Who You Gonna Call?

A few weeks ago I received a call from a man suspiciously claiming to be from Microsoft’s IT department. I was in a loud area and initially wasn’t sure I’d heard him correctly, so I told him that I’d call him back later. When I tried, though, I got a message saying that the number had been disconnected. A few hours later, he called me back—and what ensued was a truly confusing but obvious attempt to access my computer and its files by claiming that someone needed to remotely install updates to “everything” and provide me with access to “all the new programs.”

Thankfully, I’d heard enough about similar things happening to others that I started asking questions. I hadn’t ordered any updates, so what updates was he talking about? Why was he calling me instead of following the normal protocol of sending me a Microsoft-branded email? How did he get my phone number? Could I speak to the manager? If the scheme had had any credibility to begin with, it quickly broke down, as this person passed the phone to his “manager” and said in Hindi, which is one of my primary languages, “This girl is being so difficult. She won’t give me access!”

I made a “sassy” comment to the two men, informing them that I understood everything they were saying, and that they’d failed. Resisting the urge to dig into them more as they started yelling at me over the phone, I hung up. As I ran an antivirus scan on my computer, ignored the seven additional times they called me, and processed what had just happened, two things struck me: Despite practicing sound cyber-hygiene practices, I’d almost been the victim of a cybercrime—and I had no idea how to report it. And while this line of thinking is based on a personal experience, it’s something that ought to concern everybody.

To figure out where the gaps are in how we report cybercrimes, it’s worthwhile to look at what safety mechanisms currently exist. As I asked my friends and searched the internet for information on how best to handle the situation, I realized that I wasn’t the only one who didn’t know how to respond to an attempted cyber-attack. When you contextualize this lack of knowledge with the fact that hackers attempt attacks every 39 seconds, and 1 in 10 Americans have experienced a cyber-attack through their home networks, it’s surprising that there isn’t a greater repertoire of knowledge and awareness of how to respond to such incidents. After doing some digging, I found three main recommendations—and at least as many attendant limitations.

The first recommendation is to file a complaint with the Federal Trade Commission (FTC). According to the FTC’s website, you can file a complaint related to fraud, scams, and abuse via its online complaint form or by calling its Consumer Response Center. The first question when giving details on the online complaint form, however, asks you to report the amount of money you paid and the damages you suffered as a result of the incident. This made me wonder: Should I submit a complaint if I hadn’t actually suffered any losses? I reached out to a support agent on the website, only to come away with a similar impression. For its part, the FTC’s website does offer clear directions and guidelines on what areas of fraud, abuse, and scams the agency covers, and these areas include identity theft, unwanted telemarketing schemes, and malicious computer viruses. Still, the complaint form clearly states that the agency can’t resolve individual consumer complaints, and instead offers tips on how to get your money back.

Another recommendation is to call local law enforcement. And, indeed, if a crime occurs offline, my first instinct is to call 911. However, almost all online mentions of local law enforcement operations related to cybercrime suggest that officers are too busy to handle cases like these, and are ill-equipped and untrained to do so properly. Some of the people I reached out to directed me to the FBI’s Internet Crime Complaint Center (IC3). However, the IC3 form outlines that complaints should be filed by or for individuals who believe they’ve “been the victim of an Internet crime,” and again prompts me to highlight the amount of financial damages I’d suffered as a result of the incident. More online research suggested that the FBI’s IC3 was primarily focused on large-scale cybercrimes, and cared less about individual consumer incidents.

The third recommendation is to reach out to Microsoft. To me, this seemed like the most logical and feasible step to take, since the scammers who contacted me had posed as Microsoft employees. I called Microsoft’s customer service number and was directed by an automated message to the website, where I was told to fill out a form in order to report a technical support scam. Unlike the forms on the FTC and FBI’s websites, this form asks questions that seem more tailored to my experience, and focuses more on collecting information about the incident than on assessing the damages I’d suffered. However, after filing the form, I never heard back with information on how to protect myself from similar scams going forward, which I’d requested.

The vast majority of the resources I found during my search suggested to me that the apparent best practice was... just to let the incident go. None of these resources offered me any substantial advice on how to report an incident that almost took place. Nor did they offer me any guidance on how to secure myself against fraud and cybercrime going forward. On top of so much else, the lack of consensus on whom to reach out to when an incident like this takes place is concerning.

As the fraud and cybercrime industries grow, big businesses aren’t always going to be the primary targets. According to past editions of the Norton Cyber Security Insights Report, “978 million people in 20 countries were affected by cybercrime in 2017,” resulting in the loss of approximately $172 billion and nearly three full workdays to clean up the aftermath. In addition, almost 40 percent of people in 2016 were susceptible to phishing attacks (when a hacker poses as a representative from another organization online in order to secure personal or sensitive information).

Government agencies, law enforcement organizations, and companies ought to develop clearer, more comprehensive resources to guide the growing pool of fraud and cybercrime victims around the world. It shouldn’t take three hours of research and more than 20 different conversations to identify how and where to report an incident. More than that, users who try to report incidents shouldn’t continuously be turned away, simply because they managed to avoid falling prey to scammers, or because their losses aren’t considered significant enough.

The cybercrime market is growing, and it shows no signs of slowing down any time soon. In times like these, the best offense is a good defense—and cybersecurity programs, whether they target businesses or consumers, need to be preemptive and proactive, rather than only reactive.