Malware installed on your PC
Malware is short for "malicious software." Malware is any kind of unwanted software that is installed without your knowledge or consent. Cybercriminals sometimes try to trick you into downloading rogue (fake) security software that claims to protect you against malware. This rogue security software might ask you to pay for a fake product, install malware on your computer, or steal your personal information including your Microsoft account username and password.
There are several free ways to help protect your computer against malware:
- Make sure automatic updating is turned on to get all the latest security updates
- Keep your firewall turned on
- Don't open spam email messages or click links on suspicious websites
- Download Microsoft Security Essentials, which is free, or another reputable antivirus and anti-malware program
- Scan your computer with the Microsoft Safety Scanner
Phishing e-mails or websites
Phishing is an Internet scam designed to trick you into revealing information about your accounts. This information includes your Microsoft account and password, and details about you or your accounts that can be used to gain access to your accounts.
The majority of phishing scams are websites offering deals that are too good to be true such as free Microsoft points. To get you onto these sites they may send you the following:
- E-mails appear to be from Microsoft or Xbox informing that there is an issue with account information or claiming that your account has been compromised and immediate action is needed
- E-mail messages that appear to be from a coworker or friend with links to a website or asking for information about you or your account
- An instant message that appears to come from someone in your friends list with a link to a website
- In-game messages claiming to be from Xbox Support
- Gamerscore-boosting websites offering services to advance your level in a game
At a quick glance this site looks like the regular Xbox site you normally use to log into your account.
However there are a couple of things to alert you that this is a phishing site:
- You’ll notice at the bottom right of the page that there is an advertisement. Xbox does not place advertisements here
- Checking the address bar it tells you that you are at http://xbox.example.com
which is not xbox.com. When you click a link to sign into your Xbox LIVE account, the address should always start https://login.live.com . Another indicator is that there is no padlock icon which indicates that the address has been verified and secure. The address you should see to ensure you are entering your details in are secure should start with the following https://login.live.com
Solution: Microsoft will never ask for your Microsoft account username and password within email, over the phone or through a message in the console. Enter your Windows Live ID password only at known Microsoft trusted sites which can be identified by starting with https://login.live.com and having the verified padlock icon like below
If you suspect that someone is trying to phish you, you can use the following tools to report it as a potential scam. Doing so helps keep the Xbox LIVE community safe.
- Xbox 360: Bring up the player profile, select File Complaint, select File Complaint again, select Text and Voice Communication and then select Text message to file a complaint, where it will be reviewed by our Enforcement Team.
- Xbox One: Click here for instructions.
- Internet Explorer: While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website.
- Hotmail: If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Hotmail inbox. Click Mark as and then select Phishing scam.
- E-mail: Attach the suspicious email message to a new email message and forward it to firstname.lastname@example.org
Sharing Xbox LIVE accounts
The simplest form of account theft can occur when you share your account information such as your Microsoft account username or password with someone else. This could be a friend, relative, roommate.
If you see unexpected charges on your bill, check with family or anyone else who has access to your profile and console. Your kids might be using your card for Xbox LIVE purchasing. Compare your purchase history with content stored on your console; it may be from content being purchased on your own console by someone in your home.
Solution: If you share your console with other users, set a passcode or passkey.
Your profile may exist on another console
If you have more than one Xbox 360 console or you want to play games at a friend’s house, you can download your Xbox LIVE profile or gamertag to multiple consoles.
If you haven’t set your profile to require a password to sign in, your friend may have signed in with your profile. Your friend may have bought content with your credit card or points.
Solution: If you use a roaming profile, visit the Password Protect Profile page to ensure that it requires a password to sign in.
On Xbox 360 click here to ensure that your profile requires a password to sign in.
On Xbox One, click here to ensure that your profile requires a passkey to sign in.
Leveling and achievement boosts
This type of theft occurs when other users promise you that they can unlock specific achievements for you or level you up within a game to receive new features. These people will often send messages to your Xbox LIVE Message Center or post on forums advertising their fake services.
This involves providing the thief with your username and password. Once they have this, then it's safe to assume your account has been compromised. As a bonus for the thief, if there is a credit card or MS points on your account, they can go on a shopping spree.
Solution: Do not provide your Xbox LIVE or Microsoft account username and password to anyone.
Social engineering is the process someone uses, through seemingly meaningless conversation or other means, to manipulate you into revealing personal information about yourself or your accounts. Once the person has enough information about you, they can pose as you and attempt to obtain access or make changes to your account.
Solution: Do not reveal personal information about yourself or your accounts. Do not share personal information no matter how trivial it seems.
Third-party security breaches
If you use the same username and password for all web sites that you use, you are putting yourself at risk. If you are notified or hear that a website has been compromised. Go to http://accounts.live.com, sign in and change your password immediately!
Solution: Don’t use the same username and password for all of your sites. If you do then if a thief compromises one website, then he can easily get into all your secure websites.