Tech scammer “baiting” game rules

Posted on Fri 22 July 2016 in Trolling.

Ooooh. A blog post. Don’t feint.

Since TalkTalk don’t know how to security and leak customer details everywhere, we’ve been inundated with scammers claiming to be from “TalkTalk Internet/Technical/Broadband Department” (or combinations thereof) and we’ve got issues with our internet, usually someone is “downloading files without authorization” and other general naughtiness.

They can fix the issue, but first they need access to our computer to provide the fixes.

Standard tech support scam stuff ;

  1. State they are calling from Microsoft/Apple/your ISP,
  2. Frighten the mark with jargon,
  3. Show the “frightening errors” to the mark,
  4. Offer to fix it,
  5. Gain access to copy data, access account details, get a one-off payment immediately, or infect with malware for later pilfering.

So, being aware of the scam, and wanting to waste some of their time, I began playing along on my Fedora install and noting the amount of time I could keep them on the line for.

At the time of writing, my current record is 40 minutes 26 seconds .

To keep it roughly fair and allow some comparison, I devised a vague set of rules to follow.

Safety notices

I have to put this, else someone will do something silly.

  1. Don’t do this to cold callers wanting to sell you new doors or such, just politely decline and hang up. [1]
  2. Don’t give out personal information,
  3. Don’t give them access to your machine,
  4. Hang up before things get out of hand,
  5. Don’t take the game seriously, it really isn’t,
  6. Don’t blame me if you get doxxed/SWAT’ed/phished/eaten whilst doing this; all take part at their own risk.

Rules of the game

So, if you want to play along at home, here are the “rules” I go by:

  1. Only play whilst it’s fun, hang up otherwise.

    If you’re not having fun, are uncomfortable with what’s going on or just not in the mood, hang up.

    The worst thing they can do is call again, and that’s remedied by hanging up, or leaving them to talk to themselves.

  2. Only play if you’re using Linux, preferably not Ubuntu.

    I say this as the scammers are expecting you to use Windows or Mac, and using Linux will screw up 98% of them.

    I say “Not Ubuntu” because if they do “do Linux”, they’ll likely only know about Ubuntu, so any .deb files they ask you to download will be opened in ArchiveManager and not installed or run.

    • Side note: check before playing that .exe, .deb and such open in ArchiveManager or equivalent, and not Wine/gDebi/Software Center, it kinda defeats the point.
  3. Let them do the talking, don’t offer up information.

    This lengthens the process, winding them up, and also limits the risk you slip up and tip them off you know what you’re doing.

    For example, most scammers assume Windows with Google Chrome as the browser, so let them continue with those assumptions.

    Nearly every call results in their confusion because they’re giving instructions on how to open downloaded files in Chrome, whilst you’re using Firefox. [2] Untangling that can take a good few minutes.

  4. Don’t lie. Fibbing to protect personal information is fine.

    You can’t trip yourself up if you’re just reporting what you see.

    Answering vaguely is advised, and doesn’t help them either, as it doesn’t give anything away, for example: “Do you have a Windows machine you can use?”, “No, none that I have access to” is a truthful answer if you’ve got a Windows laptop that is in another room.

    Little lies to protect personal info, like what bank you use, where you live etc are fine - there already have some personal information about you to call you, don’t give them more.

  5. Be indignant if they’re rude, be annoyed if it’s “not working”, but don’t lose your cool with them.

    It is significantly funnier for them to lose their shit and swear at you, but you’re an arsehole if you call them names in return, or launch into racist or sexist diatribes towards them.

    The goal isn’t to vent your spleen about or at them, it is to tie them up for as long as possible.

    Also, remember rule 1.

  6. Wait for them to hang up.

    Again, the goal is to tie them up for as long as possible, so don’t hang up on them, wait for them to hang up on you.

  7. Profit?

    Don’t know about that, does laughter count?

Optional extras

  1. Once they’ve run out of options, tell them you know it’s a scam.

    This is more for your own amusement, and can properly rile them up, so be ready for some backlash.

  2. Make a note of the total time spent on the phone, and the number of people spoken to.

    Again, just for your amusement to tempt you to do better next time.

  3. If they do something interesting, let people know.

    This is more of a herd immunity thing; if the scammers have done something interesting or different, letting others know of it allows the rest of us to be aware of any change in tactics, language, methodology, and so on.

    It makes handling the inevitable calls from family and friends about these scammers easier to spot and advise on.

Mostly, this game is for my amusement, but (slightly) to also keep the scammers occupied and delay them, however briefly, from moving on to people who aren’t as technically literate or aware, who would actually fall for the scam and be harmed by it.

Hopefully, listing the “rules” here will spread some active resistance to these scammers, and make it much less viable to operate in the longer term.

But mostly, it’s for my amusement.

[1]Cold calling is an actual job, and are annoying rather than malicious.
[2]Or if you’re feeling mischievous, elinks.