Everything to know about Tech Support Scams

Singaporeans are increasingly being targeted for Tech Support Scams. According to the Singapore Police Force, the overall number of Tech Support Scams reported in 2020 have more than doubled since 2019, resulting in 507 cases. A total of S$22.8 million was lost to such scams, which is a 63% increase as compared to 2019.

This is also a trend observed by software giant, Microsoft, in its Global Tech Support Scam Research. The study found that 1 in 3 individuals in Singapore received an unsolicited call in 2021, almost twice the number as compared to 2018. This was also significantly higher than the global average of just 25%.

With individuals and businesses clearly becoming the subject of more Tech Support Scams in Singapore, and work-from-home arrangements potentially creating more opportunities for scammers to target remote workers, it is paramount for employees to be educated on its perils. This will help them (and your business) better identify such scams and avoid becoming a victim.

What is a Tech Support Scam?

At its heart, Tech Support Scam is a type of impersonation scam. The scammers would pretend to be computer technicians from financial institutions, government agencies or reputable telecommunication/IT companies, and claim that there are problems with your computer.

While this is commonly associated with receiving telephone calls, other methods are also used to prey on unsuspecting victims. These include unsolicited emails (which could fall under Business Email Compromise Scams), website redirects, pop-up windows and ads.

Scammers may also employ creative strategies such as pretending to provide a refund for a digital service you have never purchased or asking to verify credit card details for services you may have subscribed to. Regardless of the strategy, they are ultimately trying to cheat you by stealing sensitive personal/business information, or getting you to make payment for a service/product you don’t need (which probably doesn’t exist either).

According to the Microsoft study, victims are usually asked to:

• Download a software (30%)
• Go to a specific website (29%)
• Buy a service/product (27%)
• Run security scan showing virus infection (24%)
• Give remote access (22%)
• Disclose credit card information or other payment information (22%)
• Type something into their computers (20%)
• Download software on their individual computers (18%)
• Give personal details like full name and NRIC (17%)
• Go to their banking website (16%)

As you can tell, multiple instructions could be given to victims during a call. Even if an individual is not immediately scammed or asked to provide payment, downloading an unknown software and collecting sensitive data could lead to other types of attacks in the future. This also makes it less obvious that they are being scammed. The same study also found that 27% of individuals have engaged with a scammer, and more than half of them would either lose money to the scam or spend money to check and repair their devices.

Here’s how a Tech Support Scam is typically carried out

Charles is an admin manager at XYZ Pte Ltd. While working from home, he receives a phone call from David, an "employee" of a reputable Telco company.

David shares that they have detected abnormal behaviour from third parties trying to access the company’s network which is causing it to slow down. Charles has indeed been experiencing slower network speeds and complies with David's instructions. To prevent the attackers from hacking the company’s network, David instructs Charles to grant him access to the computer so that he can make the necessary updates. As such, Charles downloads and installs remote access softwares such as TeamViewer, Anydesk and UltraViewer.

After providing remote access to David, he runs some technical tests. While doing this, he also asks Charles to log in to various accounts, including his online banking account. Charles then receives notifications of transactions being performed, but David informs him that these are just test messages and asks him to ignore it. He then informs Charles that the matter has been resolved.

A few days later, Charles notices that some company funds are missing. Upon further inspection, he realises that he was the one who provided authorisation for the transfers.

After speaking to the police, Charles finds out that the call he had taken a few days ago was from a scammer, who had gained access to his device and performed fraudulent transactions after he had unwittingly revealed his banking credentials.

What can a business do to prevent Tech Support Scams?

Never take scams for granted in your organisation as anyone can fall for them. In the Microsoft study, Gen Z (aged 18-23), Millennials (aged 24-37), and males were more likely to continue a scam interaction and go on to lose money. These groups of individuals may consider themselves more digitally savvy or aware of scams, but are actually more prone to being scammed.

As a business, you should also identify the red flags of a Tech Support Scam and ensure that everyone in the company is familiar with them. If you are unsure or are under the pressure of time, don’t panic – this is the aim of Tech Support Scams.

Contact your company’s IT department or simply hang up on the call and call back the service provider via the official number to verify the issue.

Some things that should trigger an alarm bell include:

• Anyone who calls you with news to make you feel vulnerable, such as the security of your internet, computer device, or company’s network.
• Any cold calls that lead to free or paid software upgrades.
• Any incoming calls with a prefixed plus sign “+”, as this is a measure put in place by IMDA to help users better identify that these may be international incoming spoof calls. Local calls will not appear with the “+” prefix.

Businesses should also educate employees on the preventive measures they can take:

• Ignore any instructions to download and install softwares, type commands into your computer, or click on URLs provided by the caller, regardless of the presumed urgency. Scammers may also use Caller ID spoofing technology to mask the actual phone number and display a different number.
• Beware of unsolicited calls or pop-up messages from people claiming that they are a staff of a telecommunication service providers , financial institution or from a government agency, even if they claim that there are issues with your telecommunication devices or allege that you are implicated in a criminal offence. When in doubt, always call the official hotline of your telecommunication service provider, financial institution, or government agency to verify.
• Never divulge personal, company or banking data to callers, especially online banking login credentials and credit card numbers. Do not give out any One-Time Password or provide OneToken authorisation without knowing what the transaction is being used for.

Another thing you can do is to encourage everyone in your company to stay up to date with scams and related scam stories in Singapore on the Scam Alert website or the SingCERT website.

You can also protect your business by improving your company’s IT infrastructure via the SME Digital Hub, where you can leverage the expertise of cybersecurity specialists who have over 30 years of experience. They will be able to advise you on the pre-approved solutions covered under government funding. Such solutions may be covered under the Productivity Solutions Grant (PSG) as well, which provides up to 80% government co-funding until 31 March 2022.

Under the SME Go Digital programme, SMEs can also tap on the CTO-as-a-service (CTOaas) to gain access to a shared pool of skilled CTOs for more in-depth digital advisory, such as cybersecurity and digitalisation. There will be CTO-equivalents managed by IT consulting firms appointed by IMDA. This will give SMEs tailored recommendations on digital solutions and consultancy without having to spend an excess amount to build an internal tech team that may lack scale and in-house resources.