Tech support scams and the call of the void


The importance of providing the best possible after-sales service to customers.

L’appel du vide is an expression meaning “the call of the void”, with a similar meaning to what Poe called The Imp of the Perverse: you might define it informally as the sudden irresistible urge to do something harmful, to oneself or perhaps to others.

I was reminded of the concept when I came across a piece written by Christopher Burgess for Security Boulevard on what happens When Scammers Fill the Tech Support Void.

Burgess says: “I still haven’t figured out why those companies that provide tech support tend to hide the connectivity to these saviors of their brand in the weeds of the website, but they do, and we search—and sometimes we strike gold.”

However, I don’t think the reluctance of companies to draw attention to their support services is too much of a mystery.

Thanks for your support

It’s to be hoped that most legitimate companies feel responsible for providing the best possible after-sales service. After all, when the time comes to replace or update hardware or software, a positive support experience is one incentive to stay loyal to a brand. (Even if a company is sometimes over-eager to sell an update or replacement to a customer who is unwilling or unable to trade up.)

So why do some products and services offer no direct support at all? Why do software companies usually farm out support for free products to a forum or third-party provider? Why are telephone support lines invariably painfully time- and money-consuming to negotiate?

In fact, reluctance to engage directly with customers goes far beyond tech support. I’ve often asked myself why law enforcement agencies make it so hard to report fraud and other criminal activity online, by requiring the complainant to fill in an inadequate and inflexible web form. Why are many other government agencies and public organizations so reluctant to publicize contact points? And why are emails to corporate addresses so often responded to with silence or an irrelevant boilerplate response?

Why so shy?

There may be a number of factors contributing to these shortcomings, such as:

  • Poor website and email administration and maintenance, with links that go nowhere or throw the information-seeker into a never-resolving loop, or email that generates only pro-forma responses or overflowing-mailbox error messages.
  • Fear of exposing staff to (even more) spam, BEC (Business Email Compromise) scams, ransomware and so on.
  • Insert your own conspiracy theories here.

The bottom line is the bottom line

But I don’t think it’s cynical to point out a factor that constantly limits the effective delivery of a service or product: the cost of processing support requests and other customer input. The more effective the support, the more it tends to eat into budgets. So it may be understandable if under-publicizing contact points and support availability is sometimes a conscious policy decision, but is it defensible?

I’m reminded of a university that made available a very useful, free networking utility: however, if you actually sent them an email, there was an automated response on receipt, then a long silence. Eventually you received a boilerplate message inviting you to resend your query, as otherwise they’d assume that you’d managed to sort it out yourself. An extreme case, perhaps, but it’s understandable if the providers of a free service don’t want to spend time supporting it. Fortunately, though, not all free services are quite so reserved. Yet all too many organizations in both the private and public sectors are.

To quote Burgess again: “…perhaps most importantly, companies shouldn’t hide the ways and means by which customers can contact them. That little bit of assistance may be the ticket to a long-term relationship with their customers.” Indeed it may, but its absence casts doubt on the intentions of the provider, certainly if the product or service provided comes at a cost.

The tech support scammer often succeeds in part by appearing to offer a support service that a legitimate provider fails to offer, or at least fails to publicize adequately. Which isn’t to say that provider reticence is the only factor: for example, many a victim owes his or her misfortune to a search engine that displays dodgy sponsored ads ahead of legitimate links, a malicious script that pops up a deceptive message, or a conveniently placed Facebook page. And, in some cases, a lack of caution that may bring to mind the activities of that Imp of the Perverse, or at least an unfortunate “Susceptibility to Persuasion”.

Conclusion

Still, if a customer is exposed to fraud because the fraudster appears to offer a support service that the real provider fails to offer, it seems to me that the provider should bear some of the responsibility. However, since we can’t always rely on organizations (commercial or otherwise) to do the right thing, those of us who use their products and services also need to take responsibility for our own (in)secure behaviour, and help others to do the same. I won’t repeat everything I’ve published on the topic here, but here are two things worth remembering (there are some links with further information in the references section below):

  • People who ring you up out of the blue do not have some mysterious power to see malware on your computer. And it’s unlikely that they’re ringing from Microsoft (or the other companies sometimes misrepresented by these scammers).
  • Messages that pop up out of nowhere telling you to ring their helpline for help with dealing with some sort of virus aren’t from Microsoft either. And those ‘helplines’ are not to be trusted.

References

My PC has 32,539 errors: how telephone support scams really work

Hanging on the Telephone

Scams: Tech Support, Accident Insurance, PPI, Oh My My

Support-Scammer Tricks

written by David Harley, ESET We Live Security

