Readers of this blog probably know that I teach security topics. Since I recently experienced a rash of phone calls, I thought I would share my story with others. I do not recommend toying with the sorts of people who make these calls. I was just doing a bit of academic research to see how far this would go. I decided to include a bit of commentary throughout to help you understand the process such individuals go through to make you perform actions you really shouldn’t do. Here is what transpired over the course of a few days.
First call, my wife answers the phone because I am teaching. Caller asks for me by my first name and tells her there is something amiss with my computer. Wife notes caller id is blocked and hangs up on them.
Commentary: just like any cold sales call, it is best to be rude and simply hang up. Don’t waste your time.
Second, third, and fourth calls – happen while I am in the middle of something. I let these go to voice mail. No message is left.
Commentary: I plainly see that the caller id is bogus (a random 4-digit number appears in each case). Frankly, if it really were that important, don’t you think a message would be appropriate to leave on voice mail?
Fifth call – ok, I have a little time this morning. Let’s play along (really not a good idea unless you can say no to very strong social engineering). Let’s see how this transpires. I have changed the wording a bit, but you will get the gist. Again, my recommendation is to simply hang up on these fools.
Voice (with thick Indian accent): Hello. May I please speak with Mark?
Voice: This is Alex. We have noticed a large amount of suspicious activity coming from your computer. It is urgent you take care of this matter immediately.
Me: Ok, who did you say you represent?
Voice: This is Alex with ITIL. Are you presently using your computer?
Me: No. I am very busy today. Can you call me back at 3 pm?
Voice: This can’t wait until then. You must go to your computer now.
Me: I don’t have the time. By the way, what is the IP address that you are seeing this malicious activity coming from?
Voice: We don’t keep IP addresses, all I have is your network CDS record. You must go to your computer now.
Me: I am busy at the moment. Please call me back at 3 pm my time.
Commentary: Whenever someone calls and conveys a strong sense of urgency, it is best to not do anything. In this case, I asked them to call me back at a specific time. Never, ever do what someone who just made a cold call to you is asking. Tell them the cat is vomiting on the rug or anything to postpone what they want you to do. Again, simply hanging up is the best course of action anytime you get a cold call. If something really were amiss, don’t you think your Internet Service Provider would be in contact with you? Note that I also asked for confirmation by way of my IP address. Obviously the caller didn’t know and mentioned something about a bogus CDS record [what the heck is that?]. Well, it sounds official.
Phone rings again an hour earlier than 3 pm my time. Clearly the caller didn’t know what time zone I was in. They really didn’t do much research on their target (me).
Voice: Hello Mark, This is Alex calling you back at 3 your time. Are you at your computer now? It is important we get this malicious activity resolved as quickly as possible.
Me [sitting in a comfortable chair well removed from any computer]: Yep, right here. What do you need me to do?
Voice: First we need to look at some event logs to confirm it is your computer.
Me: Before we go much further, I would like to know your last name. What is your last name?
Voice: White, Alex White. [Note this is a very thick Indian accent – Alex White is his name as clearly as Poojah is my middle name].
Me: Ok, Alex. Thanks. Now, in case we get disconnected, do you have a phone number that I can call you back?
Voice: Certainly, it is 888.57777.4003.
Me: That seemed like too many digits, did you mean 888.577.4003? [I know I shouldn’t have corrected him, but I was getting a bit weary of the conversation already.]
More nattering conversation ensues for a couple of minutes. Essentially [Alex] wants me to check various event logs. I make up some answers and he eventually “confirms” that my computer is responsible for a lot of malicious activity. I complain that my anti-virus is up to date but he tells me that he has a much better solution. He encourages me to visit a website to download and install some software that will “fix” my problem.
At this point, I tire of toying with this fool.
Me: Alex, I did mention to you earlier that I have been recording this conversation, didn’t I? Did I also mention that I have been running a packet trace on your call? It appears you are routing through Chennai, India. I am almost at your exact location. By the way, you do realize that what you have just done is considered a felony in this country? As soon as I conclude this call, I will be contacting the appropriate authorities with the information I have collected.
Voice: complete silence.
Me: Goodbye Alex, don’t ever try this again. [Click]
Whereupon, I immediately contacted the appropriate authorities (including filing a formal complaint with the appropriate Federal Agency – FTC.Gov). BTW, was I playing with “Alex” by telling him I was recording the conversation and running a packet trace? I guess he will never know. He should know that I would be glad to testify in court should this ever proceed to an actual case.
Commentary: Note that I got him to reveal more information (although it was all bogus). He clearly didn’t know how phone numbers are structured in this country. I did call my phone provider and also had them include this information in their records. I shared bits of my conversation with their security personnel and we both had a good chuckle. Overall, I gave him a grade of C+ as the initial attempt at creating a sense of urgency was good, but overall follow-through was severely lacking. “Alex” should have done a lot more research (but they aim for as many as possible in the event someone bites).
- When someone calls you and informs you there are problems with your computer, hang up. It is a scam. I guarantee this. I do not believe any reputable computer or service provider will ever call you. Typically, they wait for you to call them.
- Just because someone calls you and asks for you by name doesn’t mean anything these days. That information is very easy to obtain and means nothing.
- If you do think the call is legit (and if you do, I strongly recommend consulting a neurosurgeon quickly as you must have some sort of tumor affecting your reasoning), ask clarifying questions. If they can’t provide the basic information (such as the offending IP address), they really are on a fishing expedition.
- Never, ever, never visit a website that someone tells you to visit over the phone. Never click on any links and never provide additional personal information to the caller.
- The best approach is simply to hang up on any cold calls. And that includes Rachel and Bridget from CardHolder Services. And I don’t even have a credit card from them. But that would be the subject for another weblog post.
Thanks for reading. What did you think of this? As always, I look forward to your comments.