Carnegie Mellon University

Picture of phone with "scammer calling"

May 21, 2019

Voice Phishing Phone Scams Hit Home and Office

In this digital day and age, the average Carnegie Mellon user is likely familiar with the techniques cybercriminals use to get ahold of personal data and money. However, cybercriminals have become smarter and therefore their attacks have become more complex. Take phishing, for example. There has been a shift in phishing attacks, from simple and general to complex and personalized. These sophisticated attacks are not only being sent to victims in the form of an email, but in a deceptive phone call termed vishing, or voice phishing.

Vishing is a type of phone scam that uses a combination of scare tactics and emotional manipulation to trick people into giving up their personal or financial information. The perpetrators will make phone calls to victims claiming to be government agencies such as the IRS, software vendors like Microsoft or Apple, or services offering to help with benefits or credit card rates. The scammers will even create fake Caller ID profiles (called ‘Caller ID spoofing’) which makes the phone numbers seem legitimate.

Carnegie Mellon University has become aware of multiple affiliates, both on and off-campus being hit by Vishing scams within recent week. The scam begins with the cybercriminal identifying himself as a Microsoft engineer calling to alert the victim of a virus on the victim’s computer. In order to “remedy the computer problems” the victim is instructed to install an application to give the caller remote access into the victim's computer.  Once given access, the scammer runs a phony virus scan on the victim’s computer which claims to find a computer virus. The scammer then asks for credit card information to pay for the fix.

It is important that Carnegie Mellon students, staff, and faculty recognize these scam attempts in order to protect personal and financial information. Below are tips on how to protect yourself from vishing scams.

  • Never give out your personal information to unsolicited sources. Just as you would never give out personal information if asked to do so via email, the same should be practiced over the phone. If the caller starts asking for personal information it's best to hang up immediately and report the call to  
  • Never call the number on a pop-up window that reads your computer is infected or has a virus. By calling the number, you will be directly contacting the bad actor. 
  • Reach out to the company directly if the call has you worried. If a call has you worried that there might be something wrong and you wish to call them back, don't call the number offered to you by the caller. Either log in to your account or go to the official company website and look up their main customer support number. 
  • Never allow a caller claiming to be from a company providing your technical support to "clean" your computer. Once a bad actor has remote access of your computer, he/she can retrieve personal or banking information from the machine. 
  • Consider downloading a Caller ID & Spam Blocker application. Both Android and Apple have built in features that will allow you to block a number you know is spam. Additionally, most mobile phone carriers as well as Apple and Google, have applications that will detect whether a call is legitimate or not. These apps also allow the user to report scam calls so that the number becomes blocked.
  • Only install apps from authorized sources. To avoid malicious apps getting a hold of your data, only download apps from authorized vendors such as the Google Play Store or Apple App Store. Never trust a third-party app with information that could be exploited in the wrong hands. 
  • Always think twice. In addition to tips and apps, there's no better judge than common sense. If an offer or deal sounds suspicious, it most likely is. Unless you initiated the contact, remain cautious when speaking to companies over the phone or corresponding online. If the caller provides you a link and directs you to click on it to confirm your identity, consider it a red flag. Additionally, challenging the caller to identify the IP Address of the computer in reference can help reveal if the caller is legitimate or not.