Tech support scammers go analog, ask victims to mail bundles of cash – Source: go.theregister.com

Cybercriminals are taking their business offline in a new approach to familiar technical support scams recently identified by the US Federal Bureau of Investigation.

In a bulletin published yesterday, the FBI’s Internet Crime Complaint Center says it’s noticed a recent uptick in technical support scams across the US that, rather than urging victims to wire funds, send cryptocurrency or hand over gift card codes, is asking them to mail magazine-wrapped wads of cash.

For those familiar with tech support scams, the operation discovered by the FBI will sound familiar.

Scammers, who the FBI says in this case are mostly targeting older adults, initiate contact via a text message, email or popup window on the victim’s computer claiming to be a legitimate company. The scammer tells their intended victim there has been fraudulent activity on their account, or that they’re due a subscription refund, but tells them the only way to get the money is to allow the scammer to connect to the victim’s computer so the scammer can make the deposit.

This, of course, requires the downloading of a remote access tool that could be loaded with a multitude of malware, and once connected the scammer asks their victim to log in to their bank’s website, potentially giving them a chance to harvest credentials as well. 

The scammer then “deposits” money into the victim’s account, but accidentally transfers too much. They then point out the error and tell victims to please remit the difference or the poor scammer could be fired.

It’s here that the tactics change, according to the FBI.

“The scammer instructs the victim to send the money in cash, wrapped in a magazine(s), or similar method of concealment, via a shipping company to a name and address provided by the scammer,” the Feds warn in their bulletin. Most recently, they reckon scammers have been directing victims to send packages to pharmacies and other businesses designated as package pickup locations, obscuring their ultimate destination.

• California man’s business is frustrating telemarketing scammers with chatbots
• Google changes email authentication after spoof shows a bad delivery for UPS
• Ads for lucrative jobs in Asia fail to mention chance of slavery as crypto-scammer
• Uncle Sam strangles criminals’ cashflow by reining in money mules

While we hope El Reg readers are wise to such scams, it doesn’t mean the people you support or work alongside are. The FBI urges all the usual forms of caution to prevent cases like these, like not downloading software from unknown sources, not allowing unknown individuals to remotely control a computer and not clicking on any link or calling any number sent via text, email or popup.

And it goes without saying, but if a representative from a supposedly legitimate business asks you to send an obfuscated package stuffed with cash to a random address … don’t.

It’s not clear why scammers are employing the new tactic, but it could have something to do with payment processing firm Nexway being accused by the US Federal Trade Commission in April of knowingly processing credit card payments for Microsoft-themed account scammers.

While originally facing a fine of $49.5 million, the FTC agreed to suspend the larger fine in favor of a smaller $650k one after Nexway said it would stop processing payments for scammers and better monitor its platform to prevent illegal activity.

While blatant tech support scams like sending packages of cash tend to target older adults unfamiliar with the intricacies of digital platforms, it’s not necessarily the case that older folks are the most common victims.

According to a 2021 report from Microsoft, overly confident millennials and Gen Z’ers are most likely to fall for tech support scams. In other words, be sure to check in with your younger end users to ascertain they haven’t mailed any bundles of cash lately either. ®