New Social Engineering Attack

I had read about this a couple of times, but since the defense is the same as for previous versions, I hadn’t yet written about it. I’ve now had a call in which I had to deal with it.

For some time, scam emails have been informing you that some amount of money has been charged to your account for a subscription or other product you did not order. There’s a phone number provided for you to call if you didn’t authorize this charge. Since you didn’t authorize it, you call back angrily, at which point they ask you for a great deal of information so they can properly refund you your money. This is one of the ways they collect information. They might, for example, ask you to fill out a “secure” form with your credit card number, supposedly only so they can credit the refund to you.

There is an additional step, however, in which they get you to download something. This is often the form they use for you to “request your refund.” This is used to introduce malware onto your computer. Your security software is likely to fail to stop this because you are saying “yes” or “OK” to everything, as you are intending to install the software.

At this point, they can get remote control of your computer and will use various means to keep you from shutting down or calling someone else.

And this is where the new twist comes in. These same malware players, instead of claiming they can get your money back, will tell you the email is a scam (which it is) and then offer to help you secure your computer. The purpose is the same. Get remote control and then suck up your information.

How do you defend against this? It’s simple. Assume that any incoming email is a scam until proven otherwise. If an email tells you that your software has expired and needs to be renewed, and it’s a company you deal with, the safe approach is to not use any link or phone number in the email and go to a secure source for the information, such as the help option on the program’s menu.

The vast majority of computer attacks use some form of human (or social) engineering. The key is to deceive you.

Note: If you are one of my clients, please call me at any time regarding any questionable email or phone contact that relates to your electronic devices. I can help.
