In this article we're going to talk about some of the most common cyberattacks and scams that we see, and give you a few things you can do to protect yourself.
One of the most common attacks we see are what we call “phishing” attacks (pronounced like fishing). This is when an attacker contacts you pretending to be somebody you know or an organization you trust, and tries to get you to give them personal information or open a malicious website or file.
Most phishing attempts arrive via email, but they can also come via text messages, direct messages on social media, or even phone calls (what we call "Vishing"). What they all have in common are:
A trusted sender
The message or call will appear to come from a person or organization you trust. Could be your bank, the government, a service like Netflix or Spotify, a tech company like Microsoft, Amazon, or Apple, or some other service you recognize. The truly daring scammers may try to impersonate your boss or a family member.
An urgent request
The messages usually have a sense of urgency to them. Something is going to be canceled, you’re going to have to pay some kind of penalty, or you’re going to miss out on some kind of special deal, and you have to act NOW.
The urgency is to get you to take the message seriously and also to get you to act on the message without thinking about it too much, consulting a trusted advisor, or looking into whether the message might be a fake.
A link or attachment
The message will include something you need to click on – a link to a website, or an attached file most commonly. The website will likely be a fake version of a legitimate website, designed to fool you into entering your username and password, or other personal information, so they can steal that information to use themselves. Any attached file is almost certainly malware.
What can you do about phishing?
Look carefully at any messages you get that want you to take urgent action. Pay particular attention to the email address of the sender. If the message claims to be from your bank but the sender’s address is not your bank’s domain name that should be a loud warning.
Never open any links or attachments you weren’t expecting; even if they appear to come from somebody you trust.
If you get a link that appears to be from your bank or other trusted organization, open a new tab in your web browser and go directly to the organization’s website from your own saved favorite, from a web search, or by typing in the organization’s domain name yourself. A link from a phishing email will take you to a site that looks very genuine but is designed to trick you into entering your personal information.
If you get an attachment you weren’t expecting, don’t open it. Instead reach out to the sender, preferably via a different method like text message or phone call, and confirm that the attachment is genuine before you open it.
Use SmartScreen for Microsoft Edge which can help to block known phishing websites.
To learn more about how to spot and defeat phishing attacks see Protect yourself from phishing schemes and other forms of online fraud
Malware is malicious software and is sometimes referred to as a "virus". It can be designed to do many different things including stealing your personal data, identity theft, using your device to quietly attack other machines, using your computer’s resources to mine cryptocurrency, or any number of other malicious tasks.
There are a few ways your machine can get infected with malware but the most common ways are by opening a malicious file attachment, or downloading and opening a file from an unsafe website.
You can also get infected with malware by opening a file or installing an app that appears to be useful but is actually malicious. That sort of attack is referred to as a “Trojan Horse”. One version of this that attackers are using is to disguise the malware as a browser update. If you get an unusual notice that your browser needs to be updated, close the suspicious update message and go to the settings menu for your browser. Look for a Help > About page; on all major browsers going to that page will cause the browser to check for legitimate updates.
One type of malware that is common today is called “Ransomware.” This is a particular kind of malware that encrypts your files then demands you pay the attackers to unlock the files so that you can access them. Increasingly ransomware also tries to steal your data so that the attackers can also threaten to release your files publicly if you don’t pay them the ransom.
If you get infected with ransomware, the FBI recommends that you do not pay the ransom. There's no guarantee that even if you pay the ransom that you'll get your data back, and by paying the ransom you may make yourself a target for additional ransomware attacks in the future.
Tip: Microsoft OneDrive has built in tools to help protect you from, and recover from, ransomware. For more information see Ransomware detection and recovering your files.
What can you do about malware?
Be careful. Don’t open attachments or links you weren’t expecting. Be extremely thoughtful about what apps you choose to install and only install reputable apps from reputable providers. Be especially careful about downloading files or applications from torrent or file sharing sites.
Be current. Make sure that your operating system and applications are updated with the latest patches and fixes. On PCs, Windows Update can help.
Be defended. Have an active, current, antimalware program running on your computer. Windows 10 includes Microsoft Defender Antivirus and it’s turned on by default. There are also a number of 3rd party antivirus applications you can choose from.
To learn more about malware see How malware can infect your PC.
Tech support scams
Another attack that we see often is the technical support scam. In this attack the scammer contacts you and tries to convince you that there is something wrong with your computer and that you should let them “fix” it for you.
The two most common ways they contact you are via fake error messages on your computer, or by calling you on the phone.
The fake error messages are usually generated by a malicious or compromised website. You’re just using your web browser, perhaps you click on a link in a web search or on social media, and suddenly your screen fills with scary looking messages telling you that your machine has a problem or a virus and that you need to call the provided phone number right away. These pop-ups may appear to block access to your machine so that you can’t close them and may even use alarming sounds or recorded voices to make them seem even scarier.
Tip: Sound familiar? Urgent messages, threatening bad things, if you don’t act right now? This is a recurring theme with attacks and scams.
The phone calls usually take the form of a “tech support agent” calling you and pretending to be from a trusted company like Microsoft or Amazon. These scammers are professionals and will often sound quite convincing.
Regardless of whether you call them from a pop-up or other error message, or they call you posing as a tech support agent, the story is always the same. They tell you that they’ve spotted something wrong with your machine or your account and they want you to let them fix it.
There are a few things that typically happen at that point:
They’ll want you to let them access your computer remotely so they can "fix" it. While they pretend to fix your computer they’ll actually be stealing your information or installing malware.
They may ask you for personal information so they can help “fix” your account. This information will probably include things like your name, address, username, passwords, social security number, birthday, and just about any other kind of personal or financial data they think they can trick you into revealing.
They will often try to charge you a small fee for their services to “fix” the non-existent problem. If you give them your credit card information, they may pretend the card didn’t go through and ask if you have a different card. They do that to see if they can get you to give them multiple credit cards.
What can you do about tech support scams?
Remember that real error messages from Microsoft, or other big tech companies, never include phone numbers for you to call them.
Microsoft and other legitimate tech companies will never cold call you to tell you that there’s a problem with your device. Unless you contact us first, we won’t call you to offer tech support. Tech support agents will never need to ask you for your social security number or other unrelated personal information. If you get a call from someone offering unsolicited tech support, hang up on them.
If your screen suddenly fills with scary pop-ups you should immediately close your browser (try pressing ALT+F4 if you can't do it with your mouse). If you can’t close your browser try restarting your computer.
Call a trusted advisor or family member if you’re worried that your device may actually have a problem.
Tip: Click here for a free information sheet with tips on avoiding tech support scams. You can print the sheet and share it with friends and family.
Also, speak up! Report the attempted scam at https://microsoft.com/reportascam and don't be afraid to warn friends and family so they can be on the lookout for the scammers as well.
To learn more about defeating tech support scams see Protect yourself from tech support scams.