Microsoft warns of telephone phishing scam

(Note: While this article is dated June 2011 there is currently a huge resurgence of telephone phishing)

On June 16, 2011, Microsoft released the results of an independent survey conducted by Dynamic Markets, Ltd., commissioned by Microsoft Trustworthy Computing, regarding an increasingly popular phone scam criminals are using to target victims. The report warns that scammers have increased their efforts to fool people into providing access to their computers, or to provide personal information, including credit card data, by calling them and pretending to be Microsoft employees or other security engineers who have detected that the victim’s computer has been compromised or is infected with malware.

Seven thousand users across the United States, Canada, the United Kingdom and Ireland were surveyed. Of the respondents, 22% had received at least one phone call from someone pretending to be a security engineer, while 3% were sufficiently fooled into following the attackers instructions.

After convincing the victim that their machine was at risk, the attacker proceeded to attempt one of several attacks. These included convincing the victim to provide him/her with remote access to their computer so that they “can assist with removing the malware”, leading them to download software which contained malware, or providing credit card information to pay for assistance.

Here are some of the key numbers from the report:

• 79% of the victims suffered a financial loss
• the average amount of money stolen was US $875
• 67% of those who lost money were able to recover some of it
• 53% said they suffered subsequent computer problems
• The average cost of repairing damage caused to computers by scammers was US $1,730.
• In the United States, the cost was much higher; $4,800.
• 67% of those who lost money were able to recover, on average, only 42% of it
• 17% experienced some form of identity fraud.

Microsoft included some advice to go along with the report; this included:

• Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company
• Never provide personal information, such as credit card or bank details, to an unsolicited caller
• Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue
• Take the caller’s information down and pass it to the authorities
• Use up-to-date versions of Windows and application software
• Make sure security updates are installed regularly
• Use a strong password and change it regularly
• Make sure the firewall is turned on and that antivirus software is installed and up to date.

Anyone who believes they may have fallen victim to a similar scam is advised to take the following actions:

• Change their computer’s password, change the password on their main email account and change the password for any financial accounts, especially bank and credit cards
• Scan their computer with the Microsoft Safety Scanner to find out if they have malware installed on their computer
• Contact their bank and credit card companies.

As computer professionals, such calls may be obvious to us, but we owe it to our coworkers, our friends, and our families to get the word out on these sorts of attacks. Scammers are going after the weakest link in security - the end user - and it is by raising awareness of these sorts of attacks that we can provide those who are not IT professionals with the best defense we can - knowledge.

Written by Ed Fisher on June 21, 2011