Every year, thousands of people lose money to telephone scams, and Cal Poly employees are prime targets for these phone phishers. Although phishing is commonly done by email, phone phishing is another tool used to obtain your personal and Cal Poly information. The caller may claim to work for a company you trust, like Microsoft, or even claim to be from the Cal Poly service desk. They may send mail or place ads to convince you to call them. The caller might offer to help solve your computer problems or sell you a software license and request your credit card information to bill you for the phony service call. They may also attempt to get your Cal Poly username and password, or ask you to make configuration changes to your computer that give them access to install malicious software and capture sensitive data from you.
Cal Poly will never ask for your password via email, phone or a non-calpoly.edu web form. All password changes are handled through the Cal Poly Portal. You should also expect Cal Poly-affiliated vendors to work with your IT support rather than contacting you directly.
How do Phone Call Attacks Work?
First, you have to understand what these attackers are after. They usually want your money, information, or access to your computer (or all three). They do this by tricking you into doing what they want. The bad guys call people around the world, creating situations that seem very urgent. They want to get you off-balance by scaring you so you won’t think clearly, and then rush you into making a mistake. Some of the most common examples include:
- The caller pretends that they are from a government tax department or a tax collection service and that you have unpaid taxes. They explain that if you don’t pay your taxes right away you will go to jail. They then pressure you to pay your taxes with your credit card over the phone. This is a scam. Many tax departments, including the IRS, never call or email people. All official tax notifications are sent by regular mail.
- The caller pretends they are Microsoft Tech Support and explains that your computer is infected. Once they convince you that you are infected, they pressure you into buying their software or giving them remote access to your computer. Microsoft will not call you at home.
- You get an automated voicemail message that your bank account has been canceled, and that you have to call a number to reactivate it. When you call, you get an automated system that asks you to confirm your identity and asks you all sorts of private questions. This is not really your bank; they are simply recording all your information for identity fraud.
The greatest defense you have against phone call attacks is yourself. Keep these things in mind:
- Anytime anyone calls you and creates a tremendous sense of urgency, pressuring you to do something, be extremely suspicious. If the phone call seems OK at first but then starts to feel strange, you can stop and say no at any time.
- If you believe a phone call is an attack, simply hang up. If you want to confirm whether the phone call was legitimate, go to the organization’s website (such as your bank), get the customer support phone number, and call them directly yourself. That way, you know you are talking to the real organization.
- Never trust Caller ID. Bad guys will often spoof the caller number so it looks like it is coming from a legitimate organization or has the same area code as your phone number.
- Never allow a caller to take temporary control of your computer or trick you into downloading software. This is how bad guys can infect your computer.
- If a phone call is coming from someone you do not personally know, let the call go directly to voicemail. This way, you can review unknown calls on your own time. Even better, you can enable this by default on many phones with the “Do Not Disturb” feature.
- Notify email@example.com and (if possible) include the incoming number, the campus extension receiving the call, and the date and time so we can take appropriate action.
- If the caller claims to be contacting you regarding a service request for a computer you aren't aware of, take their information and follow up with the ITS Service Desk or the IT contact in your area.
Scams and attacks over the phone are on the rise. You are your own best defense for detecting and stopping them.