Microsoft Support Scam

Been a victim of a Microsoft Support scam? We have recently seen a spate of calls from customers who have had calls claiming to be from Microsoft or "Microsoft Support". The agent usually states that your Windows computer is infected with malware / spyware / a virus, and that they can clean it for you.

Assuming you believe them, they ask you to download some remote control software. It could be one of the common ones below, all of which are legitimate programmes in their own right, designed to give people remote access to computers. The difference here is what the criminals intend to do once they get in.

Common remote access software

[Images: AeroAdmin, Chrome Remote Desktop, LogMeIn and TeamViewer logos]


The attacker then proceeds to do a number of things to your computer which, to the untrained eye, could look like attempts to remove the aforementioned malware, spyware or virus. In fact they are systematically disabling all of the recovery features built into Windows, before executing their finale.

And what a finale it is. They exploit a little-known feature of Windows called SysKey. It allows encryption of the Security Accounts Manager (or SAM for short). The SAM is the database that stores your Windows login password. The end result is that when you restart the machine you will be asked for a Start Up password in a window that looks similar to this:

[Image: SysKey "Start up password" dialogue box]

You will then get a call back from the fake "Microsoft Support" again. Some calls have been blatant, saying they will remove the password for money, while others have been a little more subtle, apologising for not being able to fix your machine in time before the malware / spyware / virus took effect. But guess what? They'll fix it for a fee! That's sarcasm, of course. DO NOT pay these people any money! You have no guarantee that they will unlock your computer, and since they're almost certainly in another country, no recourse if they take your money but don't unlock it.

SysKey is not a virus, nor is it malware or spyware. It is an obscure security feature of Windows. Since it isn't a virus, no antivirus utility can remove it. Also, since you can't get into Windows, most users won't be able to run any software anyway.



Stay Protected

Don't be the latest victim of the Microsoft support scam. Microsoft don't provide over-the-phone technical support to residential customers, unless you are a subscriber to some specific Microsoft services like Office 365.

In any case, no matter who you are, Microsoft have no way of knowing what is on your PC. In fact neither do the criminals; they're guessing you have a Windows PC (because so many people do), and they're abusing your trust of the genuine Microsoft brand.

So, needless to say, if you get a call like this one, treat it with suspicion.



Fixing it

If you get caught out and let someone on to your computer:

1) Unless you've already got the SysKey password box coming up, DO NOTHING. Leave your machine running, or put it into sleep mode. Call in some genuine IT support at this point. Also, if the fake support people ring back asking you to pay them to fix it, DO NOT pay them any money! You have no guarantee they will fix it, even after you pay them.

2) If you have the SysKey password box coming up, try a few common passwords, like 12345. You never know! We managed to have a conversation with one of these criminals while fixing this issue for a customer, and they told us the password was Monkey123. Worth a shot!

3) Try starting your PC in recovery mode, and use system restore to reset the computer back to its previous working state. If you're not comfortable with how to do this, call in some genuine IT support.

Genuine IT professionals have some more advanced tools at their disposal to fix your computer: they may be able to reverse the SAM encryption and restore the old password, giving you your machine back as you knew it, or at worst should be able to recover your files and reinstall Windows for you.
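As an added example (not part of the original post, and not a tool of the company writing it), here is a read-only triage script a technician could run on a machine that is still logged in, as in step 1 above, to see whether SysKey has been switched to "password at start-up" mode, whether System Restore points survive, and whether remote-control tools are still running. It assumes an elevated PowerShell prompt, and the remote-control process names are assumptions.

```powershell
# Added example: triage checks for a machine still running after a scam call.
# Run from an elevated (Administrator) PowerShell prompt. Nothing is changed.

function Get-SysKeyMode {
    # The SysKey mode is recorded in the Lsa key's SecureBoot value:
    # 1 = key stored locally (Windows default), 2 = start-up password required,
    # 3 = key stored on removable disk.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    switch ($lsa.SecureBoot) {
        1 { 'Default (key stored locally)' }
        2 { 'PASSWORD REQUIRED AT START-UP - do not reboot this machine' }
        3 { 'Key stored on removable disk' }
        default { "Unknown or missing value: $($lsa.SecureBoot)" }
    }
}

function Get-RestorePointSummary {
    # Reports whether System Restore still has anything to roll back to (step 3).
    try {
        $points = @(Get-ComputerRestorePoint -ErrorAction Stop)
        if ($points.Count -eq 0) { return 'No restore points found' }
        $latest = $points | Sort-Object SequenceNumber | Select-Object -Last 1
        return "$($points.Count) restore point(s); latest: $($latest.Description)"
    } catch {
        return "System Restore query failed: $($_.Exception.Message)"
    }
}

function Get-RemoteControlProcesses {
    # Assumed executable names for the tools pictured above; adjust as needed.
    $names = 'TeamViewer', 'TeamViewer_Service', 'AeroAdmin', 'LogMeIn', 'remoting_host'
    Get-Process -Name $names -ErrorAction SilentlyContinue |
        Select-Object Name, Id, Path
}

Write-Host "SysKey mode    : $(Get-SysKeyMode)"
Write-Host "System Restore : $(Get-RestorePointSummary)"
$remote = @(Get-RemoteControlProcesses)
if ($remote.Count -gt 0) {
    Write-Host 'Remote-control tools still running:'
    $remote | Format-Table -AutoSize
} else {
    Write-Host 'No known remote-control tools running'
}
```

If the SysKey check reports mode 2, keep the machine powered on and hand it to a technician, because a reboot is what triggers the start-up password prompt described above.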


Contact us today if you are in Northern Ireland and are experiencing this problem. We'll have you back up and running as quickly as possible.