Last week I was the target of the infamous ‘Windows tech support’ scam. It wasn’t the first time.
If you’re not familiar with this hustle, it typically starts with a call on your landline from an Indian call centre. The person at the other end tells you they are from Microsoft and that they have been monitoring your PC, and that it is infected with a virus of some description. To convince you, they then walk you through opening up the Event Viewer, an administration tool, in order to show you a series of errors and warnings.
In reality these errors and warnings are completely harmless, but many people are convinced and subsequently talked into installing a remote access tool which then provides the scammers with access to their PC for real, ostensibly so that they can ‘fix’ the problem.
From there it’s all downhill: charges, extortion, malware etc.
Now I knew it was a scam from the start. Even if I’d never read about the scam before I got the first call, I would have known it for what it was.
You could say it’s just down to experience. That technology has been a major part of my career and even before that I was mucking around with machines from a very early age. I understood what I was being shown and what it meant.
But actually the understanding that this was a scam came much earlier in the call than the point at which the caller directed me to the event log. I knew the moment they said they were from Microsoft and that they had been monitoring my machine.
A few things gave it away. The terrible quality of the phone line for one. But even more than that, I knew Microsoft would not be monitoring my machine in this way. I knew they couldn’t staff a call centre with people to remotely monitor and manage users’ problems without some explicit contract. Both to address the cost of doing so, and the privacy issues it would raise.
None of this was particularly conscious. It was just that my sceptical spider-sense started buzzing.
I don’t think this instinctive scepticism is solely the domain of the geeky. I believe it can probably be taught. And doing so is one of the key parts of solving some of technology’s major security challenges.
Most of the security threats that we face, at home or at work, still require some form of human co-operation, willing or unwilling. Clicking on a dodgy email or link. Installing an insufficiently-checked app.
A healthier level of trained scepticism would prevent much of this behaviour.
How do we teach scepticism like this? I’ll cover that in my next post.