Criminals are increasingly using phone social engineering tactics. They attempt to impersonate some official sounding company, tell you your system is doing something suspicious, and then lead you through the process of “fixing” it. However, the fix is the installation of malware so that they can control your computer remotely.
Last June, I was called by a criminal trying to get me to install malware on my system. I blogged about it here.
The same thing happened again today though the call was a little different.
First, I received a call from “Out of Area.”
When I answered a woman with an India accent stated “I am from the Windows department and I am calling about your Windows computer.”
However, her accent was so thick, I had to ask her to repeat it a couple of times before I understood.
Finally, I exclaimed “My Windows computer.”
Click. We were disconnected. That’s odd.
In a moment, another call identified as “Private Caller” came in
When I answered, it was the same woman and she apologized saying we were disconnected on their end. I could hear a lot of voices in the background. They sounded quite busy as though dozens of phone operators were going through a script with others.
She then went into a spiel, though it was difficult to understand everything she was saying.
Finally, I understood some phrases like “infected” and my “computer was sending out messages.” I responded with “Wow!”
My plan was to play along like I did last June. Back then, a guy had me look around my system and find a bunch of logged errors. The errors were legitimate but he implied it meant my system was heavily infected. Thankfully, it was my lucky day. He could help me fix it.
He guided me to open a Run window and type in a website address. I have no doubt the address was malicious. It might include a malicious download similar to what criminals tried to trick users with in a phishing email about a bogus funeral.
I stopped before going to the website, but that guy was pretty skilled and might have tricked someone else.
Today’s criminal didn’t have the quite the same skill set. Apparently, I stumped her with “Wow!” She asked me several times what I said.
Finally, I slowed it down and said “I….. Said….. Wow! …. I am surprised you’re telling me my system is sending out messages.”
Too many words I guess. She hung up.
Criminal Social Engineering Phone Tactics
Assuming other criminals are using the same script as her, they might succeed. I think speaking and understanding English should be a prerequisite for this job but perhaps they’re having problems in their HR department.
From a psychology perspective, these criminal use several common ploys.
- Built credibility. She tried to show credibility as she mentioned the Windows department.
- They have you find the errors. If we continued, she would more than likely have me find and view the errors. She wouldn’t just ask me to believe her. Instead, she would have me type in the commands and seethe errors.
- Good acting skills. She would sound genuinely surprised when I describe the errors I see. She might have changed her tone, brought warmth into her voice, and offered to help.
- Used unfamiliar tasks. She might have me type in the web address in the Run window instead of in a web browser. Some users might be suspicious if they were asked to go to a web site. However, opening the web site from the Run window might seem less dangerous. It is a little more technical so it could easily distract an uneducated user.
The only thing that stops these criminals is educated users.
Educated users thwart many of these phone social engineering tactics. This is one of the reasons why more and more companies value employees with basic security skills and the Security+ exam helps validate these skills.
However, you don’t need to be Security+ certified to be suspicious of criminals trying to rip you off. It’s unfortunate, but due to the number of criminals trying to steal to get ahead, we all need to be vigilant and suspicious of emails and phone calls from strangers.
Hopefully, you’re know about some of these tactics and you know to be suspicious.
Would your family members recognize them? Would your friends?
If not, let them know.