Counterfeit Microsoft security alerts have been around for many years, but they are becoming much more problematic for two (connected) reasons: Many of these fake security warnings are very convincing, and many of the world’s knowledge workers are still working at home as a result of the pandemic. Rather than working from hardened, domain-joined corporate desktops, these users are often working from their own personal devices. This means that users who fall for a fake Microsoft security alert could put both their personal environment and their work environment at risk. As part of a security awareness program, it's important to teach end users what to look for to determine whether a Microsoft security alert is legitimate.
Microsoft Security Alerts: Signs of Fraud
First and foremost, if a security alert is displayed within a web browser, it is almost certainly fraudulent. While it’s true that a browser might occasionally indicate that a site that you are about to visit is not secure, Microsoft does not plaster warning messages inside of the browser indicating that your computer has been compromised and that you need to download a fix or contact technical support. It’s also important for users to know that Microsoft support does not contact people to tell them that their computers have been compromised. All such telephone calls are fraudulent.
Other obvious signs that a security alert is fake include alert text being read aloud by a robotic voice, an alert displayed in a way that makes it difficult to dismiss, or prompts indicating that you need to pay for support using either cryptocurrency or gift cards.
How Legitimate Microsoft Security Alerts Are Displayed
When Microsoft security alerts are displayed within Windows, it’s typical to momentarily see a black pop-up in the lower-right corner of the screen, as shown in Figure 1. When this alert clears, it will also be listed within the Windows Action Center, as shown in Figure 2.
Figure 1: This is what a legitimate security alert looks like.
Figure 2: Security alerts are also displayed within the Action Center.
One of the things that you will notice about the security alert shown in Figure 1 is that it is not written in a way that is designed to instill fear. There are no alert tones, flashing fonts or threats as to what could happen if you don’t take immediate action. Any such language is a clear indicator that a message is fake.
Another way to confirm a message’s authenticity is to check the message’s context against the settings within the Windows operating system. If, for example, a message indicates that the Windows Firewall has been disabled, it is easy enough to go into Settings to see if the firewall is indeed disabled. If the firewall is still turned on, then the message is probably a fake.
To check a Windows 10 PC’s basic security status, go to Settings and then click on Update and Security. From there, select the Windows Security tab. As you can see in Figure 3, the Windows Security screen backs up the alert indicating that there is a problem with the Windows firewall, thus confirming that the warning was real.
Figure 3: The Windows Security screen aligns with the warning that was given.
One more way that alerts can be verified is by looking at the Windows event logs. These logs are exposed through the Event Viewer, which you can access by entering the Eventvwr command at the Windows Run prompt. As you can see in Figure 4, the Event Viewer will usually contain a record corresponding to the event that triggered the security alert.
Figure 4: You can use the Windows Event Viewer as another source of information for verifying security alerts.
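The firewall example above can also be checked from PowerShell, which is useful when a help desk is walking a remote user through verification. This is an added example, not part of the original article or a Microsoft tool; the 24-hour look-back window and the choice of the firewall operational log are assumptions.

```powershell
# Added example: cross-check a "firewall is turned off" alert against the
# actual state of the PC, mirroring the Settings and Event Viewer checks.
# Assumptions: 24-hour look-back; the session is allowed to read the log below.

$since = (Get-Date).AddHours(-24)

# 1. Real firewall state for each profile (Domain, Private, Public).
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
$profiles | Format-Table -AutoSize

# Enabled is an enum (True / False / NotConfigured), so compare it as text.
$disabled = @($profiles | Where-Object { $_.Enabled.ToString() -ne 'True' })

# 2. Recent records from the firewall's own event log, the same data that
#    Event Viewer shows under Applications and Services Logs.
$log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
                         -MaxEvents 20 -ErrorAction SilentlyContinue)

if ($events.Count -gt 0) {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output "No firewall events recorded since $since."
}

# 3. Compare what the alert claimed with what the system reports.
if ($disabled.Count -gt 0) {
    $names = ($disabled | ForEach-Object { $_.Name }) -join ', '
    Write-Output "Firewall is not enabled for: $names. The alert matches the system state."
} else {
    Write-Output "All firewall profiles are enabled. An alert claiming otherwise is probably fake."
}
```

If the script reports that every profile is enabled and the log shows no recent change, the alert's claim has no support on the machine itself.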
In most cases, it will be relatively obvious whether a security alert is real or fake. If in doubt, however, it’s better to attempt to verify the information than to blindly take action (or not take action) based on an alert’s contents.