The ‘Tech Support’ and ‘Refund’ Scams

Today I am going to cover something a little different, yet still tech related: the ‘dark or evil’ side of tech, the ‘Tech Support’ and ‘Refund’ (or ‘Gift Card’) Scams. While each has a different ‘hook’, both end the same way: hours later the victim is handing over large sums of money (sometimes their entire savings) to the scammer, and the scammer has complete access to their computer and/or phone. You may have heard about these and wondered how they work and, for that matter, why people fall for them. At the end of this post are links to three YouTube content creators who have dedicated their time and resources to educating people and showing how these scammers work.

The Tech Support scam usually starts from either a pop-up or an automated phone call. You are visiting a certain kind of website, such as adult content or a questionable video streaming site, when Wham! An annoying pop-up with a blaring siren and a robotic announcement informs you that your computer has been locked and that you must call Microsoft at the number listed. Others display your IP address and the name of your Internet Service Provider along with something along the lines of ‘unusual activity’. These pop-ups also try to scare you, saying your system will be deleted or locked if you bypass the message or close the pop-up or tab. Plus, it just comes right back and loops over and over. The phone number looks like a legitimate US number, but it is just a cover: the call is actually re-routed overseas to the scammers’ call centers in India (sometimes Turkey or Syria). When you call, they will usually answer with an Indian accent using a very generic American name and company name. Sometimes they even claim to be from Microsoft. The first thing they do is demand money to ‘unlock your computer’. Once they have the money they give you instructions on how to get rid of the obnoxious pop-up. Next they tell you to download and install remote access software such as TeamViewer or AnyDesk so they can check for ‘other problems’. Once you have given them complete access to and control of your computer, they start showing you other ‘issues’, usually something along the lines of malicious software installed or other ‘hackers’ using your IP address or accessing your computer. To anyone with some advanced computer skills, it is just a random script that is meaningless.
This usually leads to them demanding even more money and locking you out of your system if you do not pay (either through the remote access software, which lets them lock the mouse/keyboard and blank the screen, or by installing some type of password application).

The scammers can also try to scare you with an automated phone call (robo-call). The call can claim to be from Amazon (those are more along the lines of the Refund Scam, which I will touch on later), from your Internet Service Provider, or even from your local utility provider. The latter usually demands payment within 10 minutes or your power (or Internet) will be shut off. Furthermore, they will want payment via a gift card, Bitcoin or some other untraceable and nearly impossible to reverse/stop method. A legitimate utility (power/Internet) company is never going to ask for payment by these methods (and, like the IRS, will normally send you notices via snail mail before trying to contact you by phone). In the case of the Internet Provider, the automated call says they detected ‘unusual or suspicious activity’ and to press 1 to speak to someone or call a certain number, or else your service will be disconnected.

So how do you avoid these scams? First off, don’t visit questionable sites. If a streaming site claims to let you watch or download ‘premium content’ for free, it is best to steer clear. But sometimes you don’t even mean to; this is what I call making a ‘wrong turn’ on the Internet. You mistype an address, or you click a ‘Sponsored’ result link (an advertisement, and not always legitimate) on Google, or a link within an email that appears to be real. So how do you get rid of the pop-up that just keeps coming back every time you close it? Force close your browser by going into Windows Task Manager via CTRL+ALT+DELETE. Select your browser (Google Chrome, Mozilla Firefox, Microsoft Edge, etc.) and click ‘End task’. When you restart the browser it should alert you that it did not shut down correctly and ask if you wish to recover your session. Select the option NOT to restore your session and you should be fine. If this does not resolve the issue, you will need to take your computer to a local repair shop or have a tech-savvy friend/co-worker help you out. Sure, it is embarrassing or awkward, but much better than losing hundreds or thousands of dollars. In the case of the automated phone calls, don’t press anything and don’t call the number they give you. HANG UP. Find a bill from your provider and call the customer service/billing number on your bill. Be careful when using Google to avoid clicking on the ‘Sponsored’ results, as these are usually ads bought by the scamming company with a bogus phone number or even website.

The Refund Scam is quite elaborate, complex and ever evolving. The majority of the time it starts with an email from what appears to be a real company, such as Amazon, Microsoft, Netflix, etc., sometimes even PayPal, for a ‘purchase’ that you didn’t make. The first thing to do is inspect the return email address: while it may display as Microsoft, Amazon or PayPal, the actual from address is either completely different or only very similar. One I saw claiming to be from PayPal was pay-pal.club, and while .club is an actual top-level domain (TLD), there is no dash in PayPal and they don’t use the .club TLD. These invoices state that the money has been taken from your bank account, and that if you want to cancel and get a refund you should call the number listed. Again, it may look like a normal US phone number, but calling it connects to a server overseas which re-routes the call to the scammer.

If you call the phone number they will usually ask for the reference number listed (which tells them which scam you are calling about). From there they will say they can issue a refund, but they want you to download and install the TeamViewer or AnyDesk software. STOP! Never, ever download and install remote access software to get a refund. Once the victim has downloaded and installed the software, the scammers have access to the computer and can see everything the victim is doing. Next they will ask you to go to your banking site and sign in. To justify this, they will say they want to ‘make sure the refund goes through’. Next they will send you an e-mail, or ask you to fill out a form, asking for lots of personal information (name, address, phone, driver’s license, last four of SSN, bank name, account number, online banking user name/password) along with the amount of the refund. Interestingly enough, the form does not usually have a ‘submit’ button. First off, a real company is going to just issue you the refund without asking you to provide this information, much less wanting access to your bank account ‘to verify’. Once you have completed the form you’ve given the scammer loads of valuable personal and sensitive information, which they will sell to other scammers. Next, the scammers will try to distract you with small talk while they black out your screen so you cannot see what they are doing. While your screen is blacked out and your mouse/keyboard are locked, they start manipulating things on your computer. Remember, with TeamViewer/AnyDesk they now have full remote access to your system. The first thing they do is take a screenshot of the form you just completed and send it off to be added to their database. Next they change the amount of the refund you entered on the form. Say you were supposed to get $29.99 back; they will change it to $2999. Finally, they save a copy of your online banking web page to your computer.
They then make some quick edits to the local version of your banking page (saved on your computer, not served by your bank) so it shows the wrong refund and an inflated balance.

At this point they will give you access back to your computer and say something went wrong and they gave you ‘too much money’ back. They will show you the form with the modified refund amount. They will insist YOU forgot the decimal or YOU added an extra digit. They will ask you to refresh/reload your online banking (which, again, is now the modified local copy on your computer, NOT your bank’s site) and when you do it shows the ‘extra money’ in your account. The scammers will really emphasize that it was YOU who made the mistake. Now, for this scam to work the victim does need to actually have that much money in the bank (which is why the scammer wants access to your online banking: so they can see there is that amount of money in a different account such as Savings, Money Market or IRA). For the next part of the scam, they will say they need to talk to their ‘senior’ about reversing or correcting YOUR error. They may put you on hold or mute, talk to someone next to them, or even transfer you. At that point they say they cannot reverse this. However, instead of having your bank reverse it, they tell you to withdraw the cash (and not from the checking account). Furthermore, it is very important NOT to tell anyone why you are withdrawing such a large amount; if probed, just say it is personal. Based on the address you provided on the form, the scammer then instructs you to go to a local Walgreens, CVS, Target, Walmart, etc. and purchase several gift cards for the amount of the extra refund. They will want you to remain on the phone with them as you do this, or ask you to call them after you have bought the gift cards. Most common are Target and Google Play gift cards. They will then ask you to read off the numbers on the back of the card (which gives them instant access to the gift card’s balance).
The victim returns home, goes back onto their bank site, and discovers the money ‘refunded’ was never in their account in the first place; they are now out the additional money from the gift cards (which have already been redeemed).

Since more merchants are being proactive in regards to gift card scams, the scammers are adapting. They may ask you to set up a Zelle (instant money transfer service) account through your bank. It is important to note Zelle does have two-factor authentication or verification/confirmation, where a code is sent via text to your mobile phone. Furthermore, the text message almost always warns never to give out this code. Nonetheless the scammers will make up a plausible excuse as to why they need the verification code. Another technique is to have the victim set up a Coinbase (wallet/brokerage for cryptocurrency) account and add a credit card to it. Again, the scammer has full access to your computer and can look at the passwords stored in your browser. They may have you set up a ‘test or dummy’ transaction. What they are going to do is use your credit card to buy Bitcoin or other cryptocurrency (which, by the way, is reported to the IRS). While they black out your screen again, they will change the email/password on the Coinbase account to lock you out AND keep using your credit card on the account. Lastly, they may simply ask the victim to go to ‘The UPS or The FedEx’ to send the cash overnight. This is illegal, which they are well aware of, and they will instruct you on how to ‘hide’ the money. They may have you put the money between the pages of a hardcover book. They may have you saran wrap the money (so dogs cannot detect it) and/or wrap it in foil (so it cannot be x-rayed). They will give you an address to send the package to, usually with a (fake) business name but a real contact person (a money mule). If you were to Google the address, 99% of the time it is a private residence or a hotel. The scammers will usually rent an Airbnb for the next day (and never check in). This is simply a burner address; they will use a different address the following day to avoid detection.
The scammers of course will ask for the UPS/FedEx tracking number so they can follow the shipment and then instruct the money mule when to be at the address to get the package. The money mule will usually be waiting for the UPS or FedEx driver and intercept them before they even get to the door. A signature and ID are usually required, which is why they will use a real name (or likely a name on a fake ID). These mules are just middle people who collect the packages. The packages are then handed off to a supervisor who pays the mule (could be $50 to $100 per package, with 7 to 10 packages a day). The ‘supervisor’ will record themselves opening the packages, take their share and ‘launder’ the rest, usually into cryptocurrency.

What should have been a simple 10-15 minute phone call has now lasted hours, and the victim has been defrauded of their savings. The scammers usually target older adults who ‘want to do the right thing’, are not as tech-savvy, and often feel embarrassed or foolish that they fell for the scam, and therefore do not report it to the local/national authorities. Here’s what you can do to protect yourself (and your family/friends):

  • Review the email carefully. Look for typos and grammar errors, and check the email address. Is it from a .COM or .NET, or that of your country (.CA for Canada, .CO.UK or .NET.UK for the UK)? A .club or .info or any other non-common (.COM/.NET/.ORG) TLD is usually a red flag. When in doubt do a Google search for the TLD. For example, .CO can be used as an abbreviation for company or corporation and is typically used when the .COM version is already taken. However, .CO is what is called a ccTLD or Country Code Top Level Domain, and is the domain for the country of Colombia.
  • Never call the number or click a link provided in the email. In the case of the robo-calls, just hang up and block the number. If you are unsure, Google the phone number, and if the first results are not the company’s website it is a scam. If the call claims to be from your utility company or Internet Provider, hang up and call them using the number on your bill.
  • Check your credit card/bank and see if there really is a transaction for that amount and from that merchant. 99% of the time there will not be. If there is, there will be a phone number as well. Again, do your research and verify the phone number before calling. If in doubt, call your bank or card issuer and report the fraud. The same applies for calls or emails from Amazon or Walmart, or any other popular merchant you may actually do business with. Log into your account as you normally do from your browser and check to see if there is such a transaction. If there is, contact customer support from within their website/your account. DO NOT Google Amazon or Walmart customer support, as very likely the first results are paid fakes.
  • If you do call the company for a refund, they WILL process the refund on their end without any interaction from you (they may ask you to cancel the service). If they start asking for banking information or sensitive personal information (date of birth, license number, social security number or mother’s maiden name), hang up and take the matter up with your bank or credit card company. If they want you to download and install software, hang up.
  • If you have installed said software, shut down your computer immediately by holding down the power button for about 5 seconds. Unplug your modem/router, then power on the computer again and remove the software. With your modem/router disconnected the scammers cannot remotely access your computer and try to prevent you from removing the software.
  • Sadly, a lot of US-based companies have outsourced their customer support to India, so just because the person you are speaking to has an Indian accent does not mean it is a fake company or a scammer. However, most US companies that have outsourced will have support agents who speak English very well (good grammar) and have expectations/policies in place on how they interact with a customer. If the agent is cursing and/or yelling/screaming or threatening you, it is a scammer. A real support agent would be fired on the spot for such abusive behavior.
  • Most importantly, the phone call (at least the portion spent talking to the agent) should only last 10 minutes. If you have been on the phone speaking to an agent for a lot longer just to get a refund, it is a scam.
  • NEVER send cash via USPS/FedEx/UPS; not only is this illegal, but there is no way you will ever get your money back. NEVER purchase gift cards as a form of payment; after all, they are meant to be used as GIFTS. Never give out the number on the back of the card over the phone or type it into a scammer’s form/site, as they will transfer the money off the cards that instant.
  • If a scammer has claimed they transferred money into your bank account while having remote access to your computer, double check on another computer or your phone. Chances are what you see there will not be the same as what shows up on the compromised computer. Also, many times it can take a day or two for a real refund to show on your bank or credit card; it is very rarely instantaneous.
  • DO NOT send money via Western Union or Zelle to someone you don’t know. Never set up a Coinbase account to get a refund. Again, the scammers will temporarily lock you out of your PC while they change the password and email on the Coinbase account. Fortunately, many credit card companies impose strict limits on cryptocurrency transactions or prohibit them altogether, minimizing the amount of money you can possibly lose. Also, again, ALL cryptocurrency transactions must be reported to the IRS (or your country’s tax authority), to which you will need to prove you were a victim of fraud.
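As an added example (not part of the original post), here is a small Python script that applies the sender-address checks described in the Refund Scam section and in the first bullet above: it parses the From: header, separates the displayed name from the real address, and flags a brand name that does not match the registered domain, a hyphenated look-alike such as pay-pal, and an uncommon TLD such as .club or .info. The brand-to-domain table, the list of ‘common’ suffixes and the sample headers are constructed assumptions for illustration, not a real allowlist.

```python
"""Sender-address red-flag checks for 'refund' scam emails.

Added example, not from the original post. The brand/domain tables below are
illustrative assumptions (a real deployment would use the brand's published
sending domains and a proper public-suffix list).
"""
import re
from email.utils import parseaddr

# Assumption: domains each brand really sends from (illustrative, incomplete).
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.ca", "amazon.co.uk"},
    "microsoft": {"microsoft.com"},
    "netflix": {"netflix.com"},
}

# Suffixes that are unremarkable for a large merchant's billing mail.
COMMON_SUFFIXES = {"com", "net", "org"}
# Country suffixes with a second-level label; the registered name sits one label deeper.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "net.uk", "com.au", "co.nz"}


def split_domain(host):
    """Split a hostname into (registered name, public suffix).

    'mail.pay-pal.club' -> ('pay-pal', 'club'); 'amazon.co.uk' -> ('amazon', 'co.uk').
    A tiny stand-in for a real public-suffix list (assumption).
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def brands_mentioned(text):
    """Brand names that appear in text once dashes, dots and spaces are stripped."""
    flat = re.sub(r"[^a-z]", "", text.lower())
    return {brand for brand in KNOWN_BRAND_DOMAINS if brand in flat}


def check_sender(from_header, home_country_tlds=("ca",)):
    """Return a list of red flags for a From: header value (empty list = nothing odd)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable sender address"]
    host = addr.rsplit("@", 1)[1]
    name, suffix = split_domain(host)
    registered = f"{name}.{suffix}" if suffix else name
    flags = []

    # 1. The display name or hostname invokes a brand, but the mail is not from that brand's domain.
    for brand in sorted(brands_mentioned(display) | brands_mentioned(host)):
        if registered not in KNOWN_BRAND_DOMAINS[brand]:
            flags.append(f"claims {brand} but sender domain is {registered}")
        # 2. Hyphenated look-alike: 'pay-pal' reads as 'paypal' but is a different name.
        if "-" in name and brand in name.replace("-", ""):
            flags.append(f"hyphenated look-alike '{name}' mimics '{brand}'")

    # 3. A TLD no large merchant uses for billing mail is a red flag on its own.
    if (suffix not in COMMON_SUFFIXES and suffix not in MULTI_PART_SUFFIXES
            and suffix not in home_country_tlds):
        flags.append(f"uncommon top-level domain '.{suffix}'")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for header in ("PayPal <service@pay-pal.club>",
                   "PayPal <service@paypal.com>",
                   "PayPal Billing <paypalbilling@gmail.com>",
                   "Amazon <orders@amazon.com.refund-center.info>",
                   "Amazon.co.uk <no-reply@amazon.co.uk>"):
        print(header, "->", check_sender(header) or "no red flags")
```

The checks are deliberately independent: a mail from paypalbilling@gmail.com trips only the brand/domain mismatch, while pay-pal.club trips all three, which is the pattern described above.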

Below are three YouTube content creators who have dedicated their time and resources to educating people and showing how these scammers work. Some have even turned the tables on the scammers:

  • Jim Browning (Tech Support Scams). Based in the UK. His channel shows him tracking and identifying scammers who knock on his front door, call, or shove pop-ups onto computer screens. His videos show how sophisticated, organized, in-depth and downright convincing these scams are.
  • Scammer Payback. Based in the US. His channel is all about bringing awareness to this critical problem with humor and fun. Like Jim Browning, he takes advantage of the scammers’ use of remote connection software, as it works BOTH ways: while the scammer has access to YOUR PC, you have access to the SCAMMER’S PC as well.
  • Mark Rober. Also based in the US, he is a former NASA and Apple engineer, well known for his ‘Glitter Bomb’ packages, first used to foil porch pirates and since used to catch money mule ‘supervisors’ red (well, in this case multi-colored and sparkly) handed. Sadly, for legal reasons he is not able to sell his Glitter Bomb packages, as much as many of us would love to bait a porch pirate.