Remote Access Tool (RAT) Scams: How Criminals Turn Legitimate Software into a Powerful Weapon

By Kevin Becknell - Chief Information & Compliance Officer, PTM Wealth Management

Critical Alert: Remote Access Tool (RAT) fraud represents one of the fastest-growing cybersecurity threats facing businesses today. Over 75% of remote access incidents in 2024 utilized RATs, with losses exceeding $800 million in the United States alone.

Cybercriminals are increasingly turning legitimate technology into tools of fraud. One growing scheme involves the misuse of legitimate Remote Access Tool (RAT) software — programs originally designed to help IT professionals provide technical support. When combined with phishing emails and social engineering tactics, these tools allow criminals to take full control of victims’ computers, often without their immediate knowledge.

How a RAT-Based Attack Works

A RAT-based attack typically begins with deception rather than malware exploitation. Victims may receive an email, text message, or phone call claiming to be from a trusted organization such as a bank, software company, or government agency. The message urges immediate action, warning of suspicious activity, account problems, or security threats. Once trust is established, the attacker convinces the victim to install legitimate remote access software such as AnyDesk, TeamViewer, or similar tools. After installation, the fraudster gains direct access to the device, allowing them to view screens, capture keystrokes, move files, and even initiate financial transactions. Because the software itself is legitimate, traditional antivirus tools may not detect the activity as malicious.
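Because the installer is legitimate software, detection has to rest on policy and context rather than on a malware signature. The following is an added example, not code from the original article: it triages process-creation events for the tools named in this article. The approved-tool list, the path and parent-process heuristics, and the sample events (constructed, using Sysmon Event ID 1 field names) are assumptions.

```python
import ntpath

# Tools named in the article; matching is by substring, a deliberate simplification.
REMOTE_TOOLS = ("anydesk", "teamviewer", "screenconnect", "atera", "splashtop")
APPROVED = {"teamviewer"}  # assumption: the only tool this organisation's IT sanctions
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

EVENTS = [  # constructed sample events, Sysmon Event ID 1 field names
    {"Computer": "FIN-PC-07", "User": "jdoe", "Product": "ScreenConnect",
     "Image": r"C:\Users\jdoe\Downloads\SSA_Statement_Viewer.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Computer": "IT-PC-01", "User": "helpdesk", "Product": "TeamViewer",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "ACCT-PC-03", "User": "asmith", "Product": "AnyDesk",
     "Image": r"C:\Users\asmith\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
]

def identify_tool(event):
    """Return the remote-access tool named in the path or version metadata, else None."""
    text = " ".join(event.get(k, "") for k in ("Image", "Product")).lower()
    return next((tool for tool in REMOTE_TOOLS if tool in text), None)

def triage(event):
    """Return a finding dict for a suspicious remote-access launch, else None."""
    tool = identify_tool(event)
    if tool is None:
        return None
    image = event.get("Image", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    checks = [
        (tool not in APPROVED, "unapproved tool"),
        (any(part in image for part in USER_WRITABLE), "runs from user-writable path"),
        (parent in LURE_PARENTS, "started by browser or mail client"),
        (tool not in ntpath.basename(image), "file name hides the product"),
    ]
    reasons = [why for hit, why in checks if hit]
    finding = {"host": event.get("Computer"), "user": event.get("User"),
               "tool": tool, "reasons": reasons}
    return finding if reasons else None

def scan(events):
    return [finding for finding in map(triage, events) if finding]

if __name__ == "__main__":
    print(*scan(EVENTS), sep="\n")
```

A renamed binary with its version metadata stripped would pass this check, so it complements an application allowlist rather than replacing one.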

Red Flags for Staff and Clients

For individuals and businesses alike, recognizing warning signs is critical. Common red flags include unsolicited contact requesting urgent action, pressure to install software quickly, or instructions to keep the interaction confidential. Requests to bypass normal security procedures or provide one-time passcodes are also strong indicators of fraud.

For employees, unexpected IT support requests, unusual login activity, or sudden changes to system settings can signal a RAT-based compromise. Clients should be wary of any message claiming immediate financial or security consequences without independent verification.

Real-World Scenarios

In one common scenario, a retiree receives a pop-up warning claiming their computer is infected. A phone number connects them to a “support technician” who instructs them to install remote access software. Within minutes, the criminal accesses banking information and initiates wire transfers. Businesses face similar threats. An employee may receive an email appearing to come from internal IT, directing them to install a tool to resolve a system issue. Once installed, attackers can access sensitive data, payroll systems, or client records.

The Social Security Scam

In 2024, ConnectWise ScreenConnect was exploited in a widespread campaign targeting Americans. Victims received emails claiming to be from the Social Security Administration, offering updated benefit statements. Links led to remote access software downloads disguised as PDF viewers, resulting in thousands of compromised accounts and significant financial losses.

The Brazilian Legal Notice Campaign

Between October 2024 and early 2025, Portuguese-speaking victims received emails impersonating Brazilian Labor Court officials. The messages contained urgent legal notices requiring immediate attention. Clicking the embedded links deployed Atera agents and Splashtop software, granting attackers complete system control. This campaign demonstrated how localized, culturally relevant tactics increase success rates.

The Middle East Government Impersonation

Sophisticated scammers posed as government officials offering refunds to citizens who had previously filed complaints with government service portals. After convincing victims to install AnyDesk or TeamViewer under the guise of processing refunds, criminals captured credit card details and one-time passwords, leading to average losses of $1,300 per victim, with some losing up to $5,000.

The Corporate Finance Scam

Between September and October 2024, the threat actor UAC-0050 launched at least 30 attacks against Ukrainian enterprises and private businesses. Accountants were tricked into installing Remcos RAT and other remote-control tools, allowing criminals to steal funds directly from business accounts through unauthorized access.

Estimated Losses in 2025

According to U.S. law enforcement and industry trend analysis, remote-access and tech support scams continue to rise. Based on FBI Internet Crime Complaint Center reporting and expert extrapolation, conservative estimates suggest RAT-enabled scams contributed to approximately $800 million to $1.2 billion in reported U.S. financial losses during 2025. These figures likely understate the true impact due to underreporting.

What to Do If You Think You’ve Been Infected

If you suspect a RAT-based attack, immediately disconnect the device from the internet. Contact your bank or financial institutions to secure accounts, and change passwords from a separate, clean device. Businesses should notify internal IT or cybersecurity teams right away. You should also report the incident to the FBI’s Internet Crime Complaint Center (IC3) and monitor financial and credit accounts for suspicious activity.

Steps to Reduce the Risk of Attack

Preventing RAT-based scams starts with education and awareness. Never install software at the request of unsolicited contacts. Verify communications through official channels before acting. Keep operating systems and security software updated, and limit administrative privileges on devices. For businesses, regular security training, multi-factor authentication, and clear incident-response procedures can significantly reduce risk. Clients and employees alike should feel empowered to pause, question, and verify before taking action.

Sources and Related Reading

FBI Internet Crime Complaint Center (IC3) Annual Report https://www.ic3.gov

Federal Trade Commission – Tech Support Scams https://consumer.ftc.gov

Microsoft Security Blog – Social Engineering and Remote Access Abuse https://www.microsoft.com/security/blog

Wired – How Hackers Abuse Remote Access Software https://www.wired.com

Cofense Intelligence report https://cofense.com/blog/hackers-spoof-social-security-administration-to-deliver-screenconnect-remote-access-tool

Cyble Research investigation https://cyble.com/blog/scammers-use-screenconnect-to-defraud-ssa-beneficiaries/

Hackread.com reporting on fake SSA emails https://hackread.com/fake-ssa-emails-trick-users-installing-screenconnect-rat/