Bob Young<p>This morning I did a tech support phone call with an existing client. Based on her area code, I think she’s in California, but I don’t actually know that for sure. It’s kind of humorous! With credit card billing, I have to enter the billing zip code, but I don’t bother looking them up. The location just doesn’t really matter.</p><p>Anyway, back to the call. She visited a website for an animal rescue organization. Seems safe enough, right? She ended up with an uncontrollable, noisy pop-up that said her computer was infected. “Don’t turn your computer off!” it said, and it wouldn’t stop beeping.</p><p>She did the right thing. She turned her computer off! I’m so proud of her.</p><p>At some point, she turned her computer back on, and everything seemed normal. She called me to see if there was anything else to do. An extremely computer literate person in her life had recommended that she do a factory reset on her computer, but she was hoping she wouldn’t have to do that much work.</p><p>This is where risk assessment comes in.</p><p>I told my client that her advisor was not wrong at all. That was absolutely the safest and best advice.</p><p>But, usually those pop-ups are the baited hook, and not the malware. If my client had clicked on a link, or called the “support” phone number in the pop-up, the risk level goes up immediately. Instead, she did the one thing the cybercriminal told her not to do, because it defeats the infection attempt: she turned the computer off.</p><p>I offered to reset the browser, but warned her that doing so might delete some saved security settings, and she’d probably have to re-enter passwords on some of the sites she visits. I also told her that she could keep using the computer for a few days without any changes, and if the problem doesn’t reoccur, everything is probably fine.</p><p>Remember, the pop-up is the baited hook, not the malware.</p><p>For now, she chose to take no action. The call was ten minutes long. 
She offered to pay. I told her no, let’s call this one customer care. I told her that if she had agreed to have me reset the browser or run a virus scan, and things like that, I would’ve charged her, but not for answering a few questions.</p><p>THE LESSON<br>The client is the person with the power. Explain options and risks. Let the client make the decision. It’s their equipment. It’s their life. It’s their money.</p><p>I could’ve taken advantage of the situation and said, “Oh, yes, your advisor is right! We must factory reset your computer! I’ll help you do that right now!” That’s how I would’ve made the most money today. Instead, I chose to keep a client for life. The money will come.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIFONetworks</span></a></p><p><a href="https://infosec.exchange/tags/HelpDesk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HelpDesk</span></a> <a href="https://infosec.exchange/tags/TechSupport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TechSupport</span></a> <a href="https://infosec.exchange/tags/RemoteSupport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RemoteSupport</span></a></p>