Computer repair scam: what to do after a coworker fell for it
October 16, 2017 3:19 PM

Coworker fell for the phone call saying that their computer had been compromised. They have a mac, they gave remote access, they paid money by credit card to the scammers. Computer is used for work as well as personal use. They do not do any banking on it. They do use the work Dropbox. What do we need to do?
posted by sciencegeek to Computers & Internet (8 answers total) 3 users marked this as a favorite
 
Change the computer password, and all passwords to Dropbox or anything else - email, etc.

Go to System Prefs --> Sharing and turn off all remote access if not needed.
posted by koroshiya at 4:17 PM on October 16, 2017 [1 favorite]


Call credit card company, report scam & police
posted by patnok at 5:08 PM on October 16, 2017 [5 favorites]


Disconnect the computer from the network. Back up the documents you need and verify the backup doesn't have any virus (scan with an antivirus from a different computer).

If you are not going to do any analysis on the computer then wipe the disk and re-install the OS. You do not know if they left any backdoor, keylogger, etc. so it's better to be safe.

Report the credit card to your bank and change all the passwords used on the computer.

I am not sure how Dropbox works, but if it's possible, check the account and look for suspicious new connections to the shared folders.
posted by ruben at 5:44 PM on October 16, 2017 [4 favorites]


After changing the Dropbox password, log in and kill all connected clients and apps that're new... or just all of them; it'll force everyone who uses it to get the new password.

It's under two sections: Settings:Security and Settings:Connected Apps. Just click all the Xes next to everything.

Give them a glance to see if anything's there. Dropbox also has an elaborate "trash bin" system which hangs on to some things that may have been deleted by the scammers.

90% of the time, the scammers just wanted the card number, and probably just the amount of money. They work very cheaply for a call center in a cheap-labor country with cheap VOIP phones, and just the money is good enough for most of them. You're taking good precautions; just don't overestimate how important your stuff is to scammers; they likely didn't target you, and once they're out, they're out.

Retrain your staff.
posted by Sunburnt at 6:01 PM on October 16, 2017 [2 favorites]


Best answer: In this order:
  1. Immediately disconnect the computer from your network. Disable any internet access (WiFi, etc.) on the computer.
  2. From a known-good computer, immediately change any passwords for accounts that were used on that computer (e.g. work email, Dropbox login, etc.)
  3. If there are any documents or files that you need to back up, use a USB drive to back them up. Do not attempt to back up any programs. Be careful backing up documents that contain things like Word macros.
  4. Reformat the system drive and re-install the OS.
  5. Restore any backed up files--I would recommend running a virus scan on them, just to be on the safe side.
  6. If this is a work-owned computer, make sure that the employee that uses the computer is not given an administrator account on the machine when you give it back.
You can't be sure that they didn't leave behind spyware on that machine, so a reformat and reinstall is really the only safe thing to do in this scenario.

Note that these instructions also assume that this is a machine that is owned by the company/organization you work for. If that's not the case, and this is a personal device that they use for work, make sure to get permission to do this. I would be very wary about letting a personal device that had been compromised like this continue to access company/org resources without a reformat, though.
posted by Aleyn at 11:02 PM on October 16, 2017 [5 favorites]
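
An added example, not part of any answer in this thread: one way to act on the advice above to leave programs out of the backup and to be careful with macro-carrying documents before restoring. The function names and the sample folder are constructed for illustration; the script flags application bundles, executables, installers and Office files that contain or may contain macros.

```python
import os
import zipfile
from pathlib import Path

# Leading bytes of programs: Mach-O (thin and fat), ELF, Windows PE, "#!" scripts.
EXEC_MAGIC = (b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\x7fELF", b"MZ", b"#!")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
RISKY_EXT = {".pkg", ".dmg", ".command", ".scpt", ".plist", ".jar"}

def classify(path):
    """Return why a file should be held back from the restore, or None."""
    if os.path.splitext(path)[1].lower() in RISKY_EXT:
        return "installer, script or launch item"
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(EXEC_MAGIC):
        return "executable or script"
    if head == OLE_MAGIC:
        return "legacy Office file, may carry macros"
    try:
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    return "Office document with VBA macros"
    except zipfile.BadZipFile:
        return "damaged archive, inspect by hand"
    return None

def triage(root):
    """Walk a backup folder and return {relative path: reason} for flagged items."""
    flagged = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in [d for d in dirnames if d.lower().endswith(".app")]:
            flagged[os.path.relpath(os.path.join(dirpath, d), root)] = "application bundle"
            dirnames.remove(d)  # flag the bundle once, do not descend into it
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and (reason := classify(full)):
                flagged[os.path.relpath(full, root)] = reason
    return flagged

def build_sample(root):
    """Constructed sample backup: two clean files and three that get flagged."""
    Path(root, "notes.txt").write_text("meeting notes")
    Path(root, "helper").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    for name, member in (("report.docx", "word/document.xml"),
                         ("invoice.docm", "word/vbaProject.bin")):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr(member, "constructed")
    os.makedirs(os.path.join(root, "Tools.app", "Contents", "MacOS"))
```

Run `triage()` on the USB backup from a known-good computer; flagged items are candidates to leave off the rebuilt machine or to open only after a scan, and an unflagged file still goes through the virus scan from step 5.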


Response by poster: Thank you all.
I'm in the midst of going through and changing all passwords.
It is a personal computer, but I will have permission to nuke it.
This happened Friday but no one told me until Monday. Grrrrrr
posted by sciencegeek at 4:45 AM on October 17, 2017


My mother did this. She called the bank to get the charge reversed. Then she changed the password on her PC. Nothing has happened to her since.
posted by GiveUpNed at 1:26 PM on October 17, 2017


Response by poster: What I ended up doing:
Changed all online passwords from a different, not involved computer. If two factor authentication was possible, set it up. Having staff change any related passwords for their individual accounts.

After backing up the HD to an external (just in case there was something completely essential on it), wiped and then reinstalled the OS.

Total time used was about six hours including a trip to the Apple Store to confirm with them that a wipe and restore was a good conservative thing to do (and to get the correct OS installed because we are still using Office 2011).

Thank you all for the advice.
posted by sciencegeek at 1:58 PM on October 21, 2017

