Microsoft has issued a bulletin outlining how scammers will call impersonating the company's tech support. "They claim to know you have a virus on your computer and step you through downloading a solution, which is typically TeamViewer, giving them full access to your machine," Fincher said.
The simplest way to spot the scam, Payton said, is to remember some simple advice from Microsoft: Neither the company nor its partners make unsolicited phone calls.
In general ...
The most dangerous thing about social engineering scams is that the scammers have become so much better. "It is easy to do and hard to protect against," Hadnagy said. "The days of phishers being lame have passed. Now they use Spellcheck and they know what is enticing us."
James Lyne, global head of security research at Sophos, made a similar observation in a recent interview with SCMagazineUK. "Scam messages don't always have bad English, poor copies of logos or really obviously dodgy links. Sometimes they look practically identical to legitimate messages," he said.
David Britton, vice president of industry solutions at 41st Parameter (part of the credit monitoring firm Experian), agreed, adding that "attackers can now actually use the 'social' part of social engineering, to create communications that appear to come from 'trusted' acquaintances."
This, he said, means criminals can "cross-reference stolen consumer data to create very sophisticated scams, which could ultimately result in millions of dollars in losses if businesses cannot tell the difference between friend and foe, customer and attacker."
How can people avoid them? Christopher Martincavage, senior sales engineer at Silver Sky, suggests that for enterprises, "a good internal education training program is always a great start, especially since most attacks are longlined. Also, good security countermeasures such as email protection and zero-day detection can reduce the chances of this reaching an end user."
He and others also say it is crucial never to download patches or updates from an email. "Always patch from the app or go to the site manually," he said.
Hadnagy agrees that it is important to "stay educated about the current scams. Learn to use critical thinking: if something sounds too good to be true, it probably is, and therefore requires some checking into it before you start giving over data."
In short, don't trust unsolicited offers for tech support, updates, patches or free stuff. Payton said there are reputable companies that offer IT support. "Go someplace like the bbb.org to find a BBB Accredited Business, ask friends, or research places on Angie's List to find someone you can trust," she said.