Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

It Pays to Be Skeptical

There are people trying to fool you.

If we would all be a little more skeptical, we'd be safer and the internet would be a more trustworthy place.
The Best of Ask Leo!

Malware Detected

A message pops up warning you that malware has been detected on your computer.

What do you do?

The answer’s not as clear as you might think.

Become a Patron of Ask Leo! and go ad-free!


Be skeptical

Scammers are constantly trying to fool you into trusting them. Your first reaction to any notification — be it of malware found, a package delivered, or that your computer is supposedly “causing problems on the internet”– should a skeptical one. Don’t blindly trust. Take the time to consider the source and make an informed decision rather than a knee-jerk reaction.

Your trust is a commodity

It’s no secret that scammers actively prey on the trusting.

But it’s not just con artists who abuse our good nature and desire to trust. Hackers, malware authors, overly aggressive salespeople — essentially anyone who wants something from us — are skilled at using your trust against your better interests.

Warning: malware detected, click to remove…

A pop-up message telling you there’s malware on your machine and directing you to “click here to fix it” is probably no big surprise to most people. With the constant barrage of news reports about hacks and malware and the ongoing emphasis on anti-malware tools, your first response to such a message may be to believe it.

“Malware? Well, it happens to so many people, it’s no surprise it happened to me!”

Except that it might not have.

That message might be completely fake. It may be trying to get you to trust it and click to take further action. “Further action” could install malware, or worse.

Or it could be legitimate.

What do you do?

Unable to deliver package, details attached…

You’ve probably received an important-looking email telling you there’s a package on its way and the details are in an attached file.

Or maybe a message says that your online email provider has detected a problem with your account, and you need to check something by clicking on a conveniently provided link.

I’ve even received email from “PayPal” telling me access to my account had been “limited” because of suspicious activity. I needed to log in to provide additional information — once again, using the provided link.1

In each case, the sender wants you to trust them and take whatever action they’ve recommended in their message, be it examining the contents of an attached file, clicking a provided link to their website, or replying to the email with sensitive information.

Abusing your trust in this manner is currently one of the most effective ways to distribute malware or hack your online accounts.

And yet, each one of those scenarios could be legitimate at times.

What do you do?

I’m from Microsoft, and we’ve detected…

You’re working on your computer one afternoon and get a phone call from someone who says they work for Microsoft, and your computer is causing many errors on the internet. They offer to walk you through some steps to show this to you, and indeed, there do seem to be lots of unexplained errors right there on your computer.

Then they offer to fix it for you if you just go to a site and type in a few numbers they recite to you.

Those errors are pretty scary looking, and you certainly don’t understand them.

What do you do?

What you do: get skeptical

Skeptic: a person who has or shows doubt about something. – Merriam Webster

If there were one skill I could magically impart to my readers — hell, on the entire technology-using, internet-loving universe — it would be healthy skepticism.

I’m not suggesting you believe nothing and trust no one. I mean that before you believe, you question, and before you trust, you learn.

Being skeptical is the only solution to the scenarios I’ve outlined above.

In each case, it’s critical that you not blindly trust the information presented to you. In each case, you must question whether or not the person or company at the other end of the message has your best interests in mind. Is the story they’re telling accurate? Verifiably accurate? Do you know beyond a doubt that they are who they say they are?

If the answer to any of those questions is “no”, or even “I’m not sure”, then stop. Stop and take additional steps to confirm what you’re being told is legitimate.

It might mean some internet research, calling them back, or asking a trusted friend or resource for their opinion.

But question everything.

Be more skeptical: it’s a skill that helps prevent disasters before they happen and keeps you and your technology safe.

Nullius in verba.
“Take nobody’s word for it.”2

Do this

It’s more than just technology. My plea to be skeptical and question everything is about far more than the technology you have sitting in front of you.

As I’ve written about before, an amazing amount of the information we’re shown each day is completely bullsh*t — or at least nuanced and presented in such a way as to cause you to believe that things are other than they truly are.

Add our natural tendency to believe that which supports what we already believe (known as the “echo chamber” or “confirmation bias”), and it’s easy to be mislead and misinformed.

The solution remains the same:

Be skeptical.

Question everything…

…even things you already believe are true.

Podcast audio


Footnotes & References

1: I’ve actually received this scenario legitimately, which really surprised me. Of course, most are scams of some sort.

2: Nullius in verba, besides being the motto of The President, Council, and Fellows of the Royal Society of London for Improving Natural Knowledge, is a very fancy way of saying “question everything”. Smile

69 comments on “It Pays to Be Skeptical”

  1. I have had popups that could not be eliminated by trying to close and re-open my browser. NEVER click on the x in the popup box! When this happens, I open Task Manager and close my browser from there using the End Task button, then re-open my browser. Problem solved. Just remember not to click the restore option when your browser reloads. Then I run MalwareBytes to be on the safe side.

    • It actually boils down to trust. You can safely click on the X to close the newsletter popup box that is on Ask Leo! As Leo says, being skeptical doesn’t mean blindly distrusting everything. It means to think, explore and learn.

      • I disagree Connie. The way the Internet is going, you simply cannot trust any unsolicited email or popup, even if it is from Ask Leo. The growing number of scum that is infesting the Internet can easily use your trust of Leo to fake a popup and do damage. I do the same as Chris D. and believe it is better to be ‘safe than sorry’. If the email or popup is genuine, it is easy enough to check it out. For example, an email supposedly from PayPal saying there is suspicious activity etc. can be checked by using the correct login page, NOT the scam link provided in the email. The truth is, unless you are 100% sceptic, you WILL get caught out one day and it could prove costly (experience talking – not paranoia).

        • I agree with Robert. While I never assume anything, I also never believe something to be true, until I can verify the facts for myself. Rather than clicking the ‘convenient link’ provided, I go to the purported source of the pop-up myself, then (for example) I run a scan, or use the contact us link on the purported source’s Web site to confirm. If the message (or phone call) purports to be from Microsoft, I already know that Microsoft will NOT call me because I do not pay for technical support, so I ignore the call, or delete the message (email, pop-up, etc.). On one occasion, I did answer the call, and when the caller identified herself as being a Microsoft rep, I asked “Why are you calling me? I am a Linux user”. The caller hung up :)

    • I have used Task Manager several times in the past just as you did to solve this problem. But yesterday I had another occasion to use it and it wouldn’t work. I brought up Task Manager, used the End Task button to close the browser, then restarted the browser. The situation hadn’t changed. I tried a hard reset, but that didn’t fix it either. Eventually I solved the problem by going into the Settings for the Edge browser and tried the Repair button, but that didn’t work. Then I used the Reset option which finally solved the problem. The next option would have been to uninstall and reinstall the Edge browser, which fortunately I didn’t need to do.

  2. I have recently been receiving a popup on sites that I have reasonable reason to believe are not infected by a virus or malware. These popups don’t have an X to close, and they give instructions to not turn off the computer but to call a telephone number….fat chance I will do that. I have images of my computers that are up to date so their “scary messages” don’t cause me much alarm. I do however investigate and run my anti-virus and anti-malware software just to be on the cautious side.

    Usually there is something that is a give-away that the message is bogus but what I have received is a plain message box without title but well written english instructions that mal-ware has been detected and that turning off my computer or closing the browser would cause damage and loss of data.

    Upon closely examining the parts of the web page that were visible I concluded that the source of these “informative scary messages” was due to sites connected to searches done on a popular search engine or sites related to that search engine. (targeted advertising). I went to that search engine and used their tools and cleared my search history. That immediately cured the problem as I went back to the sites that caused problems and clicked on the advertising and no problems were apparent.

    Further investigation by searching indicated that a possible cause of the message appearing was a malfunctioning of .net framework. I went to the Control Panel, Programs and Features (I’m using Win 7 X64), found .net framework and selected it and clicked on Uninstall/Change. When the dialogue appeared with the choices, I chose to repair. It was evident by the time it was taking that something was amiss with the .net framework and that was repaired. Maybe that was the cause of the pop-ups appearing due to mishandling of the targeted advertising or maybe not. My computer seems to be working better overall with certain applications being “snappier” after the repair.

    Be careful and backup with system images on a frequent basis and be skeptical but not foolish:)

    • If you found sites that didn’t tend to ‘lock’ the page, you would be lucky.

      Like Ron said above your comment, these attacks can either be seemingly random or they can be related to a particular site and triggered by it, whether that site’s owner knows it or not. Sites can be infected as well, even if the owner or webmaster keeps it up fastidiously.

      Another thing to realize is that you should check the apps/programs you download more closely and not just install them willy-nilly ‘because they are cool’. This is a source of potential malware too and then it’s actually attacking from WITHIN your computer, not from a malicious website.

      No matter which anti-malware program you do use, make certain that it updates automatically (daily is preferred) or that you update and run it manually every day as well. Even if you use the ‘free’ version you are still providing some kind of beneficial protection, and there are a few that have improved dramatically in the last few years.

      You DON’T need several of them, more is NOT better…get as much protection as you can that works together or find one with as much features as you need and learn to clear your cache/temporary internet files regularly. DON’T check the box to preserve favorites when you clear the browsing records and make sure the password box is set to delete all of them. While there are many neat sites on the internet and it’s like a candy store, it is ‘mature’ enough now that a few basic sites can provide you with information you need and then there are forums for your personal hobbies and likes you can add.

      In other words, it’s like having a base subscription to a newspaper and a few magazines. In turn, they may have links for you to get better details about a story. Use them if you trust them, block them if they do not meet your trust in the end or just ignore them and use a trusted search engine and the filtering your malware scanner may provide for web searches. Some search engines will warn you of sites that may harm your computer and you can set your browser to avoid sites that are blacklisted (known to be malicious or perhaps have illegal content even) and block you from going there by default (and you can override that but it’s not recommended).

      You may read that your webmail provider scans your mail with a well-known anti-virus program, or more recently they use internal testing of the information sent with the messages to identify their authenticity as well. None of that will conflict with your malware scanner as it is done before you receive the message to categorize it as okay, malicious or probable spam.

      Whatever you do, do it regularly and do it well.

  3. Concerning problems on your computer (malware etc…), it is actually easy to know for sure when it is a scam: when it is a browser-related message, or an e-mail related message, for sure it is a scam, as nor your browser, nor anybody sending you an e-mail can verify that you have malware on your machine.
    That doesn’t solve all *other* scam Leo also mentioned, but if you are browsing around and suddenly a scareware window pops up, or when you receive an e-mail saying you have malware, you know at least for sure that this is a scam.
    The only thing that might tell you that you have malware on your machine, is your anti-malware software you’ve installed yourself (or eventually your operating system). This will never inform you through a browser, or even less by e-mail.

    This kind of scam targets people who are absolute computer-illiterates (which is unfortunately a large majority of home computer users).

    As for credible messages about a problem with what you did online (buying something, delivery problem, account, this or that), the golden rule is not to use any link in the message, but rather to log onto the site independently.
    Recently I had a message from Amazon that there was something wrong with my credit card information. This sounded so much like scam that I didn’t even pay attention to it initially. After the third e-mail, I logged on to amazon independently from the message, and indeed, I had made a mistake in the configuration of my credit card information, so the message was valid. But the trick was *not* to use the link in the message but to log on “by hand”.

    • “The golden rule is not to use any link in the message, but rather to log onto the site independently.” – Yeah, this is extremely important. While most phishing/scam emails are easily recognizable, some are very well-executed and not at all easy to spot. Logging in via a bookmark is a much, much safer option.

  4. Kevin Mitnick, probably the most famous hacker that ever hacked, performed most of his hacking exploits through social engineering, for example finding out the name and office number of an employee and then calling up a someone in a company IT department saying he was that person and that he forgot his password. Most hacking and malware is facilited by a PEBCAK (Problem Exists Between Chair And Keyboard)
    Don’t be a PEBCAK when it comes to computer security.

    • “Kevin Mitnick, probably the most famous hacker that ever hacked, performed most of his hacking exploits through social engineering.” – Social engineering is a subject I find absolutely fascinating. While we may like that think that we’re far to smart to ever be caught out, none of us really are. We all have buttons that can be pushed – a desire to be liked; the willingness to obey authority figures (the Milgram experiment); or even, perhaps, a sense of disillusionment with our employer – and some people are exceptionally skilled at working out how to push those buttons.

      • Indeed. This is why it is so very important to keep private stuff private, and why I consider people telling all aspects of their life on facebook or similar so irresponsible. The more “innocent” private stuff one knows about you, the easier it is to find the “buttons” you talk about.

        BTW, this is also why it isn’t a real problem for law enforcement that strong cryptography exists: law enforcement can push sufficient buttons to do “social engineering” – which is exactly the art of good detective and intelligence work (the last James Bond movie had that as a theme too, BTW). The problem with private information leaking out on the internet and data mining, other than statistical, is namely exactly that: the fact that “bad guys” (whoever they are) can find your “weak buttons”.

        Let us remember 1984: Winston’s fear for rats was used to make him betray Julia, which was the only thing that was still holding up and true.

        But as you point out, the weak buttons don’t have to be fears. They can be hidden desires or frustrations.

    • They are also either counting on you thinking they are an ID10T and wanting to tell them a thing or two, or they think YOU are the ID10T.

      (That’s computer talk for idiot, if you didn’t catch it).

      We know nobody here is, nor anyone else.

      If it looks so ridiculous that it makes you mad, just ignore it. For that matter, somebody else will probably do it for you. And you may get called a ‘troll’ if your opinions are different but that’s not your problem. It takes one to know one? EHH.

    • Just as an aside, I’ve never liked the term “social engineering;” that just makes it sound far too respectable!

      Try using the terms trickery or lying instead; much more accurate!

  5. It doesn’t amaze – or even slightly surprise me – at all. In the same way that inexperienced road users/new drivers are statistically more like to crash, inexperienced internet users are also statistically more likely to “crash.”

    Additionally, while many of these scams are so obvious that you may wonder how people ever fall for them, it’s important to remember that *you* are not the type of person the scammers are targeting. They don’t want smart/skeptical people to reply to their emails as, no matter how clever the scam is, the scammer would never be able to convince those people to part with their money. For example, a smart/skeptical person would never send $5,000 to help a Swiss widow cover the cost of shipping/smuggling gold bars into the US: it’d be a complete waste of the scammer’s time. However, by making the scams so obvious they’d never fool a smart/skeptical persons, the scammers ensure that they’ll only get replies from the most vulnerable people – IOW, the people that they’re most likely to be able to scam. It’s a form of intelligence filtering.

  6. Today I got a phone call AGAIN telling me that our computers are infected and they are Miscrosoft Certified to correct the problem.!!!!
    My answer was repeatedly to him, “We are sorry..We DO NOT REPAIR Computers for others. We are too busy in our computer business and have a waiting list of three or more weeks to look for repairing others computers and he is best to call a computer store for his problem.
    He kind of repeats his message again, not understanding my reply. I fully repeat it and then he hangs up.
    very effective, I guess.

    • Inform them not to call back and/or simply hang up. You have given this person too much information already.

      They have engaged you enough to gather important information, such as confirming what you do. Now they can put 2 and 2 together and they can find your contact information in a search anyway, but they are just confirming you are who you are.

      Identity thieves can use the briefest amount of details to decide if you are a worthwhile target.

      Just hang up and don’t give them information. If you have to use an answering service to filter messages to voicemail boxes where they can be listened to and you will call back those you find to be legitimate customers. While this might be somewhat frustrating to some customers, by being polite and letting them know their business is valued and you will return their call asap (it’s implicit that scammers know you won’t) and simply having them leave their phone number (you can look that up and know your locals and business contacts anyway) and name will keep them happy because they know you are busy, which should be reassuring.

  7. Leo, You say Skeptical, I am Paranoid when I get unexpected Emails or Alerts, etc.
    I was told that I can look at the Source of the web page I am looking at in Mozilla Firefox by holding the CTRL Key and pressing the U Key.
    I do that lots of times just to see how a page is written.
    BTW, I am not skeptical of Your articles.

    73 be a good LID . .

    • View-Source is awesome, if you can understand the source. I use it frequently. The same, in particular, for emails I get to gather more detail about their legitimacy (or not).

      • A closely-related topic is viewing full E-Mail headers.

        I cannot count the number of times I’ve gotten an ostensibly kosher E-Mail from (say) Amazon, but when I view the full headers, it’s clear that it was sent from a service totally unrelated to Amazon!

        I smile indulgently, then click delete. :)

  8. A trick I’ve used for years is using multiple email accounts from my ISP. I think they allow 7 or 8 of them. I use each one for an exclusive purpose. For example, my eBay email is exclusive to eBay and different than the address I use exclusively for things like PayPal, banking, online bill pay, credit card contact, and any other financial activities. It’s also the one I use for serious stuff like my Symantec & RoboForm accounts. I use another email exclusively for gaming, forums, and message boards. Yet another is for casual communication with family & friends. My Facebook has its own exclusive email. I also have a ‘professional’ email address.

    besides my ISP emails, I keep a couple free internet email accounts like Hotmail, Yahoo, and Gmail for shopping, political/social activities because eventually SPAM and other unwanted things start creeping in and if things get too crazy, I simply close the account (I only had to do that once many years ago). Like my ISP emails, I almost never cross purpose them.

    I use Outlook as my email client so I can see everything from there which makes it very convenient.

    In practice, if I get a phishing or some scam email I can usually tell right off it’s bogus based on what email it was sent to. If a warning about my credit card or PayPal account sent to my eBay email or forum email, I know right off it’s not real. Since I never use my financial/official email address for anything other than that purpose and 99% of those emails are incoming rather than outgoing, the chances of that address being harvested are minimal. In fact, my eBay email and forum/message board email address is far and away the one used the most to send scams to followed by phony Facebook things.

    I know this isn’t 100% fool proof, but I was a born skeptic and being one of those with an arsenal of various tools including the aforementioned email scheme make me a tough nut to crack. (IMHO!!)

    • I added an ‘alias’ account once and within 10 minutes it was USELESS. I deleted that address shortly thereafter.

      I stick with the webmail that I have been able to trust to work and protect me, but in the case of multiple accounts I didn’t see any benefit.

  9. I love the “I’m from Microsoft” scam. I just waste their time that they could be spending on the next victim. Whether I’m near my computer or not, I’ll let them walk me thru all their steps until the last one (I know what happens when you type/click on what they want, so I don’t need to be by the computer). Then when I think I wasted enough of their time, I usually start yelling at them, cursing at them or just tell them I work for the Internet or sometimes I’ll tell them I’m Bill Gates.

    Once, one stubborn woman, after I cursed her out (including some Hindi phrases), calling out the scam, she actually called me back.

    • When I get the “I’m from Microsoft” phone calls, I just ask them why they are calling – I let them reply (usually at length) – then I tell them “I do NOT use Windows”. I do not tell them anything more – let them guess which OS I may be using. After that, they usually end the call. By doing this, I accomplish a few objectives:
      1. I do not tell them anything about myself – when asked a specific question about me, I answer “It is none of your business!”
      2. I take up time when they could be scamming someone else (often a considerable amount of time) by remaining pleasant, and appearing to be co-operative, even though I am concentrating on providing absolutely NO information about me or my OS.
      3. I have not received any such calls (the “I’m from Microsoft” variety) recently – either they have given up on my, or they have been caught (my most fervent wish).
      4. Sometimes, I get a call-back phone number (if I can), and forward it to local authorities. If there is nothing they can do, they often give me a better agency to contact with my report, on which I follow up.


  10. Hi, a good number of years ago I received a call from a “foreign” sounding man who told me that my PC was showing up as having problems and offering to talk me through sorting them out.

    As I was sitting by my PC at the time, I agreed to let him talk me through the problem and proceeded to follow his directions as far as button pressing was concerned for a good few minutes, until he asked me what was showing up on the display. At that point I replied “Nothing – should I switch my pc on?”

    The line quickly went quiet – followed by the buzz of an ended call – well, he ought to have known to ask me to turn the damn thing on!

    • So I get a phone call “Oh goodness gracious me, You computer is sending out virus code and – I’m telling you what you know; we can be fixing this problem for you” So I ask them ” WHAT’S MY URL ?” :) “CLICK”

      BOOM BOOM !!!

  11. When you start getting messages like “your computer is in danger”, “your computer is slow” etc., that´s a sign you have an infection. Run Malwarebytes and some other anti-malware screen as well, and if that does not help, install a backup, which you hopefully have made. That´s a simple strategy for the average user. And of course getting an email with links from the police, bank etc., contact them directly to ask whether they sent the message, not using the number given in the email. Check the sender address too, which already may be revealing. – Also, use add-ons which classify internet sites according to safety, in addition to your constantly running anti-malware.

    • Often those “your computer is in danger” type messages are pop-up ads which appear on a lot of websites. If they pop up any other way, they are often a result of malware already on your computer. Unfortunately, it’s not always easy to tell the difference.

      • Oh yes that´s right, thank you for the clarification, Mark. But if you don´t know where it takes you, better not click anyway.

      • I actually have a similar message — Your computer is dangerously unstable and needs to be restored to its original factory condition — set up to appear on my 91-year-old Mom’s desktop every April 1st. :o

        After she shrieks for me, :). I tell her to click, and the next pop-up says April Fool’s!

        It does help her to be wary of strange pop-ups… well, at least for awhile!

  12. Thanks for the latest, leo.
    Being sceptical about things that we receive is very good advice indeed, and not just for things on-line. Lots of these scammers rely on people hoping to get something for nothing.
    A good friend of mine, who normally has his head screwed well and truly on, told me that he had won £10,000! “Wow, what did you do to win that?” I asked. “Nothing.” came the reply. It seems that he had just received this letter of ‘congratulations’ – All that he had to do was hand over £300.00 to ‘process’ the paperwork. I broke the sad news to him, that if he hadn’t entered a competition, then it was highly unlikely that he would have won a prize!


    • “I broke the sad news to him, that if he hadn’t entered a competition, then it was highly unlikely that he would have won a prize!” – To say it was “highly unlikely” that he would have won is grossly overestimating his chances. The likelihood of him collecting the $10k is about the same as the likelihood of a falling boulder missing Mr. Wile E. Coyote. In other words, zero.

  13. Excellent article as usual, can’t be said often enough. Just last week I got the ‘Microsoft Support’ call saying I had malware on my computer. I thanked the guy for letting me know, and told him that I knew how to fix it myself, and then hung up.

  14. My step-daughter, a Filipina, emailed me about six months ago to say she had had a call from Microsoft (you know the rest) and having given the guy access to her computer she had second thoughts and wanted to know what to do.

    My advice was turn off the computer immediately and then telephone her credit card people. bank and anyone else she could think of and let them know. I explained that the guy had access to everything confidential on her computer and not to use it until she had the problem sorted out. I also advised her to have her telephone providers block unsolicited calls.

    I expected her to get onto a ‘computer guy’ or shop to sort it out, but instead she contacted me very recently to say she had not used the computer since as she was frightened something bad may happen. I will be returning to the U.K. next month so will sort it out for her and put her mind at rest.

    Those scumbags are just ‘computer rapists’ and should be found and hanged, in my opinion of course. But that will never happen as they will still be at it in twenty years from now, simply because there are always innocent, computer illiterate users on the Internet that know no better.

    • “I expected her to get onto a ‘computer guy’ or shop.” – I’d skip that step and just back up the data then and then clean install, which is the exact same advice that any half-decent repair guy/shop should give. There’s simply no way to know what that bad actor did/didn’t do while he had access to the system. He could simply have half-inched her data, or he could have fully rooted the system – meaning, he basically owns the computer and can access *everything* including saved passwords and credentials. Your stepdaughter was absolutely right to not switch the computer on after it had been accessed: it should be considered to be completely compromised and nuked.

  15. When getting those calls, I quickly ask, “How did you get this number? You’ve reached the private line of the Chicago police department.” That usually ends it.

  16. I recently had a message saying malware was found, do not turn of your computer etc., but ring this phone number. I couldn’t get rid of it with Task Manager, so I did a hard shutdown (long press on mains switch), rebooted, and did a virus scan. (Bitdefender, clean) What does worry me is that even if nothing was installed on my computer, when I was on that website malware must have had online access to my computer to interfere with Task Manager? ANY COMMENTS ON THIS POINT, PLEASE LEO?

    • ” I couldn’t get rid of it with Task Manager.” – That happens sometimes. Task Manager isn’t always able to close a program: even legitimate programs sometimes get “stuck.” It’s not an indication that your PC was compromised or infected by malware.

    • Many thanks to the replies to my recent post. To follow up further: I am reasonably canny and have never had my heavily used computer seriously compromised, but maybe I’ve been lucky, too. The message I was referring to was very un-nerving, and my instincts to do an immediate hard shutdown, ignoring the supposed risk I was threatened with, was obviously right, but I was too hasty! What I’ll do next time is a screen grab, then jot down the phone number before pasting it into Photoshop in case I lose it, and report the phone number. The scammers doing this particular trick must be the easiest for the non-expert computer user to help trace!

      • “I am reasonably canny and have never had my heavily used computer seriously compromised, but maybe I’ve been lucky, too.” – I’d say it’s more due to canniness than luck. I’d guess that more than 99% of malware infections are the result of people either doing something that they shouldn’t or not doing something that they should – and, if you know what those things are, it’s relatively easy to stay safe. This is especially true given that Windows is now much more secure out-of-the-box than it used to be with SmartScreen, UAC, Defender, etc. combing to provide a very solid level of security.

        Realistically, if you keep your system up-to-date, stay away from the darker side of the web, exercise caution with email attachments and downloads and stay informed about what threats are out there, there’s a very good chance that your computer will never be compromised.

    • That message could be the result of malware, but I get pop-ups like that occasionally which are simply pop-ups on websites I visit. In other words, in most cases, those are just fraudulent ads, not malware. The malware can come from clicking those ads and installing their software.

  17. Son had a similar problem and Task Manager, along with every other key, did not work. He did a hard reboot to Safemode with modem cable removed. Once there, he made all the scans, then connected cable and rebooted to normal and re-scanned. Never happened again.

  18. I never open unsolicited emails or pop-ups. Pop-ups that want me to get rid of some virus or scan my computer are closed via Task manager. I click on nothing in the pop-up. My rational is that if I was getting along nicely without their “help” before, I’ll get along nicely after if I don’t follow their instructions – legit or not.

  19. I forgot to add. If I can’t bail using Taskmanager than my hackles go up and I’ll pull the plug out of the wall . . . quickly.

  20. Too bad I can’t attach an picture. I’d love to show you an image I took of my home phone’s display from a call I received from a scammer a few years ago. It literally said, “Illegal Scammer,” in the caller I.D. Not sure how AT&T picked up on it, but boy was it fun to be forewarned before answering the phone. I had so much fun giving the foreign sounding “Microsoft” tech a hard time. He had called to try to persuade me that my PC was breaking the internet. While I’m not a tech by training, I do have high IT knowledge. By the end of the call he was swearing at me.

  21. “You’re working on your computer one afternoon and get a phone call from someone who says they work for Microsoft, and your computer is causing many errors on the Internet…

    “What do you do?”

    Well, that at least is an easy one: hang up! Microsoft doesn’t do that. LOL! :)

    • Better yet, try to keep them on the phone. Try to get a call back phone number, perhaps by saying you must get your boss’s permission to continue . . .
      If nothing else (even if you are not at work), you take up a bit of the time the caller could otherwise be using to scam someone else who may not be as computer-literate as you are. If you get the call back number, you at least have something to pass along to the proper authorities. If you do not know who to contact, go the USCert or the DOJ website. IIRC, both sites provide appropriate links.

  22. Years ago, I almost fell for an “I’m Microsoft” scam. The scammer said he was from the company that makes my screen reader (I’m totally blind), and he said to go into the Event Viewer and I had viruses. I was going to do what he said. Until I got a twisty feeling in my stomach. I asked the scammer how he knew I had viruses because I had had them before, and at the point of the scammer’s call, the computer was having no problems. The scammer didn’t know what to say! So in the end, I saved my bacon…

  23. Have any of you been getting a “Flash Player out of date” popup? I don’t know the right visual term for it, but the popup comes up on top of the site you’re on, or it opens as its own page. And it says to download “Flash Player” [actually, a fake one], and all your system files will be deleted. I still have to pause before I close it because the popup sounds so believable…

    Thanks for this article, Leo!

  24. “Question everything …
    … even things you already believe are true.”
    Could be the most important takeaway from this, especially with politics. We build up a mindset and we believe anything that supports it and build from there. Confirmation bias is part of human nature. It happens all over the human spectrum. You can’t even always trust yourself.

  25. On a side note to these, I enjoy watching scambaiters on youtube handling these scammers. I’m not sure if this acceptable on this forum, but one thing I’ve been doing lately is saying that there will probably be a flood of “snakeoil” scams preying upon the fear of Covid-19 promising “cures” or “sure-fire prevention”, and to be aware of such.

  26. Connie’s (Team Leo) March 2, 2016 comment,
    “It actually boils down to trust. You can safely click on the X to close.”
    Maybe I misunderstood Connie’s comment, but If it’s unsolicited or unknown, when would any trust be established? Even if the source seems familiar, why this new method never used before? Robert Shield’s reply is more appropriate to such intrusions. Having ADD, I was taught something to consider before any spontaneous action, “Whenever in doubt…Don’t”, or better yet, “It Pays to Be Skeptical”.

  27. Very good information. What about unsubscribe links? I’m always worried about clicking on these unsubscribe links because they might be malware or malicious links.

    Are they safe?

    Thanks in advance for your reply!

    • Better yet, tell them nothing. I just say that I do not use the indicated OS and let it go at that. When / if they ask me which OS I am using, I respond that it is none of their business. The best thing I can do for all the potential victims they may reach is to take up as much of their time as I can, while giving absolutely no information about myself. In other words, I try to use their ‘social engineering’ against them.

  28. Recently I had a problem with Quicken. I went to their support site to look for a solution. After looking through the various notes, out of the blue I received a phone call wanting to help with my problem. I asked where he got my phone number, and he said he was Quicken support. I looked at the site header and it said “we are not Quicken.” I mentioned that to the caller. He said he needed to connect to my pc to help me. Red flag. I told him I never let anyone connect to me pc, would you? Hung up.

  29. Appropriate timing for recycling this article. In the wake of the LastPass situation, I’ve noticed an increasing number of news articles about problems with other password managers, in particular Bitwarden, 1Password, and KeePass.
    Upon closer reading of the articles, the problems don’t appear to be with the programs themselves, but rather how people are trying to find or access them through search engines and being led to questionable websites.
    The article I read about KeePass was even more alarmist than it should be. In order for someone to exploit that particular vulnerability, users would have have a much bigger problem than stolen passwords.

  30. Great article. Being skeptical to me also includes not clicking on any “Right-click here to download pictures” links that may appear in an email … unless you absolutely know and trust the sender. Even “Unsubscribe” links could hide malware.

  31. Leo,

    I’ve commented on this topic several times over the years and my position has not changed. If anything, it has become better defined (or more intense). While I could not have expressed the topic any better, I’d have recommended greater skepticism, even distrust of anything you cannot verify for yourself.

    In my NSHO, if it comes from the Internet, it comes from strangers. Noone should ever trust any stranger because we cannot know their motives/agenda. When I was little, my mother taught me to never trust strangers. When my children were young, my Wife and I taught them about Stranger Danger. Theat advice has always been fundamentally the same. DO NOT TRUST STRANGERS BECAUSE YOU CANNOT KNOW THEIR MOTIVES OR AGENDA!

    This advice has helped to keep generations of children safe, and it can help to keep adults safe (especially on the Internet) too, not to mention that a very healthy dose of skepticism may help to reduce the abundance of fake-facts that seem to abound on social media.

    The rules are simple:
    1. Never click any hyperlink on any webpage or in email before you check the URL it will take you to. If you have ANY doubt about the validity of the URL, DON’T CLICK! Go to the site via some other means (Internet search, etc.).

    2. NEVER trust anything you see, read, or watch on the Internet (especially if it seems to support your own point of view) unless you can confirm its validity from other sources.

    3. Never click any link on any malware warning (pop-up or otherwise), whether you’re on the Internet or not. Use your default antivirus suite to perform a full system scan of the computer, then do the same with Malwarebytes Free (or whichever secondary malware scanner you prefer), because between two scans you should catch nearly any malware that may have found its way in.

    4. Keep your computer system as up to date as possible and use a software update manager to keep your installed apps up to date too.

    These are my top rules. I call them “Cognitive Security”. I keep the first three in the back of my mind anytime I’m connected to the Internet. I perform monthly maintenance routines that include the fourth rule to close as many known vulnerabilities as possible.

    Since the earliest days of BBSs, I have never contracted any malware on any of my computers because I keep all my software as up to date as possible, and I employ a very healthy dose of skepticism about everything, especially what comes from the Internet.

    My philosophy on life is “Expect the worst you can imagine but hope for the best. What you get will usually fall somewhere in between”. With this philosophy, I have been able to avoid panic and remain calm, even under the most harrowing circumstances, so I make well considered choices/decisions to deal with whatever the issue may be. Between my philosophy on life and my Cognitive Security rules, I believe I am as safe as I can be.

    I hope something in this post helps others, but remember to read this with a very healthy dose of skepticism,


  32. I would like to add one more thing. Whenever I receive a file from somebody, even if it’s from somebody that I know and regularly receive files from, I always run a malware scan before opening that file. And if it’s a file from somebody who rarely or never sends me files, I contact them directly (*not* via a reply from that email) to verify that they indeed sent the file. And even if they confirm that they did send it, I still scan that file. Even a trustworthy person could inadvertently send out a file to you that they had received from another person and not realize that the file contains malware.

  33. We used to live in England, now back in the US. This happened years ago.
    Got an email from a close Brit friend in a panic. He was in Madrid on vacation, had been mugged and they took everything; passport, wallet, watch and cash. He’d reported it to the police and they were working on it but meantime he was in a foreign country, broke with no passport. He was using his hotel’s computer to contact me and wanted me to wire $1000 to the hotel desk (a legit Madrid hotel) so he could pay for his room, eat and taxi to the embassy for help.
    I knew he was on vacation in on the Continent but didn’t know where. I was on the verge of buying it when I thought, “Why didn’t he email his Mom?” So I did. She said he’s in Germany and just talked to her. Somebody had a lot of information on both me and my friend to pull that off. I wonder who was waiting at the hotel desk for a wire.

    • This usually his the result of your friend’s email addressbook being hacked. This is a common scam. If any of you get an email like that, investigate further. Phone or email all of your mutual friends to ask them if the’ve received the same request. It might also prevent them from being ccammd.

  34. Nice to have this 2016 article recycled. A lot has changed in the last 7 years. I came into the computer world around 2008 and I was completely dumb to everything back then. I even remember falling for the Microsoft scam and letting someone access my computer remotely to fix “problems” that were detected. As far as I know, I didn’t suffer any lasting damage, but I shiver every time I think of all the “wrong” things I did when I was a novice.

    On the other hand, I think it is possible to be “too skeptical” and render all technology useless. Like the young lady above who stopped using her computer for months because “she was frightened something bad may happen”. I met a lady like her when I went to computer class, and she was almost unteachable. I’m hoping most of the stuff I learned in the last 15 years will just be natural for the new younger tech-savvy generation.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.