With business communication becoming less face-to-face and more virtual, criminals could contact your firm disguised as a customer support specialist from one of your vendors.
According to a recent press release from the FBI Internet Crime Complaint Center (IC3), 2021 saw an increase in the number of complaints about the impersonation of customer support pros.
These crooks tell your team they’re from a well-known company’s customer support department and that they’ve been asked by someone in your organization to resolve a serious issue. Examples include a compromised email or bank account and computer viruses.
IC3 reports that many victims of customer support scams are directed to make wire transfers – typically to overseas accounts – or pay using prepaid cards. Fraudsters are also stealing from businesses via their cryptocurrency accounts.
Here are some of the ways criminals are attempting to steal company money, access your files, install malware, harm your network and damage your business.
What the scams look like
Tech support scammers: They call your staffers and, mentioning a lot of technical terms, try to convince them there’s a technology problem that doesn’t actually exist. They may ask your people to open some files or run a scan on their computer. Then, they’ll ask you to purchase services you don’t need, such as renewing a software license or security subscription, or enrolling in a worthless warranty program.
Travel industry scammers: Your road warriors need to be on their guard. Crooks are impersonating customer support personnel from rental car, airline and hotel companies, and offering a “great deal” or taking fake reservations. Payment is usually requested by prepaid card. Victims arrive at the reservation counter to find there’s no car, hotel or flight reservation under their name.
Cryptocurrency support impersonators: They call, text or email to “alert” you about a security problem with the company crypto wallet. To fix it, they either need access to the wallet, or to transfer currency to another wallet to “safeguard” the contents. Also, fraudsters create fake support sites to entice crypto-owners to contact them directly and convince them to provide login information.
Utility company scammers: Someone impersonating a utility or internet provider company representative claims your company has an unpaid bill that A/P must pay immediately to avoid having service discontinued. An alternate version of the scam involves a rep calling to offer “great savings” for your business.
Banking support impersonators: When calling or texting to report a fake issue with a company account, they’ll try to trick a staffer into providing access to their credentials to correct the issue. The scammer then uses the access to make transfers from the account and other accounts associated with it.
Warding off bogus customer support
Because cybercriminals are experts in exploiting human nature, your team members could use some key security reminders:
- Legitimate customer, security or tech support teams don’t initiate contact out of the blue. (You may want to share this fact with your customers and clients, as well.)
- If you don’t know the person, or can’t easily verify who they are, they shouldn’t be given remote access to devices or accounts.
- Avoid using customer support contact information obtained via an internet search. Phone numbers that pop up in a “sponsored” search results section are likely there as a result of boosted search engine advertising. Instead, use the contact info listed on the company’s official website.
- Resist being pressured to act fast. (It’s a go-to criminal tactic.)
- Ensure that all antivirus, security and malware protection is up to date.
In addition, you may want to huddle with IT about possibly installing ad-blocking software to reduce popups and “malvertising,” which is online advertising intended to spread malware. The Federal Trade Commission (FTC) has some examples of what that looks like on its website.
In case of a breach
If a leak of sensitive data may have happened, IC3 says to:
- call a trusted contact at your financial institutions immediately to stop/reverse fraudulent transactions and protect your accounts
- let IT know what’s going on because they may have to check your company network for problems
- update your security software and run a scan to check for potentially malicious software installed by scammers
- change all device passwords that may have been compromised
- be on the lookout for additional fraud attempts by other scammers (they often share their victim database information), and
- file a complaint at www.ic3.gov.
When you contact IC3, they’ll want as much info as possible, such as:
- identifying information of the criminal and company, including websites, phone numbers and email addresses
- the account names and financial institutions where funds were supposed to be sent, even if no funds were actually lost (e.g., bank account number, wire transfers, prepaid card payments or cryptocurrency wallets)
- description of the interaction with the criminal, and
- any email, website or link that caused a pop-up or locked screen.
The FTC also may be able to help. Visit ReportFraud.FTC.gov.
It’s a good idea to hold onto any original communication documentation from scammers, including emails, faxes and communication logs.