This morning I had an unexpected surprise. The phone rang, and the number wasn’t one I recognized, but neither did it say “out of area”. I’d offer some of the caller ID details but I don’t think they’re important to the story; if you get this call it could be from anywhere and say anything. It did not say “Microsoft” or any variation thereof, which for the purposes of this story is the only important thing.
Already this phone call started on an adversarial bent. It interrupted me, and since the call wasn’t local it obviously wasn’t a wrong number. When I get long distance calls it’s pretty much always a telemarketer, more so if I don’t recognize any of the caller ID info. Most often these groups are just calling to solicit for a charity, unaware of my Not One Thin Dime rule when it comes to telemarketers. Heck, just this weekend we got a call from Children’s Wish Foundation International (they’re one of the few who identify themselves) and for the first time ever I had the brains to let it go to the machine without picking up. It’s a good cause but it will never see any of my money because of the way they seek donations; there are similar charities that don’t blast me with phone calls.
I digress. When I answered the call I got a person who I originally thought was a woman but soon decided must be a man with a higher voice than I’m used to. His accent was thickly Indian, but mostly understandable; he lost me when he got a little into gobbledygook, as I’ll explain. The following is heavily paraphrased.
James: Hello. This is Microsoft calling, and my name is James. How are you today, sir?
I was already suspicious at this point. Why would Microsoft be calling me? The number didn’t identify itself as coming from them, and unless they’re aware of my long-term goal of nuking Redmond (after evacuating it of course), I don’t see why they’d want to spark a dialogue. After all, I’m in no position yet to accept supplicants. Also, if this guy’s name is James, mine is Molly.
James: We are calling today because our servers have reported that your computer is freezing and experiencing frequent problems.
The BS alarm, already pulsing red, exploded at this point. Oh, where do I begin? Well, let’s start with what I told him.
Me: (interrupting) I’m sorry, that doesn’t make sense. My computer doesn’t know my phone number.
James: I understand that, sir, but our technical research department has investigated and came up with your number. The frobnicated spin tannicle indicates an infestation of malware, spyware, and impacted iglomitis.
I’m exaggerating a bit. I tuned him out a little at this point, but he did say something about malware. My brain was playing catch-up, still trying to get into the conversation from where it had been before the call. I imagine this is where most gullible people get caught, at least the ones who don’t fall for the initial line right out of the box. I should add that my computer hasn’t been experiencing any more problems than it ever is. If this was intended to induce panic it failed utterly; it reminded me more of those dumb commercials trying to sell me software I don’t need to speed up my PC. In fact, it’s pretty likely that’s what he wanted to sell me, but I never gave him the chance.
Me: How would your company even get that far, seeing as my Windows software isn’t even registered under this phone number?
Fun fact: My computer is kind of old. It predates my marriage, and therefore was purchased and registered with a different address and phone number. Another fun fact: I turned off the error reporting service years ago, and have had to periodically turn it off again (after various updates reinstated it) since. The error reporting service is a disaster, and it also makes programming a million times more difficult. So if Microsoft did get any reports, they didn’t come from me. At this stage of the call it did not occur to me that he could be calling about my wife’s computer, but too many alarm bells were going off already; I didn’t even consider that possibility until after the call, though it wouldn’t have mattered.
James: Sir, I understand, but look, Microsoft is the creator of Windows, correct?
James: Our technical research has definitely determined your computer is dangerously frimsnagulated with malware. I—
Me: Do you even know my name?
The acid test. If there was any truth in what he was saying, he should already have multiple pieces of identifying information with which to confirm the call. At this point he should have either my name or my wife’s, and the version of Windows that supposedly called for help. If Microsoft really did outgoing calls to people in desperate need of computer help, which I never believed for a moment anyway because that’s absurd on its face, then the person making contact should already have a ticket setup with the Windows Genuine Advantage serial number, version number, and other such info. I didn’t ask for all this; the name was enough.
James: Yes, this is Mr. _____, correct?
BOOM. The idiot just maiden-named me. My wife bought the house and setup our phone before we were married, and everything got listed in her maiden name. This is also how I knew, after the call, that “James” was not calling about my wife’s computer either. She didn’t turn off the error reporting service as far as I know, but her computer was purchased under her married name. So James, like all other outbound telemarketers, just has a list of names and phone numbers culled from a public listing. James in fact had no way to know we even had a Windows computer outside of statistical likelihood.
I may have mentioned this on more than one occasion, but I hate spammers. Hate hate hate. When I become a supervillain, it will be legal to hunt them for sport. Phone spammers are worse, and scammers of either variety are worst of all. I don’t really mind people getting honest work in a legitimate outbound call center, with my definition of legitimate being very strict. Call center work is hard, and I have great sympathy for people who do it, having done it myself (inbound) for several years. But James here is participating in a scam, and he’s lying to me outright. So sorry James, when my administration rolls in there’s gonna a wall plaque with your real name on it, and it’s not for employee of the month.
So back to the call. I’m feeling a mix of emotions by now, one of them being satisfaction at having tripped up this doubletalking buttmonkey who thought he could bamboozle me. There’s also a rush of power, knowing I’m the one in charge of this call now. And finally, all the others, which are varying flavors of rage. I’m never rude on the phone, as a rule, so it’s fun when I can completely turn off the filter and let loose. I didn’t swear at him; perhaps I should have, this being one of the times that’s appropriate.
More imaginative paraphrasing here. I’m not sure which of these points I brought up and which I just thought of after the call. I went on for quite a bit, talking over James’ repeated attempts to wrest back control. It’s over, James; as the real company I used to take calls for would say, drop the rope.
Me: No. This is fraud. You don’t have my information. My computer did not call you.
James: But sir—
Me: What you’re telling me is completely false. Microsoft is not calling me because of a freezing computer they couldn’t even know about. They don’t have my current information, so they couldn’t have contacted me even if they wanted to. You are committing fraud. Furthermore, this number is on the Do Not Call list.
This may not strictly be true anymore. I think the number expires after some time, and may need to be reinstated. Still, it’s not like scammers will respect the list to begin with.
James: But the plexinodal—
Me: It’s fraud. You’re just calling people up at random trying to convince them their computer is having problems, and if you continue calling I will report your activity to the FTC.
James: Sir, the methyliso—
Me: I will not be a victim of fraud today. Thank you. (click)
Now I would have gone ahead and reported this to the FTC anyway, but it looks like there’s no need. This scam apparently goes back to 2008, and at the end of 2012 they finally got to doing something about it by suing a number of companies that are using the scam. So they’re actively pursuing these rats, or at least similar rats if not these ones in particular, and since an easy report form didn’t jump out at me from Google I’m comfortable just leaving it at that. Reporting this won’t really add much to the FTC’s investigation anyway. I will, say, though, that their method of using lawsuits rather than the choice I would prefer (a precision commando raid) is disheartening.
Now good people, since you’re reading my blog I trust you have a high degree of common sense. But for those of your associates who are not so blessed, and there are more of them than you think, you should make them review the following clues:
- Microsoft will never contact you. Even if they ever did, it would be with a bevy full of very specific (and not publicly known) information you could verify against your product registration, and if they called the caller ID would clearly identify them—though only an idiot would trust the caller ID alone; it’s only good for proof against, not proof positive. They’re also far more likely to do such a thing via e-mail because call centers cost more money, even the ones in India, and also the e-mail can make them look more professional whereas getting hit by a guy with a thick accent says “No really, we’re cheap and we don’t care about appearances.” Microsoft has said outright that they don’t make unsolicited phone calls anyway, so right there is your answer.
- Your computer isn’t calling for help when malware strikes. A lot of malware would rather do its work in peace, undisturbed by any attempts on your part to remove it. The rest just wants to throw ads at you and be a nuisance. It avoids deliberately crashing your other programs, because such a thing could red-flag any smart antivirus software and make it easier to detect. Even if it did cause a crapload of crashes, this is something you’d notice long before it registered as some kind of statistical anomaly at Microsoft HQ.
- Always press them for information. This applies to every call, every e-mail, every potential scam. If someone claims they’re contacting you over a specific matter, they should have a sea of corroborating details. Microsoft would have had only my name and my old address and phone number, unless they were calling my wife; in neither case did the info match up. Bear in mind a lot of info about you is public. If James had gotten my name or my wife’s right, I would have pushed for info like a serial number, which version of Windows the call was about, etc. Also, I would have flown to Mars for breakfast, because at that point it was obvious he was full of crap. Social engineering scams take advantage of your gullibility: They aren’t prepared for you to ask tough questions.
- Confirm with another source. Assuming they can convince you of their authenticity well enough, it doesn’t hurt to call the actual company later instead of staying on the phone with the person right now. If a company has a legitimate interest in contacting me, there’s no reason I can’t call their known public line and talk to someone about the issue. This should go without saying, but don’t trust the caller to give you the company’s number. This is especially important when dealing with a government agency like the police: You want to call the police department and talk to someone there, rather than assume the caller is on the level. Real police would appreciate that you were smart about this.
I’m sure others have covered scam prevention better than I ever can, so I’ll let them handle it. In the meantime, here’s some info from Snopes about the scam. It’s not specific to India, so don’t let a lack of accent (or a completely different one) throw you off.
Always use common sense. And please consider supporting my world domination fund, for the good of all mankind; I promise I will never call for donations.