malwarebytes, which also has a resource page that summarizes the problem and includes some advice to victims. My own resources page at AVIEN offers links to other resources. Not only to my own articles and papers, but useful commentary from any source that I happen to come across, including the occasional article from other anti-malware vendors.

Detecting deception

The best way to counter the problem, though, is to forestall it by being aware that:

  • You can’t trust unsolicited phone calls: anyone can ring you up and say they’re calling from or on behalf of Microsoft. (Or anyone else.) Ring back to a known genuine number, if you think it might be a genuine call.
  • The circumstances under which some random caller can really know anything about your computer(s) are very rare. In general, if someone rings and says your PC is infected, it’s a scam. If he or she asks you for money to fix it, it’s always a scam. Or, at best, aggressive marketing, which is sometimes barely distinguishable from fraud.
  • The current spate of pop-ups showing security alerts or even something that seems to be a system crash involve two main strands of social engineering:
    • Persuading you to ring a specific phone number (which real systems crashes and alerts hardly ever do)
    • Persuading you to do so immediately so that you don’t notice that what appears to be a Blue Screen of Death is actually just a pop-up.

Have I been hacked?

The most common requests for help I get are from people saying something like ‘I ran ASSOC: could that have allowed him to hack my system?’ (Or EventViewer or Netstat, or one of the other common Windows utilities the scammers misuse and misrepresent.)

And while I won’t claim to give authoritative advice regarding a system I’ve never seen, the answer is generally no. The scammer can’t do anything to your system if you don’t give him remote access to that system. Of course, it’s sometimes convenient for a real support tech to be able to access your PC when you have a real system problem. (Depending on the nature of the problem, of course: sometimes a lack of network connection is the problem, so remote access isn’t an option.)

How do you know?

So how do you know if you’re talking to a real support tech? Well, if it’s some random phone caller telling you about a problem you didn’t know you had, it’s a fairly safe bet that it’s a scammer. If you have some sort of support contract that might just possibly involve someone calling you out of the blue, make sure you have a way to verify their bona fides. If you see some sort of pop-up message or even a Blue Screen of Death including a ‘helpdesk’ telephone number, expect the worst. If it turns out you really do have a problem, find a more reliable local source for a helpdesk number.

Good links, bad links

Bear in mind, though, that a search engine is likely to find links to scam pages as well as to companies offering genuine support services, including sites that have deceptive names suggesting links with Microsoft or Windows or Apple or Android. By sites, I mean not only company sites, but secondary sites such as Facebook pages and blog pages, where a great deal of unpleasant content of all sorts can be found lurking.

Given what I do for a living, I suppose you’d expect me to recommend security software, but there is plenty of software passed off as a security product that ranges from useless to downright malicious. And it wouldn’t be appropriate for me to make specific recommendations, since much of my income derives from a security vendor.

What I can do is recommend that you try one of the mainstream security product testing organizations. I don’t always agree with their testing methodologies and claims, but they’re not usually fooled into recommending fake products. A good starting point would be the testers who are represented in AMTSO including (apologies if I’ve missed any):

  • AV-Comparatives
  • AV-Test
  • Dennis Technology Labs
  • ICSAlabs
  • NSS Labs
  • Veszprog
  • Virus Bulletin
  • Westcoast Labs

Links are given on that AMTSO page. I’m not going to say that I’d always agree with their recommendations, but they do look at genuine products, and they do tend to conform to ethical guidelines.

David Harley


9 thoughts on “Tech Support Scams: a Beginner’s Guide

  1. Here’s another solid article about the spam aspect of fake tech support.

    It talks about how to spot a fake support number, how to avoid it, and will provide a wide array of examples of fake tech support activities:

  2. I just want to know why these scams are so popular all of a sudden. I mean, they can’t even be that effective… can they?

    • Well, it’s not sudden. I first became aware of them in 2010. You might think that the supply of potential victims must have run dry by now, and in fact I’m seeing far fewer reports of the cold-caller-type scam than I did 4-5 years ago, but there’s a lot more use of pop-ups and scam web sites. It isn’t all coming out of India any more, either, so the stereotype of the cold-caller with the Asian accent has been subverted. I guess if you think you’re talking to Apple or Symantec because you called ‘their’ helpline, the EVENTVWR nonsense and all that is more believable, even though it hasn’t changed that much recently. (Some of these jerks have been pretty inventive in finding ways of ‘proving’ that the victim has a problem, though.) I keep writing about new wrinkles in the hope that more people will get the message, but you can’t reach every potential victim.

  3. Tara Taubman on said:

    Thank you for these clarifications.
    I am still getting many ‘Microsoft’ phone calls.
    At a recent Neighbourhood Watch meeting a Microsoft representative advised to make them waist their time as they all believe people in the UK live in big houses with big gardens. He suggested to tell them to wait for the husband working in the back garden. So I became curious to apply the formula. Few times, after few minutes waiting, they hanged on me. Last time, he guy get a bit angry and started to call me back from different phone numbers. This happens even I am registered on the Telephone Reference Service.
    [Edited: sorry, but I won’t approve shortened URLs in blog comments, or recommendations for products of which I don’t have experience, or links that require registration.]
    What do you think of the interest of reporting the scams?

    • Tara Taubman on said:

      Reporting the scam, I would have thought could help to know the techniques used, eventually where they come from and what to do to avoid them. I might be wrong. The URL I added came from the Trading Standard and Microsoft help. This is where the general public is sent to learn more and share experience.

      • I don’t say you shouldn’t report the calls, only that you shouldn’t expect too much by way of an individual response. But if the agency you report to gets to learn something they didn’t know from your report, that may benefit you indirectly, eventually.

        I know what your URLs are (apart from the post), but I won’t approve shortened URLs on principle: dangerous material can be spread that way. Some security blogs won’t allow _any_ URL in a blog comment. If Trading Standards and Microsoft sent you shortened URLs, they weren’t following best practice.

    • I’m not saying the cold calls have stopped, though in many cases they’re now promoting other scams: the point is that the scammers are now also using approaches that are probably more efficient, from their point of view. As far as they’re concerned, it’s better to get the individual to ring their helpline than for them to waste time coldcalling individuals who in many cases have been hearing the same rubbish for years, and will either ring off or try to waste their time. I certainly don’t have a particular objection to wasting a scammer’s time, but I don’t particularly advocate it, either. It’s up to the individual. The Telephone Preference Service isn’t guaranteed to stop scammers. There’s nothing to stop them ignoring the existence of the TPS – one scammer from India I spoke to flatly refused to believe there was such a thing – and when they give false contact details, the TPS can’t follow up. In any case, overseas scammers are generally out of the remit of the TPS. In my experience, reporting scam calls is of limited use in individual cases. An organization that you report incidents to may benefit in terms of understanding new developments in the scam, but that won’t necessarily help you as an individual. No agency has the resources to follow up on every scam call.

      • Tara Taubman on said:

        You are very right to say they are new forms of scam appearing, more sophisticated.
        My recent personal experience is an increase of call scams.
        On the effect of reporting, if it is true that many use hidden phone numbers, some do get trapped and fined by the ICO

        See also BBC News Feb 2015: “Imposing fines of up to £500,000 on the companies behind cold calls and nuisance text messages is to become easier under changes to the law being made by the government. The move follows tens of thousands of complaints about cold calling.
        Currently, firms can only be punished if the Information Commissioner can prove a call caused “substantial damage or substantial distress”.
        But from 6 April, that legal requirement is to be removed.
        More than 175,000 complaints were made to the Information Commissioner’s Office (ICO) last year about nuisance calls and text messages.”

        I had the hope that complaints and reports could help to raise awareness.

        • I’m all in favour of raising awareness: I’ve spent quite a few years trying to do just that. 🙂 It’s good to have the legislation, but unless significant resources are spent on enforcing it, its impact is limited.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: David Harley | Tags: , , , ,