A hapless scammer pretending to be from a broadband network got more than he bargained for when he accidentally called (and tried to work his scam) on the cyber-crime squad of an Australian police force.
Claimed To Be From Broadband Network
The scammer, claiming to be from Australia’s National Broadband Network (NBN), which does not make such calls to end-users, accidentally called the Financial and Cybercrime Investigation Branch (FCIB) of South Australia. The purpose of the call appeared to be to direct the recipient to a website imitating the NBN website. Once there, the call recipient would be encouraged to download remote access software onto their computer, with the ultimate aim of gaining access to personal information, including passwords for online banking.
Tech Support Hoax
The caller, who is believed to have been part of a group of scammers calling Adelaide landlines, claimed to be a tech support person and that the call recipient needed to download software in order to fix an Internet problem (after an alleged hack).
Police Answered
Unfortunately for the scammer, the call was answered by a member of the FCIB who then used secure software in order to safely follow the caller’s instructions and thereby understand the true nature of the scam.
Directed To A Poorly Designed Website
The member of the FCIB reported being directed by the scammer to a “poorly designed” website where they were told to carry out the steps needed to download the software. The FCIB member reported seeing that the fake website’s address had Web-hosting text preceding the .com, indicating that it was not affiliated with the NBN and was most probably a fake.
Following failed attempts by the scammer to convince the FCIB member to download the software (malware), the scammer terminated the call.
What Does This Mean For Your Business?
Luckily, in this case, the FCIB were able to see exactly how a group of scammers were operating and were able to issue detailed warnings in the local area. This story is a reminder to all that no-one is safe from scam calls and that scammers using phishing and social engineering pose a serious risk. Even though many businesses may know that legitimate companies do not call out of the blue and ask people to download software, all staff in an organisation should be made aware (e.g. by training) of the policy and procedures regarding this kind of risk (e.g. never to open unfamiliar emails, click unfamiliar links, or download unfamiliar software). Businesses should instruct staff that if they are in any doubt about who a caller is, they should hang up and only call the organisation back on its known, reputable number. Incidents should, ideally, be reported to the police, to Action Fraud, and to the relevant member of staff in the call recipient’s company.
That said, cyber-criminals are becoming more sophisticated in their attacks on businesses, and a Proofpoint Human Factor report from last year showed that as many as 99 per cent of cyber-attacks now involve social engineering through cloud applications, email or social media. This illustrates how attackers are now much keener on tricking people, through human error, into enabling a macro, opening a malicious file or following a malicious link, rather than facing the considerable and time-consuming challenge of trying to hack into the (often well-defended) systems and infrastructure of enterprises and other organisations. Businesses should therefore boost their efforts in guarding against this type of attack.