FTC fights the cybercrooks who put CryptoLocker to shame


Take this test!

Put a name to the clear and present cybercrime danger that:

  1. Deliberately preys on users who are less well informed or prepared than average.
  2. Messes around with your data.
  3. Blackmails you into paying about $300.
  4. Makes you wonder if the crooks will be back, and if so, when?

You might be thinking, “CryptoLocker,” but I’m talking about crookery that is in many ways much worse: fake support call scams.

Throughout the English speaking world, including at least the USA, Canada, UK, South Africa, Australia and New Zealand, innocent people, minding their own business, are being plagued by these callous callers.

Fortunately, the call scammers have stuck to a standard formula, which makes it easy (for now) to advise your friends and family on what to look out for; unfortunately, this consistency tells us they’re still making money without an awful lot of effort.

How the scam works

You’re probably aware of how it goes, but I’ll review it here:

1. You get a call out of the blue. Usually it seems to come from a local phone number, so if you’re in Sydney, Australia, your phone will show a number like +61.2.8xxx.xxxx; if you’re in Oxford, you’ll probably see +44.1865.xxx.xxx; and so on.

2. The caller will tell you – or almost tell you – he’s from Microsoft. Or Dell. Or McAfee. Or, for that matter, Sophos. Maybe because some lawyer said it would make a difference, he probably won’t state outright he’s an employee of Sophos, or McAfee, or whomever, but will use weasel words like “I’m working with XYZ support.”

3. He’ll tell you your computer has a virus, and you need help. He may be cajoling, or sympathetic, or stern, or even downright threatening. However he chooses to behave, one thing is for sure: there isn’t much that will make him take “No” for an answer.

→ Saying you had a Mac, or that you didn’t have a computer at all, used to shut these guys up. But even that isn’t guaranteed. The only thing that really works is to hang up immediately. Don’t argue. Don’t rant and rave. Hang up, right away, without saying a single word. Mr Miagi’s Karate Kid defence: “Best way to avoid punch – no be there.”

4. He’ll get you to open the Windows Event Viewer.

5. He’ll find an innocent error message with a nice, loud warning triangle or a bright red X, and tell you that’s because you’re infected.

6. He’ll get you to give him remote access to your PC, using a legitimate remote support service. Because you can see what’s he’s up to, due to it being a legitimate “dual control” remote access service, you might feel slightly less uneasy about letting an unknown outsider in.

→ You can expect any sympathy to evaporate about now, and for the tenor of the call to become much more threatening. After all, if you did have a virus, you probably would be causing hassles for other internet users: spamming them, for example, or racking up bogus connections to their web server. So the fake call scammers exploit this to leave you wondering if you might end up in trouble – with the authorities, with your ISP, with the imaginary company you might inadvertently be attacking – and use your concern to intimidate you into what comes next.

7. He’ll rummage around in a visually interesting but technically pointless way for a while, and then claim to have fixed a security problem you didn’t have.

8. And then he’ll take $300 off you, in return for nothing.

→ Worse than nothing, in fact. At best, he’s tricked you into believing you are more secure than before, which is false. At worst, for all you know, he’s stolen data, planted new malware for some repeat business, or simply messed up something through ineptitude.

Almost all of these calls seem to come out of India – a sort of alternative call centre business that seems to be bringing plenty of money into that country’s economy.

But these callers, and the businesses that employ them, are not exactly a good advert for India as an outsourcing centre: they are demanding money by threatening you; they’re charging you for a service you didn’t need, and that in any case they didn’t actually provide; and they typically seem quite unrepentant about it.

They don’t care for Do Not Call registers; they may call over and over again (I have met people who get pestered repeatedly with these phone calls at home, and are powerless to make them stop); and in many cases, they seem to have a fair idea who you are from their cold-calling database, wherever or however they might have acquired it.

You have every right to be worried about this: a cold caller who cares nothing for regulations in your country, who has called you several times before, who doesn’t like to take “No” for an answer, who is rude and intimidating, and whose aim is to extort $300 out of by telling you a giant pack of lies…and as far as you can tell, he knows where you live.

So, what can be done, apart from the swift-and-silent hangup I mentioned above?

Well, the United States Federal Trade Commission (FTC) is trying, and has just achieved a modest success against one such scammer:

It looks as though Mr Pasari folded early, leaving his fellow defendants to the ongoing wrath of the FTC.

Agreeing to pay technically doesn’t make him guilty, but it will cost him $14,369, agreed as the amount he made out of the scams.

How big is the rest of this business?

The FTC has at least six matters on the boil right now, and I suggest you take a few minutes to browse through the open cases.

The FTC has, in my opinion, put together some excellent summaries of how the scams unfold, with a dispassionate and objective explanation of why these guys really do charge for absolutely nothing.

By the way, one of the FTC’s complaints alleges that the perpetrators were able to spend more than $1,000,000 in two years on Google adwords to bring up their phone number when potential victims searched for terms such as “McAfee Customer Support,” “Avast phone number,” and “Norton Support.”

So these guys do indeed also seem to be making lots of money for absolutely nothing.

Don’t let your friends and family fall victim

Here’s what you can do to protect your own friends and family from intimidation and exploitation by these scammers:

  • Make sure they are aware that they should not feel any obligation to accept computer support they didn’t request.
  • Encourage them to hang up silently and swiftly.
  • Offer to help them find a local computer support service if ever they really need one.

Remember that every $300 someone you know puts into the coffers of these bogus givers of support is $300 that is effectively stolen from your local economy.

Say no, and here’s some advice on how:

(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)

Worse than CryptoLocker?

Maybe not, but you can certainly make the case that this scam is as bad.

(For $300, the CryptoLocker guys actually do seem to sell you your data back. I’m not calling that “honour among thieves,” but the call scammers charge you the same money for absolutely nothing.)

What you you think? Let us know in the comments!