
Don’t fall for this devious new Microsoft Office scam

With packaging looking legitimate enough at first glance, scammers are sending out fake Microsoft Office USB sticks — loaded with ransomware — to individuals.

As reported by Tom’s Hardware and PCMag, the USBs are sent out to randomly selected addresses in the hopes of convincing targets that they inadvertently received a $439 Office Professional Plus package.

A package with a fake Microsoft Office USB stick.
Image source: Martin Pitman/LinkedIn/Tom’s Hardware

Alongside the bogus USB stick, a product key is also included. However, plugging the USB stick into a system directs the user to call a fake customer support line rather than launching an actual installation window for Office.

Once connected to the fraudulent support line, the threat actors attempt to install a remote access program in order to breach and control the target’s PC.

Cybersecurity consultant Martin Pitman confirmed the scam’s existence when his mother called him regarding the package. Because she tried to install what she thought would be Office programs, Pitman was able to get an insight into how the scheme operates.

A virus alert is presented to the victim when the USB is plugged in, prompting the user to call a support number. “As soon as they called the number on screen, the helpdesk installed some sort of TeamViewer (remote access program) and took control of the victim’s computer,” he told Sky News.

Disguised as a Microsoft customer support technician, the individual on the other end of the phone would also ask for payment details.

As highlighted by Tom’s Hardware, postal package schemes are not among the usual tactics used by criminals. But with the increasing awareness of email scams, it seems scammers are now reverting to sending out physical products.

Microsoft, which has launched an internal investigation into the matter, said it has seen such methods being used in the past, but they’re not widespread.

Robert Pooley, who works as a director at U.K.-based cybersecurity firm Saepio, brought attention to the counterfeit Microsoft Office USB strategy in July. “Quite the scam. Shows how important cyber awareness is at work and home,” he said via a LinkedIn post.

In a similar case that occurred in 2020, security company Trustwave found counterfeit USB sticks, disguised as a Best Buy $50 gift card promotion, were being sent to unsuspecting targets.
