
Fake Support Calls and Helpdesk Social Engineering

Microsoft doesn't call you. But your employee might not know that.

Last updated: March 20, 2026

A Galveston HVAC company got a call one Tuesday morning. The caller ID showed "Microsoft Support." The caller claimed they'd detected viruses on the company's computers and needed remote access to "fix" the problem before data was lost. The office manager, who knew just enough to be dangerous, handed over remote access.

By the end of the call, the attacker had installed remote access software, exported several years of customer records, and set up their own admin account for later access. The breach wasn't discovered until three weeks later when the company's antivirus started flagging cryptocurrency mining software.

This is what tech support scams and helpdesk social engineering look like in action. The tactic isn't new, but it works, because most people don't know what Microsoft, Apple, or your actual IT provider does and doesn't do.

How these attacks work

The tech support scam: You get a call, email, or pop-up claiming your computer is infected, has errors, or needs attention. The attacker asks for remote access or demands payment to "fix" a problem that doesn't exist. Sometimes they install actual malware. Sometimes they just take the payment and disappear.

The vendor impersonation: An attacker calls claiming to be from your internet provider, phone system vendor, or software company. They need "verification" of your account—often your password or security questions. Or they need to "update your settings" and walk you through granting them access.

The helpdesk bypass: An attacker has already compromised an employee's email and uses that access to call IT support pretending to be that employee. "Hey, I locked myself out. Can you reset my password?" If your helpdesk doesn't have good verification procedures, they comply.

The password reset game: More sophisticated attackers call your service desk with enough information (found on LinkedIn, in breached databases, or via prior phishing) to convince them they're a legitimate employee. They get the password reset, then own the account.

What can go wrong

Direct malware installation: Remote access software like AnyDesk, TeamViewer, or LogMeIn gets installed under the guise of "fixing" your computer. The attacker now has persistent access whenever they want.

Credential harvesting: You're convinced to type your passwords into fake login pages or share them directly over the phone.

Data theft: Once inside your systems, attackers export customer databases, financial records, or proprietary information.

Lateral movement: Remote access to one machine becomes access to your network, server, and cloud services.

Ongoing access: Backdoor accounts, additional remote access tools, or modified settings that let attackers return anytime.

What it costs

  • Incident response: $3,000 to $25,000 for cleanup, system rebuilding, and security review after a successful attack.
  • Data breach costs: If customer data was exposed, $500 to $10,000 in notification, credit monitoring, and legal review.
  • Ransomware delivery: Some attackers use tech support access to deliver ransomware. Total costs can reach $50,000 to $500,000 when you factor in downtime, recovery, and lost business.
  • Regulatory fines: Industry-specific requirements (HIPAA, PCI-DSS) can impose fines if the breach involved protected data.

Vendor questions (copy/paste)

"We use [Microsoft 365/Google Workspace]. What verification process should our IT helpdesk follow before resetting passwords or granting access over the phone?"

"How do I know if someone has installed remote access software on our computers without my knowledge?"

"Our staff works remotely and calls our cell phones when they need help. What's a secure way to handle support for remote employees?"

"What are the specific things Microsoft, Apple, or [your ISP] will never ask you for over the phone?"

"We had a support vendor in to 'fix' something last month. How do I check if they left anything behind?"

Minimum viable implementation

  1. Establish and document what your real IT support (internal or vendor) will never do:

    • Call you unsolicited claiming to have detected viruses
    • Ask for your password over the phone
    • Demand payment in gift cards or cryptocurrency
    • Ask you to visit a website to "verify" your computer

    Write this down. Share it with your team. Most people don't know what legitimate tech support looks like.

  2. Create a verification procedure for your helpdesk or IT contact. If someone calls claiming to be an employee locked out of their account, what happens? A callback to a known number? A security question? Document it.

  3. Audit remote access software on your systems. Check what installed programs you have and what connects out. Remove anything you didn't install or don't recognize. AnyDesk, TeamViewer, Splashtop, Chrome Remote Desktop—if you didn't set these up, investigate.

  4. Enable endpoint protection that can detect unauthorized remote access tools. Modern EDR solutions can flag when remote access software is installed without approval.

  5. Educate your staff on the specific call scenarios. Run through what these calls sound like. Make it clear: if something feels off, they can hang up and call your official IT contact directly.

  6. Don't give out credentials over the phone to unsolicited callers. Ever. Legitimate vendors have other ways to verify your account.
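For step 3, one way to take that inventory on a single Windows machine, shown as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 or later in an elevated session, matches only on the tool names mentioned in this article, and also lists local administrators because a leftover admin account is one of the outcomes described above.

```powershell
# Added example: remote access audit for one Windows machine (run elevated).
# Name patterns are the tools named in this article; extend the list as needed.
$patterns = 'AnyDesk', 'TeamViewer', 'Splashtop', 'LogMeIn', 'Chrome Remote Desktop'
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed programs: 64-bit, 32-bit and current-user uninstall entries.
#    HKCU only covers the account running the script, so repeat per user if needed.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $regex } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# 2. Services that would bring the tool back after a reboot.
$services = Get-Service |
    Where-Object { $_.Name -match $regex -or $_.DisplayName -match $regex } |
    Select-Object Name, DisplayName, Status

# 3. Running processes whose executable path matches (a heuristic: portable
#    copies run from Downloads or Temp have no uninstall entry at all).
$procs = Get-Process | Where-Object { $_.Path -match $regex }

# 4. "What connects out": established TCP connections owned by those processes.
$connections = foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Process'; e = { $p.ProcessName } },
                      @{ n = 'Path';    e = { $p.Path } },
                      RemoteAddress, RemotePort
}

# 5. Local administrators, to spot accounts nobody remembers creating.
#    S-1-5-32-544 is the built-in Administrators group on any language version.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

'--- Installed remote access programs ---'; $installed   | Format-Table -AutoSize
'--- Matching services ---';                $services    | Format-Table -AutoSize
'--- Matching running processes ---';       $procs       | Format-Table Id, ProcessName, Path -AutoSize
'--- Their established connections ---';    $connections | Format-Table -AutoSize
'--- Local administrators ---';             $admins      | Format-Table -AutoSize
```

An empty section means nothing matched these names, not that the machine is clean; a match is a reason to ask who installed it and why.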

When to hire help

Call someone today if:

  • Someone called claiming to be IT support and you gave them access to your computer
  • You see remote access software you didn't install
  • Your systems are acting strange after a support call

Call someone this week if:

  • You want to audit your current remote access setup
  • You need help writing a helpdesk verification procedure
  • Your team needs training on what tech support scams look like

You can probably handle it yourself if:

  • You know what remote access software is installed on your computers and why
  • You have a clear internal policy about not giving out passwords over the phone
  • Your team knows Microsoft doesn't call people about viruses

The tech support scam works because it creates urgency and fear. "Your computer has a virus!" When your team knows this is always fake, the calls lose their power.
