I got a call from 020 0982 3420 this evening from someone "authorised by Microsoft" offering to scan my PC for all manner of unnamed things that apparently make it run badly. I kept "Paul McKenzie" (with an Indian Accent) talking for about 25 minutes with the lure of 6 or 7 PC's to fix, knowing full well this was a scam.
I know it's a scam because a family member fell prey to it in 2010. And by how my call ended.
It is a well executed scam, very well executed actually; these folks have all the answers and play out a very convincing story. But, in the final analysis, when you consider that someone is prepared to stay on the phone for 25 minutes to make a sale of "PC healthcheck", something smells fishy - around about the 3 minute mark actually.
I stuck it out with this guy for a couple of reasons. One - just to save someone else being caught - my 25 minutes on the phone might have used up time scamming 3 or 4 other people, so it was part community service. Two - I also wanted to get a full sense of how they operate. I certainly got that.
Here are the tell-tale signs I noticed:
- A call from a London number; when answered 3 or 4 seconds of silence before speaking = classic power-dialling = wanting to sell something
- The chap then started referring generically to my PC. Rather than ask how he knew I had one (he, doesn't by the way, he's guessing; and if you ask the question he'll say it's the error reports you get from crashed programs), I asked which one. Pause.
- The one with windows on. Yeah, doesn't really narrow it down does it? Which windows?
- Err.. either windows XP or Vista. So immediately I know he's fishing, I own neither. This is almost like getting a psychic reading.
- He proceeds to ramble on about windows auto updates and how it downloads junk and my computer is full of it and do I want a healthcheck. I play along.
- I say I am recording the call. He says he doesn't mind, which proves he is reputable - a scammer would hang up, he says.
- I say I know what's going to happen - he'll get me to download something and access my PC. Evasion.
- I question his identity - he says he is a partner of microsoft, sort of implies doing it on their behalf.
- I push the whole identity thing and he takes me to microsoft's website and claims to be SB3 INC. Would microsoft allow a disreputable company on their website?
- When I question that I have no proof he is SB3 INC he says surely I trust microsoft. That an intelligent person would realise that a company associated with microsoft would not be disreptuable. I don't disagree, but my question is about proof he is SB3. And he insulted my intelligence; that raised the stakes.
- He says he is my system admin and he is just trying to help. I say what? Do you access my PC without my permission? No, he just wants to help. Just a check, like going to the doctor, then you buy the medicine. (Good of him to spell that out for me).
- He just wants to check my PC for bad things, what would a reputable company do that's bad? I say, you could install a keylogger and get my bank details. He repeats, why would a reputable company associated with microsoft do that?
- I push the "prove you are SB3" line and he suggests I look at the SB3 INC website. I say this is not proof. I say I could tell him I'm from HP and show him an HP webpage - what does it prove?
- Backed into a corner he asks what proof I want? I say it can't be given - what I'll do is call the SB3 number. He says Ok, he'll give me the number so I can call back and speak to him. I say no, I'll call the number on the microsoft site that I DO trust. He insults my intelligence again and asks why I don't trust microsoft. Calmy, I again explain to him that I do, but I don't trust him.
- In the end I force this point and he says "you have no guts, man; you have no guts" and disconnects.
- I guess mr unintelligent here outsmarted him.
Let me tell you - his persistence was wearing and convincing. I can see how it would be ever-so-easy for someone to be socially engineered into following his instructions. When you step back and analyse it, however, the whole scam revolves around the association with microsoft as a claim to be reputable (I hear all the Apple fanboi's - and a few others - sneer in the background!). The point is, at no time is there any proof of his identity, no proof of that association. This is where they trick people - they labour that point, state it as if it is fact. That's what convinced my family member.
How do you protect yourself?
Well, if you know nothing about technology, it doesn't matter; just follow this simple rule:
NEVER, EVER, EVER buy something if you are approached by someone you cannot verify - this applies as much to the doorstep as it does to the phone. If you get an incoming sales call, leave the decision to later. Make it your policy. Tell doorstep sellers "I never buy on the doorstep; leave me your details and I'll get back in touch". NEVER! NEVER! NEVER!
The second thing is to realise something about microsoft: this is not how they operate or authorise anyone else to operate using their brand. Furthermore, this is not the market that microsoft partners are in. MS partners are business solutions partners - they create systems and integrations for business, using email, instant messaging, sharepoint, communications, and all sorts of stuff that if you haven't worked in a big IT department will probably have never heard of. Microsoft retails through the usual channels to consumers, but it does not sit behind this kind of consumer support.
Finally, make sure your computers are up-tp-date with virus checkers, windows/operating system updates, and run regular scans for malware. This is just as good as what these scammers can do - and the truth is, they don't even do that properly - it's a subterfuge to get you to pay for their services. It's all about impression. Be warned.