The news was just hours old, and the scam phone calls were already coming in.
Last Monday, in a warning to some of its longtime computer users, Microsoft announced it was no longer supplying security fixes for Windows XP, the operating system that’s been around for a dozen years and is still used by millions of consumers and small businesses.
The next morning, some people were already getting hit by fraudsters, trying to capitalize on the news.
The attempt was “pretty blatant,” said Emmet Zaworski, a retired telecommunications engineer in Roseville, who received two suspicious calls on Tuesday morning. In one, the caller had an “Eastern European” accent, appeared to be using a cellphone and had a caller ID number that was only zeroes.
Claiming to be from Microsoft’s tech support team and checking security for XP computers, he asked for Zaworski’s passwords so he could “check my machine and make sure everything was OK.”
Zaworski smelled a scam and, after expressing his disgust in words that “aren’t fit for a family newspaper,” hung up.
“It was so obvious it was ridiculous,” said the 61-year-old, “but that doesn’t mean people won’t get fooled.”
It’s been an unnerving week for computer users, starting with Microsoft’s announcement that it would no longer offer security upgrades, technical help and other protections for those running Windows XP.
And for almost everyone else, there was the even more troubling announcement that a wily computer bug, dubbed Heartbleed, had wriggled its way into Internet security systems.
Both news items are a reminder to shore up your personal computer, change your passwords and be wary of attempts to fleece you.
Look out for scammers
Last week, the Better Business Bureau issued a warning to consumers, advising them to be on the lookout for unsolicited offers by fraudsters claiming to be from Microsoft, Dell or other companies with “tech support” staffs.
The tech support scams have been around for years. In 2012, the Federal Trade Commission announced a global crackdown on such scams and froze the assets of six groups that were accused of running foreign-based boiler rooms – mostly in India – that dialed consumers around the world. In those cases, the callers claimed to have detected computer viruses and malware that could be eradicated for a fee, ranging from $49 to $450.
In January this year, the FTC warned of another twist on the tech support scam, in which callers offer to “help” obtain a refund on your computer service. In that hoax, the callers took down banking and credit information in the guise of providing the refund.
Often, these scams flare up when headlines lend themselves to fraud attempts.
Earlier this month, the BBB shared the story of a St. Louis couple who got a call from someone claiming to be from a computer company, “PC Clean-up,” who persuaded them to purchase a $313 “lifetime” plan to rid their computer of viruses. Over the phone, the couple supplied their Visa debit card number, according to the BBB. Only when the scammer tried – unsuccessfully – to pull another $1,200 from the couple’s bank account did they realize they’d been scammed.
Microsoft’s tough love
What does the loss of Windows XP security patches and tech support, which became effective April 8, mean for consumers? “It means you should take action,” said Microsoft bluntly, in a website notice this week urging consumers to, at the very least, upgrade their operating system to protect their computers.
If you don’t, “your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information,” the website said. And, it noted, anti-virus software will “not be able to fully protect you once Windows XP itself is unsupported.”
Computer security experts, some who’ve likened XP’s situation to a “security sinkhole,” warn that individuals and businesses whose computers use Windows XP or the Web browser Internet Explorer 8 (or earlier versions) will be extremely vulnerable to hacking.
“Currently, Microsoft releases security patches once per month to fix the bugs found in the previous month,” said Robert Siciliano, computer security expert for Internet security company McAfee, in an email. “Once Windows XP users cease to receive these patches, it will be easier for cybercriminals to gain access to their systems.”
For those whose PCs still run Windows XP, the company itself has a couple of suggestions.
Last Tuesday, it offered its last security patch for Windows XP, which consumers can download from their computer. If your computer can handle Windows 8 (or 8.1, the most recent upgrade available), you can purchase it from Microsoft for $119.
And lastly, the company suggests you might want to buy a new computer. Seriously.
As with any computer system, installing and running anti-virus, anti-spyware and anti-phishing software and having a tough firewall are basic protections for your personal data online.
Stemming the Heartbleed
With its memorable moniker, the Heartbleed computer bug is especially alarming. Detected by two groups of researchers, it infiltrated a common encryption technology used to protect the transmission of our passwords, credit-card numbers and other personal data, whether it’s on Facebook, Gmail or other sites. It means that sites carrying the “https” and padlock symbol – which we typically assume indicate that data transmissions are locked and secure – may not be safe from criminal hackers.
“This is a vulnerability that strikes at the heart of the most fundamental security the Internet has to offer,” said computer expert Siciliano. “And from what we are learning, it’s been broken for over a year.”
Not every site uses the vulnerable technology, but most do, so nearly everyone is susceptible, say computer experts.
How to protect yourself? Consumers should change their passwords on financial accounts, on Yahoo and social media sites like Facebook and Gmail.
“Frequently changing your passwords is a good option, maybe even do it weekly until this is resolved,” he said. Regardless of whether there’s been a data breach or other computer intrusion, he recommends that consumers routinely change out their passwords every six months.
Some experts have advised waiting to change passwords until after companies have finished installing their own fixes for Heartbleed. But Siciliano says there’s no reason to wait.
“Consumers won’t know what sites were affected until it’s too late. I’d change passwords for the most crucial sites once every one to two weeks for the next month.“
Passwords should be “strong,” which means using a combination of at least 8 letters and numbers. Use both capital and lower-case letters. And mix them up: don’t use the same password for your Netflix account that you use for your online banking.
Equally important, Siciliano said, is monitoring all your online accounts for unauthorized activity and refuting any such transactions immediately.
And lastly, be aware of unscrupulous offers of Heartbleed “help” that could start popping up on your computer or your phone. Don’t buy ’em.