Got a strong password? Check. Utilizing a firewall? Check. Anti-Virus software up to date? Check. Familiar with social engineering tactics? Wait…what?
Social engineering can employ a lot of tactics. They can include somebody digging through your trash to find your bank statement and get your account number. Here I’m primarily discussing running a con. Somebody calls you on the phone and identifies himself as a technical support agent from Microsoft or an anti-virus company, hoping you’ll give him remote access to your computer. This allows him to get around your password, and suddenly he has control of your PC. He can log your keystrokes to get your passwords, install malicious software and sometimes talk you into paying to remove said software.
I personally know people who have been victimized by callers impersonating representatives from Microsoft or contractors for Microsoft. Each time, the caller has used a combination of publicly available personal data, technical jargon and high-pressure sales tactics (aggression, fear, urgency) to convince people that their computers are already infected with malware. These victims were then convinced that the callers would help remove these non-existent threats by remotely accessing the victims’ computers. Upon accessing the PC, the caller installed fake anti-virus software that “found” malware. The fake anti-virus program allowed the caller to hijack the victim’s computer and demand payment to release it. In one case I know of, the victim tried to shutdown his PC but found moving his mouse had no effect. Before he could power off the PC, the caller initiated a process that wiped his hard drive.
These types of attacks are becoming more common and sophisticated. It’s especially easy for an unsuspecting person, who is also unfamiliar with these threats, to be fooled. That’s how social engineering is best employed. Preying upon those who are less technically savvy is even easier. Where someone bothered by a telemarketer might just hang up the phone, combining fear of computer viruses with sales tactics seems to convince people to remain on the line and even give up control of their computers. It’s diabolically evil, in my opinion. What’s worse? There’s not really anything technical companies can do about it to protect people. This type of attack relies upon people conning other people.
Microsoft will NEVER call you and offer you free technical support. They aren’t alerted when there’s a problem with your PC or a virus detection made by your anti-virus software. I can’t remember the last time Microsoft offered me anything for free, and they’re certainly not psychic. Listen to your instincts. Don’t trust the sales pitch. Don’t give them access. Hang up the phone. You can’t put them out of business, but you can protect yourself by cutting off the call. You can also protect other people by spreading the word about these attacks. Let’s help each other fight the bad guys.