In a blog on the Microsoft website, Courtney Gregoire, Assistant General Counsel, Microsoft Digital Crimes Unit, has written about the vendor's fight against tech support scams. Gregoire is joining other vendors, the AARP, the FTC and a number of other organisations at events to educate consumers in Washington state. The programme is called “Unmasking the Imposters”. The question is how effective it will be in solving this problem.
How does the scam work?
The phone rings and the person on the other end says that they are calling on behalf of Microsoft. They claim to have spotted problems with your computer and say you have to let them help you fix it. They ask you to download a piece of software to your computer so that they can identify the problem and, as soon as you do that, they ask for money to fix the problem. It’s a scam and a very common one.
It is not just Microsoft whose name and customers are being targeted. Internet Service Providers (ISPs) know that after a breach, some of their customers are easy prey to this scam. After all, the scammers have the customer's name and often all their account details. They no longer need to ask security questions. Instead, they will offer to walk you through security. They will ask how you pay, the last four digits of your credit card if you use one, and the address at which the card is registered – in short, all details they have stolen or bought. Customers fall for this quickly as it seems legit.
What is Microsoft doing?
In addition to events to help educate people, Microsoft has its own Digital Crimes Unit (DCU). This unit targets fraudsters and tech support scams. It gathers data from customers and combines this with other data it receives. It also uses its own Artificial Intelligence and Research (AI&R) to provide as much detail as possible about the fraudsters and their methods. That data is then passed to law enforcement for action. Anyone who thinks they have been a victim can contact Microsoft via the company’s website at www.microsoft.com/reportascam.
Gregoire also says that the company is strengthening its technology to help reduce these types of scams. Some of this is being deployed as part of Microsoft’s free anti-virus and malware tools that are built into its operating systems. It is also looking at other ways to harden the operating system and its other products. The problem is that some of the technology the scammers use is the same technology that the company’s customers use.
The DCU has had a number of high-profile successes lately. On May 12th, US law enforcement agencies including the FTC took action against a number of fraudsters. A number of these had been identified by the Microsoft DCU. As part of the 12th May actions, seven people in Florida have been indicted for their part in a tech support scam.
Working outside the USA
To address the international scale of the problem, Gregoire says that Microsoft is talking to governments in other countries. One country where a lot of scam calls originate is India. To deal with the threat, Microsoft has supported cyber training for police officers and prosecutors. Gregoire says that this is having an effect as call centres are being closed down.
The challenge will be keeping the call centres closed down and tracking new ones as they appear. Modern unified communications systems mean that virtual call centres can pop up in any country at any time. The USA is often high on the list of countries where servers hosting scams are located.
What is disappointing about this announcement is the lack of support for Microsoft subsidiaries in building their own events. The UK website lists no events under cybersecurity, nor do the websites in Germany, France, Italy, Spain, Australia and New Zealand. If events like the ones Gregoire is participating in are taking place in those countries, they appear to be taking place in secret.
It would be good for Microsoft to do more when it comes to educating its customers. It has done a lot to establish support for schools around the world. Those programmes are about software sales, not about cyber security education around things like the tech support scams. Microsoft is not alone in this regard. Technology vendors and ISPs are woefully under-resourced when it comes to protecting customers. A cynic might suggest this is due to such operations being cost centres, not profit centres. Perhaps it is time for a wider industry rethink of reputation and customer support.