After a decade, why can't we finally be rid of the Microsoft scam?

Oren Kedem asks whether we're using the right methods to teach potential victims about scams, or whether other forces are preventing the warnings from being effective.

Oren Kedem, VP product management at BioCatch

Phony link scams, spear-phishing, malware-laden attachments: the variety and scope of today's cyber-attacks are dizzying. Yet many criminals eschew the modern takes on stealing data and ripping people off, preferring to go with the classics.

The question is, why do victims still fall for cyber-scams that have been around for more than a decade? People become victims when they click on suspicious links, open attachments they shouldn't, or tell complete strangers on the phone information that compromises their bank accounts or personal data.

Yet despite endless warnings, horror stories and remediation programmes (especially in businesses and enterprises) telling people not to fall for these scams, a growing number still do. Does that mean we simply aren't using the right methods to teach people, or that other forces are at work, preventing the warning messages from being effective?

While excuses could (possibly) be made for those who fall for some of the newer scams, the older tricks should no longer be an issue, given the publicity they have received in the media and in company education programmes. In the world of cyber-scams, nothing is more tried and true than the Microsoft Scam, in which a cyber-crook calls up pretending to be an IT rep, sent by “the office”, to help with a serious computer problem that, without immediate attention, will destroy the victim's data, family and maybe the world.

It's a scam that's been around since at least 2009 in one form or another. A cyber-crook, intent on extracting useful data from a victim (login credentials, credit card information, Social Security numbers, etc.), calls up and pretends to be a Microsoft technician who wants to help you with a technical problem. To fix the problem, however, they need access to your computer, and ask you to download a common remote access programme (such as TeamViewer) that will let them “guide” you through the fix. The “technician” then opens a browser and instructs you to enter personal information to make a PayPal payment for the supposedly required Microsoft updates, and there you have it: a successful attack. The call itself is the tell, since Microsoft does not make unsolicited support calls, yet the pretext keeps working.

Over the years, fraudsters have refined this scam, and now use social engineering tactics to psychologically manipulate victims into clicking a link or surrendering information. In the phone scam, fraudsters no longer “ask” for personal details in order to gain access to your computer; rather, they scare users into providing access to their online banking accounts to “make sure no security damage has been done”, the pretext being that cyber-thieves are now so sophisticated they can raid a bank account at will.

In the end, it's difficult to resist such hounding, especially for those who are not familiar with the most sophisticated cyber-scams. I'd venture to say that even after reading this article, most of us would still open, without a second thought, an attachment that looks like a Word document sent from our boss's email account. The document itself could look legitimate, and even be “legitimate”, except that the attacker managed to attach a macro that, once the user enables it, drops malware that records keystrokes and sends login or account details back to a command-and-control server.
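As an added illustration, not part of the original article, the following Python script shows the kind of check a mail gateway or analyst would run on an attachment of the sort just described: does the Office file carry a VBA project at all, does that project define an auto-execute entry point such as AutoOpen, and does it reach for shell or download APIs? The sample documents are constructed in memory for the demo; note the assumption that the macro source is stored as plain text inside word/vbaProject.bin, whereas a real file holds an OLE compound stream with MS-OVBA-compressed source, which proper tooling (oletools' olevba, for example) decompresses before matching. The keyword lists and the is_suspicious rule are this example's own heuristics, not anything from the article.

```python
import io
import re
import zipfile
from typing import Optional

# VBA entry points that Office runs on its own once macros are enabled.
AUTO_EXEC_NAMES = ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open", "Workbook_Open")

# Calls a macro dropper typically needs to fetch and launch a payload.
DROPPER_KEYWORDS = ("Shell", "WScript.Shell", "CreateObject", "URLDownloadToFile", "Environ", "Run")


def build_sample_docx(macro_source: Optional[bytes]) -> bytes:
    """Build a minimal OOXML container as constructed test data.

    Assumption of this demo: a real word/vbaProject.bin is an OLE compound
    file holding MS-OVBA-compressed source; here the macro text is stored
    raw so the string scan below has something to match.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_source is not None:
            zf.writestr("word/vbaProject.bin", macro_source)
    return buf.getvalue()


# Constructed samples: a dropper-shaped macro and a plain document with no VBA project.
SAMPLE_DROPPER = build_sample_docx(
    b'Sub AutoOpen()\n'
    b'  Set o = CreateObject("WScript.Shell")\n'
    b'  o.Run "calc.exe"\n'
    b'End Sub\n'
)
SAMPLE_CLEAN = build_sample_docx(None)


def _find_words(text: str, candidates) -> list:
    """Return the candidates that occur as whole words in text, in candidate order."""
    hits = []
    for name in candidates:
        if re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE):
            hits.append(name)
    return hits


def inspect_office_document(data: bytes) -> dict:
    """Summarise the macro risk of an OOXML document given as bytes."""
    report = {"has_macro": False, "auto_exec": [], "dropper_calls": [], "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["error"] = "not an OOXML (zip) container"
        return report
    with zf:
        macro_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        if not macro_parts:
            return report  # plain .docx: no VBA project at all
        report["has_macro"] = True
        for part in macro_parts:
            # latin-1 maps every byte to a code point, so binary streams decode without error.
            text = zf.read(part).decode("latin-1")
            for name in _find_words(text, AUTO_EXEC_NAMES):
                if name not in report["auto_exec"]:
                    report["auto_exec"].append(name)
            for name in _find_words(text, DROPPER_KEYWORDS):
                if name not in report["dropper_calls"]:
                    report["dropper_calls"].append(name)
    return report


def is_suspicious(report: dict) -> bool:
    """A macro that both auto-executes and reaches for the shell is the classic dropper shape."""
    return report["has_macro"] and bool(report["auto_exec"]) and bool(report["dropper_calls"])


if __name__ == "__main__":
    for label, doc in (("macro dropper", SAMPLE_DROPPER), ("plain docx", SAMPLE_CLEAN)):
        r = inspect_office_document(doc)
        print(label, "->", "SUSPICIOUS" if is_suspicious(r) else "ok", r)
```

The point of the two-part rule is worth noting: a VBA project on its own is normal in many business templates, and shell calls appear in legitimate automation, but an auto-execute procedure combined with a shell or download call is exactly the shape of the "document that looks legitimate" above. A gateway that only blocks macro-enabled extensions misses the case where the user is talked into enabling content, which is what the social engineering is for.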

Perhaps one of the problems has been that the recommendations of cyber-security experts are based on teaching potential victims the facts: what the scams are, what to do to avoid them, and so on. But social engineering attacks appeal not to the brain but to the heart. While the brain can be argued with, the heart is a different story. The usual advice for avoiding scams (don't click on suspicious links, don't open attachments, don't answer questions from “the bank” unless you can verify that the person on the phone is legitimate) often goes out the window when people get scared, tempted or angry.

There are, in my opinion, only two ways to deal with this: either develop training programmes that help people recognise and control the emotional buttons cyber-criminals press (very difficult, it seems to me), or build external mechanisms that shield potential victims from scammers.

The key to controlling the Microsoft Scam and similar exploits is to recognise that cyber-criminals have changed their tactics while, in many cases, education efforts have stayed the same. Awareness of the emotional component in today's cyber-scams will help us develop new and more effective tactics to keep potential victims safe.

Contributed by Oren Kedem, VP product management, BioCatch