Scammers Using Computer-Technical Support Impersonation Scams to Target Victims and Conduct Wire Transfers

As recently as October 2022, the FBI observed several instances nationwide of scammers conducting computer-technical support scams, where criminals pose as service representatives of a company’s technical or computer repair service and contact victims through email or by telephone about a highly-priced, soon-to-renew subscription. Scammers request victims contact the scammers at a provided telephone number or email to cancel the renewal and receive a varying refund amount. After the victims contact the scammers, they attempt to obtain personal and banking information that is then used to conduct unauthorized wire transfers of funds held within the targeted victim’s accounts. Targeted victims generally fall within the elderly population.

HOW THE SCAM WORKS:

Scammers target their potential victims through email, sending elaborate messages from email domains that seem authentic and claiming to provide a form of technical service, such as those that would be found at major electronic store chains that sell electronics, computers, and other digital devices. In this case, the scammers claim to aid in securing a refund through remote access to the victim’s computer.

The subject line of the scam email hints at a pending renewal of a subscription, generally within the next 24 hours, for a service such as a computer protection plan or a warranty. Within the body of the email, the scammers will indicate the specific service to be renewed with a price commonly in the range of $300 to $500 USD, provoking a sense of urgency in the victims to contact them and provide information for a refund.

  • Example subject line: “Service Renewal from [Company Name]”

Scammers include their contact information within the email, such as a telephone number and email address, and encourage the victim to reach out to cancel the false subscription renewal and receive a full refund. The phone number provided in the email is sometimes made to represent a service number beginning with 1(800) ###-#### or 1(888) ###-####, for example. Alternatively, the scammers may provide a specific website URL for the victim to visit that is potentially infected with malware or other phishing vectors.
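A mail-triage heuristic built from the email traits described above, as an added example that is not part of the advisory. The weights, the review threshold and all names in the code are assumptions, and the messages are constructed.

```python
import re

# Indicators come from the advisory; weights and threshold are assumptions.
RENEWAL = re.compile(r"\b(?:renewal|renew|subscription)\b", re.I)
URGENCY = re.compile(r"\b24\s*(?:hours|hrs)\b", re.I)
PRICE = re.compile(r"\$\s?(\d{3,4})(?:\.\d{2})?\b")
TOLL_FREE = re.compile(r"\b1?[\s.-]*\(?8(?:00|88)\)?[\s.-]*\d{3}[\s.-]*\d{4}\b")
CALLBACK = re.compile(r"\b(?:cancel|refund)\b", re.I)
FLAG_AT = 5  # assumed score at which a message goes to manual review


def score_message(subject, body):
    """Return (score, reasons) for one message's subject and body."""
    hits = []
    if RENEWAL.search(subject):
        hits.append(("renewal wording in subject", 2))
    if URGENCY.search(subject + " " + body):
        hits.append(("24-hour deadline", 1))
    if any(300 <= int(p) <= 500 for p in PRICE.findall(body)):
        hits.append(("charge in the $300-$500 range", 2))
    if TOLL_FREE.search(body):
        hits.append(("toll-free callback number", 1))
    if CALLBACK.search(body):
        hits.append(("cancel/refund call to action", 1))
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_suspicious(subject, body):
    return score_message(subject, body)[0] >= FLAG_AT


# Constructed messages; the phone number uses the fictional 555-01xx range.
SCAM = ("Service Renewal from [Company Name]",
        "Your computer protection plan renews within the next 24 hours for "
        "$399.99. To cancel and receive a full refund, call 1(888) 555-0142.")
REAL_RENEWAL = ("Your subscription renews next month",
                "Your plan renews on 1 March for $59. Manage it in your account.")
RECEIPT = ("Your receipt from Example Books",
           "Thanks for your order. Total charged: $18.40.")

if __name__ == "__main__":
    for subject, body in (SCAM, REAL_RENEWAL, RECEIPT):
        print(is_suspicious(subject, body), score_message(subject, body))
```

A single trait, such as renewal wording alone, stays below the threshold; the message is flagged only when several of the described traits appear together.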

Once the victim contacts the scammers to request a refund or receive an explanation of the service renewal, the scammers persuade the victim to download remote desktop protocol software and request that the victim grant full control access to the computer to provide efficient technical support and begin the process to issue the refund. The scammers may offer a higher refund amount as enticement for the victim and to persuade them to provide access.

Once access to the victim’s computer is obtained, scammers will indicate that they are refunding the subscription renewal amount to the victim’s bank account and persuade the victim to verify that the refund was successful by logging into their bank account. When the victim accesses the bank account, the scammer can obtain the logon credentials. Once the victim accesses the bank account, the scammer can lock the victim out of their computer or place a black screen as they conduct unauthorized wire transfers to external bank accounts. Alternatively, the scammers will deposit money into the victim’s account as a “mistake” and ask the victim to correct it through a victim-initiated wire transfer or by providing additional banking information, which is then used to empty the victim’s bank accounts through wire transfers, usually to foreign bank accounts.

Scammers have also been observed running a short script file to collect victim information and provide legitimacy. The executable will generally run a command prompt made to look like a service screen, echoing commands (printing questions) that request the following information and capture it into variables:

  • Full Name
  • Bank Name
  • Zip Code
  • Refund Amount (amount entered is at the discretion of the victim; no check parameter exists within the script)

Additionally, the script contains commands to write information to a text file, and several pauses that provoke user engagement as they “wait” for a refund or other action to take place.
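A static triage check for script files that combine the behaviours listed above, as an added example that is not part of the advisory. It assumes the script is a Windows batch file using `echo`, `set /p`, output redirection and `pause`/`timeout`; the matching rule, the function names and both sample scripts are constructed for illustration.

```python
import re

# cmd.exe constructs assumed to implement the behaviours the advisory lists.
ECHO = re.compile(r'^[ \t]*@?echo[ \t]+([^\r\n]*)', re.I | re.M)
CAPTURE = re.compile(r'^[ \t]*set[ \t]+/p[ \t]+"?\w+=([^\r\n]*)', re.I | re.M)
WRITE_TXT = re.compile(r'>>?\s*"?[^\s"|&]+\.txt\b', re.I)
PAUSE = re.compile(r'^[ \t]*(?:pause|timeout)\b[^\r\n]*\r?$', re.I | re.M)
FIELDS = {name: re.compile(name.replace(" ", r"\s*"), re.I)
          for name in ("full name", "bank name", "zip code", "refund amount")}


def triage_script(text):
    """Summarise which of the advisory's behaviours appear in a script."""
    shown = ECHO.findall(text) + CAPTURE.findall(text)  # text put on screen
    return {
        "fields": sorted(n for n, rx in FIELDS.items()
                         if any(rx.search(s) for s in shown)),
        "captures": len(CAPTURE.findall(text)),
        "writes_text_file": bool(WRITE_TXT.search(text)),
        "pauses": len(PAUSE.findall(text)),
    }


def matches_advisory(text):
    """Assumed rule: 3+ listed fields, input capture, a .txt write, a pause."""
    r = triage_script(text)
    return (len(r["fields"]) >= 3 and r["captures"] >= 1
            and r["writes_text_file"] and r["pauses"] >= 1)


# Constructed samples for the check; not taken from a real incident.
SUSPECT = """@echo off
set /p fullname=Full Name:
set /p bank=Bank Name:
set /p zip=Zip Code:
set /p amount=Refund Amount:
echo %fullname%,%bank%,%zip%,%amount% >> details.txt
timeout /t 30
pause
"""
ADMIN_TOOL = """@echo off
set /p target=Host to ping:
ping -n 1 %target% > ping_result.txt
pause
"""

if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT), ("admin tool", ADMIN_TOOL)):
        print(name, matches_advisory(text), triage_script(text))
```

The second sample prompts, writes a text file and pauses like many ordinary admin scripts, so the rule keys on the personal and banking fields being requested rather than on those constructs alone.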

SAMPLE INTERACTION SCREEN:

Screenshot showing sample output of the interaction script

HOW TO PROTECT YOURSELF

  • RESIST the pressure to act quickly. Scammers thrive on instilling panic into their victims.
  • Do NOT send wire transfers, especially to foreign banks, at the instructions of someone you have only spoken to online or via phone.
  • Do not respond to unexpected emails about unsolicited services or services you did not purchase.
  • Do not download software you are unfamiliar with. Do not download software from unofficial websites. Do not grant remote access to your computer to unknown persons or entities.
  • Do not conduct banking activity while providing remote access to your computer.
  • Do not use public hotspots or computers to conduct personal or work-related banking activities.
    • Note: Public WiFi networks are normally unsecured and can be monitored to capture information entered on the internet before it reaches the intended institution. This could allow a person to observe passwords and other logon information.
  • If you are being charged for a service you did not request, contact your banking institution or credit card provider first for cancellation and refund options.
  • Do not provide banking or personally identifiable information (date of birth, social security numbers, addresses) over email or telephone. These can be used to open credit or banking accounts without your consent.
    • Financial Institutions do not generally contact clients first to request personal information such as social security numbers, bank account or routing numbers, etc.
    • When clients contact financial institutions to conduct actions, banks generally verify general information already provided in the past such as a full name, address, and a preset passcode.
  • When in doubt, search online for accurate financial institution information and initiate the communication from your end. If you are called by someone claiming to be an official institution, look up the contact information and call back.
  • Monitor your credit card and bank account transactions for any unauthorized activity and immediately contact your financial institution if you observe irregular or unauthorized activity.

HOW TO REPORT

File a complaint with the IC3, www.ic3.gov, as soon as possible.

If available, include the following:

  • Identifying information of the scammer including websites, phone numbers, and email addresses or any numbers you have called.
  • Account names, phone numbers, and financial institutions receiving any funds (e.g., bank accounts, wire transfers, prepaid card payments, cryptocurrency wallets) even if the funds were not actually lost.
  • Description of interaction with the scammer.
  • Copy and paste the email into the complaint.
  • Keep all original documentation, emails, faxes, and logs of all communications.
