An employee gets a phone call, pop-up, or email warning about a problem with the office computer. In an effort to be helpful – or perhaps concerned they clicked on something that caused the glitch – the employee follows instructions to send money, turn over personal information, or provide access to your system. As a small business owner, you know it’s a tech support scam, but are you sure every member of your team has the savvy to spot it? The FTC has new resources to help protect your company from cybersecurity risks, including tech support scams.
How the Scam Works
Scammers often pretend to be from a well-known computer-related company. They use confusing tech talk and smoke-and-mirrors chicanery – perhaps a bogus “scan” of your system – to convince your employee that emergency action is necessary.
The next step varies depending on what the scammer is after. Data thieves may propose a “fix” that gives them remote access to your network. Once in, they steal sensitive data or install malware to facilitate future invasions.
Others just care about the cash. They may try to convince your employee to enroll in a worthless computer “maintenance” or “warranty” program. Or they’ll ask for a credit card number so they can bill your business for bogus repairs. In a variation on the scam, they may direct your staffer to a website where they ask for account information, passwords, or personal data.
How To Protect Your Business
If someone calls your employee and says there’s a problem with the computer – even if it looks like a local number or the caller ID says it’s from a well-known company – instruct your staffer to hang up.
If it’s an email that appears to come from a trusted business, don’t respond. Don’t click on any links. Don’t share passwords. And don’t call a phone number in the message.
If it arrives as a pop-up, the advice is the same: Don’t respond. Don’t click. Don’t share. Don’t call. Tech support scammers are experts at falsifying caller IDs, email addresses, URLs, etc. So those aren’t reliable methods for separating the tricky from the trustworthy.
Of course, some pop-up messages about computer issues are legitimate and sometimes your IT people need to talk to a staffer. Train your employees to respond by calling or emailing a co-worker you designate, using a number or address you have provided in advance.
What To Do If You’re Scammed
If someone at your business has shared a password with a scammer, change it on every account that uses that password. Insist on unique passwords for each account.
To protect against malware, use legitimate security software and keep it current. Use the software’s scan feature and delete anything it flags as a problem. If you need help, consult a trusted security professional in your community. If a computer infected by malware is connected to your network, you or a security professional should check the entire network for intrusions. Report an attack right away at FTC.gov/complaint.
If an employee bought bogus services from a tech support scammer, ask your credit card company to reverse the charges. Keep checking your monthly statements to make sure the scammer doesn’t try to go back for seconds – and report it to the FTC.
Raise these points at your next staff meeting, using this factsheet as a discussion starter.
Next: Vendor security
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.