A warning is being shared widely on Facebook about dangerous USB sticks containing Microsoft Office (more specifically the Professional Plus 2021 suite). It looks like an official product from the tech giant, but in reality scammers are sending you ransomware. The ultimate goal is to take control of your computer and then steal money, or so the story goes. Where does that story come from? And are consumers really at risk? Checkout makes inquiries with Microsoft and the Fraud Helpdesk. We also explain what you should (and should not) do if you receive an unsolicited USB stick.
The story is spreading like wildfire via a Facebook post, of which we share a screenshot below. On Thursday, August 25, around nine o’clock in the morning, the counter stood at approximately 13,300 shares, but a day later – at the time of this article’s publication – the counter had already reached almost 18,000 shares.
Assume the average Facebook user has 150 friends, not an unreasonable estimate. Then imagine that a large portion of them saw the shared warning, times 18,000. In theory, in this scenario, it’s possible that more than two million people have seen this warning on their timeline.
In short, reason enough to devote an article to it, so that readers know what is really going on.
Below is an anonymized screenshot of the warning.
Where does the warning actually come from?
The report originates from the Briton Alexander Martin, tech journalist at Sky News. He recently reported on Twitter that he had received a USB stick in a box that appeared to be genuine Microsoft in design and content.
However, the USB stick was not addressed to him, but ended up in the mailbox of a retired man whose son happens to be a cyber security expert. He did not trust the matter and decided to subject the USB stick to an analysis.
Subsequently, the story was picked up by a number of tech blogs, including computer blog PCMag, which devoted an article to it. Other media outlets followed suit, and private individuals also began sharing the warning. That set the proverbial ball rolling, and the warning is now also being shared in the Netherlands.
But are you really in danger? What should you take into account? And what should you (not) do if you receive such a USB stick? That’s what we’re going to talk about now.
Is this a scam?
The short answer: “Yes, it’s a scam”. This USB stick does not come from Microsoft, although at first glance it appears to be a legitimate Microsoft product.
The USB stick comes in a box with the Microsoft logo on it and has the characteristic Microsoft house style in terms of design. It is supposedly an Office Professional Plus 2021 package; in addition to a USB stick, the box also contains an activation code, or unique product key, for installation and use on one PC. At least, that is what the text and contents suggest.
Incidentally, the USB stick had a Microsoft Office logo engraved on it: the sender has gone to great lengths to make it look like the USB stick is really from Microsoft.
Tech journalist Martin inquired with Microsoft and was told that Microsoft has encountered this type of fraud in the past, but that it is rare and incidental in nature. More often, fraudsters choose to send a fake activation code via email; a counterfeit USB stick in a box with the Microsoft logo on it is fortunately a rarity.
What exactly is behind this?
Alexander Martin himself has also published an article about it on the website of his employer, Sky News. That article describes how the scheme actually works. If you insert the fake USB stick into your computer, you will not be able to install Microsoft Office at all. Instead, a pop-up appears asking you to call a (fake) Microsoft help desk.
The employee of this so-called help desk then tries to convince the unsuspecting recipient that TeamViewer-like software must be installed. “I see that there is a problem installing Microsoft Office. I can help you remotely, but you will have to give me access to your computer,” is a common excuse in these cases.
If you comply with this request, the fraudster on the other end of the phone will direct you to make a payment via online banking, or the computer will be locked with so-called ransomware until the victim pays the ransom – usually several hundred to several thousand euros.
So this is a combination of a help desk scam and, with a little imagination, spoofing: you think you’re calling Microsoft’s help desk to solve a problem, but unscrupulous scammers are hoping to steal large sums of money from you. In other words, bad news!
Are the Dutch in danger too?
We were a bit skeptical when we saw the warning, because it is simply too difficult for fraudsters to make fake “Microsoft” USB sticks, put them in fake “Microsoft” packaging and then also send them to numerous addresses.
However, in this case it did happen, although the extent to which it occurs has not been disclosed, except that Microsoft has indicated to Sky News that this type of fraud is highly unusual. After all, a digital version via e-mail is much more efficient, easier to organize and cheaper.
We decide to inquire with the Fraud Helpdesk because we are curious if there are any reports of this scam in the Netherlands. Spokesperson Tanya Wijngaarde from the Fraud Helpdesk confirms our suspicions, stating that there are no reports yet of this specific type of fraud: “Based on the reports, it appears that these are more likely to be incidents. In any case, we have not yet received any reports.”
It is also not inconceivable that physical media such as USB sticks are used for espionage-like activities, although that is primarily aimed at (semi-)famous people, journalists, people in power and people with access to sensitive information. Average Dutch people don’t have to worry about it, although of course some vigilance is always recommended.
Answers and tips from Microsoft
Although we are reassured by the confirmation from the Fraud Helpdesk, we also decide to contact the Dutch branch of Microsoft. We wonder if there might be signs of this kind of fraud. Our suspicions have been confirmed once again: the scam variant is known to Microsoft, but in their own words it occurs ‘very rarely’.
Microsoft’s full response is as follows: “After an internal investigation, we can confirm that the packaging and USB device are counterfeit. We have seen this type of fraud before, but very rarely. Microsoft is committed to helping protect our customers. We are taking appropriate measures to remove suspected unlicensed or counterfeit products from the market and to hold those who deceive our customers accountable.”
“We would like to emphasize that Microsoft never sends unsolicited packages”
Microsoft also never sends unsolicited packages, the tech giant emphasizes. If out of the blue you find a USB stick with a Microsoft logo in your letterbox, you already know enough: time to scratch your head and consider for yourself whether it’s wise to use the stick. We wouldn’t, in any case.
Microsoft continued: “We want to emphasize that Microsoft will never send unsolicited packages or contact you out of the blue for any reason. You can visit this page for advice on how to prevent fraud and scams. We advise consumers to be vigilant and to continue to report suspicious activity and incidents through this page.”
What should you do if you just get a USB stick sent to your home?
We remember a case from a few years ago where countless Dutch people reported receiving unsolicited products, including USB sticks. However, those were blank USB sticks, and the case was completely separate from the fake ‘Microsoft’ sticks that this article is about.
That situation involved unsolicited shipments. You simply get a USB stick in your letterbox and you might think “Ha, that’s handy”. Not much later, an invoice lands on the doormat asking you to pay. The price on the invoice is of course quite a bit higher than the market value, and by pressuring you with payment reminders and threatening letters, they hope you’ll just pay out of fear, to be done with it.
But in this situation you do not have to pay under any circumstances: this is an unsolicited shipment, and unless the company can provide an order confirmation that clearly shows that you knowingly placed an order, they cannot oblige you to do anything. You can keep the product, send it back or simply throw it away. But paying is not necessary.
At the time, these were safe USB sticks. Nevertheless, it is wise never to just insert an unknown USB stick into your laptop or computer: it is not inconceivable that it contains harmful, malicious or even dangerous software.
And if you don’t know who owns such a USB stick and what might be on it, it’s probably best not to take the risk. The potential risks are simply too great for that, and you can get into a lot of trouble.
Source: PCMag.com, Sky News UK / Thanks to Microsoft Holland and the Fraud Helpdesk for their cooperation