Last night, I answered a phone call on my home phone line around 9:30 pm. The caller claimed to be from Microsoft and said there was a problem with my PC. Mind you, I manage the Infrastructure Services division of an IT advisory services firm. My firm is a Microsoft partner and I work with actual Microsoft employees on a regular basis, which is just one of the many reasons I knew this person did not work there.
I decided to have a little bit of fun with my new hacker friend to see what they were going to have me do – before I told them what I do for a living. While I didn’t allow the caller to progress entirely through his script, had I fallen for this scam he would have requested access to my computer, led me to normal system programs that many people aren’t familiar with (e.g. the command prompt, Windows event manager and task manager) and told me that there were signs in these programs that my computer was infected with a virus. Best of all, he would have tried to get me to send him $250 via PayPal for “licensing compliance.” Eventually I got bored with my game and told the caller what I do. At that point, he suddenly ran out of things to say.
As amusing as the experience was for me, the lesson I’m sharing today is a serious one. After I hung up the phone, I couldn’t help but think of what would have happened if my mother (or any other family member, for that matter) had received this phone call. While this scam is relatively new, it is just the latest example of what’s called “social engineering”. With social engineering, the bad people try to convince you to do something – whether it be clicking on a link, installing software or, in this case, sending them money via PayPal. The challenge is always to try and determine what’s real and what’s not, and sometimes it can be very hard to distinguish.
For those of you who don’t work in the IT industry, Microsoft will NEVER call you to tell you that there is a problem with your PC. In this scenario the caller will identify themselves as an employee of Microsoft and tell you that they have gained information that your computer has been affected by a virus. They may try to say that your Internet Provider has shared this information with them – another scenario which would never occur. They’ll offer to “fix the problem” for free, and in doing so will gain access to your computer and all of your sensitive information through a piece of malware they are going to install right in front of you. They will tell you things that sound just technical enough to be believable, and will lead you to any website they can get you to browse to that will show them personal information about you. Depending on how long you spend on the phone with them, the caller will gain access to your computer, your identity, your credit card number and a lot of other things you shouldn’t be sharing with people.
This scam has happened to several well-known people in the IT security industry who have allowed the callers to go through the scam with them – in a professionally secured and controlled IT environment – in order to document what actually happens. The bottom line is, kids, do not try this at home. If you receive a call from someone claiming to be from Microsoft, hang up. Share this story with your parents, your friends and anyone in your network that you think could be especially vulnerable to this type of scam. These hackers know all the right things to say, and they get unsuspecting people to wire them money all the time. It’s up to us to protect our information and to educate others – that’s the best way to beat these guys.