Week 43: Company-like structures among fake support scammers

31.10.2023 - Threatening calls claiming to be from the authorities have been one of the phenomena most frequently reported to the NCSC since July 2023, and the surge in reports received by the NCSC is attributable primarily to them. As the calls are made during office hours, it can be assumed that the fraudsters are organised like a company.

Since the summer, the NCSC has been receiving a growing number of reporting forms concerning threatening calls supposedly from the authorities. The scam starts with a telephone call ostensibly from a police or customs authority claiming to want to help (fake support). There are several variants. What they all have in common, though, is that a computer-generated voice speaking impeccable English asks the person being called to press 1 to get more information. After that, they are connected to a supposed police officer. In a frequently encountered variant, it is then claimed that there is a warrant for the victim's arrest, but that the police assume someone is misusing the person's identity and that they are actually innocent. The police officer claims to want to help the victim. To gather evidence of innocence, the caller tells the victim to install a remote access tool in order to gain access to their computer. In addition to the remote access tool for the computer, the caller also insists that it be installed on the victim's mobile phone and tablet. This gives the attackers full access to all devices and allows them to bypass other security elements such as two-factor authentication.

The fraudsters then claim that bank accounts will soon be blocked and that they want to help the victim secure the money beforehand, which is why the victim is told to transfer their money to cryptoaccounts. Of course, the attackers also have access to these accounts and withdraw the money as soon as it is transferred. Occasionally, the victim is additionally told to leave the computer running overnight. This makes it easy for the attackers to carry out further transactions unnoticed and without the victim becoming suspicious.

If victims become suspicious, they are given a website that indicates the official Interpol phone number. They then receive a call from this number, but obviously it is spoofed. For the victims, however, it is further proof that the case must be genuine.

Website listing the official telephone number of Interpol.
Website listing the official telephone number of Interpol.

Days with no activity and office hours

Since telephone calls are involved, the NCSC assumes that reports on this phenomenon are submitted to it quickly and that the time of report receipt can more or less be equated with the time of the telephone calls. Unlike with emails, which are usually reported with a time lag, meaningful statements can thus be made about the fraudsters' activity times in the case of this phenomenon.

The analysis reveals that the reporting process follows regular office hours, starting on Monday morning and ending on Friday afternoon. There are no reports on Saturday and Sunday. It can thus be concluded that the attackers are organised in company-like structures that also employ staff according to customary work schedules.

In addition, other patterns can also be seen in the statistics. There are days or whole weeks when there is nearly no activity. One example is 14 and 15 August 2023, two days on which the NCSC received no reports of this phenomenon. Similarly, in the week of 4 September 2023, there was virtually no activity, and in the following weeks it started off at a low level until October, when there were again large numbers of calls.

There are several explanations for this observation. Either only one fraudulent company is involved in the attacks and on the days in question there were IT or other operational problems, for example, or else several groups from the same region are involved and the days with no activity are public holidays or general holiday periods. However, the figures for a longer period would be needed for further analysis.

Trend over time of reports on the phenomenon of "threatening calls from the police". The NCSC got no reports on weekends (grey arrows). On 14 and 15 August (red) and in the week of 4 September (yellow), no reports were received either.
Trend over time of reports on the phenomenon of "threatening calls from the police". The NCSC got no reports on weekends (grey arrows). On 14 and 15 August (red) and in the week of 4 September (yellow), no reports were received either.
  • End such phone calls immediately. Neither the police nor other authorities will call to gain access to your devices.
  • Do not give anyone remote access to your devices. If you granted remote access, there is a possibility that your computer has been infected.
  • The first step is to uninstall the remote access program.
  • If you suspect an infection, have your computer examined immediately by a specialist and cleaned if necessary. The safest option is to completely reinstall the computer. However, do not forget to back up all personal data beforehand.
  • If you have suffered a financial loss, report the matter to your bank and file a criminal complaint.

Last modification 31.10.2023

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_43.html