Tech support scams: a look behind the curtain

My previous post about fake support calls from Microsoft generated a lot of reactions. I was quite astounded by how many other people had similar experiences and that this was still going strong. In this post, we will try to better understand how such companies operate and why, despite so many complaints, they are still operating shamelessly.

Last October the US Federal Trade Commission launched a crackdown on more than a dozen companies and individuals mostly based in India. The FTC froze their assets in the US and shut down many of their websites and telephone numbers. The screenshot below shows an excerpt of the court case against one of the defendants:


Before going into more detail, it’s important to clarify something about offshore companies providing business services. There are many legitimate ones and we should not let a few bad actors paint a bad picture of an entire country. Having said that, Business Process Outsourcing (BPO) is a double-edged sword. On the one hand, companies can streamline processes and cut costs; on the other hand, they open up their systems and their customers’ databases to foreign companies, with the risks that entails.

Lies, lies and more lies

Rogue call centers are plentiful in India and have no shame in advertising in local newspapers, online ads, or even on Facebook and LinkedIn. Below is a (somewhat dated) job posting for a “sales executive” out of Kolkata, a place known to house many such rogue companies.


And here is one of the companies’ profiles on LinkedIn:


The salespeople do not really need to know much about computers, but they do need to be good at selling and even at going the extra mile, which sometimes involves “tricking the customer”.

The other type of candidate, sought after to run the actual remote sessions with the victims, does know about computers. A source of mine told me a lot of them are students fresh out of IT or engineering schools who just can’t find a job. When a company promises them a salary and some perks, they will often accept, even if what it involves does not seem quite right. In my own experience, the remote person knew exactly what to do when he sabotaged my computer.

In a video posted to YouTube we can see alleged workers from one company having a good time – not that there is anything wrong with that – except if the booze and food are paid for by innocent foreigners who have been robbed.


That same company was fined by the Canadian government in late 2012 for several violations:


It is probably safe to say that the front lines (salespeople, remote people) aren’t really aware of, or perhaps don’t really care about, what they are doing. Regardless, they are most likely only paid a fraction of what the top guys running those businesses make. Considering that $299 is about 16,000 rupees (not far from the average monthly salary for someone in India), it only takes a few ‘sales’ to call it a good day’s work.

The top guys aren’t shy either. You can find some of them on LinkedIn:


Excuses, excuses and more excuses

Despite measures taken by the FTC, the Canadian government and the UK’s Metropolitan police e-crime unit, the calls are still reaching US, UK, Canadian and Australian residents as well as those of other nations. It’s easy to deny such activities by hiding behind many different names, websites and phone numbers. The lamest excuse I’ve heard was that ‘sometimes an employee may go too far, but actions are taken and the employee is fired’. How could a sales pitch that sounds like it came out of a textbook be a one-individual problem?

Another issue is when a company plays Dr Jekyll and Mr Hyde by running some legitimate operations and some scammy ones on a different shift to get some extra cash.

Finally, money talks, or rather can make people keep things quiet. Corruption in India is a big problem and it is not too far-fetched to think some of these companies make ‘donations’ to be left alone.



Jérôme Segura

Principal Threat Researcher