Remote Access Scam Exposes Company Network: Breaking Down The Breach

Welcome to another edition of our Breaking Down the Breach series. In this case study, we explore how a remote employee—by simply trying to fix a home printer—twice exposed their company’s network to serious cyber risk through a Remote Access Scam. It’s a reminder that even small actions can have big consequences when the right tools and training aren’t in place.

This incident involved a fake tech support website, a phone call to a scammer, and the unintentional installation of remote-control software. The second time it happened, the attacker had four full days of access before anyone even knew. We’ll explain what went wrong, how it could have been prevented, and what you can do to stay protected.



What happened

An employee working from home ran into a problem with their personal printer. Instead of contacting the company’s IT help desk, they searched online for printer support and clicked the first link that popped up. Unfortunately, it was a paid ad created by scammers pretending to be real tech support.

After calling the number on the fake site, the employee was told to install remote control software. Once installed, the attacker could see and control everything on the computer. They ran background scripts (using PowerShell) and eventually asked the employee to pay a fee. That’s when the user realized something was off, disconnected the remote session, ended the call, and reached out to the organization’s IT helpdesk.

Our team isolated the affected computer and brought in the incident response team. Advanced security tools were deployed and promptly detected malicious software, including remote access programs that allowed the attacker to stay connected. The investigation revealed that this computer may have been connected to the company’s internal systems through a VPN (virtual private network) at the time of the attack, meaning the attacker might have been able to pivot to other production systems, including servers. Because there was no central event log aggregation repository, the relevant VPN logs had already been rotated and purged by the time they were needed. Unable to confirm whether the user was actively connected through the VPN at the time of the event, the incident response team expanded its focus from the single computer to a broader set of systems, deploying advanced security toolsets to all servers. No signs of malicious activity were found on the servers.

After the threat was eradicated from the initial computer, the device was returned to production. After a period of monitoring, no malicious activity was detected on any of the additional systems, suggesting that the threat actor did not successfully pivot to any servers.

A month later, the exact same thing happened again. This time the user didn’t report it for four days, giving the attacker extended access and more time to install backdoor tools. The team followed the same incident response protocol, eradicating the threat from the computer in question and reviewing the servers for any signs of compromise. Once again, the attacker had not successfully pivoted across the VPN connection from the computer to the servers.


Why it happened

NO ADVANCED SECURITY MONITORING
The company wasn’t using modern cybersecurity tools like EDR (Endpoint Detection and Response), which watch for unusual behavior and can automatically isolate infected devices.

NO USER TRAINING
The employee didn’t know that paid ads in search results are a common trap used by scammers. They also weren’t aware of the proper way to request technical assistance by engaging with the organization’s helpdesk.

LIMITED VISIBILITY
Without log collection and analysis tools in place, such as a SIEM (Security Information and Event Management) platform, the company couldn’t easily tell whether the attacker had moved from the laptop into internal systems through the VPN. That gap extended the timeline of the incident response effort and removed the ability to obtain critical evidence.
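As an added illustration (not from the original case study), this is the kind of check a responder could run against retained VPN gateway logs to answer the question the team could not: was the user connected through the VPN during the incident window? The log format, field names and sample lines are constructed assumptions; real gateways differ.

```python
# Added example (not from the original case study): given retained VPN gateway logs,
# answer the question the responders could not: was the user connected through VPN
# during the incident window? Log format, field names and sample lines are constructed.
import re
from datetime import datetime

# Constructed sample gateway log lines (not real data); one connect/disconnect pair per session id.
VPN_LOG = """\
2024-03-04T08:02:11Z vpn-gw session=1001 user=jdoe event=connect src=198.51.100.23
2024-03-04T12:30:45Z vpn-gw session=1001 user=jdoe event=disconnect
2024-03-04T13:05:02Z vpn-gw session=1002 user=jdoe event=connect src=198.51.100.23
2024-03-04T17:45:10Z vpn-gw session=1002 user=jdoe event=disconnect
2024-03-04T09:15:00Z vpn-gw session=1003 user=asmith event=connect src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session=(?P<sid>\d+) user=(?P<user>\S+) event=(?P<event>connect|disconnect)"
)

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def vpn_sessions(log_text):
    """Pair connect/disconnect events: {user: [(start, end), ...]}; end is None if still open."""
    open_sessions = {}  # session id -> (user, start)
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        ts, sid, user, event = parse_ts(m["ts"]), m["sid"], m["user"], m["event"]
        if event == "connect":
            open_sessions[sid] = (user, ts)
        elif sid in open_sessions:
            user, start = open_sessions.pop(sid)
            sessions.setdefault(user, []).append((start, ts))
    for user, start in open_sessions.values():  # connect with no disconnect yet
        sessions.setdefault(user, []).append((start, None))
    return sessions

def vpn_active_during(log_text, user, window_start, window_end):
    """True if any of the user's VPN sessions overlaps [window_start, window_end]."""
    for start, end in vpn_sessions(log_text).get(user, []):
        if start <= window_end and (end is None or end >= window_start):
            return True
    return False
```

A session that has connected but not yet disconnected is treated as still open, so it counts as active for any window after its start.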

DELAYED REPORTING
During the second incident, the employee waited four days to report the issue—giving the attacker far more time to explore and possibly damage company systems.


How It Could Have Been Prevented

USE EDR FOR REAL-TIME PROTECTION
EDR (Endpoint Detection and Response) tools don’t just look for known viruses; they watch how programs behave. If something suspicious happens, like an unauthorized remote-control session or a script running silently in the background, they can shut it down immediately, isolate the device, and notify a security team.
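To make the behaviour-based idea concrete, here is an added example (not from the article, and not any vendor’s EDR logic) of a simplified rule over process-creation telemetry, aimed at the pattern in this incident: a script host started silently by something other than the user. The field names follow Sysmon event ID 1; the sample events, the parent allowlist, the flag list, the remote-tool path and the isolation threshold are all assumptions.

```python
# Added example (not from the article, and not any vendor's EDR logic): a simplified
# behavioural rule over process-creation telemetry. Field names follow Sysmon event ID 1;
# the events, the parent allowlist, the flag list and the isolation threshold are assumptions.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents from which a user normally starts a script host interactively (assumed allowlist).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "code.exe"}
# Switches that run a script without the user seeing a window or the script text.
HIDDEN_FLAGS = ("-windowstyle hidden", "-w hidden", "-noninteractive", "-encodedcommand", "-enc ")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Score one process-creation event; returns (score, reasons)."""
    reasons = []
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return 0, reasons  # this rule only cares about script interpreters
    parent = basename(event["ParentImage"])
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"script host started by non-interactive parent {parent}")
    cmd = event["CommandLine"].lower()
    if any(flag in cmd for flag in HIDDEN_FLAGS):
        reasons.append("window hidden or command encoded")
    if "-executionpolicy bypass" in cmd or "-ep bypass" in cmd:
        reasons.append("execution policy bypassed")
    return len(reasons), reasons

def decide(event, isolate_at=2):
    """Mimic the EDR response: isolate the host once enough indicators stack up."""
    score, reasons = evaluate(event)
    return ("isolate" if score >= isolate_at else "allow"), reasons

# Constructed sample events (not real telemetry); the remote-tool path is a placeholder name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\RemoteToolExample\agent.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc <base64-placeholder>",
     "User": r"CORP\jdoe"},
]
```

The first event (a user opening PowerShell from the desktop) scores zero and is allowed; the second, a hidden, policy-bypassing PowerShell launched from a remote-control agent, accumulates three indicators and triggers isolation.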

TRAIN EMPLOYEES TO SPOT SCAMS
With regular security training, users learn to avoid sponsored ads, verify support contacts, and recognize red flags like unexpected payment requests or background windows flashing open.

SET CLEAR SUPPORT GUIDELINES
Companies should have simple, well-communicated instructions for how employees—especially remote ones—should get tech help. “Always call IT first” needs to be crystal clear.

ACT FAST
Time matters. In the first case, fast reporting and response likely saved the company from further harm. In the second, the four-day delay could have been devastating if the attacker had moved deeper into the network.


Key Insights

  • Even one user can expose an entire system. Remote workers must be trained and protected.
  • Scammers love sponsored ads. Teach employees not to trust the top search results without verification.
  • Antivirus isn’t enough anymore. Tools like EDR offer advanced protection by spotting unusual behavior in real time.
  • Fast response = lower risk. Immediate isolation can stop a breach before it spreads.

Have questions about cybersecurity? Reach out to the WingSwept security team at Team_WingSwept@wingswept.com.
