This month we had a report of a customer who contacted the legitimate tech support number listed on the bill for a major Internet service provider. In the course of that call, the support analyst determined that his options for helping the customer had been exhausted and transferred the customer to another support line.
The secondary support (Technicalsupport4u in India) took remote control of the victim's computer, asked for a credit card number and ended up charging $399 (from a bank in Paris) to that credit card. Frighteningly, that "support analyst" called to follow up the next day; although the problems were still not solved, that follow-up call adds to the seeming legitimacy of the scam. When the victim contacted the ISP, they said that they would never do such a thing or charge that much to a credit card. The victim ended up having to cancel that credit card and change bank routing numbers, which is a huge hassle.
We followed up with the security team at the ISP, as it is alarming that while most telephone scams begin with the scammers contacting the victim, in this case the victim contacted a legitimate, trusted service and ended up connected to the scammers. They acknowledged that while their tech support has a list of vetted contacts for other support teams, sometimes the support analyst just Googles for support numbers instead of using the list, and transfers the customer in order to be helpful. They said they would investigate.
Important take away: Constant vigilance! Even if the starting point is trusted, beware transfers to other locations.