Here’s part of the web search I made of that phone number. Clearly the number’s owner has been sending scam emails. The email’s From: address probably comes from the site “onlinestore.services,” which is obviously not a “microsoft.com” address. The search data specifically names that domain address and reports scam complaints.

Another way to try to validate a phone number is to use its description to search for the correct number. In this case we search for a “Windows Support” phone number. There isn’t one. The Microsoft web site doesn’t publish a support phone number. A web search brought up various numbers posted to Microsoft support forums by users. Closer inspection suggests these phone numbers are also phishing lures.

Not just for Internet any more

This type of phish isn’t unique to email. I received one by postal mail five or six years ago. It explained how my Master Card had some sort of problem and they were closing the account within 30 days. I actually believed the letter at first. I learned an important lesson:

Compare your credit card or account statement with the message you received. Look for inconsistencies.

This applies to emails, physical letters, and any type of text message. In my case, I realized the partial credit card number was wrong. Most importantly, the company’s phone number was wrong. The only accurate information in the letter was my name and mailing address.

Do’s and Don’ts while researching a scam

I prefer not to disclose my personal identity when researching potential scammers.

• Don’t call the phone number. It discloses your own number.
• Don’t respond to the email. It verifies a victim (you) resides on the other end.
• Don’t use the domain name to visit the web site.
• Don’t type the domain name directly into your browser address bar by itself.

Here are some safer research techniques

• Do look up the phone number with a web search engine. This usually discloses the number’s owner, location, and a selection of complaints reported online.
• Do prefix web searches with “Who is” to ensure the browser does a search instead of actually visiting a questionable site.
• Do use legitimate information sites to follow up leads about ownership or complaints: domain “Whois” sites, Better Business Bureau (BBB), state incorporation records, etc.