Your phone rings. As soon as you say “Hello”, the caller identifies himself as a tech support staff member from a well-known tech company. He tells you that he has detected a serious problem on your computer, which you need to fix immediately.
Sound familiar? Most likely it does, as tech support scams have been around for many years. However, some scammers are now borrowing a technique used by hackers. In addition to calling, tech support scammers are sending phishing emails, according to Microsoft security researchers. By adding phishing emails to their tackle box, tech support scammers can reel in more victims.
How the Scams Work
Unlike the phone calls, the phishing emails do not mention that you have a computer problem. In true phishing fashion, the emails use spoofing and other techniques to get you to click a link. For example, the researchers found that some emails were made to look like notifications from online retailers (e.g., Amazon) and professional social-networking sites (e.g., LinkedIn).
If you click the link, you are sent to a malicious website that mimics the legitimate one that supposedly sent you the email. The site will then deploy various scare tactics to trick you into calling a fake customer service hotline. For instance, the site might display a pop-up message that says you have a malware infection, an expired software license, or some other problem.
If you call the hotline, the scammers will try to con you into some action, such as paying for unnecessary tech support services or giving them remote access to your computer. If you grant that access, they could install malware or change settings (for example, enabling a remote-access tool) so they can get back into the machine later.
How to Protect Your Business
Like other phishing emails, the tech support phishing emails are being sent to the masses, including employees at companies worldwide. Therefore, you need to protect your business from this threat. A three-pronged strategy works well:
- Try to snag phishing emails before they reach your employees. Keeping email filtering tools up-to-date will help weed out phishing emails and other types of spam. Most email applications include filtering tools, but you can also purchase advanced filtering solutions.
- Educate employees. You should educate employees about phishing emails, as some will likely reach their inboxes. For example, teach them about the elements commonly found in these emails, such as generic greetings and requests to update or verify passwords and other types of information. In addition, show them how to check for deceptive links in the main body of an email (for instance, by hovering over a link to see where it actually points rather than trusting the visible text) and for a spoofed email address or display name in the “From” field. Do not forget to let employees know what to do if they receive a suspicious email or see a questionable tech-related message pop up on their computers.
- Implement safeguards in case an employee falls for a tech support scam. Despite your best efforts, an employee might fall for a tech support scam, so you need to take certain precautions. For example, you should use security software in case the scammer installed malware on the employee’s computer and keep applications up-to-date so known security vulnerabilities are patched. It is also important to regularly perform backups and make sure they can be successfully restored.
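Two of the indicators above, a “From” display name that does not match the sender’s actual address and a link whose visible text names one site while its href points to another, can be checked mechanically. The following script is an added example written for this article, not a tool from the original page or from Microsoft; the sample message, the placeholder domain `example-deliveries.net`, and the `KNOWN_BRANDS` table mapping brand names to their real domains are all constructed for the demonstration.

```python
"""Heuristic checks for two phishing indicators: a spoofed-looking From
header and deceptive links (visible text vs. actual href) in an HTML body.
Sample data below is constructed for this example."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "order notification". The sender domain is a placeholder;
# the first link's text shows amazon.com but its href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Amazon Customer Service" <orders@example-deliveries.net>
To: employee@example.com
Subject: Problem with your order
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>There is a problem with your recent order. Please visit
<a href="http://login.example-deliveries.net/verify">https://www.amazon.com/your-orders</a>
to verify your account.</p>
<p>Or see your <a href="https://www.amazon.com/help">help page</a>.</p>
</body></html>
"""

# Assumed table of brands a scammer might impersonate and their real domains.
KNOWN_BRANDS = {"Amazon": "amazon.com", "LinkedIn": "linkedin.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Approximate the registrable domain by keeping the last two labels.
    Fine for .com/.net; a real deployment would use the Public Suffix List
    so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text):
    """Return the base domain if the visible link text looks like a URL or a
    bare hostname; otherwise None (plain words like 'help page' are not judged)."""
    m = URL_RE.search(text)
    if m:
        return base_domain(urlparse(m.group(0)).hostname or "")
    m = re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", text.strip())
    return base_domain(m.group(0)) if m else None


def check_from(msg, known_brands):
    """Flag a From display name that claims a brand whose domain is not the address domain."""
    name, addr = parseaddr(msg["From"] or "")
    addr_domain = base_domain(addr.split("@")[-1]) if "@" in addr else ""
    return [
        f"From display name claims {brand!r} but address domain is {addr_domain!r}"
        for brand, domain in known_brands.items()
        if brand.lower() in name.lower() and addr_domain != domain
    ]


def check_links(html):
    """Flag anchors whose visible text names a different domain than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_domain = base_domain(urlparse(href).hostname or "")
        text_domain = domain_in_text(text)
        if text_domain and text_domain != href_domain:
            findings.append(f"link text shows {text_domain!r} but href goes to {href_domain!r}")
    return findings


def analyze(raw, known_brands):
    """Run both checks over a raw RFC 5322 message and return a list of findings."""
    msg = message_from_string(raw, policy=default)
    findings = check_from(msg, known_brands)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, KNOWN_BRANDS):
        print("WARNING:", finding)
```

On the sample message this reports two findings: the display name says “Amazon” while the address is at the placeholder domain, and the first link’s text shows amazon.com while the href leads to the placeholder domain; the second link is left alone because its text is ordinary words. The base-domain comparison also catches subdomain tricks such as `amazon.com.<attacker>` (which resolves to the attacker’s domain). It is a heuristic, not a verdict: it does not validate SPF/DKIM, resolve redirects, or handle every public suffix, so use it as one signal in awareness training or mail triage rather than as a filter on its own.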
The Specific Steps
The specific steps needed to implement this three-pronged strategy will vary, depending on your business’ needs. We can help you decide on the best course of action as well as provide more recommendations on how to protect your business from tech support phishing emails and other types of phishing attacks.