This is a real one. A number of people using Dell PCs have been contacted by scammers claiming to be Dell Tech Support who actually had specific data that only Dell could have had. We're talking the customer service tag number, a support number printed on a sticker on every Dell computer. I have used Dell machines for 20 years and am very familiar with that sticker.
This Scam Of The Week is a variant on the Microsoft tech support scam where they call PC users and claim they have detected a problem with the person's computer and need to fix it. End-users gullible enough to give access to their workstations (usually via remote software), are billed hundreds of dollars on their credit card but the scammers of course don't fix anything — and in some cases their PCs are infected with ransomware until they pay up.
Last week, there was a story in Ars Techica where a man said he called Dell about a problem with his optical drive, and soon after he got a call from a scammer who knew about his specific problem and had his service tag number and other customer information.
In October the company posted a warning about this type telephone scam on its website, but it doesn't mention a service tag number hack. Dell does not seem to know what exactly is going on and is investigating. To me it seems that one or more of their servers have been compromised and support data is exfiltrated and used by scammers. Dell needs to fix the leak.
In the mean time I suggest you send this to your employees, friends and family:
"There is a new tech support scam doing the rounds. This time it is cyber criminals with foreign accents calling you, claiming they are from Dell and they even have the correct service tag of your Dell PC. They will try to manipulate you into giving them access to your computer so that they can "fix the problem" and charge your credit card or worse, infect your computer with ransomware.
If you get called by unknown people claiming to be tech support (any company) and need to get access to your computer, hang up the phone immediately and delete any email they might send you with similar claims.
ONLY give out personal information if you have initiated the call and properly looked up the main company number yourself on the company’s main website you want to reach. Do not rely on a popup, advertisement, or general web search on another website or forum unless you can verify it is a valid source and verify it is a valid phone number for that company." (Hat Tip to Ryan)
Stepping your employees through effective security awareness training would prevent them being a victim of this kind of social engineering. Find out how affordable this is for your organization and be pleasantly surprised.