The Scam
Learn how Supportaholic was able to trick victims into paying for problems they created.
What is the tech support scam?
The scams that we typically cover on Scammer Payback are refund scams. Essentially, scammers contact victims about a fake charge, gain access to their system under the guise of issuing a refund, then manipulate the screen to show an overpayment and pressure the victim to send money back.
However, Supportaholic was operating a tech support scam. Rather than offering a refund for a supposed fraudulent charge, this scheme involves persuading victims that they must pay to resolve a non-existent issue with their computer. These scams can vary quite a bit. So, how was Supportaholic doing it?
The Two Methods
Since our first contact with Supportaholic in June of 2025, their tactics have changed. The operation now relies on outbound cold calling, conducted through two primary methods.
In the first method, an administrator initiates campaigns using Vicidial, a legitimate call center software platform that has been repurposed by the scammers. Large lead lists (sourced from data brokers or shared between similar scam operations) are uploaded into the system. The platform then automates dialing and distributes call information to agents in real time.
The second method targets individuals who did not answer initial calls. Their details are retained and placed into a separate list, which scammers later work through manually in an attempt to reestablish contact.
The call we're going to be pulling from originates from this second method.
Note: Some of the audio recordings below are distorted/glitchy due to the scammer's poor internet connection and our recording software.
Stage 1: The Email
At the beginning of the scam, the victim confirms she has just received an unusual email. We know that this message was sent by the scammers as part of the setup for the call. The approach relies on the scammers creating a believable reason for contact (referencing a “suspicious” email) that they can then point to in real time to build credibility.
In this instance, the victim happened to have her inbox open and saw the email as it arrived. Despite this, the scammer continues with the script.
Stage 2: Using Your Data
The scammer uses leaked information from the data sheet to reinforce her credibility. At the same time, the victim is still skeptical, prompting the scammer to escalate the approach. As an additional step, the victim is instructed to open the Windows Event Viewer, a tactic commonly used to misrepresent routine system logs as evidence of a problem.
Stage 3: Event Viewer
The Event Viewer routinely displays entries like this, which the scammer relies on to reinforce the narrative of a problem. Remember, these logs are completely normal and not evidence of hackers, a virus, etc.
At this stage, the victim appears to accept the explanation, giving the scammer an opportunity to move forward. The next step is directing the victim to a fraudulent website and instructing them to download remote access software.

Stage 4: Remote Access
Once the scammer gains remote access to the victim’s computer, the groundwork for the scam is complete. From there, the operation typically continues with follow-up calls, during which the victim is charged for resolving issues that do not actually exist on their system. You'll hear the scammer setting this up in Stage 5.
Stage 5: The Call Back
At this point, we intervened. The victim was warned, the remote access software was removed, and we confirmed that no follow-up contact resulted in payment to the scammers.
However, we can use some of the other recordings we collected to get a better understanding of what kind of "Tech Support" these scammers are doing.
Stage 6: The "Tech Support"
During this hold period while the victim is waiting for a call back, activity on the system shows the scammers disabling Windows Defender, likely to prevent interference with the software they intend to install. They then return to a fraudulent website they created and download a program presented as a Microsoft cleaning tool. In reality, the software is Remote Utilities.
Remote Utilities is a remote access program that provides a higher level of persistence than tools like TeamViewer. Unlike TeamViewer, which requires user approval for each session and provides visible connection prompts, Remote Utilities can be configured to run silently in the background and allow ongoing access without repeated authorization.
Once installed, this gives the scammers sustained control over the victim’s system. In many cases, they use this access to modify system settings, including changing the desktop wallpaper to display a phone number tied to their operation. This creates a direct path for future contact under the guise of technical support.
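A read-only check for the three changes described in this stage (Defender switched off, a remote-access host installed as a service, the wallpaper replaced), as an added PowerShell example that is not part of the original investigation. The Remote Utilities names it matches (RManService, rutserv.exe, rfusclient.exe) are assumed from that product's default install, and the 30-day look-back window is an arbitrary choice.

```powershell
# Added triage example: run in an elevated PowerShell session on the affected PC.
# It only reads state; it does not change or remove anything.
$findings = [System.Collections.Generic.List[string]]::new()
$since    = (Get-Date).AddDays(-30)   # assumed look-back window

# 1. Is Microsoft Defender real-time protection off right now?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings.Add('Defender status unavailable (service stopped or another AV is registered)')
} elseif (-not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender real-time protection is OFF')
}

# 2. Was it switched off recently? Event ID 5001 = real-time protection disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings.Add("Defender real-time protection was disabled at $($e.TimeCreated)")
}

# 3. Remote-access hosts installed as services (these survive reboots and can
#    accept connections without a prompt). Name patterns are assumptions.
$pattern = 'RManService|rutserv|rfusclient|Remote Utilities|TeamViewer'
Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    ForEach-Object {
        $findings.Add("Remote-access service: $($_.Name) [$($_.StartMode), $($_.State)] $($_.PathName)")
    }

# 4. Wallpaper replaced recently (current user only). Look at the image itself
#    for a phone number if this fires.
$wp = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name WallPaper `
        -ErrorAction SilentlyContinue).WallPaper
if ($wp -and (Test-Path -LiteralPath $wp)) {
    $file = Get-Item -LiteralPath $wp
    if ($file.LastWriteTime -gt $since) {
        $findings.Add("Wallpaper file changed $($file.LastWriteTime): $wp")
    }
}

if ($findings.Count -eq 0) { 'No Stage 6 indicators found.' } else { $findings }
```

A TeamViewer match on its own is not proof of compromise; it matters when the owner did not install it or when it appears alongside the Defender findings.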
They then attempt to charge the victim for these so-called services, regardless of the victim’s financial situation.
We intervened again to ensure the victim did not make any payment. While $59 may appear relatively minor, records obtained during this investigation show that the cost of these fraudulent “services” can escalate significantly.
Invoices recovered from the operation indicate charges ranging from approximately $200 to as much as $5,000. You can see some examples on the evidence page.
The Remote Connections
So, what happens to the victim connections after they've already been scammed? Evidence indicates that the remote connections were being stored on a centralized Supportaholic server, allowing scammers to reconnect to victim systems without their knowledge.
Activity linked to these connections includes unauthorized purchases, such as buying gift cards through victim accounts, and accessing online payment platforms, including PayPal, to transfer funds. All this was done without the victim's knowledge.
In multiple instances, we also identified files left on victim machines containing fabricated warning messages. These appear designed to prompt victims to reinitiate contact with the scammers, allowing them to repeat the exact same scam process.
Other Tactics
Another tactic we identified was the websites they use to support the scam. On supportteam247.com (the primary website used in their operations) we examined a “Check Warranty” feature.
Testing showed that regardless of what was entered, the tool returned the same result: a series of alarming warnings intended to suggest that the system was compromised.