Microsoft released findings of a study on emerging forms of Internet scam that target English-language markets and costs victims on average USD 875.

According to the press release, criminals posing as computer security experts contacted the victims over phone and told them that they were at the risk of a computer security threat. The scammers then persuaded targets to reveal personal data after gaining their trust by claiming to represent legitimate companies (including Microsoft) and using telephone directories to refer to their victims by name. The scammers are believed to run through a range of deception techniques designed to steal money upon successfully leading the victims to trust their authenticity.

To establish the extent of this emerging form of Internet fraud, Microsoft surveyed 7,000 computer users in the U.K., Ireland, U.S. and Canada. The survey showed that across all four countries, 15 percent of people had received a call from scammers. In Ireland this rose to 26 percent.

Of those who received a call, 22 percent were deceived into following the scammers' instructions which ranged from permitting remote access to their computer and downloading software code provided by the criminals to providing credit card information and making a purchase.

The vast majority (79 percent) of people deceived in this way suffered some sort of financial loss. Seventeen percent said they had money taken from their accounts, 19 percent reported compromised passwords and 17 percent were victims of identity fraud. More than half (53 percent) said they suffered subsequent computer problems.

The security of software is improving all the time, but at the same time we are seeing cybercriminals increasingly turn to tactics of deception to trick people in order to steal from them, said Richard Saunders, director of International Public and Analyst Relations at Microsoft. Criminals have proved once again that their ability to innovate new scams is matched by their ruthless pursuit of our money.

A user wrote in response to the Microsoft release on an internet discussion forum: I'm in the UK, and received a call from Thomas who worked for Microsoft, apparently, which had detected a virus emanating from my PC. They knew my name, and clearly had my (ex-directory) phone number. Apart from the incredibly crackly line and Indian accent, they sound /very/ convincing. Their MO. is to start off by offering to work with you to identify the virus. A friend's parents were caught out by this. The 'support engineer', talked the user through navigating to the IE Cookie folder and demonstrated that there was personal information in that folder. He then got them to download a 'cleaner' (i.e. trojan). When he asked for payment of £435, my friend's dad had presence of mind to say Invoice me, to which the 'engineer' hung up.

Microsoft press release advises to:

  • Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company.
  • Never provide personal information, such as credit card or bank details, to an unsolicited caller.
  • Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue.
  • Take the caller's information down and pass it to the authorities.
  • Use up-to-date versions of Windows and application software.
  • Make sure security updates are installed regularly.
  • Use a strong password and change it regularly.
  • Make sure the firewall is turned on and that antivirus software is installed and up to date.
  • Microsoft Security Essentials is a free antivirus product and is available at http://www.microsoft.com/en-us/security_essentials/default.aspx
United kingdom Canada Microsoft Phone