A family member got scammed by a telephone call from someone saying that they were from Microsoft, calling because of PC error reports. Unfortunately, remote access was given. What should be done to prevent further compromise of the PC data? Help!
Note: MS scanner and a Norton scan were done and showed no problems. Remote access software files were removed manually from PC. Could the scammer again access the PC data? Data is backed up to the external drive (not plugged in at the time of the scam). Can the same files/data be safely loaded onto a new HD/computer?
As you point out, it’s a scam. Microsoft doesn’t call people because of errors on their computers. Neither do ISPs, security companies, or pretty much anyone else who might claim some role of internet authority.
To quote Admiral Ackbar: “It’s a trap!”
In recent years (yes, years) I’ve been getting lots of reports of this scam and its variants. Fortunately, many people are rightfully suspicious and cut it off before it goes too far.
Unfortunately, your family member having fallen for the scam puts you in a difficult and dangerous position.
To start with, let’s not hook up that external hard drive just yet.
The scam is very simple: someone calls you claiming to be from Microsoft or your ISP or your anti-malware provider, or some other authoritative company. Of course, they are not. Microsoft, your ISP or any of the other companies these scammers claim to be from are not involved in any way.
They claim that they’ve detected that your computer is causing many errors on the internet or that there are “problems with your account”. To prove that there’s something wrong, they ask if your computer has been crashing recently. Or they have you open up the event viewer and point out the many, many errors listed there.
And, of course, they can fix it for you.
The scammer asks you to allow them to access your computer. Typically that means they have you connect to a remote access site, such as logmein.com, so you can give them control of your computer. Important: Sites like logmein.com and other remote-access services are not involved in the scam. They’re just web services that the scammer uses as a vehicle for accessing your machine.
This then leads to the scam’s hook. While they have access to your machine, several things may happen:
- The scammer installs malware.
- The scammer “discovers” that in order to fix your (non-existent) problem you’ll need to purchase something, and at this point they ask for your payment information.
- You’re quoted a high price for this “service”.
- Your payment information may be used not only for that quoted fee, but for other purchases you haven’t authorized.
In the end you’re either left with a malware-laden machine (that won’t be “fixed”, by the way), bogus charges on your credit card, or both.
It’s a classic scam.
What about those EventViewer messages?
EventViewer is a mess. Or, rather, the information that is logged by applications in the system and displayed by EventViewer is a mess.
It’s highly technical, often incomprehensible, and honestly really only useful to experienced technicians and software developers.
And here’s the kicker: errors and warnings are expected in EventViewer. It’s completely normal to have lots of red stop signs and yellow warning signs in the list of events displayed by EventViewer.
Put another way, seeing errors and warnings in EventViewer does not mean that there is anything wrong with your system.
Don’t believe anyone who calls you up and tells you otherwise. They’re wrong, and using EventViewer to mislead you is a classic sign that someone is trying to scam you.
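To see for yourself how ordinary those red and yellow entries are, the following PowerShell snippet (an added example, not part of the original article) counts every Critical, Error and Warning entry in the System and Application logs for the past week and groups them by the component that wrote them. The seven-day window and the 15-row limit are arbitrary choices; run it in an elevated PowerShell window on the machine in question.

```powershell
# Added example (not from the original article): summarise what Event Viewer actually holds.
# Counts Critical/Error/Warning entries in the System and Application logs for the last
# 7 days, grouped by the provider that logged them. Run as an administrator on Windows.
$since = (Get-Date).AddDays(-7)
$filter = @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3            # 1 = Critical, 2 = Error, 3 = Warning
    StartTime = $since
}

# Get-WinEvent throws if nothing matches the filter, so suppress that and
# treat the result as an empty list instead of an error.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

"Events at Warning level or worse since $($since.ToShortDateString()): $($events.Count)"

# Top sources of noise. On a healthy machine this is usually a long list of
# drivers, services and applications logging routine hiccups, not evidence of trouble.
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize
```

The point of the output is that the count is not a diagnosis. A specific provider and event ID is worth looking up only when it lines up with a symptom you actually have; a caller reading the raw totals back to you has shown nothing.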
Avoiding the scam
Classic scam-avoidance 101: never completely trust someone you don’t know who calls you.
Listen to them, if you like. Ask questions, if you feel so motivated, but never ever give them access to your PC and never ever give them your payment information.
Let them know that you’ll have your local tech look into it (even if you don’t have one).
Once it becomes clear that you’re not going to fall for the trap, it’s very likely that you’ll get hung up on, or that the caller may even become abusive. At that point, you can hang up on them.
If you’re concerned that there is a real problem, do the research yourself, or contact the technical resources that you trust and ask them about it.
Chances are there’s nothing to see here.
Recovering from the scam
If you handed over payment information, you’ve just given that information to a complete stranger. Immediately contact your credit card issuer or other payment provider and put them on fraud alert.
If you allowed the scammer access to your machine … well, things get ugly.
The short answer is that you have no idea what they did. If you saw them install software in the guise of tools to help repair your system, it’s very possible that software’s really a bundle of malware that’s now residing on your machine.
Even if you didn’t see them download something, they still could have placed malware on your machine.
You just don’t know.
And there’s no way to prove that they didn’t.
There are two approaches at this point:
- Assume the worst. Revert to a system image backup taken before the access was granted. If you don’t have such a backup, then back up your data, reformat, and reinstall Windows. This is the only way to know that whatever the scammer might have left on your machine is truly gone.
- Hope for the best. Run up-to-date anti-virus and anti-spyware tools, making sure that each is running with an up-to-date database. I’d be tempted to scan with an additional tool or two; I would specifically recommend a scan with Malwarebytes Anti-Malware, which seems to catch a lot of the more aggressive malware. I’d be tempted also to try the process outlined here, as well as Windows Defender Offline. And then I’d hope that whatever may have been left was caught.
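If you take the “hope for the best” route, one check worth doing alongside the scans is confirming that the remote-access tool itself, and anything set up to relaunch it, is really gone rather than just deleted from one folder. The PowerShell script below is an added example, not part of the original article; it inventories services, scheduled tasks, autorun registry keys, installed-program entries and common install folders for names from a list. That list is an assumption: LogMeIn is the service named in the article, the others are common remote-access products, and you should add whatever tool the scammer actually had you install.

```powershell
# Added example (not from the original article): inventory places where a remote-access
# tool could have left itself behind after the scammer's session. Run as an administrator.
# The name list is an assumption; extend it with whatever tool was actually used.
$patterns = 'LogMeIn', 'TeamViewer', 'AnyDesk', 'UltraViewer', 'ScreenConnect',
            'ConnectWise', 'GoToAssist', 'RemotePC', 'Ammyy'
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Name, $Detail) {
    $script:findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# 1. Services: anything still registered, whether or not it is running right now.
Get-CimInstance Win32_Service |
    Where-Object { ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName) -match $regex } |
    ForEach-Object { Add-Finding 'Service' $_.Name "$($_.State); $($_.PathName)" }

# 2. Scheduled tasks: a common way for a tool to restart itself at logon or on a timer.
Get-ScheduledTask |
    Where-Object { ($_.TaskName + ' ' + ($_.Actions.Execute -join ' ')) -match $regex } |
    ForEach-Object { Add-Finding 'ScheduledTask' $_.TaskName ($_.Actions.Execute -join '; ') }

# 3. Autorun registry keys for the machine and for the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        if (($p.Name + ' ' + $p.Value) -match $regex) {
            Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value
        }
    }
}

# 4. Installed-program entries (the same data "Programs and Features" reads).
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { ($_.DisplayName + ' ' + $_.InstallLocation) -match $regex } |
    ForEach-Object { Add-Finding 'InstalledProgram' $_.DisplayName $_.InstallLocation }

# 5. Leftover folders in the usual machine-wide and per-user install locations.
$dirs = $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
        $env:LOCALAPPDATA, $env:APPDATA
foreach ($d in $dirs) {
    if (-not $d -or -not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $regex } |
        ForEach-Object { Add-Finding 'Folder' $_.FullName $_.LastWriteTime }
}

if ($findings.Count -eq 0) { 'No remote-access artifacts matched the name list.' }
else { $findings | Sort-Object Kind, Name | Format-Table -AutoSize }
```

Treat every row as a lead to review and remove through the tool’s own uninstaller or the relevant Windows settings, not as proof of malware. An empty result is only as good as the name list: it means those particular tools left nothing in those particular places, which is exactly why the article’s “assume the worst” option is the only one that gives certainty.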
It’s a scam
This appears to be a common scam right now and the best defense, as you can guess, is to not fall for it in the first place.
If you do, then the next best thing is to make sure that you have regular system backups that you can revert to.
And if you walk away remembering just one thing, remember this:
They won’t call you.
If “they” do, be very, very suspicious.