We let them in: Malware scams

How many times have you received a phone call from some random number that is actually a computerized voice on the other end of the line? "Hello. This is Visa." That's normally when I just hang up.

I get them often enough that now I tend not to even answer the landline during my workday. I just let it go through to the answering machine… and the scammer always hangs up before it gets to the recording part of the message.

But on the odd occasion when I have picked up the phone, there have been times when I have gotten a real person on the other end of the line. Normally, they start by saying that they're from Microsoft and that they've detected a problem with my computer.

And this is when I tend to have a little fun.

"Well, that's interesting. Why would Microsoft be calling me when I have a Mac?" I don't have a Mac, but the person on the other end of the line doesn't know that.

"Oh, I'm sorry. I'm from Mac." And yes, I really did have some scammer try to tell me this at one point. It was beyond laughable.

"Oh… Then you might be able to help me with my Linux machine." And I was having so much fun sending that scammer around in circles.

But in the end, I got bored. "Look, dude, I know you're some asshole trying to get into my system. You can try all you'd like. It's not going to happen." Then I hung up.

The persistent bugger kept trying to call back. I'd pick up the phone and instantly hang up. But after the sixth call within a span of 15 minutes (not an exaggeration… I was counting, because I was getting ready to put in a formal complaint with my phone company and have the number blocked), I decided to let it go through to the answering machine. While my voice was giving the instructions about leaving a message, the prick on the other end of the line was shouting in his thick foreign accent: "Ma'am, you need to listen to me. There really is something wrong with your computer." And he hung up as soon as the beep indicated that the answering machine was recording the message.

The gall of some people. Yet, there are enough people who fall for the scam to make it worth the scammers' while.

Today, I want to talk about the malware scams, because all of these phone calls are about trying to deposit some malware onto your machine, so they can do damage later.

I need to apologize for the length of this post, but this one is an important topic that can't be skimped on.

What is malware?

According to Wikipedia, "malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy."

Malware is not a virus, which becomes a cancer growing through your systems and corrupting files, often beyond repair. But malware can be just as harmful, if not more so, because malware can be used to gain access to your systems and accounts that are not located on your computer. Through malware, hackers are able to gain access to your bank accounts, your taxes, and any other part of your life that happens to be online. Through malware, hackers can steal your identity.

In the past, malware (and viruses) were transmitted by passing files from one computer to another via an email or from a portable hard drive. But today, malware finds your computer by way of websites.

Internet websites employ a technology known as cookies. To put it simply, cookies are little packets of information, sometimes a specialized script, that feed information back to the website from your computer.

Most of the time, the cookies are a must. If you disable them (which you can do via certain settings within your web browser), the website might not function properly. Sites like Facebook use cookies to remember the logged-in user as you navigate from page to page. Google uses cookies to help you sync your bookmarks between multiple computers. And sites that you happen to purchase things from, like Amazon, will use cookies to help remember your last set of purchase commands. But herein lies the danger.

Let's say that you've gone to a website that has deposited a malware cookie that records your keystrokes. This means if you were to go to a secure site, say your bank, then your keystrokes would be recorded, giving the spy your username and password.

And this is how the malware scams work.

Protecting yourself from malware phone scams

There are a few things that you can do to protect yourself from the malware phone scams. Some start with the phone call, but others are by way of your standard internet security practices.

1) Confirm the identity of the person on the other end of the line before giving remote access to your computer or personal information.

These scams all work because people are trusting. We want to believe in the good in people, so it's not our instinct to believe that people are trying to scam us. But it's this trusting nature that these scams prey on.

The first thing you need to understand is that Microsoft is never going to call you about issues that they may have detected on your computer. They don't care. Microsoft is too big of a company to care about just one little person that brings them maybe $100 per annum of business.

And Mac isn't a company. The company is Apple (which that idiot scammer should have known). And Apple is also too big of a company to care about the little guy.

But let's say that you get a phone call from someone that is not claiming to be from Microsoft, Apple, or some other company like that. Let's say that they are from a company that you actually trust. Or let's say that they're claiming to be from a government agency.

I mention that last one specifically, because I recently got a phone call from a man who was from the government, calling about a specific security issue that I had been having. I was recently forced to reset my phone to factory defaults, and I was locked out of my government-issued business accounts because of it. I couldn't get a 6-digit authentication code because I no longer had access to the authenticator app that was connected to my account, and there was no way to bypass this. I had to put in a help request to regain access to my accounts. But when I got that phone call, I bloody well made sure that I was talking to a legit person before I provided any personal information. It helped that the guy was able to talk directly about the issue that I had sent the help request on. "I understand that you recently had to reset your phone and are now unable to access your account."

Years ago, I also had a phone call from the sales/technical support team that handles my virus checker. I was having issues with the latest program update and the system kept crashing as a result, locking my system. I had to disable it just so I could put in the help request. It was a long conversation, with multiple checks to ensure that I was talking to a legit person, before I granted that technician remote access to my machine. He needed specific log files that were embedded in a part of the system that I didn't have access to, and the remote access allowed him to use the retrieval tools on his system to get the information the developers needed to fix the issue. And when that conversation was finished, the tech support person talked me through the steps needed to ensure that my system was secure again and that the portal created had been closed.

But in both of these cases, I didn't just open the door without ensuring that I was talking to a legit person. I didn't just trust that they were who they said they were. They had to prove it to me.

I got them to provide me with information that only a legit person would know if they had direct access to my accounts.

2) Get a name and keep a record. And if in doubt, get a phone number too.

With any of these phone calls, if they are legit, the person on the other end of the line should give you a name. If you ever have an issue with a company, you should be able to call the complaints office and give that name, and the legit person would have recorded everything in your account notes for future reference.

But if for whatever reason you can't confirm the legitimacy of the person on the other end of the line, get a phone number that you can call them back on. If they are legit, they will give you a legit number.

3) Use anti-virus and malware detection programs on your systems.

It's not always easy to completely avoid malware, even if you are diligent. Even without having been prompted by a scam call or email, you could inadvertently visit a website that deposits a virus or malware cookie onto your device.

The best defense that you can employ is to use a reputable anti-virus and malware detection program on your devices.

Most new laptops will come with an anti-virus program installed. And this also tends to be one of the first programs that I uninstall, so I can install a different one—one I trust and already have a subscription to.

I don't use the "free" systems, because they often use a limited database of viruses and malware. And the free systems have been known to slow my systems down after a few database updates. Instead, I pay for a subscription license to a reputable system that also acts as a home network firewall.

I won't make any recommendations as to which one you should use. Instead, I encourage you to look at the anti-virus software reviews on sites like PCMag, MacWorld, or any other software review site. These sites (particularly PCMag) often run performance reviews, so you can see which software program would be the best bang for your buck. Don't look at the reviews that are listed directly on the software's site; those reviews will be biased to showcase only the positive.

And once you have whatever anti-virus and malware detection program installed… USE IT! Actually have the program actively running in the background, always checking your files for any suspicious behavior. And if you are using a firewall (which you should be if you are surfing the internet), use it too.

My system has caught a few suspicious cookies over the years that were trying to take control. And zap. Trouble, be gone!

But dare I say it… Sometimes, even with the firewalls and the anti-virus and malware scanners, those pesky buggers still get in. When that happens, unfortunately, there is really only one way to deal with them: factory reset and change the passwords to all of your accounts. It's a pain in the ass, but sometimes (as a close friend found out the hard way in 2021), it just has to be done.

4) Use two-factor authentication

I know I've talked about two-factor authentication on this blog multiple times now, but please, I beg you, for the sake of your personal internet security, USE IT!

For every system possible, especially your banking system or anything else that is connected to your money, use two-factor authentication.

Two-factor authentication comes in a variety of different forms, ranging from text messages with codes, to emails with codes (or special login links, as is the case with Medium), to the codes generated by authenticator apps on your phone. But the essence of how the various two-factor authentication systems work is the same: you log in to the site and you'll be asked to take an additional login step.

It's surprising the number of hackers that could have been stopped in their tracks if people would just use two-factor authentication.

And where possible, turn on the notifications that tell you when someone has logged in to your account. Yeah, those notifications can be annoying if you log in and log out of your account a lot, but if you get that notification and you know that you didn't log in to your account…

Hello, hacker, whatever it is you're trying to do is not going to work—not today.

Final thoughts

I know that I tend to have a skeptical, negative view when it comes to scammers. I am not trusting of those on the internet. But I share my knowledge and experiences on this blog because I don't want to see people making mistakes that could have been easily avoided if they had taken a few simple steps.

It's heartbreaking to me to know that my close family and friends have fallen prey to the scammers because of their trusting nature, but I am pleased that they felt confident enough to tell me what happened. I might not be able to do anything about the mess that was left in the wake of the scammers, but I can warn others of the dangers in the hopes that others can avoid those hidden traps.

Do you have any additional tips for avoiding the scams?

Copyright © 2023 Judy L Mohr. All rights reserved.

This article first appeared on judylmohr.com
