Security software helps protect your computer against an ever-growing range of security threats and Internet nasties. But not all threats come via email or on the web: PC security scams can start with a phone call.
Picture by Jonathan Cohen
My best mate rang me earlier this week to tell me about an amusing but disturbing experience. The home phone rang and the caller said he was "ringing from Windows" about a security issue that had been detected on my mate's PC and which urgently needed fixing.
Smelling a rat (and a poorly-trained rat who didn't even know the word "Microsoft"), my friend said that the line was poor and could he have a number to ring back on. The caller said no, but he could ring back in a couple of minutes. My mate said he didn't think that would work. Then the caller hung up.
My mate was cluey enough to realise that the call was totally suspect, but wanted to know how the scam would have worked if he had stayed on the line. Having encountered variants of this scheme quite a few times over my career as a journalist, I was able to explain the probable plot.
Having persuaded their victim that there was a legitimate issue to be fixed, the most likely approach the caller would have taken would be to direct the user to a fake diagnostic site which auto-installed malicious software. A less subtle variation would be to direct the computer owner to a fake fix site and ask them to download the malware directly, pretending it was a security patch. Another possible approach would be to guide the user through how to enable remote access on their machine, "to install the fix for them".
Whichever route was used, the end result would be that the caller could install pretty much anything they wanted. The most likely candidates would be botnet software that would make the PC part of a global network used to send spam mail and other nasties, and keyloggers that could track activity on the PC, sending details such as credit card numbers or passwords to remote locations. In the cheekiest versions of the scam, the phony caller might ask for credit card details to charge for the service provided. My mate wasn't duped, but lots of people are. Don't be among them. You should not be fooled by a persuasive manner on the phone, or the fact a caller knows your name. Software companies do not carry out support in this fashion.
Nothing installed on your system via such a call will do your PC any good, and what gets added could make you vulnerable to identity theft, huge broadband bills and machine performance problems.
What should I do?
Here's the simple reality: Microsoft is not going to ring to tell you about a potential security issue and help you fix it. Neither is Apple. It's a scam, pure and simple. If you get a call that starts along those lines, I'd take the blunt and direct approach and hang up without any further discussion. Forget being nice: you are talking to a criminal.
If that's really not your style, then ask the caller for a contact name and phone number (which is what you should do every time you receive an unexpected phone call anyway). Chances are they won't give you one and the call will end quite abruptly.
They might offer to call you back, but that proves nothing. If they insist the issue is urgent, tell them you're not responsible for family PC maintenance and can't make any changes. Then hang up. (You can see why I think hanging up straight away is simpler on the whole.)
If you're the informal tech support for family and friends, as many Lifehacker readers are, make them aware of this rule as well. While you possibly don't want to encourage people to lean on you when tech problems arise, ensuring a relative doesn't let someone infest their machine with botnet agents and keyloggers is a lot less trouble than trying to remove them afterwards.
It's a simple rule: when someone offers a PC fix over the phone, hang up. Remember it.
Lifehacker 101 is a weekly feature covering fundamental techniques that Lifehacker constantly refers to, explaining them step-by-step. Hey, we were all newbies once, right?