
It Pays to Be Skeptical

A message pops up on your computer, warning you that malware has been detected.

What do you do?

The answer’s not as clear as you might think.

In fact, no matter what you choose to do, it could be the wrong thing, depending on the circumstances.


Your trust is a commodity

It’s no secret that scammers actively prey on the trusting.

But it’s not just scam artists who abuse our generally good nature and desire to trust. People generally prefer to trust the people they encounter every day.

Hackers, malware authors, over-aggressive salespeople – essentially just about anyone who wants something – know that. They’re often skilled at using your trust against your best interests.

Consider that warning message that popped up…

Warning: malware detected, click to remove…

A pop-up message telling you there’s malware on your machine is probably no big surprise to most people. With the constant barrage of news reports about hacks and malware and the ongoing emphasis on anti-malware tools (including from sites like Ask Leo!), it’s no surprise that belief might be your first response when such a message appears.

“Malware? Well, it happens to so many people, it’s no surprise that it happened to me!”

Except … it might not have.

Not yet, anyway.

That message might be completely fake. It could be counting on you to trust that it’s legitimate, and then click on it to take further action. And that “further action” could actually install malware, or worse.

Or, it could be legitimate.

What do you do?

Unable to deliver package, details attached…

You’ve probably received email – important-looking email – that indicates there’s a package on its way to you, and the details are in an attached file.

Perhaps your online email provider has detected a problem with your account, and you need to check something by clicking on the conveniently provided link.

I’ve even received email from PayPal indicating that access to my account had been “limited” because of suspicious activity. I needed to log in to provide additional information – once again, using the provided link. [1]

In each case, the sender wants you to trust them and take whatever action they’ve recommended in their message, be it examining the contents of an attached file, clicking a provided link to their web site, or even replying to the email with sensitive information.

Abusing your trust in this manner is currently one of the most effective ways to distribute malware.

And yet, each one of those scenarios could, in some cases, also be legitimate.

What do you do?

I’m from Microsoft, and we’ve detected….

You’re working on your computer one afternoon and you get a phone call from someone who says they work for Microsoft, and they’ve detected that your computer is causing many errors on the internet. They offer to walk you through some steps to show this to you, and indeed, there do seem to be lots of unexplained errors right there on your computer.

Then they offer to fix it for you, if you’ll just go to a site and type in a few numbers that they recite to you.

Those errors are pretty scary looking, and you certainly don’t understand them.

What do you do?

What you do: get skeptical

Skeptic: a person who has or shows doubt about something – Merriam-Webster

If there were one skill I could magically impart to my Ask Leo! readers … hell, to the entire technology-using, internet-loving universe – it would be the skill of healthy skepticism.

I don’t mean that you believe nothing and trust no one. I mean simply that you question before you believe, and ask before you trust.

Truly, being skeptical is really the only solution to the scenarios I’ve outlined above.

In each case, it’s critical that you not blindly trust the information presented to you. In each case, you must question whether or not the person or company at the other end of the message actually has your best interests in mind. Is the story they’re telling accurate? Verifiably accurate? Do you know – beyond a doubt – that they are who they say they are?

If the answer to any of those questions is “no”, or even “I’m not sure”, then stop. Stop and take whatever additional steps make sense to confirm that what you’re being told is legitimate.

It might mean some internet research, calling them back, or asking a trusted friend or resource for their opinion.

But if you aren’t sure, question everything.

Be more skeptical: it’s one skill that can help prevent disasters before they happen, and keep you and your technology safe.

Nullius in verba
“Take nobody’s word for it.” [2]

It’s more than just technology

Naturally, my plea for being skeptical and that you “question everything” is about far more than just the technology you have sitting in front of you.

As I’ve written about before, an amazing amount of information we’re shown each day is completely bogus – or at least nuanced and presented in such a way as to cause you to believe that things are other than they truly are.

Add to that our natural tendency to believe that which supports what we already believe (known as the “echo chamber”), and it’s exceptionally easy to be misled and misinformed.

The solution remains the same:

Be skeptical.

Question everything…

…even things you already believe are true.

Footnotes & references

1: I’ve actually received this scenario legitimately, which really surprised me. Of course, most are scams of some sort.

2: Nullius in verba, besides being the motto of The President, Council, and Fellows of the Royal Society of London for Improving Natural Knowledge, is also a very fancy way of saying “question everything”. 🙂

42 comments on “It Pays to Be Skeptical”

  1. I have had popups that could not be eliminated by trying to close and re-open my browser. NEVER click on the x in the popup box! When this happens, I open Task Manager and close my browser from there using the End Task button, then re-open my browser. Problem solved. Just remember not to click the restore option when your browser reloads. Then I run MalwareBytes to be on the safe side.

    • It actually boils down to trust. You can safely click on the X to close the newsletter popup box that is on Ask Leo! As Leo says, being skeptical doesn’t mean blindly distrusting everything. It means to think, explore and learn.

      • I disagree Connie. The way the Internet is going, you simply cannot trust any unsolicited email or popup, even if it is from Ask Leo. The growing number of scum that is infesting the Internet can easily use your trust of Leo to fake a popup and do damage. I do the same as Chris D. and believe it is better to be ‘safe than sorry’. If the email or popup is genuine, it is easy enough to check it out. For example, an email supposedly from PayPal saying there is suspicious activity etc. can be checked by using the correct login page, NOT the scam link provided in the email. The truth is, unless you are 100% sceptic, you WILL get caught out one day and it could prove costly (experience talking – not paranoia).

  2. I have recently been receiving a popup on sites that I have reasonable reason to believe are not infected by a virus or malware. These popups don’t have an X to close, and they give instructions to not turn off the computer but to call a telephone number….fat chance I will do that. I have images of my computers that are up to date so their “scary messages” don’t cause me much alarm. I do however investigate and run my anti-virus and anti-malware software just to be on the cautious side.

    Usually there is something that is a give-away that the message is bogus but what I have received is a plain message box without title but well written English instructions that malware has been detected and that turning off my computer or closing the browser would cause damage and loss of data.

    Upon closely examining the parts of the web page that were visible I concluded that the source of these “informative scary messages” was due to sites connected to searches done on a popular search engine or sites related to that search engine. (targeted advertising). I went to that search engine and used their tools and cleared my search history. That immediately cured the problem as I went back to the sites that caused problems and clicked on the advertising and no problems were apparent.

    Further investigation by searching indicated that a possible cause of the message appearing was a malfunctioning of .net framework. I went to the Control Panel, Programs and Features (I’m using Win 7 X64), found .net framework and selected it and clicked on Uninstall/Change. When the dialogue appeared with the choices, I chose to repair. It was evident by the time it was taking that something was amiss with the .net framework and that was repaired. Maybe that was the cause of the pop-ups appearing due to mishandling of the targeted advertising or maybe not. My computer seems to be working better overall with certain applications being “snappier” after the repair.

    Be careful and backup with system images on a frequent basis and be skeptical but not foolish:)

    • I’ve also received ads that cover the screen with no “X” to remove them. I’ve had some success with just reloading the page to get rid of them.

    • If you found sites that didn’t tend to ‘lock’ the page, you would be lucky.

      Like Ron said above your comment, these attacks can either be seemingly random or they can be related to a particular site and triggered by it, whether that site’s owner knows it or not. Sites can be infected as well, even if the owner or webmaster keeps it up fastidiously.

      Another thing to realize is that you should check the apps/programs you download more closely and not just install them willy-nilly ‘because they are cool’. This is a source of potential malware too and then it’s actually attacking from WITHIN your computer, not from a malicious website.

      No matter which anti-malware program you do use, make certain that it updates automatically (daily is preferred) or that you update and run it manually every day as well. Even if you use the ‘free’ version you are still providing some kind of beneficial protection, and there are a few that have improved dramatically in the last few years.

      You DON’T need several of them, more is NOT better…get as much protection as you can that works together or find one with as much features as you need and learn to clear your cache/temporary internet files regularly. DON’T check the box to preserve favorites when you clear the browsing records and make sure the password box is set to delete all of them. While there are many neat sites on the internet and it’s like a candy store, it is ‘mature’ enough now that a few basic sites can provide you with information you need and then there are forums for your personal hobbies and likes you can add.

      In other words, it’s like having a base subscription to a newspaper and a few magazines. In turn, they may have links for you to get better details about a story. Use them if you trust them, block them if they do not meet your trust in the end or just ignore them and use a trusted search engine and the filtering your malware scanner may provide for web searches. Some search engines will warn you of sites that may harm your computer and you can set your browser to avoid sites that are blacklisted (known to be malicious or perhaps have illegal content even) and block you from going there by default (and you can override that but it’s not recommended).

      You may read that your webmail provider scans your mail with a well-known anti-virus program, or more recently they use internal testing of the information sent with the messages to identify their authenticity as well. None of that will conflict with your malware scanner as it is done before you receive the message to categorize it as okay, malicious or probable spam.

      Whatever you do, do it regularly and do it well.

    • It doesn’t amaze – or even slightly surprise me – at all. In the same way that inexperienced road users/new drivers are statistically more likely to crash, inexperienced internet users are also statistically more likely to “crash.”

      Additionally, while many of these scams are so obvious that you may wonder how people ever fall for them, it’s important to remember that *you* are not the type of person the scammers are targeting. They don’t want smart/skeptical people to reply to their emails as, no matter how clever the scam is, the scammer would never be able to convince those people to part with their money. For example, a smart/skeptical person would never send $5,000 to help a Swiss widow cover the cost of shipping/smuggling gold bars into the US: it’d be a complete waste of the scammer’s time. However, by making the scams so obvious they’d never fool a smart/skeptical person, the scammers ensure that they’ll only get replies from the most vulnerable people – IOW, the people that they’re most likely to be able to scam. It’s a form of intelligence filtering.

  3. Concerning problems on your computer (malware etc…), it is actually easy to know for sure when it is a scam: when it is a browser-related message, or an e-mail related message, for sure it is a scam, as neither your browser nor anybody sending you an e-mail can verify that you have malware on your machine.
    That doesn’t solve all *other* scam Leo also mentioned, but if you are browsing around and suddenly a scareware window pops up, or when you receive an e-mail saying you have malware, you know at least for sure that this is a scam.
    The only thing that might tell you that you have malware on your machine, is your anti-malware software you’ve installed yourself (or eventually your operating system). This will never inform you through a browser, or even less by e-mail.

    This kind of scam targets people who are absolute computer-illiterates (which is unfortunately a large majority of home computer users).

    As for credible messages about a problem with what you did online (buying something, delivery problem, account, this or that), the golden rule is not to use any link in the message, but rather to log onto the site independently.
    Recently I had a message from Amazon that there was something wrong with my credit card information. This sounded so much like scam that I didn’t even pay attention to it initially. After the third e-mail, I logged on to amazon independently from the message, and indeed, I had made a mistake in the configuration of my credit card information, so the message was valid. But the trick was *not* to use the link in the message but to log on “by hand”.

    • “The golden rule is not to use any link in the message, but rather to log onto the site independently.” – Yeah, this is extremely important. While most phishing/scam emails are easily recognizable, some are very well-executed and not at all easy to spot. Logging in via a bookmark is a much, much safer option.

  4. Kevin Mitnick, probably the most famous hacker that ever hacked, performed most of his hacking exploits through social engineering, for example finding out the name and office number of an employee and then calling up someone in a company IT department saying he was that person and that he forgot his password. Most hacking and malware is facilitated by a PEBCAK (Problem Exists Between Chair And Keyboard) https://glossary.askleo.com/pebcak/
    Don’t be a PEBCAK when it comes to computer security.

    • “Kevin Mitnick, probably the most famous hacker that ever hacked, performed most of his hacking exploits through social engineering.” – Social engineering is a subject I find absolutely fascinating. While we may like to think that we’re far too smart to ever be caught out, none of us really are. We all have buttons that can be pushed – a desire to be liked; the willingness to obey authority figures (the Milgram experiment); or even, perhaps, a sense of disillusionment with our employer – and some people are exceptionally skilled at working out how to push those buttons.

      • Indeed. This is why it is so very important to keep private stuff private, and why I consider people telling all aspects of their life on facebook or similar so irresponsible. The more “innocent” private stuff one knows about you, the easier it is to find the “buttons” you talk about.

        BTW, this is also why it isn’t a real problem for law enforcement that strong cryptography exists: law enforcement can push sufficient buttons to do “social engineering” – which is exactly the art of good detective and intelligence work (the last James Bond movie had that as a theme too, BTW). The problem with private information leaking out on the internet and data mining, other than statistical, is namely exactly that: the fact that “bad guys” (whoever they are) can find your “weak buttons”.

        Let us remember 1984: Winston’s fear for rats was used to make him betray Julia, which was the only thing that was still holding up and true.

        But as you point out, the weak buttons don’t have to be fears. They can be hidden desires or frustrations.

    • They are also either counting on you thinking they are an ID10T and wanting to tell them a thing or two, or they think YOU are the ID10T.

      (That’s computer talk for idiot, if you didn’t catch it).

      We know nobody here is, nor anyone else.

      If it looks so ridiculous that it makes you mad, just ignore it. For that matter, somebody else will probably do it for you. And you may get called a ‘troll’ if your opinions are different but that’s not your problem. It takes one to know one? EHH.

  5. Today I got a phone call AGAIN telling me that our computers are infected and they are Microsoft Certified to correct the problem!!!!
    My answer was repeatedly to him, “We are sorry... We DO NOT REPAIR Computers for others. We are too busy in our computer business and have a waiting list of three or more weeks to look for repairing others’ computers and he is best to call a computer store for his problem.”
    He kind of repeats his message again, not understanding my reply. I fully repeat it and then he hangs up.
    Very effective, I guess.

    • Inform them not to call back and/or simply hang up. You have given this person too much information already.

      They have engaged you enough to gather important information, such as confirming what you do. Now they can put 2 and 2 together and they can find your contact information in a search anyway, but they are just confirming you are who you are.

      Identity thieves can use the briefest amount of details to decide if you are a worthwhile target.

      Just hang up and don’t give them information. If you have to use an answering service to filter messages to voicemail boxes where they can be listened to and you will call back those you find to be legitimate customers. While this might be somewhat frustrating to some customers, by being polite and letting them know their business is valued and you will return their call asap (it’s implicit that scammers know you won’t) and simply having them leave their phone number (you can look that up and know your locals and business contacts anyway) and name will keep them happy because they know you are busy, which should be reassuring.

  6. Leo, You say Skeptical, I am Paranoid when I get unexpected Emails or Alerts, etc.
    I was told that I can look at the Source of the web page I am looking at in Mozilla Firefox by holding the CTRL Key and pressing the U Key.
    I do that lots of times just to see how a page is written.
    BTW, I am not skeptical of Your articles.

    73 be a good LID . .

    • View-Source is awesome, if you can understand the source. I use it frequently. The same, in particular, for emails I get to gather more detail about their legitimacy (or not).

  7. A trick I’ve used for years is using multiple email accounts from my ISP. I think they allow 7 or 8 of them. I use each one for an exclusive purpose. For example, my eBay email is exclusive to eBay and different than the address I use exclusively for things like PayPal, banking, online bill pay, credit card contact, and any other financial activities. It’s also the one I use for serious stuff like my Symantec & RoboForm accounts. I use another email exclusively for gaming, forums, and message boards. Yet another is for casual communication with family & friends. My Facebook has its own exclusive email. I also have a ‘professional’ email address.

    Besides my ISP emails, I keep a couple free internet email accounts like Hotmail, Yahoo, and Gmail for shopping, political/social activities because eventually SPAM and other unwanted things start creeping in and if things get too crazy, I simply close the account (I only had to do that once many years ago). Like my ISP emails, I almost never cross purpose them.

    I use Outlook as my email client so I can see everything from there which makes it very convenient.

    In practice, if I get a phishing or some scam email I can usually tell right off it’s bogus based on what email it was sent to. If a warning about my credit card or PayPal account is sent to my eBay email or forum email, I know right off it’s not real. Since I never use my financial/official email address for anything other than that purpose and 99% of those emails are incoming rather than outgoing, the chances of that address being harvested are minimal. In fact, my eBay email and forum/message board email address is far and away the one used the most to send scams to followed by phony Facebook things.

    I know this isn’t 100% fool proof, but I was a born skeptic and being one of those with an arsenal of various tools including the aforementioned email scheme make me a tough nut to crack. (IMHO!!)

    • I added an ‘alias’ account once and within 10 minutes it was USELESS. I deleted that address shortly thereafter.

      I stick with the webmail that I have been able to trust to work and protect me, but in the case of multiple accounts I didn’t see any benefit.

  8. I love the “I’m from Microsoft” scam. I just waste their time that they could be spending on the next victim. Whether I’m near my computer or not, I’ll let them walk me thru all their steps until the last one (I know what happens when you type/click on what they want, so I don’t need to be by the computer). Then when I think I wasted enough of their time, I usually start yelling at them, cursing at them or just tell them I work for the Internet or sometimes I’ll tell them I’m Bill Gates.

    Once, one stubborn woman, after I cursed her out (including some Hindi phrases), calling out the scam, she actually called me back.

  9. Hi, a good number of years ago I received a call from a “foreign” sounding man who told me that my PC was showing up as having problems and offering to talk me through sorting them out.

    As I was sitting by my PC at the time, I agreed to let him talk me through the problem and proceeded to follow his directions as far as button pressing was concerned for a good few minutes, until he asked me what was showing up on the display. At that point I replied “Nothing – should I switch my pc on?”

    The line quickly went quiet – followed by the buzz of an ended call – well, he ought to have known to ask me to turn the damn thing on!

    • So I get a phone call “Oh goodness gracious me, You computer is sending out virus code and – I’m telling you what you know; we can be fixing this problem for you” So I ask them ” WHAT’S MY URL ?” 🙂 “CLICK”

      BOOM BOOM !!!

  10. When you start getting messages like “your computer is in danger”, “your computer is slow” etc., that’s a sign you have an infection. Run Malwarebytes and some other anti-malware screen as well, and if that does not help, install a backup, which you hopefully have made. That’s a simple strategy for the average user. And of course getting an email with links from the police, bank etc., contact them directly to ask whether they sent the message, not using the number given in the email. Check the sender address too, which already may be revealing. – Also, use add-ons which classify internet sites according to safety, in addition to your constantly running anti-malware.

    • Often those “your computer is in danger” type messages are pop-up ads which appear on a lot of websites. If they pop up any other way, they are often a result of malware already on your computer. Unfortunately, it’s not always easy to tell the difference.

      • Oh yes that’s right, thank you for the clarification, Mark. But if you don’t know where it takes you, better not click anyway.

  11. Thanks for the latest, Leo.
    Being sceptical about things that we receive is very good advice indeed, and not just for things on-line. Lots of these scammers rely on people hoping to get something for nothing.
    A good friend of mine, who normally has his head screwed well and truly on, told me that he had won £10,000! “Wow, what did you do to win that?” I asked. “Nothing.” came the reply. It seems that he had just received this letter of ‘congratulations’ – All that he had to do was hand over £300.00 to ‘process’ the paperwork. I broke the sad news to him, that if he hadn’t entered a competition, then it was highly unlikely that he would have won a prize!

    Regards

    • “I broke the sad news to him, that if he hadn’t entered a competition, then it was highly unlikely that he would have won a prize!” – To say it was “highly unlikely” that he would have won is grossly overestimating his chances. The likelihood of him collecting the $10k is about the same as the likelihood of a falling boulder missing Mr. Wile E. Coyote. In other words, zero.

  12. Excellent article as usual, can’t be said often enough. Just last week I got the ‘Microsoft Support’ call saying I had malware on my computer. I thanked the guy for letting me know, and told him that I knew how to fix it myself, and then hung up.

  13. My step-daughter, a Filipina, emailed me about six months ago to say she had had a call from Microsoft (you know the rest) and having given the guy access to her computer she had second thoughts and wanted to know what to do.

    My advice was to turn off the computer immediately and then telephone her credit card people, bank and anyone else she could think of and let them know. I explained that the guy had access to everything confidential on her computer and not to use it until she had the problem sorted out. I also advised her to have her telephone providers block unsolicited calls.

    I expected her to get onto a ‘computer guy’ or shop to sort it out, but instead she contacted me very recently to say she had not used the computer since as she was frightened something bad may happen. I will be returning to the U.K. next month so will sort it out for her and put her mind at rest.

    Those scumbags are just ‘computer rapists’ and should be found and hanged, in my opinion of course. But that will never happen as they will still be at it in twenty years from now, simply because there are always innocent, computer illiterate users on the Internet that know no better.

    • “I expected her to get onto a ‘computer guy’ or shop.” – I’d skip that step and just back up the data and then clean install, which is the exact same advice that any half-decent repair guy/shop should give. There’s simply no way to know what that bad actor did/didn’t do while he had access to the system. He could simply have half-inched her data, or he could have fully rooted the system – meaning, he basically owns the computer and can access *everything* including saved passwords and credentials. Your stepdaughter was absolutely right to not switch the computer on after it had been accessed: it should be considered to be completely compromised and nuked.

  14. When getting those calls, I quickly ask, “How did you get this number? You’ve reached the private line of the Chicago police department.” That usually ends it.

  15. I recently had a message saying malware was found, do not turn off your computer etc., but ring this phone number. I couldn’t get rid of it with Task Manager, so I did a hard shutdown (long press on mains switch), rebooted, and did a virus scan. (Bitdefender, clean) What does worry me is that even if nothing was installed on my computer, when I was on that website malware must have had online access to my computer to interfere with Task Manager? ANY COMMENTS ON THIS POINT, PLEASE LEO?

    • ” I couldn’t get rid of it with Task Manager.” – That happens sometimes. Task Manager isn’t always able to close a program: even legitimate programs sometimes get “stuck.” It’s not an indication that your PC was compromised or infected by malware.

    • Many thanks to the replies to my recent post. To follow up further: I am reasonably canny and have never had my heavily used computer seriously compromised, but maybe I’ve been lucky, too. The message I was referring to was very un-nerving, and my instincts to do an immediate hard shutdown, ignoring the supposed risk I was threatened with, was obviously right, but I was too hasty! What I’ll do next time is a screen grab, then jot down the phone number before pasting it into Photoshop in case I lose it, and report the phone number. The scammers doing this particular trick must be the easiest for the non-expert computer user to help trace!

      • “I am reasonably canny and have never had my heavily used computer seriously compromised, but maybe I’ve been lucky, too.” – I’d say it’s more due to canniness than luck. I’d guess that more than 99% of malware infections are the result of people either doing something that they shouldn’t or not doing something that they should – and, if you know what those things are, it’s relatively easy to stay safe. This is especially true given that Windows is now much more secure out-of-the-box than it used to be with SmartScreen, UAC, Defender, etc. combining to provide a very solid level of security.

        Realistically, if you keep your system up-to-date, stay away from the darker side of the web, exercise caution with email attachments and downloads and stay informed about what threats are out there, there’s a very good chance that your computer will never be compromised.

    • That message could be the result of malware, but I get pop-ups like that occasionally which are simple pop-ups on websites I visit. In other words, in most cases, those are just fraudulent ads, not malware.

  16. Son had a similar problem and Task Manager, along with every other key, did not work. He did a hard reboot to Safemode with modem cable removed. Once there, he made all the scans, then connected cable and rebooted to normal and re-scanned. Never happened again.

  17. I never open unsolicited emails or pop-ups. Pop-ups that want me to get rid of some virus or scan my computer are closed via Task Manager. I click on nothing in the pop-up. My rationale is that if I was getting along nicely without their “help” before, I’ll get along nicely after if I don’t follow their instructions – legit or not.

  18. I forgot to add. If I can’t bail using Task Manager then my hackles go up and I’ll pull the plug out of the wall . . . quickly.

  19. Too bad I can’t attach a picture. I’d love to show you an image I took of my home phone’s display from a call I received from a scammer a few years ago. It literally said, “Illegal Scammer,” in the caller I.D. Not sure how AT&T picked up on it, but boy was it fun to be forewarned before answering the phone. I had so much fun giving the foreign sounding “Microsoft” tech a hard time. He had called to try to persuade me that my PC was breaking the internet. While I’m not a tech by training, I do have high IT knowledge. By the end of the call he was swearing at me.
