"Microsoft" scam calls

Don’t fall victim to the “Microsoft” call scam

Victims are cold called and told that there is a problem with their computer. The caller typically claims to be working with, or on behalf of, Microsoft, which has supposedly identified that the computer is infected with a virus, and offers an update or fix.

The victim is then talked through the steps needed to install a remote access tool so that the fraudster can take control of the computer. The next step is to show the victim a filtered view of the Windows event log (Event Viewer with only errors and warnings displayed) containing lots of errors, which the fraudster claims mean the computer will fail and lose data without their intervention. In reality every computer has errors and warnings of one sort or another in its event log; their presence does not mean it is about to fail or that data will be lost.
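The filtered event log trick, reproduced and then put in perspective. This is an added PowerShell example, not part of the original article and not anything the fraudsters run; it assumes an elevated PowerShell prompt on Windows 7 or later and uses only the built-in Get-WinEvent cmdlet. The first query is essentially the Event Viewer filter the “technician” applies; the summary that follows is the part they never show.

```powershell
# Added example, not from the original article. Reproduces the "filtered
# event log" view a scammer shows (Critical/Error/Warning entries only) and
# then summarises it by source, which is what a calm look at the same data
# gives you. Run in an elevated PowerShell on Windows 7 or later.
$since = (Get-Date).AddDays(-7)

# Level 1 = Critical, 2 = Error, 3 = Warning. This is the filter the
# "technician" applies in Event Viewer to make the log look alarming.
$filter = @{ LogName = 'System', 'Application'; Level = 1, 2, 3; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

"{0} warning/error events in the last 7 days (normal on a healthy machine)" -f $events.Count

# The same entries grouped by source and event ID: a handful of repeating,
# mundane sources (Windows Update, the DNS client, a printer driver) is the
# usual picture, not a failing disk.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize

# Genuine storage trouble shows up as events from the disk, NTFS and volume
# manager sources. Zero here is the normal result; scammers never look at this.
$diskIssues = @($events | Where-Object { @('disk', 'Ntfs', 'volmgr') -contains $_.ProviderName })
"{0} disk/filesystem events (these are the ones that would actually matter)" -f $diskIssues.Count
```

If the summary shows the same few event IDs repeating from ordinary services, that is the normal background noise the scammer is presenting as imminent failure; only the disk and filesystem sources in the last line say anything about data loss.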

Often the victim is transferred to a “technician” who can fix the issues; this is the point at which a fee is usually mentioned (anything from £30 to £140). Once the initial payment has been processed it is not uncommon for further, larger payments to be taken from the victim’s account without permission. If the victim refuses to pay, the technician is likely to trigger an action that locks them out of the computer.

Whilst the lockout looks very scary and victims fear the worst for their data, some of the techniques used are less sophisticated than they appear, and someone with experience and in-depth operating system knowledge can usually remove the lock in a relatively short time. The method used to lock out the victim varies from one fraudster to another and also depends on the victim’s version of Windows.

A common method is to switch a Windows feature called SYSKEY into its password mode, which then demands a password before the user logon screen is reached. SYSKEY (syskey.exe) is a utility that encrypts the password hashes held in the SAM database with a 128-bit RC4 key. By default the key is stored, obfuscated, in the Windows registry (the SYSTEM hive) and no extra password is needed at boot; the fraudster changes this so that the key is derived from a startup password only they know. Microsoft removed syskey.exe from Windows 10 in version 1709, so this particular lockout only works on older versions of Windows.

The Security Account Manager (SAM) is the database file (\Windows\System32\config\SAM) in Windows XP, Windows Vista and Windows 7, and every other NT-based version of Windows, that stores the hashes of users’ passwords, not the passwords themselves.

In addition to enabling SYSKEY, the fraudster sets or changes the passwords on all of the Windows user accounts.

Using a boot disk and some knowledge of how and where the passwords are stored, SYSKEY can be disabled and the account passwords removed, restoring access to the computer. If you do not have a boot disk or enough Windows knowledge to carry out that fix, the data can usually be retrieved by removing the hard drive from the locked machine and connecting it to another computer on which you do have access to Windows. This works because SYSKEY only protects the logon credentials, not the files on the disk; the exception is a drive protected by full-disk encryption such as BitLocker, which needs its recovery key before the files can be read elsewhere.
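Checking for the SYSKEY lockout described above, either on the running machine or on a drive taken out of the locked one. This is an added PowerShell example rather than a procedure from the original article; it assumes an elevated prompt, that the offline hive is mounted under the hypothetical name HKLM\ScamTriage, and that the mode is read from the Lsa\SecureBoot registry value (1 = key in registry, 2 = startup password, 3 = key on removable media). It only identifies the change the fraudster made; it does not reverse it.

```powershell
# Added example, not from the original article. Reports which SYSKEY mode
# the SYSTEM hive is in, either on the running machine or on a hive copied
# from a drive taken out of the locked computer. It only identifies the
# change a scammer made; it does not undo it (see note below).
#
# Lsa\SecureBoot holds the syskey mode:
#   1 = key stored in the registry (Windows default)
#   2 = password must be typed at startup (what the scammer sets)
#   3 = key stored on a floppy/USB
function Get-SyskeyMode {
    param(
        # Path to an offline SYSTEM hive (e.g. E:\Windows\System32\config\SYSTEM).
        # Leave empty to inspect the running system.
        [string]$OfflineHivePath
    )

    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $mounted = $false
    if ($OfflineHivePath) {
        # Mount the offline hive under a temporary name (hypothetical name
        # ScamTriage); needs an elevated shell.
        reg.exe load HKLM\ScamTriage $OfflineHivePath | Out-Null
        $mounted = $true
        # Offline hives have no CurrentControlSet link; resolve it via Select\Current.
        $current = (Get-ItemProperty 'HKLM:\ScamTriage\Select').Current
        $lsaKey  = 'HKLM:\ScamTriage\ControlSet{0:D3}\Control\Lsa' -f $current
    }

    try {
        $mode = (Get-ItemProperty -Path $lsaKey -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
        switch ($mode) {
            1       { 'SYSKEY mode 1: key in registry (normal)' }
            2       { 'SYSKEY mode 2: startup password set - consistent with the scam lockout' }
            3       { 'SYSKEY mode 3: key on removable media' }
            default { 'SecureBoot value absent: syskey not configured or hive unreadable' }
        }
    } finally {
        if ($mounted) {
            [gc]::Collect()   # release registry handles so the hive can be unloaded
            reg.exe unload HKLM\ScamTriage | Out-Null
        }
    }
}

Get-SyskeyMode                                                        # live system
# Get-SyskeyMode -OfflineHivePath 'E:\Windows\System32\config\SYSTEM'  # disk from the locked PC
```

Do not “fix” a mode-2 machine by simply setting SecureBoot back to 1: the SAM is encrypted with a key derived from the startup password, so the hashes would no longer decrypt and Windows would not log anyone on. Reversing the lockout needs either the password (syskey.exe on the affected system can then switch back to mode 1) or an offline tool that re-encrypts the SAM to match, which is the “boot disk and some knowledge” referred to above.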

Who is most likely to be affected?

Victim reports assessed by the National Fraud Intelligence Bureau indicate that:

  • The average age of a victim is 59.
  • 91% were White (English, Welsh, Scottish, Northern Irish, British).
  • 53% were female.
  • The average reported loss is £210.
  • Anyone who has a home computer connected to the internet can become a victim.


How to protect yourself

  • Never give a caller you were not expecting remote access to your computer.
  • Hang up the phone as soon as you identify that the call is uninvited.
  • Never divulge passwords or PINs.
  • Microsoft, or anyone acting on its behalf, will not make unsolicited calls to tell you there is a problem with your computer.