So, my friend got his computer “locked” and there was a number to call a Microsoft support agent. He called it and talked to him for a while, and he got talked into letting the scammer remotely access his computer. The scammer took him to the registry where it shows all the areas and started trying to sell him an anti-virus. Once he started being marketed to, he hung up and turned the wi-fi and his laptop off. He has tax documents on his computer with private information, so just to be safe I had him file a fraud alert with TransUnion.
I was wondering, if he watched the guy remotely access his computer the whole time and the scammer never tried opening up any documents or anything, how likely is it that any files or personal information were taken? I told him to also keep an eye on bank statements and credit card statements to be extra safe. His passwords aren’t saved on his browser or anything, but I read somewhere they could have stolen his cookies and use those to log into some accounts? I don’t know, I’m just worried but I think I’ve had him take all the necessary precautions for now. Are there any other steps I should have him take?
My mom fell for this scam along with paying them $500.00. Doing a complete reformat of the computer is the only correct answer.
They could’ve gotten basically everything and he wouldn’t know it. They would be working on taking his data in the background while he watches them remotely navigate his PC. Just because he didn’t see it doesn’t mean it didn’t happen. Needs to wipe the PC most likely.
Consider the PC compromised and do not boot into Windows without wiping the storage drive and fresh installing Windows. There’s no telling what kind of files were silently uploaded and executed when they remoted in.
It all depends whether the scammer had them set up unattended access and he wasn’t aware of it.
What I would do is first and foremost uninstall and get rid of the remote access software, whether it’s TeamViewer or AnyDesk.
And I would do that before you reconnect it back to the internet.
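Added here as a worked example, not something any poster in the thread wrote: a read-only PowerShell triage script that inventories the usual places a remote-access tool lands when a scammer sets up unattended access (installed programs, services, Run keys, scheduled tasks, running processes and their network connections). It assumes an elevated prompt on the still-offline machine, and the product-name list is my own assumption that starts from the two tools named above; it reports only and removes nothing.

```powershell
# Added example (not from the thread). Run as Administrator while the PC is still offline.
# Reports likely remote-access footholds; it does not uninstall or delete anything.

# Assumed, non-exhaustive list of remote-access products to look for. Extend as needed.
$RemoteTools = @('TeamViewer', 'AnyDesk', 'UltraViewer', 'Supremo', 'LogMeIn',
                 'ConnectWise', 'ScreenConnect', 'Splashtop', 'RustDesk')
$pattern = ($RemoteTools | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-RemoteAccessFootholds {
    # 1. Installed programs (64-bit, 32-bit and per-user uninstall entries).
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString

    # 2. Services: unattended access normally means an agent service that starts at boot.
    $services = Get-CimInstance Win32_Service |
        Where-Object { ($_.Name -match $pattern) -or ($_.DisplayName -match $pattern) -or
                       ($_.PathName -match $pattern) } |
        Select-Object Name, DisplayName, State, StartMode, PathName

    # 3. Run / RunOnce autostart entries for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $autoruns = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip PowerShell's own PS* metadata properties on the registry object.
                if ($p.Name -notlike 'PS*' -and ("$($p.Value)" -match $pattern)) {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }

    # 4. Scheduled tasks whose name or executable points at a remote-access tool.
    $tasks = Get-ScheduledTask | Where-Object {
        ($_.TaskName -match $pattern) -or
        (($_.Actions | ForEach-Object { $_.Execute }) -match $pattern)
    } | Select-Object TaskName, TaskPath, State

    # 5. Live processes and any TCP connections they currently hold.
    $procs = Get-Process | Where-Object {
        ($_.ProcessName -match $pattern) -or ("$($_.Path)" -match $pattern)
    }
    $conns = @()
    if ($procs) {
        $pids = $procs.Id
        $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $pids -contains $_.OwningProcess } |
            Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort, State
    }

    [pscustomobject]@{
        InstalledPrograms = $installed
        Services          = $services
        Autoruns          = $autoruns
        ScheduledTasks    = $tasks
        Processes         = $procs | Select-Object Id, ProcessName, Path
        Connections       = $conns
    }
}

$report = Find-RemoteAccessFootholds
foreach ($section in $report.PSObject.Properties) {
    Write-Host "=== $($section.Name) ==="
    if ($section.Value) { $section.Value | Format-Table -AutoSize | Out-String | Write-Host }
    else { Write-Host '(nothing matched)' }
}
```

A clean report is not proof of a clean machine: the matching is by product name, and anything renamed, dropped under a different name, or run from an unusual location will not show up, which is why the replies above recommending a wipe and reinstall are the safer course. What the script is good for is confirming what was installed so it can be removed before the machine ever goes back online, and giving you a record of what the scammer left behind.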
Your friend should assume that any login entered on that machine is compromised. They should also assume that machine itself is still compromised.