Beware 'Microsoft Office' USB Sticks That Show Up in the Mail: It's a Scam

pcmag.com:

If you receive a Microsoft Office product randomly in the mail, be careful: It could be a scam. 

A cybersecurity consultant in the UK recovered a counterfeit Microsoft Office package mailed to a retiree that actually contained a malicious USB stick designed to defraud the user. 

Sky News reports(Opens in a new window) that the USB drive was engraved with the Office logo and came in seemingly real Microsoft packaging, which included a legitimate-looking product key. But if you plug the USB stick into a PC, it won’t install the Office programs. Instead, it’ll encourage the user to call a fake Microsoft customer support line, which will then try to install a remote access program on the victim’s computer. 

The scheme is pretty elaborate, and it could end up tricking unsuspecting consumers hoping to get free access to Microsoft Office Professional, which can normally retail for $439. Cybersecurity consultant Martin Pitman recovered the USB stick and packaging through his mother, who ended up calling him when she was at another person’s home trying to install it.

The scam works by triggering a virus alert once the USB stick is plugged into the victim’s PC. To fix the issue, the alert tells the user to call a customer support number. “As soon as they called the number on screen, the helpdesk installed some sort of TeamViewer (remote access program) and took control of the victim's computer,” Pitman told Sky News. In addition, the customer support technician also asked for payment information. 

Last month, Robert Pooley, a director at the UK-based cybersecurity firm Saepio, also sounded(Opens in a new window) the alarm about the counterfeit Microsoft Office USB scheme. “Quite the scam. Shows how important cyber awareness is at