I was sitting in my home office when my home phone line rang. It was late. 10:30 p.m. to be exact, but I often use this quiet time after my kids have gone to bed to catch up on email. Despite my home telephone number being unlisted and registered with the US National Do Not Call Registry, sadly it still gets its fair share of telemarketers, but never this late. So when the phone rang it startled me. I looked up and checked the caller ID display. It was showing a 408 area code. Knowing that caller ID phone numbers are easily spoofed, I was reasonably sure it was a telemarketer, but being so late I also had a nagging doubt. Who calls this late? Perhaps it was something important. So I answered.
“Hello?”
A man quickly responded.
“Hello, may I please speak with Gary Egg-an?”
That pronunciation of my name is usually a good tipoff that the call is a telemarketer.
“Who’s speaking?”
The caller responded.
“I am calling from the Windows Service Center. We have been getting reports here for the last few days from your computer, telling us that it’s infected. I’m calling as a courtesy to help you fix the problem.”
Already this had all the hallmarks of a scam: there was much background noise, the caller had a gruff demeanor, but perhaps most significant was the fact that I don’t actually own a Windows computer at home. My wife and family have been exclusive Apple customers for many years. As usual though, I played along, after all “enquiring minds want to know,” but I didn’t make it too easy for him.
“Oh? I don’t think there is anything wrong with my computer, it’s working just fine.”
“Well we’ve been getting hourly reports from your computer about an error condition. If you give me the license number from your computer I can corroborate it with the one I have on file. Here, let me show you how to get it and confirm the error conditions.”
“Oh really? I don’t actually think there is anything wrong with it.”
“I’m telling you, we’ve been getting these reports in to our center in Florida every 5 minutes. If you follow my instructions I can show you. I’m from the Windows Service Center. This is a courtesy call.”
“Hmm… okay.”
He proceeded to give me instructions.
“Please hold down the key with the little window. You’ll find it at the bottom of your keyboard. Then also hold down the letter ‘R.’ Do you see it? It’s got a picture of a little window.”
I played dumb.
“I don’t think I see a key like that”
So for the next few minutes he patiently tried to explain to me where I could find the key. He seemed very used to dealing with non-technical folks, of which I can do a very good impression. Starting to get a little frustrated, at one point he asked me to name all the keys on the lower left corner of the keyboard. I feigned ignorance. At one stage he asked me if I was running a Mac, which of course I was, but I didn’t tell him that or the game might have been over. He kept his cool and “like the Energizer Bunny,” he kept “going, and going and going.”
After a few more back and forth interactions I was now starting to get tired. It was now 10:45 p.m.
“Are you from Microsoft?” I said.
“Yes, I’m from the Windows service center in Florida.”
“Well it’s starting to get late here in California, so maybe if you can give me your number I can call back tomorrow?”
I could tell he was now starting to get anxious. He’d invested at least ten minutes of his time in me so far and I could sense he was now nervous he mightn’t get to “close the sale.”
He let his guard drop for a moment.
“You know this isn’t some sort of scam, I can show you the data. Would you like to talk to my supervisor? Hey, have you got a Google, maybe I can show you with that?”
Hmm, “Who said anything about a scam?” I thought to myself. I continued.
“Oh? Yes, I have a Google.”
“Ok, so please type ‘w’ ‘w’ ‘w’ ‘dot’ ‘t’ ‘e’ "
At this point the Google search box in my browser was displaying a search suggestion of ‘www.teamviewer.com’ and so I knew where we were headed. For those of you that don’t know, Teamviewer is a remote access tool just like Logmein, the purpose of which is to establish a remote control session between two computers via a middle man website. In this case the caller clearly wanted to try and establish a remote session to my computer. This of course this is the last possible thing anyone should ever agree to. If I gave him that connection, then for all intents and purposes the game would be over. I would be “owned!” with my machine now completely in his hands.
At this point I could no longer contain my chuckles at his antics and unfortunately once he picked up on that, he quickly hung up. In the end I’d kept him on the line for 20 minutes as I tried to learn more about his tactics.
The likely playbook play that would have panned next would have seen him set up a fake ‘infection’ or ‘error condition’ on my machine and then try to charge me a fee to remove it. Think of it as a sort of manual FakeAV. Along the way he would likely have blamed Norton, or perhaps even morphed his identity to claim to be from Norton Support (depending on what he found on my machine), and then gone on to use his persuasive powers to coerce me into authorizing $100 or more from my credit card account.
So what do you think? Would you have fallen for a scam like this? Hopefully not!
Our business was built on protecting our customers' machines from attack, but as computers and other devices in our homes become more resilient to traditional attack (in part I like to think because of the presence of Norton on many of these devices), I believe we, and our customers will see more attackers turning their attention to the type of old fashioned ‘social engineering’ attack described above. The virtually free cost of long distance calls, together with Internet tools that can so easily connect two computers make such scams so easy and so viable. My caller last night clearly had a script he was following. He wasn’t phased by my responses to his questions, and he doggedly kept going (remember that Energizer Bunny). I have no doubt that many people fall for this trap and that the company behind this scam likely makes millions of dollars from such a simple social engineering attack.
For us as a company, I think interactions like this have a few lessons.
I think it’s becoming harder to differentiate real from scam. When someone calls you on the phone, how do you really know they are who they say they are? Should you trust them? Even if they give you information to ‘prove’ their identity, how do you know they got it from a legitimate source?
Hint: “You don’t!” As a general rule, I say never trust an inbound caller. Call them back, but not using the number they give you when they call. Find their website and use the contact details there.
I’d love to know your thoughts. Have you ever received a call like this? Have you ever played along? How do you think we can help our customers learn to detect and defend themselves from such scams? How do you think we can improve our experience to help customers recognize fake from authentic?