Security Unlocked 6.23.21
Ep 33 | 6.23.21

Dial 'T' for Tech Support Fraud

Transcript

Nic Fillingham: Hello, and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft's security, engineering, and operations teams. I am Nic Fillingham.

Natalia Godyla: And I am Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research, and data science.

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.

Natalia Godyla: And, now, let's unlock the pod. Hello listeners, welcome to another episode of Security Unlocked. And, hello, Nic.

Nic Fillingham: Hello, Natalia. How are you?

Natalia Godyla: I'm doing well. So I have a question for you. Have you ever received a call from Microsoft Support telling you that there's an issue with your PC and if you paid a sum of money, say $75, they would help fix the issue for you?

Nic Fillingham: You know, I have. I get these calls all the time, which is bananas because, first of all, I work in Microsoft. Second of all, I work in Security and know that these, these aren't real phone calls, these are tech support scams, and third, you can really easily put my name, and I guess your name as well, into, into Bing, into Google, and it'll show that we work for Microsoft and we work in Security, and so we're probably not good targets for this tech support scam. But, yeah, no, I get these all the time. And, and for me, they're sort of... you know, they're a mildly entertaining inconvenience, but for many people, they're a real problem.

Natalia Godyla: Yes. Unfortunately, not everyone knows that Support just won't call you. That's not part of the model. So we see that as a clear red flag, but others are, sadly, duped by it and then they lose money to these scammers to pay to fix their laptop. And, in reality, if there is an issue with the laptop, typically the solution is turning on and off again.

Nic Fillingham: That is true. Turn it off and on, on again is often the solution to many of life's problems, uh-

Natalia Godyla: (laughs).

Nic Fillingham: ... technical or otherwise. But tech support scams are a very real problem, and so we thought here on Security Unlocked, we'd take a few episodes to really dive into this issue and sort of better understand it. And so on today's episode, we are joined by Anup Kumar, who is the Asia lead in the investigation and analytics division of the Microsoft Digital Crimes Unit. Anup is joining us from Singapore, and Anup is very uniquely qualified to discuss this problem with us. Apart from leading the, the Asia Digital Crimes Unit, investigating tech support scams, Anup was the, uh, inspector of police for the Central Bureau of Investigations in India for over 10 years. And so, he's really seen the public sector, or sort of the government side, as well as the private enterprise side.

Nic Fillingham: Anup really sort of walks us through the entire problem and understanding the motivations and how they work and the infrastructure and the culture of these tech support scammers are. Very happy to have Anup on the podcast and to really help us understand this problem. On with the pod?

Natalia Godyla: On with the pod.

Nic Fillingham: Welcome to the Security Unlocked Podcast, Anup Kumar. Thanks so much for joining us.

Anup Kumar: I'm glad to be here. And I would like to congratulate both you and Natalia for doing such a great job, especially for somebody coming from this field. Your podcast, which I listen to when I'm jogging. It's quite insightful, and it's quite interesting, you know, to understand and see, you know, what else is happening, because, at times, you are just limited, uh, to our area of functioning, but there is so much more to security than just, you know, what we are doing here.

Nic Fillingham: Oh, Anup, that's lovely. Thank you so much for saying that. Um, I think we can just end the interview there. That's, uh, that's all we need for-

Anup Kumar: (laughs).

Nic Fillingham: ... today's episode. Just, um... no, that's wonderful. Thank you. But tha- thank you for joining us. It's wonderful to hear that you're a listener as well as, as now a guest. You're, uh, you're dialing in from Singapore, so, you know, obviously, thanks for getting up early for the interview. We appreciate that. Could you introduce yourself to the audience? Uh, what is your role at Microsoft, what does your day-to-day look like, and then maybe we'll jump into this interesting topic of tech support scams.

Anup Kumar: Sure. So I am from the Legal Department of Microsoft, and within this department, I am the Asia lead for investigation and analytics for the Digital Crimes Unit, and I'm based in Singapore and I cover the Asia region. So my team comprises of investigators and analysts, and our primary focus is to protect our customers against organized cyber crime, and also understanding the mechanics of cyber crime. And attribution is one important part of our job, but we take it a little bit further wherein we not only attribute it, but we also invest time and resources to filing civil and criminal referrals, which also means that a lot of my time also goes into working with the cyber crime units of the law enforcement agencies of various countries in the region in Asia.

Nic Fillingham: On today's episode of the podcast, we're going to unpack tech support scams, and I'm very much looking forward to this conversation. When you say tech support scams, walk us through it. What is a tech support scam? Is it just getting an unsolicited phone call trying to get you to hand over your credit card details? Is it more than that? What do we need to know?

Anup Kumar: So it's actually a mix of a lot of things. You know, at the end of the day, it's basically a scam. The only difference, I would say, is that generally, in this type of scam, uh, the perpetrator want you to go to your device or machine, whatever you're using, and trying to gain your trust in order to scam you. And while doing that, there'll be some kind of an urgency and try and scare you and then coerce you, or even at times sweet talk you, into believing that your device has got some kind of a technical issue which needs to be rectified.

Anup Kumar: Earlier, it was limited to technology companies, but we have seen that, uh, of late, you could be approached by, say example, your internet provider. You know, they could approach you stating that, "We are calling in from your internet provider. There is an issue with your IP address, et cetera," and then make you go near your device and try and remote login and try and get remote access to your device so that they can display that there is a big issue, which is most of the time not there at all, and make you believe that you need to immediately, uh, you know, get some kind of a service from them, for which they will charge you a fee. Many a times, these are like subscription charges, which keeps on recurring, and that is how, uh... you know, that's the basic mechanics.

Anup Kumar: But over the time, it has moved on from just cold calling onto, you know, popups for example, which is now increasingly we are seeing that cold calling is reducing, but the popups are increasing, for example. But, at the end of the day, it is just a scam which uses technology extensively and is at a hyperscale.

Nic Fillingham: Got it. So from my experience, I've received, you know, an unsolicited phone call. My phone will ring, it will be a number that I don't recognize, but it'll probably be a US number. I'll answer the phone and it'll be someone saying, "Hi, this is John Terry, whatever it is, from Microsoft. We've detected a problem with your PC and we're here to help. We wanna help you get this resolved. You know, are you in front of your computer right now?" And then they'll go through sort of this elaborate sort of scheme to, essentially, get me to go to my computer, turn it on, visit a web page, maybe install some kind of remote desktop client, then they'll try and sort of display something on my computer to make it look like there's a problem, to then make me think that I have to pay them to fix this problem that doesn't actually exist.

Nic Fillingham: And so that's, that's sort of the experience. I mean, I knew what they were doing, but that's the experience that I sorta had. Is that the bulk of tech support scams, what I've just sort of described there, Anup, or are there other sort of permutations of that?

Anup Kumar: Yeah, that's the bulk. That forms a major, because, you know, that's the easiest way that they can because most of the people have devices, machines, computers. So that's the reason that's the easiest way for them to make contact with you, speak with you. Uh, at the end of the day, they are just wanting you to speak and, you know, they improvise... they are very good at improvising. And, depending on who you are, what you are looking for, and they are very good at assessing that pretty quickly, and then accordingly, they will try and sell you anything which, in the first place, was never required for you.

Nic Fillingham: Hmm.

Natalia Godyla: And who are the target victims? Who did the attackers go after? Is it indiscriminate?

Anup Kumar: Actually, I think many years back, when this started, you know, they were basically looking for people who are not technologically savvy, or maybe seniors, who do not understand as much, but over the years, it doesn't matter who it is, because they have improved their script, they have improved their conversation skills, they improved how they engage with the victim. So it could be anybody. Even, you know, I know certain people who are in the tech industry who were also scammed, you know, who lost money. At the end of the day, it is anyone who they can target or victimize.

Anup Kumar: And the big shift now is that earlier, it was just cold calling, but now they have devised a mechanism so that the victim calls them up, instead of they calling the victim. So you can imagine that if the victim calls them up, they have almost won half the battle, because now the victim believes that there is an issue, and that is how that victim is calling up the number which is displayed on a particular popup.

Natalia Godyla: It's an indicator that they've considered the scam to be credible. And how do attackers even pull off the tech support scams? What's the technology behind these scams?

Anup Kumar: So one of the primary technology enabler are the popups. And, as you know, that pop-up has legitimate business use, for advertising or authentication. And popups are, basically, JavaScripts, right? So what they do is that they attach these JavaScripts on certain websites and then the JavaScript runs on a loop at the backend, and it could have intimidating, uh, sound or, you know, messages, apart from the display, the blue, uh, s- uh, display, which kind of would be representative of a particular company, and creates an impression and it kind of locks out their device and, you know, creates a situation of a panic for the victim.

Anup Kumar: So that's the main thing. But we have also seen another thing, use things like AdWords the... on the advertisement. So when you're going onto the search engine, the first pages, when you see, when you look for a Dell Support or a Microsoft Support is actually not the real Dell or Microsoft, it is the scammers which was there. However, now, all the search engines have taken care of that so, at least, on the first page, I can assure that you won't see the webpages of the scammer. So it is taken care of. But still you would encounter that.

Anup Kumar: Secondly, could be search engine optimization. They use that quite a bit. Thirdly, it could be fraudulent URLs. They could be using URLs which consists of brand name, for example, Hotmail Support. So it actually is not Microsoft, but it's creating an impression as if it is associated with Microsoft. Or it could be, uh, uh, you know, sub-domains. For example, they could register emailsupport.com and then add a sub-domain, hotmail.emailsupport.com, which, again, gives an impression, uh, that this is, uh, you know, associated with the company. And, similarly, it could also be that, you know, because they are also running name servers at the backend, so they will, they will customize the sub-domains according to whose server their target is. It could be Google, the next time it could be Apple, so they will keep on changing that depending on the process that they are running at that time.

Anup Kumar: And, recently, we have come across, uh, potentially unwanted programs, or malware as we call them, uh, also being increasingly used, which is also, again, it's the same thing but then, at the end of the day, they will expect you to click a link. Once you click the link, it will run a kind of a scan, which displays that your device has all these viruses and all these issues which you need to take care of. But, primarily, it is user-initiated action in most of the time, because of which, eventually, they'll end up in the hands of these perpetrators.

Natalia Godyla: Do the scammers know that they are scamming?

Anup Kumar: (laughs) Yeah. I think in most of the cases, they know that they are scamming. And part... how they justify what we believe is that they are justifying that they are, at the end of the day, making a sales. But they know and understand that what they are doing. And there are many reasons how they get drawn into this, but they know what they are doing. And the infrastructure that has been used are all legitimate infrastructure, so these are registered entities. You know, they have got directors, they have got HR, they have got employee benefits. So, as somebody... you know, one of your s- earlier speaker had said, uh, cyber crime is a business. That's absolutely true. And if you want to see cyber crime as a business, this is one of the perfect examples of how it is run as an enterprise.

Nic Fillingham: And so, Anup, one of the reasons why we're talking to you today and we're, we're doing this episode on, on the Security Unlocked Podcast is because Microsoft is one of these entities that is being impersonated to perpetuate this scam. These scammers are... they are impersonating large corporations like Microsoft, like Dell, like Apple, Amazon, et cetera, et cetera, in order to operate this scam and have people think that there's something wrong, and to get that thing wrong, they need to sort of pay some money. So tell us, from Microsoft's perspective, from your perspective, the, the work that you and your team do, what is Microsoft's role in all of this, and what is Microsoft doing to, to try and combat this, you know, bizarre new form of, of cyber crime?

Anup Kumar: Yeah. So, uh, you know, before we go there, uh, I would like to take a step back and-

Nic Fillingham: Please.

Anup Kumar: ... you know, take you many years back, wherein around 2014, 2015, wherein we started receiving a lot of reports from our customers stating that they were scammed, and somebody representing Microsoft had reached out to them and all that. And that is where Microsoft felt that there is something that needs to be done about it and we opened up a channel called Report A Scam. It is like microsoft.com/reportascam. So anybody could come in and report to us. And we started receiving close to 24,000 reports a month. And when we began, the reports didn't make a lot of sense, because as you can understand that somebody reporting doesn't exactly know what things to feed in and also things like, you know, uh, what will be important evidence or what will be important for investigation. So they were just putting in, you know, different stuff.

Anup Kumar: But what we did was that down the line, we started using, uh, machine learning, and we start to triage the reports that we were receiving, so that we could, uh, attribute a particular domain and associate it with a phone number which has been reported, and then associate it with a merchant account which has been reported, and associate it with an entity which has been reported by somebody else. And you can imagine that this was a global program open for anybody could... and it gave us a very clear picture that this was a global issue, it was an industry-wide issue, and it was, basically, targeted towards developed English-speaking countries.

Anup Kumar: But, uh, the interesting thing with machine learning and triaging was that it started to emerge a picture about groups of people or entities who could be clubbed together, that multiple reports could be clubbed better and make sense of, of what it is. And, apart from that, we also started scraping their tech support fraud-related popups and used a two-model machine learning approach of text and image classification. And crawlers would categorize, uh, these popups into legitimate versus fraudulent, and then we were feeding all this information into the artificial intelligence technology so that we could identify the fast moving scammers, we could prioritize, we could attribute or group them into certain group of people or their... based on their modus operandi, or based on the location where we believe they were, or where they are being reported or where they were targeting, because there were some companies who could be targeting from a particular country, there could be some entities who could be targeting a particular kind of a geography and things like that.

Anup Kumar: So once we started doing that, picture started emerging clearly. And because DCU is a global team and, you know, we work across the globe and our team are based in Europe, US, and Asia, and, you know, and we cover the region and, and we work collaboratively together operationally as well. And we had the geographical reach to actually go and verify, on the ground, where exactly the call center which actually scammed a particular victim was located. So you can imagine what was basically happening is that a victim could have reported from the US, and a merchant account ha- that has been reported is actually registered in, say UK, and the money was actually routed via China because there is, again, a, a merchant account showing up there, which is connected with another report, and then we have an associated domain name reported from Australia.

Anup Kumar: And we could bring all that together and then identify who exactly... where the call center is located, and then we would deploy other outside investigators to go and verify that what exactly they are doing, and we're able to then pinpoint where they are coming from, who they are, and identify as much intelligence as possible out of them.

Nic Fillingham: Wow. And so all of this began really just, I think you said maybe like five, six years ago, is that right?

Anup Kumar: Yeah, that's right.

Nic Fillingham: It is sort of a newish problem. It's a, it's a problem that's only been around... it hasn't been around for 10 years yet. Do we have any indication of the size? Do we know how many scammers there are, or sort of the volume of the victims that they've, they've encountered? How big is this problem, Anup?

Anup Kumar: I think, at this point, I can only, you know, make certain assumptions, which I want to avoid, however, but the thing is that, as I said that 24,000 victims were reporting to us, now it's down to around 10,000. But actual number of people reporting to us is very, very small, because many a times, victims don't even realize and know that they have been scammed, or the victims don't even know how do they attribute who did it to them, so they don't know and they can't take any further steps. And there are very, very few people who actually report to us.

Anup Kumar: So... but one thing I can say is that it's hundreds and thousands of victims all over. And, you know, this is an insight that we also got because of some of the work that we di- did along with the law enforcement agencies to understand that one call center was actually making hundreds and thousands of dollars, uh, every year. And so I don't have the exact number, and it's very difficult to really give, but we have a survey coming up, uh, which will give more insight pretty soon.

Nic Fillingham: Anup, I wanted to ask if you could talk a little bit about the partnerships that you have gone and created with the law enforcement agencies and any other sort of like cyber protection groups that may exist at sort of the government or the industry level. Who is Microsoft partnering with? How do you partner with them? I wonder, are you able to... you know, without, um, you know, jeopardizing any sort of operational security here, can you tell us about maybe one of these engagements, one of, one of the, the times when maybe you've partnered with local law enforcement and you've gone and actually visited, uh, a call center on the ground and seen what the operation was like?

Anup Kumar: Yeah, sure. But I also want to, uh, you know, take you more in-depth into why we stepped in and, uh, why we felt a need to actually do something about it and partner with law enforcement agencies, because at the end of the day, it is definitely our brand name being used. And this was also one of the challenges that many of the victims, um, who actually tried to reach out to law enforcement agencies. This is typical of cyber crime, because the victim is in a country, the payment processor is in another country, the money was routed to a th- third country and likewise.

Anup Kumar: So there are some challenges in terms of where does the victim actually go, and how does he, he or her report? So once we started realizing that our customers, our victims, could not actually be able to, you know, go to the country where these perpetrators are based and report it to the police, and even if they reported, the police is, is not able to take any action, because there is not enough evidence or enough material for them to proceed any further. That is when it was thought that, you know, we could step in and try and bridge that gap. And, uh, we started partnering with, uh, law enforcement agencies, uh, from the victim countries.

Anup Kumar: We also, uh, started working with the law enforcement agencies, uh, in India where these call centers were based. We immediately understood, uh, the ground challenges and, uh, you know, I also want to mention here that I'm a former police officer and I was with the Central Bureau of Investigation, uh, back in India, and wore the federal law enforcement hat for about 11 years. So, on the ground, I could understand the ground realities, 'cause they wanted to take action but they were, uh, tied because it would also require a victim who is based out of India, would require some kind of a mutual legal assistance from the law enforcement agency from the, from the victim countries.

Anup Kumar: So here, uh, what we did was that we... the intelligence and the analysis that we were able to do, and as I said that we would attribute it to the person, the entity, the directors who were involved in, in such type of operations. So what we did was that we built the intelligence which was good enough, which we could go and, uh, share it with the law enforcement, so now it was not a John Doe complaint that somebody did s- "I don't know who did to me, but I was scammed." So this was very specific, wherein victim reported to Microsoft and here is the victim's declaration, which our lawyers in, say for example US, went and approached the victim who lost money, got a declaration from them, and we built all the intelligence and we went to the law enforcement agency and told them sh- and showed it to them that, "This is what we have."

Anup Kumar: And we also were ready to file a criminal complaint on behalf of Microsoft, because our name was being used to scam the victims. And once the law enforcement saw that, that there is enough meat and enough material, so they took internal approvals, they did verification, and once everything was... uh, you know, they could verify on the ground, they said, "Okay, let's go ahead." And, you know, they were keen to take prompt action on it. And, uh, you know, they went a step further that they said that, "Okay, let's not only do one call center, let's... why don't we do a sweep? Because, you know, doing one call center may not be effective enough, let's do a couple of them. Do you have enough intelligence?"

Anup Kumar: And we... because of the machine learning and the triaging that we were doing, we already were sitting on a lot of information. So we built on that information and then, uh, the police... uh, we shared criminal complaints and the police took criminal action against them. They made arrests, they sealed the premises, and also, uh, you know, many of these cases, they have already framed charges and these are in trial at the moment.

Anup Kumar: And then, likewise, it was just not limited to one state. And this was done by the state police. We went to various state police and once the name got out that our approach worked in one state, we knew that we could go to other states. So, likewise, we went from... to multiple states, three, four states, and we worked with the cyber crime units of those states and then, you know, they took in- uh, action based on, on our criminal complaint.

Nic Fillingham: So these, these employees, these people who are working in these call centers, you know, I assume they're taking these jobs because they're paid, and maybe they're actually paid well, maybe scamming is, is lucrative. Is there also a role here to play for, uh, skilling up these sort of folks who are looking for employment, looking to make money, and seeing scamming as an opportunity for them? Is there a way that we can actually provide for the training better job opportunities? You know, is there something that can be done here to, to make not just scamming difficult, but to make it hard to get employees to actually conduct the scamming?

Anup Kumar: I think Microsoft is doing quite a bit in this space as well. However, the thing is that these are people who do have some kind of a basic skill. And, as you can understand, that there is a very large backend processing operations, and there is a huge ecosystem which supports those operations. So there are a, a lot of trained people out there. So that issue will always be there of, uh, you know, things like unemployment, which drives these people. So creating more job opportunities would be, definitely, something, and, and Microsoft in India is heavily investing in this area, including, you know, creating a new office and space around the National Capital Region.

Anup Kumar: And also up-skilling through various, uh, you know, our NGOs for the people so that not only use of the technology, but, you know, they could use that effectively so that, you know, these, these people that are working on the right side of the law. Also, I think education and educating, because many of these scammers are actually graduates out of college and they start their career with such type of acts, which will have an impact in their career later on as well. So, you know, educating from that point of view is also something that we are working on, we are focusing on.

Anup Kumar: And, uh, we have also seen that not everybody who joins the call centers or who is part of the scam are people who intentionally intended to do that in the first place, because there are a lot of whistleblowers who actually reported to Microsoft who were employees of these companies, who once they understood and knew that what was happening, they actually reported to us, which actually helped us build some of the targets. And you can understand that somebody from inside, that's the best source of information for us.

Anup Kumar: So we have seen that also increasing, and, and you can see that there is a lot of attention towards this in social media as well. I have seen a lot of people who are working in the in- in this industry, raising their voices, and also are creating awareness, uh, around why these people could... have been moved into, uh, into this, uh, this because of some greedy employers of theirs.

Nic Fillingham: Yeah, it's fascinating. So it sounds like... I should ask, like are we... you know, is the scope of this problem, is it contained within India or is India, you know... we, we... you've mentioned India a few times. Are there other countries throughout Asia or throughout Asia Pacific, throughout the Americas, South America, like where, where else are tech support scams happening?

Anup Kumar: Unfortunately, because of the ecosystem which exists, a bulk of the export-related calls are actually originating from India. But, uh, we are also seeing some countries in North Africa, uh, which are French-speaking countries, which are also setting up similar kind of, uh, setups. In India, the law enforcement agencies, uh, you know, we are in talks with some of the state agencies and, you know, clearly the message is that they want to clean up the entire city.

Anup Kumar: Unfortunately, you know, in India, the COVID situation came in in, in 2020, and it's still going... ongoing. So that... you know, there was a lot of break towards it, but, clearly, you know, the, the action which was taken by the Federal, Federal Law Agency clearly gives a message that, uh, you know, India is serious about taking action against, against such type of scam, because... and there are people who are committed to take action against this, but only thing is that it will take some time, but I think we should be there.

Natalia Godyla: How can you identify a scam from a legitimate support request, and what should you do if you're targeted by a tech support scam?

Anup Kumar: First of all, I will say that please report it. Report it to a law enforcement agencies or Microsoft, if you are a Microsoft customer, because I can assure you that we are looking at each and every report, and it forms a part of the action that we are taking. And it's not limited to just criminal action, we are doing a lot of other things, civil actions, you know, even cease and desist, and, you know, even sending letters, educational letters, et cetera. We are doing a lot of stuff there. And it helps if you report. If you don't report, you know, you have lost money, but that, you know, that scammer will continue to scam someone else. So you need to please report.

Anup Kumar: And remember that there are never any cold calls coming in from any of the companies. There is a lot of material and education being spread around this that there will never be a cold call coming in from... it is always has to be initiated by the customer. Uh, it is never that Microsoft will contact anyone. For that matter, any technology company will not contact anyone. If there are any technical issues, a lot of things are taken care by using technology. And if at all, there is any kind of error message on your device, remember that if it is an error message generated by the operating system, it will not have a number to call back. That's one of the important things to always remember. If there is a number to call, you are sure that this is a scam and you are being swindled.

Anup Kumar: And if, if at all, you know, your device locks in, your screen is locked in because of that popup, the easiest thing to do is just restart your device. There is nothing wrong with your machine. You can stay confident, you can stay sure that there is nothing wrong with your device. Just shut down, restart the machine, I can assure you the popup will go.

Nic Fillingham: So that... just to summarize that, Anup, so you're saying like if in any doubt, report it. Report it, report it, report it. We want that data. We want those reports. It sounds like there's some pretty sophisticated, some data science happening behind the scenes there to try and correlate those reports to try and link those reports to the phone numbers, to the websites, to the sort of payment infrastructure. And so, really, it sounds like the number one here is if you know you've been targeted or you think you've been targeted, just report it, because that data is gonna ultimately help, uh, either weed out false positives or help, uh, narrow down on actually identifying real scams.

Anup Kumar: Yeah.

Nic Fillingham: And then I think the second thing you said there, and it's, it's something that I've, I've seen a lot in literature, is, you know, Microsoft will never cold call you with an offer of tech support. I don't think we sell a product. Even in our sort of like highest enterprise tiers, I don't even know if we even have a product where Microsoft would, essentially, (laughs) cold call you to say that they've found a problem. So, so yeah, you'll never receive a legitimate cold call from Microsoft. That's probably the first one, and then the second one then is, if in doubt, report it.

Anup Kumar: Yeah.

Nic Fillingham: Would that be your two pieces of guidance or is, is there something else?

Anup Kumar: Yeah. I think these are the two most important things, and always keep in the mind. And these are simple things, but just keep it in mind.

Natalia Godyla: I really appreciate the simplicity of that. If you are targeted by a tech support scam and you start to worry, turn it on and off again. That's it.

Anup Kumar: Yeah, that's it.

Nic Fillingham: It fixes most things, really, doesn't it?

Anup Kumar: (laughs).

Nic Fillingham: You know, you can, you know-

Natalia Godyla: (laughs).

Nic Fillingham: ... turn your car on and off, your toaster on and off. Um-

Natalia Godyla: (laughs).

Nic Fillingham: ... I got one of those air fryers and it stopped working, and I just turned it off-

Anup Kumar: (laughs).

Nic Fillingham: ... and just back on again, and now it's fixed. So-

Anup Kumar: Yeah.

Nic Fillingham: ... it's amazing how well that works. Anup, I wondered if, if in your time researching and investigating these problems, have you visited, have you visited any of these call centers? Have you actually gone on the ground in India and seen some of these places, you know, in-person?

Anup Kumar: Yeah. Oh, yeah. In fact, uh, visited in the sense, not, uh... you know, I've looked at it from outside because, uh, when these operations are being carried out, before we go to the law enforcement, one of the things that we do is that we, we verify that what we are writing on the criminal complaint is something which exists. So I would do... uh, you know, of course, we have a large team in India and, uh, with support, we have got team of outside investigators and we also have outside counsels who ensure that we, we take the right steps in the right manner.

Anup Kumar: But I do visit, looking at, at it from outside and, at times, you know, I've seen pictures because these call centers also like to share a lot on social media. So they'll have birthday parties... as I said, you know, it's just another company, right? So they do share a lot. So I see that a lot in, in the reports that I get from our outside investigators, but actually going inside the call centers, I haven't done it myself. But, yeah, whenever the law enforcement does any kind of operations, uh, they do expect the complainants to be present.

Anup Kumar: And also, there could be, you know, something technical that needs to be addressed or explained, so, um, me and, you know, our analysts and our outside counsels are there because we also want the law enforcement to feel comfortable and be there that we are not only writing a complaint, but we are also, uh, you know, providing any kind of, you know, clarifications that they may need, you know, before they take any kind of actions.

Nic Fillingham: Anup, I think one of the things is you've sort of blown my mind here, is, you know, (laughs) the, the idea that these tech support scams, they just look and function like a business. Like they have birthday parties, they share pictures on social media, they have sales quotas, they... I think when you hear the word scam and cyber crime, I think you sort of think of underground organized crime, and I'm sure there must be some component to that sort of infrastructurally or sort of from a funding perspective, I mean, certainly that's where the money's going, but the day-to-day operation, these are people showing up to work, putting on a headset, doing a job, hitting a quota, having lunch with their friends, sharing memes. It's just blowing my mind to think that that, that sort of exists at sort of like, uh, some degree of scale.

Anup Kumar: Yeah, actually that's the unf- unfortunate part. And, uh, and increasingly, it's just not tech support scam. We are seeing a lot of, you know, and I mentioned this, that cyber crime is run as a business now. I'm just digressing, but, you know, for example, Malware as a Service, you know, MaaS, as, as you call it, it's, basically, a service. They have got customer care. You can call them up. Uh, (laughs) and they will actually advertise that, uh, you know, you can, you can do this and that.

Anup Kumar: So it's, basically, it's the same thing. The only thing is that here, because of the work that we have done, we have got a clear picture of how exactly they are operating, and it's very encouraging to see that, you know, the law enforcement and other agency, the cyber crime units are increasingly, you know, building their own capacities, and industry also. You know, we are coming together and trying to address this collectively, because this is not just one single company gonna address it all, uh, you know, take an action.

Anup Kumar: Like, for example, you know, two, three years back, I attended an Interpol conference, wherein... and it was a cyber crime conference which Interpol organized, and, similarly, Europol organized a cyber crime conference and, you know, I, I was invited, wherein I was able to address and talk to the law enforcement officers as to what exactly is happening on the ground and the challenges that, you know, that exist and need to address them. And these are big changes, because, you know, an Interpol cyber crime conference inviting industry, and it was just not Microsoft, there were other companies as well who were invited who work in this space, so the law enforcement is also opening up to this idea of partnering more of... more with, uh, with industry.

Anup Kumar: Now, the way we, at least, in Digital Crimes Unit, the way we are trying to fight crime is, basically, by partnerships and, uh, you know, taking everyone together. It's just not we, uh, who are trying to do it, and we are doing it not only for our customers, but for the larger public as well, because it impacts everyone. It im- impacts my parents, you know, my seniors in the family, it impacts my family, my children. So we believe that this is, uh, you know, absolutely the right thing to do, and that is where our team is primarily focused on areas like this.

Natalia Godyla: And for anyone who's interested in learning more about tech support scams, protecting themselves against tech support scams, where can they go? What resources are available to them?

Anup Kumar: So there is, you know, a lot of material definitely from Microsoft. You can just go microsoft.com/security and, you know, just key in that word, "Tech support scam," and you will definitely find a lot of material there. And, and there are a lot of guidance, you know, some of the actions that we have done, details about that, you can just search on the internet, there is a lot of material. But the easiest is microsoft.com/security. And, remember, microsoft.com/reportascam. Please report, to the listeners, whosoever, you know, has faced or has come across any such type of calls or such type of popups, et cetera. Whatever little information, uh, would also, remember, that could help out investigations.

Nic Fillingham: We'll definitely put those URLs in the, uh, show notes. Anup, thank you so much for your time, and, and thank you for taking on this, uh, really, really important work. You know, I think we've only just scratched the surface here, so we'll, we'll definitely try and learn some more about tech support scams on Security Unlocked. I'd love to talk to you again on the podcast one day, but thank you so much for your time today.

Anup Kumar: Same here. Thanks Nic, thanks Natalia. It was a pleasure. Nice talking to you, guys.

Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.

Nic Fillingham: And don't forget to tweet us @msftsecurity, or email us at securityunlocked@microsoft.com, with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla: Stay secure.