Microsoft warns of telephone phishing scam

Written by Ed Fisher on June 21, 2011

On June 16, 2011, Microsoft released the results of an independent survey conducted by Dynamic Markets, Ltd., commissioned by Microsoft Trustworthy Computing, regarding an increasingly popular phone scam criminals are using to target victims. The report warns that scammers have increased their efforts to fool people into providing access to their computers or handing over personal information, including credit card data, by calling them and pretending to be Microsoft employees or other security engineers who have detected that the victim’s computer has been compromised or is infected with malware.

Seven thousand users across the United States, Canada, the United Kingdom and Ireland were surveyed. Of the respondents, 22% had received at least one phone call from someone pretending to be a security engineer, while 3% were sufficiently fooled into following the attackers’ instructions.

After convincing the victim that their machine was at risk, the attacker proceeded to attempt one of several attacks. These included convincing the victim to provide him/her with remote access to their computer so that they “can assist with removing the malware”, leading them to download software which contained malware, or providing credit card information to pay for assistance.

Here are some of the key numbers from the report:

  • 79% of the victims suffered a financial loss
  • The average amount of money stolen was US $875
  • 67% of those who lost money were able to recover some of it
  • 53% said they suffered subsequent computer problems
  • The average cost of repairing damage caused to computers by scammers was US $1,730.
  • In the United States, the cost was much higher: $4,800.
  • 67% of those who lost money were able to recover, on average, only 42% of it
  • 17% experienced some form of identity fraud.

Microsoft included some advice to go along with the report; this included:

  • Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company
  • Never provide personal information, such as credit card or bank details, to an unsolicited caller
  • Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue
  • Take the caller’s information down and pass it to the authorities
  • Use up-to-date versions of Windows and application software
  • Make sure security updates are installed regularly
  • Use a strong password and change it regularly
  • Make sure the firewall is turned on and that antivirus software is installed and up to date.

Anyone who believes they may have fallen victim to a similar scam is advised to take the following actions:

  • Change their computer’s password, change the password on their main email account and change the password for any financial accounts, especially bank and credit cards
  • Scan their computer with the Microsoft Safety Scanner to find out if they have malware installed on their computer
  • Contact their bank and credit card companies.

As computer professionals, such calls may be obvious to us, but we owe it to our coworkers, our friends, and our families to get the word out on these sorts of attacks. Scammers are going after the weakest link in security - the end user - and it is by raising awareness of these sorts of attacks that we can provide those who are not IT professionals with the best defense we can - knowledge.

Comments

Robin St. Cloud June 22, 2011

Isn’t it strange that as malicious attacks get more technologically advanced, they have regressed to the biggest exploit of them all – human gullibility?

The numbers don’t lie, though, obviously it’s a system that is working for them. The only way to stop it is to catch them or educate the masses further.

Ed Fisher June 27, 2011

The user will ALWAYS be the weakest link in any security process. Attackers know this, but defenders frequently overlook it, or ignore it, usually to their regret. It’s obvious you understand this, as education is our best hope to change that.

@Furius_Geek July 7, 2011

In my opinion, this report is half-baked. For it to be more credible and informative, the report should also include countries with emerging telephone and cellphone penetration. China and India have double digit growth rates.

These countries are also fast becoming a haven of telephone phishing and scams because most of its users are not that techy. The developing economies of Brazil and Russia should also be surveyed.

Ed Fisher July 11, 2011

Good point Furius, I’m sure those countries are just as targeted.

Barbara September 2, 2011

Sept 25/11 Victoria, BC we got caught up with the E Indian chaps. Took about an hour to get rid of them as they kept calling back. They said if we did not buy anything they would destroy our computer. We finally got rid of them & our computer works!!!

Jan vG August 20, 2012

Just been called. Soest, The Netherlands. Indian bloke trying to do this trick. Don’t let them fool you!!!

ToddO October 2, 2012

Got this call two days ago. The person on the phone had a heavy Indian (I presume) accent. He informed me that my computer was sending virus messages to his company. He asked me to open Computer Management, then view the Application Log and Filter on just Errors and Warnings. He told me these Errors and Warnings in the log were because of a virus. I’m educated enough to know this was not true. I told him I was on to the scam and would not hang up the phone because I knew I was costing him money. He threatened to crash my computer if I didn’t follow his instructions. I said bring it on! He started jabbering at me in a foreign language (I assumed he was swearing at me in his native tongue) and after a couple of minutes of me telling him I was waiting for him to crash my computer, he hung up and did not call back.

Joan Wetherell December 5, 2012

Just got a call like this. Heavy accent, not sure – Indian, Mexican, Filipino???
Advice says to report these calls to “the authorities;” who ARE the authorities?

Terry March 8, 2013

Got a call from 326-172-0000. Very strong accent – stating they were Microsoft Windows – telling me that there have been reports of an attack on my computer & that I had to give her my information – when I refused & asked her for more information – she stated that my windows service would be non operational within 5 hours if I do not cooperate – when I handed the phone to my husband she hung up

Janice June 21, 2013

I’ve received numerous calls from someone with a heavy accent as described above…I told him that I was not comfortable giving him access to my computer so I told him to give me his information so I can check him out. He gave me the number 201-616-0007. I knew it was a scam!

Michael October 23, 2013

Just got the call. Heavy mid-East or far-East accent. I asked him to tell me which of my computers’ operating systems was “infected”. He named the one version of Windows that I do not have. Bingo.

I had a little more fun with him then asked him for his name and a return phone number. He gave me “Scott Jones” and 510-960-4561.

Nice accent Scott. You don’t sound like you’re from around here. Buh-bye.
