Cybersecurity for small business: Tech support scams

used with permission from FTC.gov
Andrew Smith, Director, FTC Bureau of Consumer Protection

An employee gets a phone call, pop-up, or email warning about a problem with the office computer. In an effort to be helpful – or perhaps concerned they clicked on something that caused the glitch – the employee follows instructions to send money, turn over personal information, or provide access to your system. As a small business owner, you know it’s a tech support scam, but are you sure every member of your team has the savvy to spot it? The FTC has new resources to help protect your company from cybersecurity risks, including tech support scams.

How the Scam Works

Scammers often pretend to be from a well-known computer-related company. They use confusing tech talk and smoke-and-mirrors chicanery – perhaps a bogus “scan” of your system – to convince your employee that emergency action is necessary.

The next step varies depending on what the scammer is after. Data thieves may propose a “fix” that gives them remote access to your network. Once in, they steal sensitive data or install malware to facilitate future invasions.

Others just care about the cash. They may try to convince your employee to enroll in a worthless computer “maintenance” or “warranty” program. Or they’ll ask for a credit card number so they can bill your business for bogus repairs. In a variation on the scam, they may direct your staffer to a website where they ask for account information, passwords, or personal data.

How to Protect Your Business

If someone calls your employee and says there’s a problem with the computer – even if it looks like a local number or the caller ID says it’s from a well-known company – instruct your staffer to hang up.

If it’s an email that appears to come from a trusted business, don’t respond. Don’t click on any links. Don’t share passwords. And don’t call a phone number in the message.

If it arrives as a pop-up, the advice is the same: Don’t respond. Don’t click. Don’t share. Don’t call. Tech support scammers are experts at falsifying caller IDs, email addresses, URLs, etc. So those aren’t reliable methods for separating the tricky from the trustworthy.

Of course, some pop-up messages about computer issues are legitimate and sometimes your IT people need to talk to a staffer. Train your employees to respond by calling or emailing a co-worker you designate, using a number or address you have provided in advance.

What To Do If You’re Scammed

If someone at your business has shared a password with a scammer, change it on every account that uses that password. Insist on unique passwords for each account.

To protect against malware, use legitimate security software and keep it current. Use the software’s scan feature and delete anything it flags as a problem. If you need help, consult a trusted security professional in your community. If a computer infected by malware is connected to your network, you or a security professional should check the entire network for intrusions. Report an attack right away at FTC.gov/complaint.

If an employee bought bogus services from a tech support scammer, ask your credit card company to reverse the charges. Keep checking your monthly statements to make sure the scammer doesn’t try to go back for seconds – and report it to the FTC.