A recent social engineering scam uses real people in a call center to trick you into downloading malware onto your computer. Here’s how the scam works:
You receive an email claiming that your trial subscription to a publishing company will expire soon. The email states that you will be charged if the subscription is not canceled, and it directs you to call a phone number for assistance. If you call this number a representative happily walks you through how to unsubscribe.
The representative directs you to a generic-sounding web address, asks you to enter the account number provided in the original email, and tells you to click a button labeled “Unsubscribe.” If you click, an Excel file is downloaded onto your computer. The representative tells you to open that file and enable macros so you can read a confirmation number to them. If you enable macros, a malicious file is installed that allows cybercriminals backdoor access to your system. The bad guys can use this access to install more dangerous malware, such as ransomware.
Follow these tips to stay safe from this social engineering attack:
Your membership makes our reporting possible.
• This attack tries to spark feelings of alarm and frustration by claiming that you will be charged for something you didn’t sign up for. Don’t let the bad guys toy with your emotions.
• Remember that cyber-attacks come from real people and real people can lie over the phone, just as they do in phishing emails.
• If you’re concerned that a warning could be legitimate, look up the company and try contacting them another way—not by using the phone number that they provided in an email.
Stop, Look, and Think. Do not be fooled.