(Reading Time: Approximately 5 minutes)
I commonly get the question "How do I keep my computer secure? I have anti-virus software. That's all I need, right?" In short, the answer is "NO". Anti-malware software (a catch-all term for programs that attempt to stop viruses, spyware and other computer nasties) only helps catch malicious code that it recognizes. It won't stop a user from infecting themselves if they really want to, knowingly or not, and it can't tell that the program you just chose to install was handed to you by a criminal. One of the more insidious methods of compromising your computer has nothing to do with software at all. It is called social engineering, and these days a primary vehicle for this type of attack is one of the oldest pieces of technology in your house: the telephone.
Social engineering is a method in which a person tricks you into giving up information, or access, that you would otherwise guard with sword in hand. You cannot combat social engineering with software; your defence relies solely on basic knowledge and your own common sense. Here is an example of how a social engineering scenario plays out in a typical telephone scam. Note the red flags, as we will look at those afterwards.
Phone rings and you answer:
CALLER: Hi, this is Bob Smith from Microsoft Security Services. We have reason to believe that your computer is infected with a virus and I am calling to help you get rid of it (Red Flag #1).
YOU: Oh, great Bob. How can I help?
CALLER: Please go to your computer and visit the following website – "www.fake_microsoft_site.com" – and download the virus removal software. If you receive any warnings from your anti-virus software, go ahead and ignore those (Red Flag #2).
In your enthusiasm to rid yourself of the hated virus you faithfully install the software as directed.
CALLER: OK, great. I have cleared out the virus. That will be $50 please. You can pay with MasterCard, Visa or AMEX. No Discover please (Red Flag #3).
YOU: Great, thanks for your help Bob. Here is my credit card info.
Obviously this example is a little oversimplified, but it happens a lot more than you think, and to a lot of smart people. Let's look at the red flags a little more closely.
- Red Flag #1 – The call was unsolicited. This should be your biggest tip-off right from the start. Legitimate companies do not cold call you about a problem on your computer; they have no way of knowing your particular machine is infected in the first place. Microsoft has a good page on how to avoid these scams and its own policy regarding cold calls. Take a couple of minutes and check it out.
- Red Flag #2 – The caller is directing you to install something or make changes to your computer, and telling you to ignore your anti-virus warnings while you do it. This could also involve sharing your passwords with the caller or letting them "remote in" to your machine. At this point you have just handed the bad guys the keys to the kingdom. That "anti-malware" software you just installed was actually real malware, and it is going to sit in the background and send all your info back to the bad guys without your knowing. No legitimate support technician will ever ask you to disable or ignore your security software.
- Red Flag #3 – Asking for credit card information. I don't really need to go into why this is a bad idea. Never provide credit card info to someone who cold calls you – for any reason, computer related or not – EVER. If you believe you genuinely owe a company money, hang up and call them back on a number you looked up yourself, not one the caller gave you.
So what is the takeaway from all this? If the call was unsolicited, then you don't want it. Just thank them politely and hang up. If you think there is even a remote possibility that you have some sort of malware on your computer, talk to a trusted person such as your family geek (which is probably your kid if you are over 30!) or your local computer technician. And if you have already followed a caller's instructions and installed something, disconnect the machine from the internet, have it cleaned before you trust it again, and change your passwords from a different computer that the caller never touched.
As always I would love to hear from you. You can leave a comment here on the blog or email me directly at email@example.com