By now you should already be aware of phony calls from "Windows Support". Because of such calls I have a strict “if I don’t recognize the number, I don’t pick up” policy. Unfortunately, that policy doesn’t fly for calls coming to my office phone.
Hackers know that you’re more likely to answer a call from a strange number on your office phone than you are on your cell phone. However, hackers also know that most people are now educated enough to call their bluff. A tech support call originating in a state you’ve never even flown over might arouse suspicion, but what about a tech support call from a number you do recognize?
I was recently told a story about a young woman at a credit union who received such a call. She recognized the number as being the credit union’s own number, so she answered. The caller said that he was from the credit union’s I.T. department and that he needed her to allow him access to her computer. He then told her to open a browser and go to a particular IP address. She did what he asked, but got an error saying that the page was blocked by the firewall. He politely said he would call her back and they ended the call. A few minutes later, she received an internal email warning the credit union employees that they had been hacked and that the calls from I.T. were fake. Cue the Twilight Zone music.
That’s pretty scary. Nowadays, attacks seem to be coming from every angle. Hackers have been spoofing email accounts for some time, but now they’re spoofing phone numbers and masquerading as your company’s own I.T. department. Calls from numbers you recognize raise few, if any, flags. And in large companies, it is highly unlikely that all the employees know each other. You might not know Joe from I.T., but if he’s calling from a trusted number, you’ll do what he says.
Fortunately, if you work for a small business, either the I.T. guy is a coffee mug’s throw away or you have a known external source (such as DeckerWright) handling your I.T. needs. Large companies are more susceptible to this scam but, as with anything internet-related, no one is safe. What can you do to protect yourself?
The main thing is to be aware of any computer-related issues in your office. If neither you nor anyone else in the office knows of an issue, or if you’re not expecting a service call, don’t let support onto your computer. Most of the time, when we call, you’re expecting it. Either you reached out first or we detected an issue and we’re following up. Software vendors (e.g., QuickBooks, Sage, ADS) rarely call out of the blue regarding a problem. When they call, it’s only because you called them first. They’re not monitoring your software, so they’re not aware of a problem until you tell them there’s a problem.
As the old saying goes: if it ain’t broke, don’t fix it.