In Part One, I talk about a phone call scam I received and how I had been passed by the “caller” to a “supervisor”, and then to a “technician”, and how the story just got better and more believable along the way. When it was the technician’s turn, he told me that I had over 10,000 errors on my PC, my quick retort being that I knew perfectly well it was a scam. With that I closed the chat session.

That was not the end of it. These ‘persistent’ scammers had more dramatis personae to bring into their elaborate production.

Enter the general manager…

Five minutes later I received another call. This time it was the “general manager”. He endeavored to explain to me that the call I had received was no scam at all, but rather a completely legitimate service.

I then informed the caller that as a security researcher I was perfectly capable of distinguishing a scam from the real deal. He continued to insist that the service was legitimate, at which point I explained to him exactly what they were doing and what the ‘error’ files were actually used for.

Did he say what I think he said?

At this point the general manager changed tack. He stopped trying to convince me of the legitimacy of his operation, but he had the audacity to ask me how much I would pay him to stop scamming me. Seriously, he really tried that! His logic was that, since I worked in IT security, it was my job to stop people like him. Thus, the question ‘how much was I willing to pay him to put an end to his schemes’.

When he realized I would never agree with him he hung up.

What can we learn from these scams?

What’s interesting about this story is that at no point did the scammers attempt to install any malware on my computer. The software they asked me to download was a remote desktop client – no malicious activity there.

Everything they did was with my consent. In fact, I suspect these scammers were attempting to sell services that people do not really need. Yet, by giving my consent at each stage, I wonder if they were actually on the right side of the law, albeit, I would add, a shadowy grey part. Then again, as they are misleading people by saying s/he has (non-existent) errors on their computer, I would imagine that this is classified as fraud.

Another interesting aspect to this tale is their high level of social engineering skills and power they can wield over most people. Different people are involved at each stage and they show you clearly what is wrong (they claim) with your computer. It doesn’t surprise me that many people easily fall for these scams. That they have asked for the head of the household by name (from the telephone directory) makes the call even more credible.

They are also very clever and shrewd. They do not install any malicious software – that would ring alarms bells if antivirus software is installed and what most people would expect. If they haven’t, then they must be genuine. And there you have victims with a huge false sense of security. You may have doubts during the call, particularly so when asked to download software, but if your anti-virus software gives you the all-clear for that downloaded file,  it’s more likely that you will believe the caller.

Education is the best defense

So what are the options? Education is the best defense. In an office environment, it is important that these attempts are not ignored and that the security team is informed. What do you do if you receive a call at work? If this were to happen to me, I plan to tell the caller I am at work and I will forward the call to IT department. It would be interesting to see whether the scammers would try their social engineering skills on me to gain access to our systems and, if they did try, would they use the same routine or something more subtle and dangerous. Corporate machines could be a more lucrative option for the scammers.

These scams are a serious threat to both individual users and business; and they definitely should be investigated thoroughly. A successful attack could, at the very least, leave you with a compromised credit card, or worse.

 

Like our posts? Subscribe to our RSS feed or email feed (on the right hand side) now, and be the first to get them!