An employee gets a phone call, pop-up, or email warning about a problem with the office computer. In an effort to be helpful – or perhaps concerned they clicked on something that caused the glitch – the employee follows instructions to send money, turn over personal information, or provide access to your system. As a small business owner, you know it’s a tech support scam, but are you sure every member of your team has the savvy to spot it? The FTC has new resources to help protect your company from cybersecurity risks, including tech support scams.
How the Scam Works
Scammers often pretend to be from a well-known computer-related company. They use confusing tech talk and smoke-and-mirrors chicanery – perhaps a bogus “scan” of your system – to convince your employee that emergency action is necessary.
The next step varies depending on what the scammer is after. Data thieves may propose a “fix” that gives them remote access to your network. Once in, they steal sensitive data or install malware to facilitate future invasions.
Others just care about the cash. They may try to convince your employee to enroll in a worthless computer “maintenance” or “warranty” program. Or they’ll ask for a credit card number so they can bill your business for bogus repairs. In a variation on the scam, they may direct your staffer to a website where they ask for account information, passwords, or personal data.
How To Protect Your Business
If someone calls your employee and says there’s a problem with the computer – even if it looks like a local number or the caller ID says it’s from a well-known company – instruct your staffer to hang up.
If it’s an email that appears to come from a trusted business, don’t respond. Don’t click on any links. Don’t share passwords. And don’t call a phone number in the message.
If it arrives as a pop-up, the advice is the same: Don’t respond. Don’t click. Don’t share. Don’t call. Tech support scammers are experts at falsifying caller IDs, email addresses, URLs, etc. So those aren’t reliable methods for separating the tricky from the trustworthy.
Of course, some pop-up messages about computer issues are legitimate and sometimes your IT people need to talk to a staffer. Train your employees to respond by calling or emailing a co-worker you designate, using a number or address you have provided in advance.
What To Do If You’re Scammed
If someone at your business has shared a password with a scammer, change it on every account that uses that password. Insist on unique passwords for each account.
To protect against malware, use legitimate security software and keep it current. Use the software’s scan feature and delete anything it flags as a problem. If you need help, consult a trusted security professional in your community. If a computer infected by malware is connected to your network, you or a security professional should check the entire network for intrusions. Report an attack right away at FTC.gov/complaint.
If an employee bought bogus services from a tech support scammer, ask your credit card company to reverse the charges. Keep checking your monthly statements to make sure the scammer doesn’t try to go back for seconds – and report it to the FTC.
Raise these points at your next staff meeting, using this factsheet as a discussion starter.
Next: Vendor security
3 Comments
Read Our Privacy Act Statement
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
Comment Policy
This is a moderated blog; we review all comments before they are posted. We expect participants to treat each other and the bloggers with respect. We will not post comments that do not comply with our commenting policy. We may edit comments to remove links to commercial websites or personal information before posting them.
We won’t post:
Comments submitted to this blog become part of the public domain. To protect your privacy and the privacy of others, please do not include personal information. Also, do not use this blog to report fraud; instead, file a complaint.