If you happen to receive what looks like a full retail copy of Microsoft Office in the mail and you don’t remember ordering it, it’s probably a bad idea to actually try and install it. But that’s what at least a few people in the UK have done recently, subsequently finding themselves prospective victims of a familiar social engineering scam. The randomized and surprisingly professional approach to this scheme caught the attention of Sky News.
It works like this: you get a random package in the mail that looks convincingly like a retail copy of Microsoft Office stored on an engraved thumb drive and even complete with a product code sticker. You plug the USB drive into your PC and it immediately tells you that you have a virus, and you need to call “Microsoft Support.” On the phone, “Microsoft” encourages you to install a remote access tool, after which the problem is apparently solved, but not before you’ve given up a credit card number for verification purposes. Then, of course, come the fraudulent charges.
Impersonating Microsoft or other authoritative figures isn’t a new technique by any means — here in the US we get spam calls from “Microsoft support” all the time. But the extra layer of expense and sophistication in creating branded USB drives and shipping professional-looking packing in order to sell that authority is an interesting innovation on the part of the scammers. This takes a lot more time and money than the usual website and fake download.
One of these USB drives was spotted by a woman who turned out to be the mother of a security consultant. Her son immediately spotted the sketchy nature of the package. After Sky News received the reports, Microsoft was alerted and began an internal investigation. The company confirms that a number of people have received the fake USB drives, seemingly at random, through the UK post. Scammers do not appear to be singling out high-value targets.
As Microsoft Office 2021 currently starts at $150 (£119.99), it’s easy to see why the prospect of a free copy is tempting. But, now as ever, the old advice applies: if something seems too good to be true, it probably is.