It starts with a phone call, an email, or an unexpected pop-up playing to the heart of every tech user’s fears: a virus has infected your device, your personal data is at risk, and you must act immediately to protect yourself against fraud and financial loss.
Monica Ackroyd, a retired woman who lives in the United Kingdom, was deluged by dozens of calls over a few weeks. “Between three and four weeks I must have had 30 to 40 calls purporting to be from my internet service provider,” she says.
Each time, the caller tried to convince Monica that there was a problem with her computer, but she was suspicious and always hung up. An acquaintance had not been so lucky.
“I do know someone who did fall for it and they lost over £6,000,” she says. “These were retired people. I just feel so cross that it could happen to somebody of my age group and they lose everything.”
Monica had narrowly escaped becoming one of the thousands of victims of the insidious technical support scams, in which international cybercriminals have harnessed paranoia about online security and turned it into a multimillion-dollar illicit enterprise. Hundreds of thousands of people have lost money to the tech support scammers, paying for non-existent products to fix non-existent problems. In more serious cases, they have lost large sums due to compromised bank details or payments to fix viruses which the scammers have planted on the computer via remote access.
“They use that universal acceptance of these big tech giants and their reputation to convince people,” says John McHugh, a senior investigator from Microsoft’s Digital Crimes Unit (DCU). “Once they’ve made the call it’s all about social engineering. It’s all about convincing that person that they have a problem and the scammer is there to help.”
This is an industry-wide problem and the impact can be devastating. Currently around 11,000 reports of technical support scams are made to Microsoft each month, with each person losing an average of €300. In one case, an individual lost €97,000 – and the impact goes deeper than people’s wallets.
“There’s a huge impact when people find out they’ve been scammed,” says McHugh.
“If every time you pick up your phone to answer a call or surf online, you fear being scammed, then you are losing your trust in technology and that’s a sad thing.”
When the first reports of the con started emerging, the criminals were mainly targeting senior citizens via the telephone, exploiting a perceived lack of technical knowledge in an older demographic. But they are increasingly targeting Gen Z and millennials, using pop-up windows and exploiting the younger generation’s familiarity with and extensive use of the online world to net millions of euros. While the older generation continue to be vulnerable targets, a recent survey by Microsoft found that Gen Z and millennials were the most likely to continue interactions with a fraudster and lose money to technical support scams.
Victims are all over the world. While up to 75% of tech support scams are reported to Microsoft in North America, large financial losses are also being reported in India, China and many European countries. And while the scammers used to speak only English, the police have detected people now being targeted in their native languages.
The increasing sophistication, frequency and global reach of the criminals present a challenge for law enforcement.
“As hard as we try to keep pace with this threat, it would be fair to say that the offenders are to some degree more agile than us,” says Jonathan Frost, Programme Director for the City of London Police’s National Fraud Intelligence Bureau.
One scam could use a call center in India, an individual in the United Kingdom to receive a cheque, and a bank in Panama to process that payment.
“The cross-border nature of cybercrime creates safe havens for cybercriminals who operate outside law enforcement’s jurisdiction,” says Juan Hardoy, who leads Microsoft’s DCU for Europe, the Middle East and Africa. “The cybercriminal is operating in one country, the critical infrastructure is in a second country, and the victims are spread out across the world. That’s done intentionally so that there are less incentives to pursue them criminally outside their jurisdiction and also it is more difficult to gather the evidence to prosecute them.”
This is where Microsoft has an advantage. Its Digital Crimes Unit fights cybercrime through a combination of technology, forensics, civil actions, criminal referrals, and public/private partnerships. Crucial to tracking down the tech scammers is a system whereby the DCU analyses pop-up boxes targeting users on the Internet and passes them on to law enforcement for further investigation. Machine learning and artificial intelligence are deployed to sift through the tens of thousands of pop-ups appearing every day and to pull out those which relate to the scams. Now, DCU investigators around the globe can connect consumer complaints to pop-up images to gain intelligence in real time, understand trends and help strengthen legal cases against the criminals.
At the same time Microsoft is working with international experts to develop methods of using technology to disrupt this crime, for example stopping fraudulent pop-ups before consumers see them.
But challenges remain. Even if the analytics are able to pinpoint a call center in India from which they believe the scammers are operating, it is a cumbersome and slow process for police in Europe or the U.S. to request and obtain international legal assistance. Despite limitations, international cooperation is not impossible. For example, earlier this month, Indian police arrested 24 individuals in a raid against 9 call centers in 10 different locations in the cities of Janakpuri, Rohini, Pitampura, Shahdara, Sarita Vihar and other areas based on a complaint filed by Microsoft in New Delhi.
While there have been law enforcement successes – in the UK, too, four people were arrested last year on charges related to tech scams – police are also looking for creative solutions.
“We realize that we can’t necessarily arrest our way out of a problem,” says Frost. “We need to focus on the individual moving parts of the criminal conspiracy, to either reduce their availability, make them more costly, or ideally, prevent them being available at all.”
This means working directly with the banks, giving them red flags to look out for, which could suggest a transaction related to a technical support scam. The police also work with telecoms companies, legitimate payment processing portals, remote access providers, and website hosting services, enlisting their help in disrupting the workings of the scammers.
And in another creative solution, a dedicated expert paid for by Microsoft has been embedded within the City of London police for three years, bringing his technical know-how to the investigative team.
“That’s the formula that we see works – public-private partnerships,” says Hardoy. In an effort to beat the scammers, Microsoft now has memorandums of understanding with law enforcement entities across the globe and collaborates with multinational organizations like Europol and Interpol.
Hardoy also advocates for enhancing the international framework for law enforcement cooperation to improve cross-border access to data for investigations and help the police act as quickly as the criminals.
“The system of Mutual Legal Assistance treaties (MLATs) was not designed for these types of digital crimes,” he says.
For him, the proposed legislation to improve cross border access to electronic evidence in criminal matters across Europe is yet another important step on the path towards a more coherent international framework that may inspire others to follow the EU’s example.
Another crucial step in combatting the tech scams is making people aware of the dangers, and Microsoft has launched appropriate public information campaigns targeting different demographics and set up a web page dedicated to reporting the scams. Working with consumer trade agencies like the Federal Trade Commission in the US as well as consumer organizations in Europe is also key to helping get the message across.
“The solution needs to be a multi-pronged approach,” says John McHugh. “We’re looking at education, technical disruption, and enforcement.”
With so many different entities on board – from the banks and the telecoms companies to the police and consumer agencies – McHugh is optimistic that the partnerships will pay off.
“Everybody is already involved, sitting around the table looking for the solutions,” he says. “We have the capability to do this, we just need to be coordinated.”