Security Unlocked 8.4.21
Ep 39 | 8.4.21

Mary Had a Little Scam Report

Transcript

Nic Fillingham: Hello, and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research, and data science.

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft security. If you enjoy the podcast, have a request for a topic you'd like covered, or have some feedback on how we can make the podcast better ...

Natalia Godyla: Please contact us at securityunlocked@microsoft.com or via MicrosoftSecurity on Twitter. We'd love to hear from you.

Natalia Godyla: Welcome everyone to episode 39. Today is another good episode. We will be covering tech support scams with Mary Jo Schrade, who is the Asia regional lead for the digital crimes unit. As you might recall, we have talked about this topic in the past. So on episode 33, we had Anup Bekmar, the investigative lead in Asia, join us to discuss the inner workings of tech support scams. We now just released the global tech support scam research, and this work was conducted by Mary Jo Schrade's team, so we'll be using that data as the centerpiece for the conversation today.

Nic Fillingham: The survey is a huge sample size, 16,000 people- over 16,000 people were included covering 16 countries. So really can get very, very deep analysis and sort of numbers on how big is this problem. And I think if you remember from episode 33, that was one of the questions that we sort of kept coming back to with Anup. Like we know the problem's big. We know people are getting- are getting impacted, but what do we know in terms of actual hard data? And we- and we have that now, and it's a great conversation.

Nic Fillingham: I won't give away too many numbers, but I will say that some things are up. So, you know, there are some areas where folks are getting exposed more, some areas where they're getting exposed less, but also there are some countries that are being targeted more and where people in those countries seem to be impacted more than others.

Natalia Godyla: You also had an opportunity to ask a- a rather fun question to Mary Jo about scam baiting.

Nic Fillingham: I did. So personally I'm a big fan of folks like Jim Browning and Kitboga, who are doing this scam baiting work. They're out there trying to take down the scammers. Now this is a very gray area, legally. So I- you know, I'm certainly not commenting one way or the other on the legal status of what they are doing. That's a very complex area. I'm not wading into it. But simply I think the- the sort of the motivations for them as humans of wanting to sort of protect others and protect the vulnerable, I- I really sort of relate with. I really feel this sort of compulsion to try and keep the scammer on the line as long as possible with this sort of feeling that if they're- if they're talking to me and I'm wasting their time, they're not scamming someone else.

Nic Fillingham: So I got to ask Mary Jo about this. I got to ask, "Hey, am I helping? Or am I making it worse? You know, should I stop doing this? Is it okay to do this?" And frankly, I just like to have someone to talk to on the phone to tell you- no one- no one seems to call us anymore.

Natalia Godyla: As a millennial I avoid the phone at all costs, but hats off to you.

Nic Fillingham: I mean, is that why every time I call you I just get a text back saying, "New phone, who dis?"

Natalia Godyla: Yeah. That's one of the reasons.

Nic Fillingham: (Laughs). And with that, on with the pod?

Natalia Godyla: On with the pod.

Nic Fillingham: Welcome to the Security Unlocked podcast, Mary Jo Schrade. Thank you so much for joining us.

Mary Jo Schrade: Thanks for having me.

Nic Fillingham: Mary Jo, thank you for your time. Um, you're the lead of the digital crimes unit in Asia, and today we're going to talk about the global tech support scam research that has just been released this month, July 2021. And this conversation is a- a follow on from a previous episode we had with one of the folks in your team, Anup, who leads, I believe, uh, investigations in the Asia team.

Nic Fillingham: Really excited for this. We've got some really interesting data and sort of numbers to- to discuss from this survey. Mary Jo, if you could introduce yourself to the audience, and if you could also sort of give us a- a reference point to the previous conversation with Anup? Uh, how does Anup work as part of your- your organization?

Mary Jo Schrade: Yeah, thanks. So I'm Mary Jo Schrade. I lead Microsoft's digital crimes unit for Asia, as Nic said. Um, and I'm based in Singapore. We have a team that is spread across Asia, and we actually cover more than Asia because we cover Australia and New Zealand as well. So we go from India, across to China, and then also Australia and New Zealand.

Mary Jo Schrade: Anup on my team leads our investigations and analytics. And- and you interviewed him about some of the work that the team has done, which he has led on referring cases to law enforcement, kind of the behind the scenes of what the digital crimes unit has done as a result of this tech support fraud surge that we've seen.

Nic Fillingham: Awesome. And so, uh, I think Anup might've hinted at it towards the end of the conversation on that previous episode, but you've just released the findings from this new survey. It's called the Global Tech Support Scam Research Project or research survey. It was just released this month. So this is- this is fresh. This is hot off the press. Can you tell us about the survey? You know, what is it? How many years has it been running? And, uh, you know, what's the scope of what we're going to talk about in today's episode?

Mary Jo Schrade: Yeah. So this is the third time that we've done this survey. Um, we started it in 2016 as a result of hearing complaints from customers that they had a bad experience when it came to Microsoft support. And so initially we were struggling to figure that out- what was happening. So we decided to conduct a survey in 2016.

Mary Jo Schrade: Our current survey is across 16 countries around the world, um, representing every geography. And as the third time we're doing it, we're asking many of the same questions, a couple new ones, just because there's been some evolution in the way these scams take place. So the surveys were initially conducted in 2016, 2018. Our 2020 survey got a bit derailed by, uh, the pandemic, so we did it in 2021.

Natalia Godyla: As you mentioned, this is the third time that the survey is happening. So why are we doing the survey?

Mary Jo Schrade: A few reasons. One is we want to see the extent to which the way that the scams are being conducted may be changing so that we can adapt as well. We also want to raise awareness about these scams. We want people to read about them or hear about them in- in advance of perhaps being targeted so that they may be less likely to engage with the scammers.

Nic Fillingham: What's the scope of the types of scams that are- that are covered here in this survey? We obviously talked about them with Anup, but just to sort of reorient the listener. When- when we say tech support scam, what are the communication mediums that are covered here? And what are sort of the types of- the types of scams that are- that are being perpetrated?

Mary Jo Schrade: So a tech support scam is a type of scam where some individuals pretend to be Microsoft or another technology company, and they offer up services, uh, supposedly to help you clean your computer of viruses or malware and that kind of thing. And the scammers, we've seen they've evolved in terms of the way that they get consumers to believe them. Initially, in the US it was done through cold calling, so just an unsolicited phone number. They would often spoof or pretend to use a phone number that they weren't really using so that if it comes up on someone's cell phone, it says Microsoft on it. And so they would do something like that.

Mary Jo Schrade: The people would answer, and they would say, "This is Microsoft. Uh, we wanted to alert you that you have malware on your computer. You're at risk of losing your documents. Criminals are using your computer." And that kind of thing. So it was always an alarming message of some sort. And the idea was to get people to believe they needed to pay for a non-existent service to clean up the problem.

Mary Jo Schrade: So this evolved over time and it later became pop-ups. And so a pop-up is a box that just pops up on your computer at some point in time. The pop-up would say something very alarming, something really scary, and often it would have a noise associated with it that would really get people's adrenaline going. That would be a- a sound like a siren. And it would say, "Warning, you're about to lose all of your documents. You're about to, uh, have your banking taken over by criminals. Call immediately." And so it was that kind of thing where I think it takes people into a different mindset where they may not be as logical. But that's what the criminals are- are leveraging when they do this.

Mary Jo Schrade: So the evolution of that further has been to search terms that they would buy. And some of these things are interrelated. But they would buy search terms for, for example, Hotmail support. And then if you went online to search Hotmail support, they- it would come up with something that says Hotmail customer service and you would click on that. Sometimes that would initiate this pop-up, or it might just give you a link to click, or a phone number to call. So those are the main ways that these scammers are targeting people. And then they try to get you to pay for something you don't need.

Natalia Godyla: Thank you for that. That is an awesome overview for our listeners here. And I'm so eager to get into the data and insights from this report, because there is a lot that's shocking from the data and- and super informative here.

Natalia Godyla: So let- let's start at a high level. What did the survey find?

Mary Jo Schrade: The survey found that fewer customers overall were reporting engaging with scammers. It also showed there's some skepticism around pop-up messages that wasn't present in the last time we did this survey three years ago. So perhaps people are becoming a little more used to this kind of thing and may be less likely to engage. But overall we found something of a... a surprising level of engagement and across different countries it would vary in terms of who would actually go all the way to the point of paying a scammer.

Mary Jo Schrade: So when we would contact people, there would be high numbers of people who encountered an attempt at a scam. And so then at each level below that when it's like, okay, you encountered but did you engage or not engage? And so then most people did not engage but among those who engaged, did you go to the point, for example, of letting them remotely access your computer? And that's something that's really dangerous because once they're in your computer, they will try to take documents or take information. If you have a copy of your driver's license on your computer they might try to get into your banking and transfer money to themselves and things like that. And so they have techniques where... um... especially for people who may not be used to having someone remotely access their computer, they have techniques for how they distract these people so that they're not noticing that things are happening behind the scenes.

Mary Jo Schrade: So at each layer there are fewer people, but still a significant number. And I think one of the most surprising things to me was a dramatic increase in India of people reporting that they had been the victim of a scam and had gone all the way to the point of paying money to the scammers.

Nic Fillingham: Got it, so you saw an increase in the country of Inda... India but it sounds like overall... and I have the report open here in front of me for... for folks that want to play along at home... we'll have the... the link in the show notes... um... but it looks like the exposure level has trended down over the last... uh... three years. But you're saying India as a sort of an outlier had a... had an increase.

Mary Jo Schrade: Yes that's right. I think perhaps initially... because many of these call centers are located in India... perhaps initially they were not targeting people in India for fear of law enforcement being therefore more likely to engage. But actually what we've seen is law enforcement in India is very likely to engage. So regardless of whether there are victims in India or not, law enforcement has taken action in many places. And so I think they figured, "Well, we might as well be targeting in India and make more money that way if they're already going to be looking for us anyway."

Natalia Godyla: Speaking of this... uh... particular jump in India, are there any other demographics or groups that seem to be more susceptible to the scams?

Mary Jo Schrade: Yeah, that's a great question... uh... one out of six consumers was tricked into continuing with the scam, but the people tricked most frequently were Millennials and what's called Gen-Z, which is... um... presently aged 18 to 23. And they had the highest exposure to tech support scams, so that was definitely a surprise.

Nic Fillingham: That is such a surprising result to me. I would have thought it was my parents' generation, sort of Baby Boomers and above, that are... you know... a bit more... sort of trusting and they want the world to be... I guess... uh... you know... uh... lovely place where the person that calls me is really trying to help me. Aren't... aren't Millennials and Gen-Z... aren't they all sort of jaded and cynical? What... uh... this is... this is very confusing.

Mary Jo Schrade: Yeah, I was surprised as well. I think one reason that there may be a distinction is that they're much more active online. So... more so than the Boomer generation in... in a generalized way. They also... I believe... are more free with their personal information, so that sense of privacy or worry about disclosing your email address... um... in exchange for getting something, those kinds of things I think may be factoring in.

Mary Jo Schrade: The other thing that was interesting is that males seemed much more likely to get all the way to the point of paying the scammers, more so than females, so that was another surprising one that I don't have an explanation for, but just an interesting fact.

Mary Jo Schrade: I will say that we worked with entities that speak to victims in collecting information from them about the scams, and one of them is called IDCARE. It's a non-profit in Australia. And so one of the things they've found when it comes to giving... paying money has been that younger people may be more likely to pay something, but older people are more likely to be scammed out of a lot more money. So the... the extent of the scam is higher for older people, and they have some examples.

Mary Jo Schrade: For example, they interviewed one couple that encountered a pop-up with the alarm noise that really shook them up. They engaged with the scammers. The scammers... somehow they talked them into also letting them have access to their phones, and then they got remote access to their computers. The people paid money to the scammers for this fake service, but then they left the computer and went out of the house. And the scammers had never released control of the remote access on their computers, and it ended up stealing tens of thousands of dollars.

Mary Jo Schrade: They also will repeatedly go after... especially if they encounter someone who's older and really doesn't understand what's happening... they will repeatedly target those people. It's really shameful, but they also will do that scam on people where they say, "Oh, you... we're going to refund money to you." And then they'll refund money, supposedly, and it's not really going into people's accounts. And then the people, they say, "Oh we over-refunded you. Now you need to pay us back. We accidentally over-refunded you." And it seems like... that once people fall victim to the scam, the scammers will continue and continue to get as much as they can out of them.

Mary Jo Schrade: So I think that may be a distinction between the younger victims and older victims, this repeat scamming which I don't think we see with younger people.

Natalia Godyla: In these examples you've described you can see the additional costs to those who have been scammed. I mean, it's the added stress and panic. It's the additional time spent just interacting with these scammers. So, the research report has a really great tree diagram that shows what the true costs of the... these types of scams are. Can you walk us through that? What are the ramifications of interacting with these scammers?

Mary Jo Schrade: Yeah, so beyond what we've talked about, which is the preliminary that they pay some money, the kind of things that we see that are the results of this are that people encounter computer problems after the fact. So, one of the things we suspect is that these scammers are putting malware on people's computers when they remotely access the computers, and that later causes computer problems. Their passwords have been compromised, so if they store passwords on their computer then the scammers can get access to those when they're on their computer.

Mary Jo Schrade: And then... uh... fraudulent use of their debit and credit cards... um... store cards, that kind of thing. If... if they're able to find anything on their computer that they can monetize in some way they'll take advantage of that. So, if you keep a copy of your passport because you had to submit it at some point in time for a visa, they will look for your passport on your computer and will take a copy of that from you.

Mary Jo Schrade: And so when you're thinking about, "I just lost $200 to a scammer," you may not be thinking about those things. And it may be a while later before you realize it, but at that point people are questioning everything about their computer. So they want to go take it for computer repairs, to have it cleaned, to have it looked at, and that kind of thing. So the steps can take months after the actual scam before people are satisfied that things are okay.

Nic Fillingham: What can you tell us about... sort of... the methods of payments or the transactions and how that has changed? You know, what are some of the changes that we've seen?

Mary Jo Schrade: Yes, that is the case. So I know when you talked to Anup, he was talking about... um... a number of partnerships that Microsoft has established to work on this problem. And one of the partnerships is with the credit card processing entities... um... like MasterCard and... and that kind of thing. So we provide information about the merchant accounts that are used by the scammers for these credit card companies to investigate.

Mary Jo Schrade: And when they investigate, of course, if they find that they're engaging in a scam, they will shut that down and cut off the access for the criminals to using credit cards. And so then they'll switch to other things. So we've seen, for example, using PayPal. But again, we report that to PayPal and they address it. So we see decreasing use of PayPal, but the cryptocurrencies being tougher to address are being much more frequently used, and also bank transfers. And that's really the most dangerous because if someone engages in a bank transfer, especially when being remotely accessed by the scamming group, you're showing them information that will allow them to get back into your computer.

Mary Jo Schrade: So the payment methods vary, but it's really all around what's more traceable...

Nic Fillingham: It...

Mary Jo Schrade: ... um, what's easier for them to get access to.

Nic Fillingham: It, it looks like, uh, and again, I'm on, I'm on the, uh, the report I opened here and I think we're on page nine where the, the methods of payments graph is. It looks like, I guess, sort of good news or some sort of semi-positive news that those who did lose money, uh, were able to recover some of that money in 2021. Or, I should say, the, the, the percentage of responders that were able to recover some money has increased. So, am I reading that correctly? Is that, and is that sort of a, a, a somewhat of a silver lining?

Mary Jo Schrade: Yeah. So, I think that people are realizing sooner that they've been the victim of a scam than they may have in the past, and it allows them to go into their bank and try to reverse a payment or to co- contact their credit card company and try to get a, a payment reversed that's been made through the credit card company. So, that is good news. And I think the more awareness we raise, the more people will hopefully realize sooner, if they become a victim, and then, of course, try to avoid becoming a victim for people in the future, that they can have less likelihood of actually losing all of their money. They can recoup at least some of their money back and that's important. And so, I do think that if people can just keep that frame of mind of, why would Microsoft ask me for a crypto currency? Why would whatever the technology company is ask me for a gift card for another entity? Why would anybody ask for a gift card?

Mary Jo Schrade: You don't go to any place, um, where you purchase something and have them ask you to go get gift cards in order to pay them. So, I think that those kinds of things, the more people think about that, they'll be prepared in advance to realize that they're being targeted in a scam.

Nic Fillingham: I, I'd love to talk about the work that Microsoft's doing, uh, in the industry here to combat scamming. But before that, there's actually a really interesting question on page 22 of the report, question 18, which is the perception of responsibility. So, of the respondents in 2021, those that identified as having been scammed, I guess, once they learned that they were scammed, where did they see the responsibility lying in, in actually, you know, combating scamming? Does it lie with the company that is actually being, that the scam is pretending to, to be? So, in this case, does Microsoft bear the responsibility of blocking scammers from pretending to be Microsoft?

Mary Jo Schrade: Microsoft does come up as one of the entities that they believe should be addressing this, and, and for that reason, we are. Um, but also, they look to government entities and to law enforcement and others as also having a high level of responsibility. So, I think that that plays out in a, a realization, because I know law enforcement in the United States has been quite active, um, in Europe and in Asia. So, I think that what people feel is that they should be protected from criminals, um, in, in a way that probably traditionally most of us feel we should be protected from criminals. But they do believe that the tech companies themselves have some level of responsibility and they feel a decrease in their trust in those brands.

Mary Jo Schrade: And, and that's really part of the problem for us is that we're trying to address this, but at the same time, if they don't report it to us, if the, if we aren't aware of what's happening, it's hard for us to, to address the, the problem. So, one of the things we're asking people is, i- if you or someone you know, um, has been a victim of a tech support scam to, um, report it to us at Microsoft.com/reportascam. And that is something that we will use to build cases and, and try to en- engage with law enforcement and make them aware of these things that are happening and address them.

Nic Fillingham: I wonder if you could talk a little bit more about that process. So, if I believe I have been targeted by a scam or if, you know, I know I've been scammed, and I, and I go to report a scam and I, and I enter my details in there, what happens from, from that point forward? Where do my details go? You know, is it, is it folks like Anup on your team and others that are actually receiving that, and then they're chasing down leads and they're, and they're seeing what information they can potentially find to identify a scammer, and then pass that on to law enforcement? Or, or is, is the process sort of a bit longer, and, like, how, how, how does it work?

Mary Jo Schrade: That, how you described it is very close to how it works. So, Anup and people like him across the world have a responsibility initially to sift through the information provided. And we request a lot of information. I mean, it's not a, a long form, but we ask for specific things that we need in order for us to investigate, and then we investigate. And we work with law enforcement around the world. So, in India alone, we have already referred, and the Indian law enforcement has actually dealt with more than 30 call centers. So, that's just in one country. And this is the result of our investigators and analysts from Europe, from the United States, from Asia, working together on one team to build these cases so that when they go to law enforcement, law enforcement has all of the information they need to initiate their investigation locally to confirm the points that we've provided to them to supplement those with their investigation, and then to take action.

Mary Jo Schrade: So, that is something we take very seriously. These reports that we receive, they are looked at daily. We have a team who's responsible for going into those and looking at those daily.

Natalia Godyla: And the DCU does a couple other things to combat tech support scams, right, i- in addition to investigating these fraudulent networks?

Mary Jo Schrade: Yeah, that's right. So, one of the things we do is we provide information to Windows Defender and other teams internally at Microsoft to help them create solutions that protect customers from scams. So, for example, if you've ever clicked on a link and you get a, a, a pop-up that says, "This is a dangerous link, you shouldn't continue to this site," those kinds of things are, in small part, the result of the work that we do in providing that information. Obviously, there's a lot of other, um, sites that identify that way. So, we feed that information in, and then we also, um, work on educating customers. So, working with the various entities to try to raise awareness among people who might be targeted that they should avoid these scams and should not believe that Microsoft is reaching out to them.

Mary Jo Schrade: Microsoft does not contact individual people to say, hey, this is Microsoft, you have a virus.

Nic Fillingham: Mary Jo, I'm gonna go out on a limb here and I'm gonna say that the majority of the listeners of this podcast probably wouldn't fall for a scam. I hope I don't have to eat my hat on that, but the reason that I point that out is, are there any, and I wanna be compassionate here, but I think the, the most efficient way to ask this is, are there any warning signs, for the folks listening to the podc- this podcast, to try and think about, okay, who do they need to go and tell this information to? Because I would've thought it was my parents and their generation, you know, boomers and above, who are gonna be most susceptible. But the results here in, in this survey would, would tell me otherwise.

Nic Fillingham: And so, I'm listening to this conversation and I am thinking, all right, as a, as a tech-savvy, you know, security-minded person, who am I on the lookout for in my, my friends and family to make sure that I'm telling the right people? Is it just everyone? Or, or are there sort of some, are there some sort of little, little red flags that I can be on the lookout so that I, I can look out for my friends and family that would be most susceptible here?

Mary Jo Schrade: Yeah, I do think that everyone is potentially a victim. I think that younger people, while they may be more likely to pay money, uh, as our survey showed, they don't have the kind of money that older people do in general. So, I think they are likely to pay money, but less likely to lose $100,000, for example. So, I do think it's still important to raise awareness among all generations, especially those who are less tech-savvy. I, I agree that your listeners are less likely to be victims, but I do think that their parents, regardless of what the contact that they have with their children, knowing what their children do, they may still be more likely to be victims.

Mary Jo Schrade: So, I think that just raising awareness with them, um, trying to ascertain if they've already been a victim, perhaps asking questions of, have you ever had some pop-up come up on your computer that tells you that you're about to lose your information, or something like that, um, would, might be a good way to start that conversation. I do know that when IDCARE in Australia has interviewed people who had lost a lot of money, one of the things that they've said, um, fairly consistently is that they're very embarrassed and that they don't want their children to know because they feel that their children might think that they are infirm or that they are extremely gullible, or, you know, that they, they don't wanna be patronized by their children.

Mary Jo Schrade: And so, I do think that people should be careful in the way that they go about talking about it, but it is important to raise awareness and to ask questions, just to help maybe get their money back, if at, if it's possible.

Natalia Godyla: We talked about the reporting process. You can go to Microsoft.com/reportascam to report a scam and we can have professionals share that resource out to folks who might be susceptible. What other resources could they share to somebody that they believe is susceptible to a scam?

Mary Jo Schrade: Yeah, so, we have a lot of information on microsoft.com if you go to search tech support scam. But one of the things that I think outside of Microsoft would be that they can go to the bank, that they can go and try to take some steps to see if they can get money back or at a minimum report this as well. They can go to law enforcement. Law enforcement also keeps a database of these scams and, like, a, a number of federal agencies and the Department of Justice are actively investigating many of these cases.

Mary Jo Schrade: So, so, I think there are multiple places, but we would ask that if, if the name of any Microsoft product was used, or Microsoft itself, um, so, Xbox or, H- Hotmail or OneDrive or whatever it might be, we do ask that people report it to us even if they are also reporting it to law enforcement because that piece of information might just be the last piece of the puzzle that we needed to put together to make a successful referral to law enforcement and to hold these people accountable.

Nic Fillingham: I'm nervous in asking you this question, Mary Jo, but I'm gonna do it anyway. So, I am a big fan of a gentleman on YouTube named Jim Browning. Do you know who Jim is?

Mary Jo Schrade: I do.

Nic Fillingham: Okay. Quick little plug-

Mary Jo Schrade: (laughs)

Nic Fillingham: ... for Jim. Um, Jim inspired me to simply play dumb when I get a tech support scam and just keep him on the line as long as possible and try and waste their time. Am I helping or am I hurting by doing that? Because I have a feeling that there might be some, some listeners of the podcast that think like me and they know where the scammer has called them and has contacted them, and they just wanna pl- they just wanna string him along as long as possible to, to sort of waste their time. Are we helping or are we hurting? Or is this a benign action? Are you even able to answer this? Wh- (laughs)

Mary Jo Schrade: (laughs) Uh, yeah, it's, it's hard to say. I, I would say that, I mean, on one level keeping a scammer on the phone keeps them from calling someone else, so maybe you're helping. Um-

Nic Fillingham: (laughs)

Mary Jo Schrade: ... you know, I, I'm not condoning the way that some people go about tricking scammers or, you know, it's sort of like that question of whether it's appropriate to hack back at a-

Nic Fillingham: Vigilantism.

Mary Jo Schrade: ... hacker and-

Nic Fillingham: Scam bait-

Mary Jo Schrade: (laughing) Yes.

Nic Fillingham: ... yeah.

Natalia Godyla: Mm-hmm (affirmative).

Mary Jo Schrade: (laughs) So, I-

Nic Fillingham: Yeah, I know, I, I don't want you to comment on that. I'm not trying to put you in that corner there. I'm just trying to work out... You know, I try and keep them on the line as long as possible, just sort of being, you know, really long winded in my answers and asking them-

Mary Jo Schrade: (laughs)

Nic Fillingham: ... to spell things and, you know, pretending that the, the keyboard battery has died and all that kinda stuff. But a part of me is wondering, like, am I actually doing the wrong thing here? Am I actually, am I actually making the problem worse?

Mary Jo Schrade: I don't think you're making the problem worse. And, honestly, if you get enjoyment out of that, if that brings a little sunshine into-

Nic Fillingham: Oh, I do.

Mary Jo Schrade: ... your day-

Nic Fillingham: Oh, yes.

Mary Jo Schrade: ... well, then, you know, carry on. Um, as long as you're not doing anything illegal, I think, you know, having some fun with a scammer is no problem. And, like I said, if, if they're talking to you for 45 minutes they're not calling anyone else during those 45 minutes. So, maybe you're helping keep one more person from being (laughing) scammed.

Nic Fillingham: All right. You've, you've made my day, because I-

Mary Jo Schrade: (laughs)

Nic Fillingham: ... I get, I get genu- some, for some reason I get targeted a lot. And Mar- um, N- Natalia and I talked about this, I think on Anup's episode, like, if you put both of our names into B- Bingle, that's Bing and Google combined, yeah, I- I don't think there's too many people whose names would, would show up that aren't us working on a security podcast. So, like, in theory we're not good targets for scammers. But I get targeted all the time. I don't know why.

Nic Fillingham: And, so, I just like to, I just like to string them along, and it makes me really happy, and I feel like I'm doing good, and I, and I think I can now rest easy that Mary-Jo said that what I'm doing is, is condoned. Can you say... Can I say that?

Mary Jo Schrade: (laughs)

Natalia Godyla: That's why we're doing this podcast.

Nic Fillingham: That's the only reason why this podcast exists, to get your permission, Mary-Jo. That's the only reason why we're doing it.

Mary Jo Schrade: (laughs) Yeah. I, I would say that, you know, I'm, I, I'm not your lawyer but-

Natalia Godyla: (laughs)

Mary Jo Schrade: ... as long as you're not doing anything illegal I think it's fine to just keep acting as though you're falling for their scam, because they decide on how they're going to focus their time, on where they're making the most money. And if people start doing this to them and they start losing money, then they'll stop doing it. So, I, I mean, I think it's better to report it and refer it to law enforcement, but if you get a little enjoyment out of this I think that's okay.

Nic Fillingham: And I should have said I, I also do that as well. I, as soon as they hang up, like, I do go to microsoft.com/reportascam and I put in as much information as I have. So, I, I, I h- I hope to do good two ways. That, that is my goal. Before we close out, and I think this is a question that, that, that we asked Anup, how big is this problem? Do we have an idea of the sorta, the scale in terms of the number of people that are getting impacted or the, the, the dollar amount, the financial cost of scamming? Is that, is that something that we've been able to sort of wrap our hands around? It's... I, I'd say this is pretty big, right?

Mary Jo Schrade: It's really big. I mean, a couple years ago we were getting 13 thousand reports a month. And those were just the people who realized they were victims and then took that added step of going in and completing a form online, researching whether there is a place to report it and reporting it. So, 13 thousand is obviously, I mean, maybe 5% of the people who were victimized at that time, because not everybody's gonna go to all those steps, or not everyone realizes they were victims.

Mary Jo Schrade: So, today we're getting about 6500 reports a month, so roughly half of what we were before. But that doesn't mean the scammers aren't active. So, I think it's a huge problem and it's something that I think if we don't have everyone understanding what's happening we'll never solve this problem because it, it's really important that pe- potential victims don't become victims in order for us to stop these scams.

Natalia Godyla: Well, thank you, Mary-Jo, for spending some time with us today to, to better understand the problem, and I hope our listeners enjoyed it as well. We'd love to have you back on the podcast on another episode.

Mary Jo Schrade: Yeah, I'd love to. Thanks for having me. It's been great talking to you guys.

Natalia Godyla: Well, we had a great time unlocking insights into security. From research to artificial intelligence, keep an eye out for our next episode.

Nic Fillingham: And don't forget to Tweet us at @msftsecurity or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla: Stay secure.