#5MinSecurityRead: The scam goes on

News and information from the Advent IM team.

Five minutes on the irritant that is vishing.


One of the things I have noticed about being permanently remote is the number of vishing calls I get to my landline (yes, I still have one). Being out and about at events, meetings, speaking engagements etc. means that I would normally miss these calls and so they had very little impact. But a few months at home has taught me that the IT Security Support Scam (amongst others, but this is the most frequent on my line) is still hanging around like a bad smell… (cue jokes about opening Windows)

For anyone unfamiliar with the format, you receive a phone call in which the caller claims (in a variety of accents) to be from Windows (yes, I have had that), Microsoft, IT Security, or some other random tech brand. They tell you they are calling because there is a security problem with your PC and, to prove this, get you to open the Event Log on your PC to try to frighten you with the contents. Most people realise fairly quickly that the likelihood of Microsoft making concern calls to individuals is quite minute. That’s normally the point they hang up, possibly after firmly explaining how they feel about the call. Some people don’t, and that is for a variety of reasons. Let’s be honest, if it didn’t work, they wouldn’t continue to do it, so there is no shame in it. The shame lies firmly on the shoulders of the criminals who do this.

Of course, there are a great many topics of vishing calls: banking, insurance, tech companies. I picked on the IT support version because I have received at least one a week since March, but they come in all guises.


This prompted me to drop some advice here for anyone who finds themselves in the same situation.

  • Don’t panic. Yeah, easy for me to say that when your bank says they have detected fraudulent activity on your account and you need to give them all your details to prove who you are, so they can sort it… Always count to ten, because it’s rare that good decisions are made when you are mid-panic. All sorts of frauds rely on rushing you into acting before thinking, and vishing is definitely one of those.
  • Ask lots of questions, ask for lots of verification. Authentic people answer questions easily and verify themselves because they are used to doing so and also they do actually care about your security. Criminals don’t like questions because it slows their process and means you may quickly discover they are not who they say they are. They may try to placate you by offering numbers for you to call to verify them or websites to visit to verify them, however…
  • Don’t call any number you are given, don’t visit any site you are told to. The criminals can make it seem like you have a dial tone, but you are still connected. They can also give you a number to call which is also just them, and they will definitely want you to visit their fraudulent website, designed to look like a bank or credit card company etc. Hang up, use another phone to contact your bank or provider in the way you would do normally and only use the phone number on your card or statement. Of course, if it’s an IT security scam then you are hardly likely to call Microsoft regularly. To be honest, it’s pretty certain that you can just ignore those calls anyway. If you are a remote worker then you will already have a security team contact protocol in place; use that. With the IT security scam you also need to be aware that they buy paid advertising on popular search engines to make themselves look legitimate, and these adverts will also have the criminals’ contact details. So it’s vital that you only use your normal or prescribed methods of contact.
  • Are you using the Telephone Preference Service? Although it won’t screen out all of the foreign calls, there is no harm in at least screening out what you can.
  • Block the number on mobile devices.
  • If the worst happens, contact your bank and Action Fraud immediately. Change all your passwords and run your full antivirus software as soon as you can. If this has happened on a corporate machine you should contact your security team by your designated method as soon as you can.

