Over the last few years, cybercriminals have spent a great deal of time and energy developing and evolving new technologies to exploit the smallest flaw and break through the toughest network security. Some, however, choose to stick to the basics and exploit the most glaring vulnerability in the network infrastructure: people.
In a post on the Microsoft Secure blog, Windows Defender Research Project Manager Erik Wahlstrom suggests that picking up a phone can be more cost-effective than directly attacking a target network. He says that at times, it can “be easier to convince users to willingly share their passwords, account info, or to install hazardous apps onto their device than to develop malware and steal info unnoticed.”
Social Engineering Remains a Growing Problem
Cybercriminals keep returning to social engineering for one reason: it works. Tech support scam reports received by Microsoft in January and February 2018 ran between 13,000 and 14,000 per month. That figure counts only reported incidents, so the true scale of the problem is likely much larger.
These attacks can also take many forms, and if a threat actor’s campaign targets enough people within an organization, one of these methods is likely to be effective. The most common methods, according to Wahlstrom, include:
- Getting victims to fake websites by means of fake antivirus detection notices, malicious ads, altered search results, and typosquatting;
- E-mail campaigns such as phishing or spear-phishing that trick a victim into opening a malicious URL or downloading a file carrying hidden macros;
- Installing malware on an endpoint that generates fake error messages, which conveniently provide a number to call; or
- Simply picking up the phone and cold-calling victims pretending to be tech support.
Regardless of the initial attack method, Wahlstrom notes that the end game is to get the victim to contact a call center. Once on the line, the criminals create a sense of urgency to trick victims into purchasing support they don’t need. When the victim agrees, the scammers send an e-mail containing a link to install a remote administration tool (RAT), which gives them direct access to and complete control over the device.
Once they have that level of access to a computer, the criminals have extensive leverage to pressure victims for payment.
Spotting and Avoiding the Scam
As with most social engineering scams, Wahlstrom states that “customer education is key” to prevention. There are several things to keep in mind when confronted with unsolicited requests from someone posing as tech support. Wahlstrom says that Microsoft will never:
- Send unsolicited e-mails or otherwise initiate contact with users to request personal information or offer to fix their computer;
- Reach out to provide unsolicited technical support; or
- Include a phone number within an error message.
Any such unsolicited support attempt should be reported directly to the organization’s IT security team.
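The indicators above (a phone number embedded in an error or alert message, urgency wording, and lookalike domains reached through typosquatting or malicious ads) are mechanical enough to screen for. The following Python is an added example, not code from the Microsoft post or from the article: it flags phone-number-shaped tokens next to urgency phrases in a pop-up or page text, and classifies a URL's domain against a brand list as legitimate, a typosquat (within two edits), a brand-embedding impersonation (the brand name inside an unrelated domain), or unknown. The brand list, thresholds, sample texts and phone-number pattern are all constructed for the example.

```python
"""Heuristic screen for tech-support-scam tells in a message and its URL.

Added example, not code from the Microsoft post. The brand allow-list,
phone-number pattern, urgency vocabulary and sample texts are constructed
for illustration; a real deployment would load its own vendor list.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allow-list of vendor domains a scammer would imitate.
BRAND_DOMAINS = ("microsoft.com", "windows.com", "office.com")

# North American phone-number shapes: 1-888-555-0142, (425) 555-0142, 425.555.0142
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

# Wording fake error messages use to manufacture urgency.
URGENCY_TERMS = ("blocked", "infected", "virus", "immediately", "do not restart",
                 "do not close", "call", "toll free", "toll-free")


def find_phone_numbers(text: str) -> List[str]:
    """Return every phone-number-shaped token in the text."""
    return [m.group(0) for m in PHONE_RE.finditer(text)]


def find_urgency_terms(text: str) -> List[str]:
    """Return the urgency phrases present, matched on word boundaries."""
    lowered = text.lower()
    return [t for t in URGENCY_TERMS
            if re.search(r"\b" + re.escape(t) + r"\b", lowered)]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com brands; a real tool
    would consult the Public Suffix List to handle ccTLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str, brands=BRAND_DOMAINS, max_distance: int = 2) -> str:
    """Return legitimate | typosquat | brand-embedding | unknown."""
    dom = registered_domain(host)
    if dom in brands:
        return "legitimate"
    for brand in brands:
        if edit_distance(dom, brand) <= max_distance:
            return "typosquat"          # e.g. micros0ft.com
        if brand.split(".")[0] in dom:
            return "brand-embedding"    # e.g. microsoft-support-help.com
    return "unknown"


def assess(text: str, url: Optional[str] = None) -> Dict[str, object]:
    """Combine the indicators into one verdict for a pop-up, page or e-mail."""
    phones = find_phone_numbers(text)
    urgency = find_urgency_terms(text)
    domain = classify_domain(urlparse(url).hostname or "") if url else None
    # Microsoft states it never puts a phone number in an error message, so a
    # number sitting next to urgency wording is the strongest single tell.
    suspicious = (bool(phones) and bool(urgency)) or domain in ("typosquat", "brand-embedding")
    return {"phone_numbers": phones, "urgency_terms": urgency,
            "domain": domain, "suspicious": suspicious}


# Constructed samples: a scam pop-up and a genuine-looking error dialog.
SCAM_POPUP = ("** YOUR COMPUTER HAS BEEN BLOCKED **\n"
              "Error code 0x4F2A. Do not close this window or restart your computer.\n"
              "Call Microsoft Support immediately: 1-888-555-0142 (Toll Free)")
REAL_ERROR = "Windows Update encountered error 0x4F2A. Retry or check your network connection."

if __name__ == "__main__":
    print(assess(SCAM_POPUP, "http://micros0ft.com/alert"))
    print(assess(REAL_ERROR, "https://support.microsoft.com/"))
```

The domain check is deliberately a heuristic: a host such as micros0ft-support.com is more than two edits from microsoft.com and does not contain the exact brand string, so it falls through to "unknown". Pairing the domain verdict with the phone-number-plus-urgency check is what keeps that case from slipping past, which is why the two signals are combined rather than relied on separately.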