Recently, I’ve been hearing about and receiving phone calls from people with Indian accents about something a little different from the classic your PC is virus-infected but you can pay me to get it fixed’ support scam. Craig Johnston, a friend (and former colleague at ESET) who was one of my co-presenters at Virus Bulletin this year (yes, it was a paper about support scams) recently received a call from someone claiming to be from something called the Australian Refund Agency, and that Craig was entitled to a refund of fees and taxes to the value of 5,349.27Australian dollars. All he had to do was write down a reference number and contact the scammer’s supervisor on a local phone number, and the supervisor would organize the refund. Being a security guy from way back, Craig wasn’t about to fall for that one, even if he hadn’t met with the exact scam before. A quick Google search found him an Australian web site that described very similar scams. He still hasn’t called that supervisor, even though he keeps getting calls urging him to do so.
The calls I’ve been getting have been slightly different (apart from the fact that I live in the UK, not Australia, of course). Most of them have started off by asking me to participate in a spurious survey, but I’ve also been getting calls that offer me refunds on a mortgage I don’t have, or a way to save money by registering for a consumer group. In a little more detail:
Since I don’t really want to spend the whole of my working day in fruitless discussions with scammers, I’ve taken to simply pointing out that my phone number is registered with the Telephone Preference Service (the UK’s Do Not Call list) to get them off the line. (Though I have in the past had heated if short discussions with scammers who denied the existence of such a list or argued that it didn’t apply to them, whereupon I’ve made short sharp references to UK law and European Community directives before putting the phone down.) However, there have been scams that actually try to exploit Do Not Call lists. (Some of these actually predate the current spate of Indian call-centre scams by several years.)
The most common variation is to offer to register your phone number: for a fee, of course. In fact, such lists are usually free, so if you give your credit card details in response to such a phone call, you not only waste your money and expose your credit card to further misuse, the chances are that you still won’t be signed up to anything. In fact, our readers in the US should note that the Federal Trade Commission doesn’t allow third parties to register telephone numbers for the National Do Not Call Registry. Unfortunately, I can’t guarantee that this applies to all such lists, or that registration is free on all such lists and always will be. However, US readers might want to check the National Do Not Call Registry’s page rather than pay attention to random phone calls. That page also makes an indirect reference to a scam variation suggesting that you have to re-register your number (for a fee), and assures subscribers that their registration does not expire.
Meanwhile, let me be the first to wish you a Merry Christmas. Oh. Too late. I’ve just received (un)seasonal spam from a company offering very good’ prices on laptops, TVs, and iGadgets. I don’t think I’ll be checking out that particular offer.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, We Live Security