Internal data breaches occur when an employee of a company or organization uses his or her position to gain access to individuals’ personal identifiable information. Typically, the reason for accessing and gathering the information is so the employee can then sell it to identity thieves or use it to open new accounts and make purchases in the victims’ names.

Sometimes these breaches are accidental, such as when an employee accidentally downloads malicious software to a company computer or loses a company laptop with sensitive information stored on it. Of course, intentional internal data breaches are also prevalent, and occur when the employee begins stealing identifying information from data the company has gathered.

One Florida-based telemarketing company has experienced an internal data breach that almost looks too easy. How? Because the company in question, Advanced Tech Support (operated by Inbound Call Experts), is actually a PC repair and tech support company that can gain remote access to your computer if you’re having an issue. This remote access lets someone on a different computer use your computer in real time, and the scammers needed that ability to pull this off.

The fraudsters, posing as employees of ATS, seem to have been using the remote access feature to sift through the customers’ computers for online banking information, and even contacting customers to say that they owed money to the company, which they would say could be paid via wire transfer. They had to have gained access to the customers’ contact information somehow, and that’s where the internal data breach comes into play.

You might think no one would fall for this, but there’s another angle to this story. Advanced Tech support and a few other companies were sued last fall by the Federal Trade Commission for some shady practices, so the scammers reached out to customers to inform them they’re owed a refund due to being overcharged for services, or due to the outcome of the class-action lawsuit. The fake employees told customers they’ll use the remote access feature to transfer the money back to the customer, but were instead trying to uncover stored sensitive information from the computer.

Making this story even more interesting is a warning that was posted on the ATS website, informing customers of the breach. It went on to state that the guilty party had been terminated, and that no credit card numbers had been accessed. However, this warning was removed after one news source contacted ATS directly to ask about the data breach.

While law enforcement can sort out the details of what has actually happened, there are some important things to remember about protecting yourself from this kind of scam:

  1. You will never be called out of the blue and sent an instant electronic funds transfer as part of a lawsuit settlement. These issues are handled via the postal system.
  2. Of course, electronic funds transfers also don’t require someone to access your computer.
  3. If you receive an unsolicited call from someone who wants remote access to your computer, hang up and call the company using a phone number that you’ve verified yourself—not a number the caller provided you with or one that was on your caller ID.
  4. If you’re ever in doubt about the veracity of the caller’s story, hang up. Even if the person states that an error has occurred—such as the overpayment ploy the scammers used in this case—you’re not required to respond or take action based on a phone call or email. Any legitimate correspondence will come through the mail so that you have a paper trail on the case.

Part of what made this breach work is the scammers were contacting people who already know very little about their computers… that’s why they had signed up for tech support packages with remote access in the first place. It didn’t take much to convince the victims to let them have access to the computer. It’s very important that you know how these issues really get resolved, and to listen to the little voice in your head telling you something might not be right.