Spot Fake Support Calls / Social Engineering Attacks
DAY 25: Spot Fake Support Calls / Social Engineering Attacks
Welcome to Day 25 of my 30-day security challenge, the month-long challenge I created to help you take control of your privacy and security online. You can follow along with the whole series at snubsie.com, where you can also download a checklist, and subscribe to youtube.com/tekthing for the entire video playlist.
Today we'll discuss how to spot fake tech support calls, scammers and social engineering attacks. Unfortunately, these are common, and you may have been targeted without even realizing it. Scammers come at you in a variety of ways to steal your data, but today I'll focus on the tech-centric ones. Have you ever received an unsolicited call about fixing your Windows PC? That was almost certainly a fake tech support call, designed to get your credit card number or passwords by pushing you into a state of urgency and fear. I got to experience one of these about a year ago, when a "Windows tech" called my coworker. We decided to have some fun with the call and ended up sending him to a goatse page (DO NOT GOOGLE THAT), and we recorded the whole thing for my vlog (at youtube.com/shannonmorse). Of course, that is not the recommended course of action. But if you've ever fallen prey to one of these, it helps to know what the red flags are.
So how do you tell it's a fake? #1: It's unsolicited. You never filled out a tech support request, yet you get a phone call from "Windows Tech Support". Microsoft, the maker of Windows, does not call customers out of the blue. It's fake.
#2: The caller ID looks real. Chances are it isn't. Even if the number shows a Redmond, Washington area code, where Microsoft is headquartered, caller ID can be spoofed using Voice over IP (VoIP) services, which let callers place phone calls over the internet and choose the number that is displayed on your phone.
#3: They don't give you a call-back number or a reference number, or the number they give doesn't match Microsoft's support number. Microsoft's US support number is 1 (800) 642-7676. Microsoft also publishes online help guides for its products, and none of them will list the call-back number a scammer gives you. Look the number up yourself on Microsoft's site rather than trusting one the caller reads out to you.
#4: They are rude, talk over you, and the audio is poor. If you ask a question, they ignore it. You have to ask repeatedly what they said, because it sounds like a thousand things are going on behind them. They don't pay attention to what you are saying; they are trying to walk you through the steps of their script and will not get off track. Real customer service should not act like that, and it's a crystal clear sign that something is up.
#5: They say your computer is sending them errors, or that it's already infected and they need to clean it up. The caller has no view into your computer and is guessing; this is the same fear-and-urgency tactic again. Don't fall for it.
#6: They want you to install some kind of tool so they can work on your computer remotely. This is another red flag: never install software or grant remote access at the request of an unsolicited caller, because whoever controls that session controls the machine.
#7: They ask for payment, typically by credit card.
What should you do? Write down whatever details you can from the call (the number, the name they used, anything they asked you to install) and hang up. Report them to Microsoft, in case the company is able to track them down, and if you did give out your credit card information, work with your bank to reverse the charge and minimize the risk. I've put the link to Microsoft's reporting survey in the show notes, along with the real link to support from the company.
Beyond fake Windows support calls, plenty of other scams use social engineering tactics to get you to hand over sensitive information willingly.
Social engineering attacks can happen to anyone. They work by creating an emotional appeal for help, or by building a human bond with you, so that you do what the attacker asks without verifying it. Fake tech support calls are one form of this. Social engineering can also come at you in several other ways.
#1: Surprise inspections or visits from authority figures. These strangers may wear legitimate-looking uniforms or badges, or carry clipboards, hoping to get into a place where they shouldn't be. When I worked at a bank, we were told that if someone came in with an FDIC ID, we should immediately call our FDIC direct line and ask whether there was a deposit scheduled and who the driver would be.
#2: Fear or urgency in the request. If someone takes over or impersonates your grandmother's Facebook account and messages you saying she needs a hundred bucks wired to her account for a last-minute bill, call your grandma on a number you already have to confirm it was her. The same goes for "URGENT - UNPAID BILL" emails with links in the body of the text: don't click the link; type the company's website address yourself, or use a bookmark, and pay the bill there.
#3: They ask you to "confirm" sensitive information. A company you already have an account with does not need you to re-confirm your password, full card number or other account details, and it will not ask for them in an unsolicited call, email or message. If you didn't initiate the contact, don't supply them.
#4: A new friend asks the commonly used security questions. Did someone you just met start asking about things like your first pet, the street you grew up on, or your mother's maiden name? Those are the standard password-reset questions, and they might be trying to social engineer you.
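The "URGENT - UNPAID BILL" email in #2 is the one case above where a small script can help. What follows is an added example, not code from the original post: it pulls every link out of a message body and flags the ones whose real destination does not match what the visible text claims, which is exactly the trick those emails rely on. The sample email is constructed for the demonstration, "microsoft.com" is a hypothetical allow-listed domain (the one a real billing notice would be expected to link to), and all function names are assumptions.

```python
"""Flag deceptive links in a scam email such as an "URGENT - UNPAID BILL" message.

Added example (not code from the original post). The sample email below is
constructed for the demonstration, and "microsoft.com" is a hypothetical
allow-listed domain: the one you would expect a real billing notice to link to.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text claims microsoft.com, but the real
# target is a lookalike host under an unrelated domain. The second link is fine.
SAMPLE_EMAIL = """
<p>URGENT - UNPAID BILL. Your account will be suspended in 24 hours.</p>
<p>Pay now: <a href="http://secure-microsoft.com.billing-alerts.example/pay">
https://support.microsoft.com/billing</a></p>
<p>Questions? <a href="https://support.microsoft.com/contactus">Contact support</a></p>
"""

# Visible text that looks like a URL or a bare domain (e.g. "www.microsoft.com").
_HOSTLIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#].*)?$")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so line breaks inside the tag don't matter.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lowercase hostname of url ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def under_domain(host, domain):
    """True only if host is domain itself or a real subdomain of it.

    The suffix check includes the dot, which is what defeats lookalikes such as
    secure-microsoft.com.billing-alerts.example or microsoft.com.example.
    """
    return host == domain or host.endswith("." + domain)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html, expected_domain):
    """Return one finding per link: href, visible text, real host and red flags."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        flags = []
        if parts.scheme not in ("http", "https"):
            flags.append("non-web scheme")
        elif parts.scheme != "https":
            flags.append("not https")
        if "@" in parts.netloc:
            # http://microsoft.com@evil.example/ really goes to evil.example
            flags.append("userinfo before host")
        if _is_ip(host):
            flags.append("raw IP address as host")
        if not under_domain(host, expected_domain):
            flags.append(f"real host {host!r} is not under {expected_domain}")
        shown = text.lower()
        if host and _HOSTLIKE.match(shown):
            # The text names a site: compare it with where the link really goes.
            shown_host = host_of(shown if "://" in shown else "http://" + shown)
            if shown_host and shown_host != host:
                flags.append(f"visible text names {shown_host!r}, link goes to {host!r}")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


def is_suspicious(html, expected_domain):
    """True if any link in the message carries at least one red flag."""
    return any(f["flags"] for f in check_links(html, expected_domain))


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL, "microsoft.com"):
        status = "RED FLAGS: " + "; ".join(f["flags"]) if f["flags"] else "ok"
        print(f"{f['text']!r} -> {f['host']}: {status}")
```

The important design choice is that under_domain() matches on a dotted suffix rather than a substring, so a host that merely contains "microsoft.com" somewhere in its name is still rejected. In real mail the allow-listed domain should be the registrable domain (what a public-suffix list gives you), and the script is a filter, not a verdict: a link that passes every check can still be a phishing page, which is why the advice in #2 is to type the address yourself rather than click.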
Your best bet with any of these tactics is to stay skeptical of your surroundings and of the requests you receive. If anything feels fishy, find an independent source (the company's published phone number, a direct contact you already know, etc.) that can verify whether you can trust the message, rather than using contact details the message itself supplies. Following these practices may make you come off as somewhat abrasive in some situations, but if someone is being honest with you, they'll understand.
Day 25 is now complete! Tomorrow is all about spotting ATM skimmers and freezing your credit history. But first, make sure to subscribe on youtube.com/tekthing and hit up snubsie.com for the downloadable checklist. Again, I'm Shannon Morse and I'll see you tomorrow for day 26!