Your friendly support technician

Monday, Sep 18, 2017
security

Preface

Once in a while you might get a call from a support technician telling you’re at risk. Or at least your PC is. But fear not, he is there to help … not.

That is because he is the security threat. Usually you are loosing your data and/or some amount of money if you accept the kind offer. Let think through this kind of scam by picking Microsoft as a vendor those guys often pick and the psychology behind those attacks.

Psychology

Let’s face it. We all store data on our computer that is valuable to us. Pictures of our beloved family, maybe your personal finance. This assumption is a save bet. So when you get told your PC is at risk you actually do not think about the software or hardware but about the nice picture you took last weekend. And that you should not have that backup postponed forever. Gotcha, you’re frightened, your brain is not in an analytical state, your emotions take over.

Now you got someone on the phone claiming he is there to help, you just need to assist him to access your computer. The guy is kind and your feelings just want to preserve that memories. The fist thing that guy does is to show you some kind of a profile ( LinkedIn, XING ) that makes him look legit. He might even show you some letters with correct addresses to convince you. At that time, he already has access to your computer.

At some point he will ask you for your credit card to pay for the service. As he worked already for a fair amount of money and you are feeling thankfully for the help, you probably will not decline his request. Maybe he will even ask you for some kind of gift cards, maybe iTunes as the credit card has not worked. You want to help him, because he would be in trouble otherwise. And he was so kind to warn you and to help you.

Basically the scam is a playbook in three steps:

In behind sight all those steps and actions will look like being obvious, but you where tricked into a mental state where your analytical brain is turned off.

If this happened to you, please do not think you are dumb. You were fooled by a professional. Someone actively leveraging the fact you are a human with feelings. Someone with an intact psychology which appreciates kindliness and wants to help. Luckily the human nature learns. The next time someone calls you on phone to help you with your computer, you will just drop the call.

Rationale

This is going to use Microsoft Windows 10 as an example, but similar scams exist for other software, too.

According to data from March 2017 Windows 10 is installed on 500 million computers.

Microsoft’s statement

We do not call an end user. Period.

You probably do not have a direct association with Microsoft. You got your license with your computer or bought it from a local retailer. So you do not have Microsoft paid for service other than the updates they provide everyone.

Let’s do some math

To do this we make the following assumptions:

Microsoft would make this service for 250 million installs. Each device would take half an hour, service counting up for 125 million hours per month. Assuming that a support engineer can work six hours a day this accounts for 20833333 days or 130208 months ( generously rounded down ) of work. In other words: Microsoft would have to pay that number of employees just for that. According to Microsoft they have 124293 Employees.

Other signs

If you ever experienced a scam like this, you probably have seen only information that is publicly available. Such as a LinkedIn profile ( that can easily be a fake profile ) or a letter looks like Microsoft - either self designed ( did you got any paper mail by Microsoft lately other than perhaps marketing material to distinguish between a legit paper or not ? ) or copied from a letter they got from Microsoft’s legal department.

Next time

Drop the call. Ask a friend or a local company to help you if you need help.