Microsoft on Thursday provided further evidence that people are the weakest link in the security chain when it published findings of an ongoing Internet theft campaign that might be described as phone phishing.
Phishing is a way to steal personal information by sending email messages that urge recipients to submit personal data to a website that is masquerading as a legitimate business. Phone phishing involves calling computer users and convincing them to take similar action. In less trendy parlance, it's a plain old scam; you could also call it a social engineering attack, if you wanted to make the attacker sound clever. It's easier on the ego to imagine being duped by a criminal mastermind.
Microsoft says that criminals have been posing as computer security engineers and calling people at home to warn them of a computer security threat. The fraudsters claim they're offering free security evaluations on behalf of recognized companies. It's an approach similar to that taken by fake antivirus software, except with a personal touch rather than an on-screen graphic.
Sadly, this approach works. Based on a 7,000-person commissioned survey conducted in April across the U.S., Canada, Ireland, and the U.K., Microsoft says that 15% of respondents in the four countries had received such calls and that 22% of call recipients, or 3% of total respondents, were deceived. That's a better response rate than direct mail, which gets about a 2% response rate, or spamming, which leads to one sale in 12.5 million messages, according to a 2008 research paper.
"The security of software is improving all the time, but at the same time we are seeing cybercriminals increasingly turn to tactics of deception to trick people in order to steal from them," said Richard Saunders, director of international public & analyst affairs at Microsoft's Trustworthy Computing group, in a statement. "Criminals have proven once again that their ability to innovate new scams is matched by their ruthless pursuit of our money."
Among those duped into permitting remote access to their computers or downloading malicious software, 79% said they had suffered financial loss. Seventeen percent of respondents said that money had been taken from their bank accounts, 19% said their passwords had been compromised, and 17% said they had experienced identity fraud. And some 53% reported ongoing computer problems.
The average amount lost was $875 in the U.S. and $1,560 in Canada, but only $82 in Ireland--a Microsoft spokesperson did not immediately respond to a request to explain the luck of the Irish. About two-thirds of the victims were able to recover almost half of the lost funds.
Microsoft also notes that the average cost of repairing the damage caused to computers as a result of the scam was $1,730 among all four countries and reached $4,800 in the U.S.--a curiously high amount that suggests the best repair option might be tossing an infected PC and buying new hardware for significantly less.
Despite the "huge scale" of this phone campaign, Microsoft expects it to grow further, as the scammers branch out from English to other languages.
Microsoft's advice seems as if it should be obvious: "Do not go to a website, type anything into a computer, install software, or follow any other instruction from someone who calls out of the blue."
In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)