Why Security is About Humans, Not Technology

This warning and advice were posted this week by our local police department. While this scam targets people at home, the same type of scam could easily affect employees with laptops and workers at the office. The scam depends on anticipated human behaviors; education and training of your team is the best defense.

The Westborough Police Department has received complaints from residents who received calls from someone claiming to be with Microsoft tech support and saying that the company had detected a virus on the victim’s computer. The caller indicated he could help the resident remove the virus if he was allowed remote access to the computer. To ensure that no one falls prey to this scam, we would like to provide the following information from the Center for Internet Security at www.CISecurity.org.

The Threat: An individual claiming to work for a well-known software, technology, or research company cold-calls victims at random in an attempt to convince them that their computer is at risk of attack or infected with viruses, and that only the caller can remediate the problem. Victims who comply with the caller’s requests are highly likely to compromise their computer systems, as well as experience monetary loss. Victims may receive the calls at work or home, and on mobile telephones or landlines.

While there are variations of the scam, most follow a similar script.

  • Introduction: A caller claims to work on behalf of a well-known software, technology, or research company and informs the victim that their computer is sending out error messages, attacking another computer, or exhibiting behaviors indicative of viruses. The caller claims that only they can repair the problem for the victim or that the problem can be fixed with a software upgrade.
  • Gaining Trust: The caller will attempt to gain the victim’s trust. The caller may do so by instructing the victim to access the Windows Event Viewer, which displays standard messages about the computer’s operations, including general warning and error messages that are normal for the computer. The caller states these warnings and error messages are proof of malicious activity. The caller may use technical terms to confuse the victim or gain credibility. Callers are often forceful and attempt to create a sense of fear or urgency.
  • “Fixing” the Problem: The caller will offer to fix the problem by installing an update or by requesting remote access to the victim’s computer. The “updates” and remote access programs are actually malware.
  • Charging for Services: The caller may request the victim’s credit card information, or direct the victim to a website to enter their credit card number and personal information, in order to charge the victim for services rendered or for the software package provided.

In most cases, the main motive for conducting this scam is monetary gain, which could be achieved through two possible means:

  • Financial fraud: The caller may request monetary reimbursement for services rendered or for the software installation. If the victim provides credit card or financial information, the caller can charge the incorrect amount or make additional unauthorized charges.
  • Malware: It is highly likely malware will be installed if the victim provides the caller with remote access to the computer or installs unknown programs. Malware can be used to collect sensitive information such as usernames and passwords, which could lead to compromised financial institution accounts or additional malware being installed.

Individuals receiving a call that matches the description of any of these tech support scam calls, or those who previously participated in a similar call, should be aware of several security guidelines.

If you receive a call:

  • Do not rely on caller identification (Caller ID) to authenticate a caller. Criminals can spoof phone numbers so they appear to be coming from another location or entity.
  • Never provide passwords or bank account information over the phone; legitimate organizations will never call and ask for a password.
  • Be aware that software updates do not require the computer monitor to be off; legitimate organizations will never request the computer monitor be turned off during an update and will not call home users to notify them about an update.

If you receive an unsolicited phone call from a technology company, hang up and report the incident to your local police department and/or your Information Technology (IT) team.

If you previously received a call:

  • If you provided password information, change the password for that account. Never use the same password for multiple accounts.
  • Use a credible antivirus program, and enable automatic installation of software patches. If malware may have been downloaded, run an antivirus scan on the computer.
  • If you provided credit card information and the caller charged the account, call the credit card provider and request to reverse those charges. Check financial statements for other unauthorized charges.

Courtesy of the Grafton, MA and Westborough, MA Police Departments