Despite having the most sophisticated technology at their disposal, cybercriminals often resort to the most technically archaic methods, such as phone calls. A user receives a call from a suspected Microsoft technician warning him that his computer has a virus and that he must follow his recommendations in order to solve it. The alleged specialist tells him that he must download a remote control application so that he can manage the incident himself. And so, starting from a more or less common and undoubtedly alarming problem, such as a malware on the personal computer – the fear of any user – cybercriminals manage to gain unlimited access to the victim’s computer and, with it, to all the information stored on it.
An assumption like this could open the door to another series of crimes, such as the theft of documentation and personal information, bank credentials and even the purchase of cryptocurrencies. “If you have the typical folder with the scanned ID or other important documentation, they could charge you, sign you up for services… You could be the victim of more fraud in your name or even extortion,” warns Ruth García, a cybersecurity technician at the National Institute of Cybersecurity (INCIBE), which adds: “Although it is true that along the way many users begin to notice strange things, rule out continuing and do not follow the instructions, many others end up being victims because, believing that it really is of a technician, they agree to their requests”. In these cases, it is essential to take action as soon as possible.
“I have just been the victim of a call from vishing and I have sent money to a scammer. I have already filed a complaint with the police. Do you have any kind of insurance against this? Can I do something else?” This is the query made by a Twitter user to Bizum’s official account last December, just after being the victim of vishing. He is not the only one to share the trance on this network. Another user who warned her followers of the scam tells this newspaper that, although she did not bite, she received a call in which they asked her for a code that had supposedly reached her mobile phone to access her bank account . ”The caller ID was listed as Banco Santander,” she explains.
According to García, it is not uncommon for cybercriminals to falsify or supplant the numbers so that the company’s client and potential victim appears as their company. ”Although the number appears to be correct, they have been able to falsify it or divert it. The same happens with emails and text messages,” insists the technician. This makes it difficult for the user to know at first that it is a hoax.
Most of the time, the payments that are requested are very small, since, if you are the victim of a charge of three euros, for example, it is more difficult for you to report it. They do it precisely “so as not to arouse suspicion,” according to the technique. “It is easier for a user to fall for a scam like this than for a large one, when the alarms go off more easily. It is more profitable to deceive, for example, a million users who pay two euros, than a few for more money ”, he insists.
If you do fall into the trap, it is important to do egosurfing and searching oneself on the internet to check if personal data is on websites where it shouldn’t be. In the event that the user has managed to install remote control tools that allow the cybercriminal to access their computer, the first thing they should do is uninstall it, disconnect the device from the network as soon as possible and carry out an antivirus check in case others have been downloaded. files that could continue to send information to attackers.
The impersonation of trusted companies or entities to obtain personal data through a simple call is still a very common scam attempt in Spain. One of the most common strategies is to impersonate a technical support member of a technology company and Microsoft is precisely the company that has suffered the most in recent years: 36% of the times this type of company is impersonated, they pose as it, according to a study commissioned in 2021 by YouGov, a data and market analysis entity.
Every month, the multinational founded by Bill Gates receives some 6,500 incidents globally, although in previous years it could reach 13,000. INCIBE’s cybersecurity technician explains that this is due to the fact that “the potential victims are many more than those that can be found among Linux or iOS users.” According to the Statista portal, almost 89% of PC users in the world have this operating system installed, compared to 8.5% with iOS and less than 2% with Linux.
Ruth García assures that INCIBE has identified an upturn in cases of vishing during the last few weeks. According to Commander Alberto Redondo, head of the Criminal Cyber Intelligence Group of the Judicial Police Technical Unit of the Civil Guard, “these are fairly active campaigns, although they experience temporary peaks. There are more cases for a few months and then there is a quieter period. But unfortunately, they are quite frequent. Among the companies most prone to being impersonated, in addition to technology companies such as Microsoft, are electricity entities and banks.
Most of the time, these scams are hatched through organized crime. ”These are bands that have telemarketers who open the first door. The vast majority of cases do not go ahead, so they do a first filtering and, once they see that they can hook the victim, they transfer calls to higher quality scammers, who have technical knowledge and invite them to install the software of remote control for example. Another part of the criminal organization is in charge of managing the data that is stolen or the payments. There are many people behind it who are organized in different branches,” explains Commander Redondo.
Although it is not the most common, cybercriminals can search for information about the victim on the Internet to better orchestrate the scam. “This is very useful if, for example, you want to commit fraud on behalf of an electricity company and the user has contracted a service with that company because, if you are not a customer or user, it is more complicated for you to end up being a victim of the cheated. If they seek information, there will be more victims than if they call users indiscriminately,” explains the INCIBE technician. However, “in general, they don’t look for specific people, but they take a bag of data and start calling,” insists the commander.
The thing to keep in mind when receiving a call from a supposed company, especially if you happen to be a customer of theirs, is to determine if you were expecting a call. “If you don’t expect it, be suspicious,” Garcia warns.
The assumptions that should generate suspicion are: “If you are a client of the alleged company, but they sell you information that is strange to you or you do not understand well, it is best to cut off communication and go directly to the official contacts of the entity. If you cannot hear well, there is a lot of background noise or it seems that the other person is not understanding you, if the communication is cut off or they do not know how to answer the questions you ask, be suspicious. Sometimes they don’t answer or just hang up. If you are asked to provide any personal information that a company of which you are a customer should know, same thing. And we can also be suspicious if they send you to install something, no matter what the pretext is,” explains García. But above all, common sense should be used. Although, sometimes, the trick may be that the interlocutor spits out a string of technical concepts to confuse the victim.
Interestingly, according to Microsoft, it is Millennials (ages 24-37) and Gen Z (ages 18-23) “who are the most exposed to tech support scams, because they overestimate their skills regarding to the use of computers and the Internet. The company calculates that 65% of adults in Spain have been exposed to a scam of this type in the past year, compared to 59% of the global average.
You can follow THE COUNTRY TECHNOLOGY on Facebook and Twitter or sign up here to receive our weekly newsletter.