How To Spot A Tech Support Scam

When Hackers Trick You By Posing As A Good Human

One of our clients who runs a seasonal business recently got caught in the “perfect storm” of a hacker’s trap.

She was in the middle of one of her busiest times of the year, with everyone overworked and overstressed, when a notice popped up on her browser saying that Microsoft had detected a problem on her computer and she needed to call in immediately to get it resolved or her PC could fail at any time. “I was so busy, and I absolutely could not afford to have my computer out of action. The only thing I wanted was for this distracting problem to go away. In the moment, I felt that the fastest way to do that was to call them and have them deal with whatever was happening.” she said, “I picked up the phone, and this nice guy started verifying all my information to make sure I am who I say I am, and then he says he needs to remote into my PC, and that he’ll also need me to click a few things on the screen to give him the permission that he needs to take care of the issue.” 

This is a textbook case of a modern-day cyberattack. The guy on the other end of the phone did not work for Microsoft, and the clicks that he needed our client to make would allow him to bypass all of the cybersecurity measures in place to keep people like him out. Fortunately, a conversation with a colleague tripped our client’s inner cybersecurity radar, and she realized that she was not talking to Microsoft but to a scammer. With her focus now shifted to keeping her information secure, she made another call to us. 

Hackers who specialize in socially engineered cyberattacks like these spend their days finding new ways to get their message in front of potential victims. The most common approaches are emails and messages on your browser, and they typically pose as some trusted business like a technology company, bank, credit card, insurance agency, or parcel courier. And when the right person sees the right message at the time, it can be very effective. The hackers know that some percentage of their messages will show up in front of a person who is expecting a package from the courier listed, has a bank account with the bank that is mentioned in the email, whatever. I’m sure you’ve seen them. This simple brute force tactic is responsible for untold losses daily, and similar approaches are used to gain access to business databases and workstations.

These attacks are challenging for the IT team to eliminate because the message itself usually does not contain any vicious code that a cybersecurity tool can detect. Instead, the hacker offers a phone number that the unsuspecting person calls and is then duped into allowing the hacker direct access to their computer, which in turn gives them access to the company’s entire IT infrastructure.

While the IT department has primary responsibility for your company’s cybersecurity, the rest of the staff must also be trained to spot threats and know what to do when they see one.

Here are a few practices everyone should keep in mind.

  1. Enable Two-Factor Authentication: This should be on the top of everyone’s to-do list. Enabling Two-Factor Authentication on all of your sensitive online info is one of the best ways to lock down your information. 
  2. Do All The Techie Things: Anti-virus software and offsite data backups should be a given that your IT department takes care of. If you don’t have an IT department, do your research or get some help so that you can get the right cybersecurity tools in place.
  3. Be a Phishing-Savvy Skeptic: Cybercriminals are very good at emails and phone calls that impersonate business partners like banks, insurance companies, and couriers. If you get an unsolicited email or phone call that looks like it might be from a trusted business partner, make sure all the contact information lines up and reach out directly to that partner. Preferably to someone you know personally.
  4. Know Who You Are Talking To: When you get an email or browser message that looks legit, but you don’t know the person you are corresponding with personally, it’s a good idea to verify their identity before giving away any critical information.
  5. Leverage Your IT Team: When in doubt, ask for help! IT professionals are trained to spot phishy emails or calls and should be able to help you ensure that you are not divulging sensitive information to the wrong person.

No cybersecurity system can guarantee that hackers will not find a way to get into your system. While the IT team is responsible for protecting your business from most attacks, everyone in your organization has a role to play. If you need help ensuring the safety of your office IT system, feel free to schedule a free consultation with me, and I’ll be happy to see what I can do to help.