By Florin R. Ferrs (Tech Writer)
IT call center scams are as old as the internet (older actually). Still, these scams have grown exponentially in the last few years, preying on the most significant vulnerability inside your network: the human factor.
IT and MSP professionals focus on managing helpdesks that actually help their customers because this is the smartest way to help their businesses grow. It is also true that most IT pros base their entire careers on actually solving customer problems and generally use their helpdesks and call centers as a force of good.
So it comes as no surprise that when the New York Times reported that just one of the hundreds of India-based "pirate" IT call centers currently operating had scammed unsuspecting Americans out of 14 million dollars, honest IT and MSP helpdesk managers shook their heads in disbelief.
It's when the details of the scams come to light, and how they prey on the elderly and vulnerable, that the sheer evil of it all becomes clear. Then there's the massive number of these call centers set up exclusively to run these scams. That's when disbelief turns into anger and the feeling that, as IT pros, we've got to do "something" to prevent our customers and loved ones from becoming the next victims.
Most IT helpdesks and call centers set up by tech companies big and small in India, the Philippines, Mexico, and other developing countries are 100% honest and doing a very tough job for small pay. But the rise of "pirate" IT call centers and helpdesks focused exclusively on scamming unsuspecting vulnerable customers in the West is a stain on an industry that has grown exponentially in the last few years.
The Microsoft Scam
One common scam making the rounds is the so-called Microsoft scam (scammers will generally pretend they work for large, reputable tech companies like Microsoft, Facebook, or Apple, or even the US Government).
The way the scam typically works is that either a robocall leaves an official-sounding voicemail message or a pop-up appears on the victim's screen, informing them that their computer has been infected by a virus or that they've been overcharged by mistake for a Microsoft subscription, and telling them to call a (fake) Microsoft Hotline to solve the issue. Variations of this scam include voicemails from well-known antivirus software companies asking for a callback because the victim was "overcharged" for a subscription.
Once the victim calls this supposed Microsoft Hotline, the "pirate" helpdesk tech will initiate remote access to the victim's computer. Once access is granted, the bad actor will then ask the victim to log into their bank account to receive the refund. Once the victim logs into their bank account, the scammer manipulates the victim's account page's HTML to make it look like they have received a deposit (usually a large amount, around five or ten thousand dollars). Of course, this is all fake, just manipulated HTML, but many victims fall for it.
The next step (as ludicrous as it sounds) involves the scammer telling the victim that they were wired five thousand dollars instead of five hundred dollars (or similar amounts) and that they need the $4500 difference back or the scammer will "get fired" from their job. In a testament to naiveté, or perhaps just a general willingness to trust, the victim is then coached into driving to their nearest big box store like Target, WalMart, or Best Buy to purchase $4500 worth of gift cards. The victim then reads the gift card numbers back to the scammers (or sends them a photo), and the pirate helpdesk artists get away with $4500.
Variations of the scam involve coaching the victim into driving to their bank and wiring large sums of money or simply putting large amounts of cash in an envelope that is then mailed to a US address where the scammer's partners receive the money (usually an Airbnb).
MSP Client Phishing Scam
MSP pros may think that their customers are not vulnerable to the typical call center scam because those scammers prey on the elderly and rely on high amounts of social manipulation and coercion (that is surprisingly effective). Still, a lot of MSP pros have also reported a sharp increase in corporate phishing scams. One recent case saw an MSP customer send 300 W2s to an email scammer.
As call center and corporate phishing scams increase, what additional steps can IT and MSP pros take to protect their customers? Any MSP worth its salt is already managing its customers' spam filters and updating them accordingly, so the answer has to go beyond that.
Fight Back With Awareness & Education
Since most of these scams work by social manipulation vs. your classic hacking, they are in a way harder to combat with the usual tools that IT pros are used to deploying against hackers and other more technical intrusions.
Since education and awareness are the name of the game, here are some bullet points to drill into your team's and your MSP customers' minds. These tips may sound basic and obvious to some, but not having a safety philosophy plugged into day-to-day operations is the reason why scammers make millions of dollars every year.
Things You Must Drill Your MSP Customers On:
- Never use public or unsecured WiFi networks (provide them with a VPN)
- Do not use public or shared computers or devices (see above)
- Use strong, unique passwords with two-factor authentication (help them manage this)
- Always verify that you are accessing an official URL (educate users on the correct URLs)
- MFA everything possible in the network, even personal accounts (set it up for them)
- Create a culture where "If you're not 100% sure it's legit, ask your IT manager"
- Ensure that your customers remember that Apple, Microsoft, BofA, Google, their bank, the IRS, whoever, will never call or reach out to them asking to verify logins, account numbers, etc.
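The "verify that you are accessing an official URL" tip is easier to teach when the user has something concrete to run. The following added example (not from the article, and not a tool any vendor named above ships) classifies a URL against a small allowlist of official domains. The allowlist and all sample URLs are constructed, and the two-label "registrable domain" rule is a deliberate simplification (it breaks on suffixes like .co.uk, where a public-suffix list would be needed). It catches the three tricks that most often fool the "it says microsoft.com right there" check: an official name buried inside a longer host, credentials placed before an `@` so the real host is hidden, and one-character typosquats.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the customer should actually be signing in to.
OFFICIAL_DOMAINS = {"microsoft.com", "apple.com", "google.com", "bankofamerica.com", "irs.gov"}


def edit_distance(a, b):
    """Levenshtein distance; used to flag one-character typosquats such as micr0soft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host (simplification: ignores multi-label public suffixes)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url):
    """Return (verdict, reason) where verdict is 'official', 'suspicious' or 'unknown'."""
    url = url.strip()
    # Users often paste a bare host; treat it as a web URL unless it already carries a scheme.
    if "://" not in url and ":" not in url.split("/")[0]:
        url = "https://" + url
    parts = urlsplit(url)
    host = parts.hostname  # lowercased; userinfo and port are already stripped off
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious", "not a web URL (scheme %r)" % parts.scheme
    if parts.username is not None:
        # https://microsoft.com@refund-center.example/ : the browser connects to the host after '@'
        return "suspicious", "credentials before '@'; the real host is %s" % host
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official", "%s is under an official domain" % host
    reg = registrable_domain(host)
    for d in OFFICIAL_DOMAINS:
        if d in host:
            # Official name used as a decoy inside a host registered elsewhere.
            return "suspicious", "%s embeds %s but is registered as %s" % (host, d, reg)
        if edit_distance(reg, d) == 1:
            return "suspicious", "%s is one character away from %s" % (reg, d)
    return "unknown", "%s is not on the official list; ask before trusting it" % reg


if __name__ == "__main__":
    # Constructed sample URLs of the kind found in scam pop-ups and phishing mail.
    for sample in [
        "https://login.microsoft.com/",
        "microsoft.com/refund",
        "https://www.microsoft.com.refund-center.example/",
        "https://microsoft.com@refund-center.example/",
        "https://micr0soft.com/",
        "https://example.org/",
    ]:
        verdict, reason = classify(sample)
        print("%-12s %-52s %s" % (verdict, sample, reason))
```

The "unknown" verdict is intentional: a URL that is neither official nor obviously fake should route to the "ask your IT manager" culture described in the list rather than to a guess, which is exactly the no-fault habit the next paragraph argues for.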
Create a no-fault security philosophy with your team and MSP customers where it's better to spend five minutes verifying things and being safe than five days being sorry because you were hacked or scammed. This goes for email, logins, the website, everything. When MSP customers are afraid to ask, breaches usually happen, either through phishing or social hacking. This needs to be nurtured and developed both within your MSP and your customer's companies. Most phishing wouldn't happen if people felt free to ask someone if a login request was legit.
IT Call Center Scam Warriors
There are a few self-appointed anti-call center scam warriors out there who have focused their energies on making these scammers waste their time on fake customers by either using bots or socially manipulating them back. The longer these scammers spend with these bots or social warriors, the less time they spend scamming your elderly relatives or your MSP customers. Some of these call center scam warriors take it a step further and use social manipulation to obtain the bank accounts of these scammers (to get them shut down) or use the same remote access the scammer is using to delete the scammer's data (their victim list, bank accounts, etc.).
Here are some examples of these calls. These recordings would be comedy gold if the scammers were not real, but in the case of these calls we can at least rejoice at the fact that the marks are not real, and every minute the scammers waste talking to bots and call center scam warriors is time not spent scamming real people, like your relatives or customers.
Bot Against Windows Scam
Closing Scammers Bank Accounts