A colleague (thanks, Lionel!) has alerted me to a new scam that has already targeted his clients. This scam involves a telephone call to the victim. So, this is a bit different in that the scammer is not using an e-mail blast to initiate the scam. The telephone call supposedly comes from Microsoft, although in doing some research on this there have been reports of the caller identifying themselves as working with Windows. In any case, the caller goes on to explain that the victim’s computer has been identified as being infected with something, which is causing the computer to do something bad on the Internet. Since the scam seems to have morphed a bit since it first appeared, the “something bad” might range from sending out error messages to sending out SPAM.
In earlier iterations of the scam, the victim is then instructed to look in the computer’s log, which we tech-types know as the Event Viewer, to see if there are any errors. And, as we tech-types know, there always are. Some of the errors listed are negligible or transient, and do not affect the working of the computer. But the person on the phone will indicate that these are grave errors, and they are being detected by the caller’s company. Later postings show that the caller will direct the victim to a website, which will then run a diagnostic on the system. As you may guess, the “diagnostic” reveals a host of serious errors. But not to worry, the caller assures the victim, these things can be taken care of—for a price.
Some of my SOHOBE clients are very familiar with this type of scam. It resembles the fake virus and malware detectors that have breached more than one of my clients’ systems. What’s notable here is that the telephone is being used to perpetrate the scam. Even in this day and age, there is a sort of trust placed in getting a telephone call and that the call will be legitimate. If the person on the other end of the phone line says they’re from, say, Microsoft then that must be true, right? Well, maybe. But how would you know? How could you check that? You can’t. You would need to take the person’s word for it.
Be aware that it’s fairly easy nowadays to get a VoIP phone number. The person who is getting the phone number does not have to be in the state for which the phone number is requested. For example, SOHOBE in Rhode Island could obtain a phone number with an area code and exchange that would make it seem like it’s calling from Redmond, Washington. Redmond, by the way, is where Microsoft is based. More capable VoIP systems known as Virtual PBX would even allow SOHOBE to control or customize the Caller ID data sent to the other person’s telephone. So, just as e-mails can be “forged” to make them seem like they’re coming from someone you know, or a company that you deal with, when in fact they’re not, telephone data can be misrepresented, too. Gone… Let me emphasize that a bit more strongly: long gone are the days when the telephone and its system were rigidly monitored by one company, or policed by one country’s rules. In my example above, SOHOBE could theoretically get a phone number in England, which would make it seem like it placed calls from there.
In past editions of the SOHOBE Newsletter, I’ve often cautioned against being too willing to believe what you read or hear. So, here’s a quick and by no means exhaustive list of things to consider when you encounter something suspicious or unexpected.
- Microsoft does not contact people about potential security breaches on the user’s computer.
- Microsoft will not send you an e-mail advising you to click on a link to download a computer update or what is known as a Service Pack.
- Adobe will not contact you by e-mail about updating any of its products, such as Adobe (Acrobat) Reader, or Flash.
- Adobe will not charge you for a PDF Reader update or upgrade. Adobe Reader, as it is currently known, is free.
- People cannot identify your credit card by the first 4 digits. The first 4 digits only tell the system what kind of credit card is being used. Bogus customer service schemes use this ploy.
- Sudden “newsletters” that show up in your In Box probably contain scam information. Microsoft and Adobe, like so many companies, do send out newsletters. But, in general, they only send out newsletters to customers that they have a working relationship with.
Microsoft probably won’t call you if there’s a problem with your computer, but your ISP (Internet Service Provider) might. It’s the people who provide you with Internet access that can associate a customer with a particular computer’s use of the Internet. Still, be highly skeptical of any telephone message instructing you to return your ISP’s call, or to go to a certain website. Instead, call your ISP (e.g., Cox Cable, Comcast, Verizon FiOS, etc.) directly using the phone number for Tech Support and ask them to help you. Do not trust the telephone number given in the message, since it may be bogus! If the call was legitimate, they’ll have a record of it listed.
What happens if you are talking to the person, and it’s not a VM (Voice Mail) or recorded message that you’re responding to? Be skeptical! Do not give out information. The caller should have all the information about your account in front of them. They should not be leading you on to fill in the gaps. Remember, they called you. Watch out for the First Four Numbers credit card trap. Watch out for the representative getting information wrong, and then telling you that there are multiple answers they could provide you. For example, they may tell you that you have multiple credit card numbers or contact addresses on file. Get a name, a company name, and a telephone number from the caller. Then hang up and call the company they represent using a phone number that you were given when you took out the service. Don’t trust the telephone number you are given during the telephone call to be real.
My feeling is that when any company contacts you in whatever fashion, the burden of proof of authenticity is on them. If the Electric Company called you and threatened to shut off your power unless you gave them credit card information, you’d be highly suspicious. At least you should be, especially if you had not gotten any information beforehand that there was any sort of problem. So, too, be very suspicious of any seemingly random caller. Demand to know exactly who you’re talking to, and the company they represent. Get a telephone number from them. Write down the Caller ID number. For example, the bogus phone number that is currently being used is (510) 374-4990. Then hang up. Don’t feel pressured to continue the conversation. Call the company in question using their main customer service number. Do not use the number you were given by the caller. Don’t feel obligated to call a company that you have no relationship with.
Remember, as high-tech as schemers become or as the methods they use become more sophisticated, they still have to trick you into going along with the scam. It just might be low-tech gut feeling that will help prevent such a breach.