I am very excited, almost giddy! I got phished - and it was not just any old phish, but a telephone phish - very old school! I haven't received a telephone phishing attack since 2003. It brought back memories of the good old days; days before ubiquitous tablet devices, days before Ant and Dec were constantly on our TV sets, days before Amazon turned a profit and days when social networking meant going to a cocktail party.
It was a Sunday morning, cold but sunny and my family had just finished breakfast. The phone started to ring, no caller displayed, but the phone indicated that it was an international number. I didn't see this as unusual since I have relatives living abroad and Sunday would be a day that they would call.
"Hello Sir, I am calling from the World Wide Web Server to inform you that your computer has been infected by the Trojan virus!" said a male voice in a distinctly foreign accent.
"Oh my goodness!" I thought, "I can't believe my luck; I have been looking for something that will get me out of clearing up the dishes, let's see how long I can keep this guy on the phone."
Apparently, the caller represented a company called the World Wide Web Server, the people that run the Internet, and my computer had been reported to them as being infected by the ‘Trojan Horse virus’. Now I'm not normally one to quibble, but a few things that he said in his first sentence did draw my attention.
1 – “A company called the World Wide Web Server that runs the Internet”. Why had I, as a senior member of staff in one of the world's largest domain name registrars, never heard of this phenomenal company? I wish I had known about them before so that I could have asked them to fix everything that’s wrong with the Internet, making my job ten times easier.
2 – “My computer is infected!” According to Cisco, by 2015 the average American will own seven internet connected devices. I am not American, nor do I like to think of myself as average, but there are at least 21 internet ready devices including computers, tablets, mobile phones, games consoles, televisions and even Blu-ray players in my home. As I have at least five PCs at home, I wondered which one was infected?
3 – “My computer (which one?) had been infected by The Trojan horse virus!” Now it's been a while since I worked in Internet Security, but I'm pretty sure that there are at least two errors here. 1) A Trojan Horse program is NOT a virus. A virus attaches itself to other programs and replicates itself wildly on as many files and PCs as possible (that's why it's called a virus), whereas a Trojan Horse is a small hidden program that is usually downloaded as part of another 'legitimate download' (that's why it's called a Trojan Horse). This program sits on your computer and creates invisible actions such as logging keystrokes and sending them to someone, or accessing your mail box and sending emails from it. 2) There is not just one Trojan Horse program; that would make the job of an IT security specialist rather straightforward. In fact, there are estimated to be well over 100,000 Trojan Horse programs in the wild.
I acted interested and concerned whilst I probed the caller gently for more information about the World Wide Web server company, getting rather dubious and superficial information in return. For example, the caller couldn't tell me if it was an American, UK or even a Guatemalan company; he couldn't tell me how large the company was, how many people it employed or what the address of its headquarters was. What he could tell me and did, over and over again, was that my computer (he couldn't tell me which one) was infected with the Trojan Horse virus and that I absolutely had to download some of his software to sort out the problem. There would, unfortunately, be a small charge of £99 for the software but “it is a small price to pay for peace of mind that my computer is free from harmful viruses.”
By this time, the dishes had been cleared in my absence. So I decided to wrap things up. I brought the Telephone Preference Service (TPS) into the conversation. For those of you who do not know, the TPS (www.tpsonline.org.uk) is the free register of UK domestic telephone numbers whose owners have decided that they do not wish to receive telemarketing calls. In the UK the Information Commissioner can impose fines of up to £500,000 for those organizations that flout these rules. Similar schemes are run in other countries, and I would recommend anyone who doesn't want to receive telemarketing calls to subscribe to the TPS or equivalent. It should be noted that, in the UK, there is a similar scheme for corporations which do not wish to receive telemarketing calls.
After I dropped the TPS bomb, the increasingly desperate caller tried to assure me that this wasn't a telemarketing call; it was a 'service', provided by the World Wide Web server company to warn people that had viruses on their computers. When I enquired, quite robustly, how a call which wasn't trying to ‘sell’ me anything had just asked me to pay £99 to solve a problem I didn't even know I had, the line suddenly went dead. Shame, I was just beginning to enjoy myself.
Unfortunately, there is a serious side to this tale of the inept tele-phisher. Phishing, in all of its forms, only exists because enough people fall for these scams. While my conversation stopped a criminal from trying to defraud others for 20 minutes, I know that as soon as the caller put the phone down on me he would have picked it up again to dial the number of another, maybe less IT-literate, potential victim.
Here are some rules to survive phishing:
- If there is even the slightest doubt in your mind that a call might be dubious, stop the call and ask for a number on which you can call them back after you have done some research on the caller's company. If they are legitimate, they will be happy to comply.
- If there is even the slightest doubt in your mind that an email might be bogus, delete it; never click on any links.
- Never provide personal information over the phone, via email or on any websites to anyone that cannot prove their identity to your satisfaction.
- Subscribe to the Telephone Preference Service (TPS) in the UK, or your local equivalent, to obtain a measure of protection from telemarketing calls.
Written by Andy Churley, Group Marketing Director, NetNames
28 November 2012