The purpose of this article is to discuss what a Microsoft phishing scam is. I have a family member who just got hit with this scam and was fooled by it. My goal here is to make you aware of this so you do not fall victim to this scam or other types of scams yourself.
What is Social Engineering?
Social engineering is the art of manipulation by attackers to get you to divulge personally identifiable information that they use for nefarious purposes. The user is the weakest link in the cybersecurity chain. For attackers, it is still the easiest way to get sensitive information they can use for fraudulent purposes, such as financial account information, log-in information, and other kinds of information they can use for destructive purposes. Social engineering can happen in different ways; over the phone, email, and text messaging are the most common. Social engineering works because attackers are so good at earning your trust and then extracting information from you that is helpful to them.
There are four steps to a social engineering attack:
- Gather information on the target. The target is a person they are trying to get information from.
- Establish rapport with the target by earning their trust using the information gathered on them.
- Exploit the target to retrieve account information, computer logins, and other valuable pieces of data to assist them in achieving their goals.
- Execute the attack to steal money or destroy a system, and then disappear without a trace.
Phishing is an attack in which an attacker poses as a trustworthy person to extract valuable personally identifiable information, which could include financial account information, log-in information, and other pieces of data the attackers need to accomplish their goals. There are three types of phishing: email phishing, smishing (text messaging), and vishing (phone). Let’s discuss how phishing works.
- The attacker imitates someone trustworthy that the user might know such as tech support of a known organization such as Microsoft.
- The attacker drafts an urgent message that requires immediate action by the user or something bad may happen.
- The victim takes the bait and does what the email asks them to do. The email may ask them to call a phone number, click on an attachment that launches malware, or click on a link where they provide user credentials. These are just a couple of examples.
There are other types of phishing, such as spear phishing, in which a specific person is targeted by an attacker. Whale phishing targets a high-profile person in an organization. Most phishing attacks are mass emails, and the attackers hope someone will take the bait.
Protecting yourself from Phishing
So, how do you protect yourself from Phishing attacks?
- Don’t open emails from unknown people. You have to really look at the email header and see if the sender is who they say they are. In a lot of phishing emails, the spelling of the sender is off by a character or two, so it is very hard to spot.
- Don’t click on links in an email unless you know where you are being taken. Again, you have to look closely at the link and see if it makes sense given who the email claims to be from. Don’t click the link if you are not sure about it.
- Don’t download and open unknown attachments.
Attackers are so clever in how they craft phishing emails that it is very difficult to tell a fake from a real email. You have to do due diligence on all emails today so you don’t become a victim.
Overview of the scam
Beware of technical support scams. My family member was hit a couple of weeks ago with an email from the Microsoft Service center saying that they had an issue with their computer. My family member happened to have just upgraded to Windows 11, and this email coincidentally appeared in their inbox shortly after. They would not normally fall for these, but this time they did. There was a phone number to call and they called it. The attacker was able to get their personal information, including their licenses, machine credentials, and bank information. They were cleaned out.
On top of it, they were covered by LifeLock, which did not flag the problem. Normally, LifeLock would have flagged an issue like this. My family member told me that on several occasions LifeLock alerted them to potential issues to review. My family member reported the issue to LifeLock, which was researching the issue.
They reported the scam to the local Sheriff’s office, which did an investigation. They came back to my family member and told them there was nothing they could do. My family member had names, phone numbers, email addresses, etc. on the attackers, but we all know that information was probably faked.
Results of Investigation
The Sheriff’s office told them that the attackers used moonpay.com, which is a cryptocurrency payment processor, and Gemini, which is a cryptocurrency exchange. They were unable to trace the transactions. They have kept their file open in case anything changes in the case.
The good news is my family member reported the issue to their bank, which was able to refund the lost funds in a couple of days. The bank at first fought them, but they gave them their money back.
So, the bank told them to change their account numbers. I told them to freeze their credit with the different credit bureaus. I also told them to ask the IRS for a special code so the attackers don’t try to submit taxes on their behalf. That happened to me a few years ago. They did that through LifeLock.
I also told them to get a clean wipe of the computer in case the attackers put malware on their machine. They are afraid, so they are using a VPN now to help protect themselves even further. They asked me why their antivirus did not pick up the problem. I told them antivirus scanners work on viruses and malware they are aware of, but they do not work against attackers posing as legitimate users on their computers.
Reporting the scam
Microsoft is aware of these tech support scams and wants you to report them here.
Attackers are very intelligent people and are very clever in their tactics to get you to fall for the bait. You have to question everything and think before you act. If it is too good to be true, it probably is. Double and triple-check all emails and make sure they are from who they say they are from. Make sure the links in the email make sense and are in the context of the sender of the email. The email will look legitimate and look almost exactly how the true vendor would send their messages. But, there is always something that tips the emails off to being fake and you have to get good at spotting those fakes from the real emails. Also, if you are on the phone with someone, make sure they are who they say they are before you give them any personal information. I am very hesitant about giving information over the phone or email anymore. Email is not 100% safe from snooping and your phone calls could be recorded. Read and think before you act. That is the best advice I can give to you.
If you have any questions or comments, please leave them below. I appreciate your time to read this article.