The ‘Three E’s’ of Scam Disruption
Nic Fillingham: Hello, and welcome to "Security Unlocked," a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft Security engineering and operations teams. I'm Nic Fillingham.
Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science...
Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.
Natalia Godyla: And now let's unlock the pod.
Natalia Godyla: Hello, everyone. Welcome to another episode of "Security Unlocked." Today we are joined by Juan Hardoy, assistant general counsel with the Digital Crimes Unit, and Nic Fillingham again. Welcome back to the show, Nic. How are you doing?
Nic Fillingham: Thanks, Natalia. Yes, hello. Welcome back to me (laughter). Thanks for having me back. Yes, I'm well. I'm good. Thank you, Natalia. I was actually out for almost - gosh, the best part of sort of three weeks with coronavirus - with COVID. My family caught it. My two young daughters and I caught it. Thankfully, I was vaccinated back in May, so I was sort of prepared, I guess, from an antibody perspective - from an immune system perspective. But it was still a bit of a - not a fun time. But we're all good now. We're all recovered. And I am excited to be back on the podcast with you, Natalia. Thank you for welcoming me back.
Natalia Godyla: That's so great to hear. I'm really glad you were able to take the time to get better as a family - equally excited for today's podcast. So today is a Part 3 of a conversation on tech support scams. So, you know, back on Episode 33, we had Anup join us to lay the foundations of the conversation on tech support scams as an investigator who has experience in India doing fieldwork. And then we had Episode 39, in which we talked about a tech support scam report with Mary Jo and the findings from that report. And today we are joined by Juan, who will continue the conversation on tech support scams, mostly focused on the solutions that we've identified to try to mitigate the scammers and cause disruption.
Nic Fillingham: Yeah, and if you loved those episodes, which I did - I'm very much invested in tech support scams and very passionate about this space, and I could talk about this all day. So if, like me, you really enjoyed those two conversations, you're going to love today's episode. Juan also walks us through a really useful framework in understanding how to combat tech support scams and how to sort of get ahead of them - the three E's: education, enforcement and engineering - for technical disruption. And that's sort of the bulk of what we talk about in today's conversation. And so I think folks who enjoyed the previous dalliances we had in this space will very much enjoy Episode 3 in this sort of mini arc on tech support scams. But shall we get on with the pod?
Natalia Godyla: On with the pod.
Nic Fillingham: Welcome to the "Security Unlocked" podcast, Juan Hardoy. Juan, thank you so much for your time.
Juan Hardoy: Thanks, Nic and Natalia, for having me.
Nic Fillingham: So, Juan, you are looking after the field - oh, gosh, I'll have you correct me here. I know you're part of the Digital Crimes Unit. If you would please explain your role and sort of introduce yourself to our audience, it'd be fantastic.
Juan Hardoy: Cool. I am an assistant general counsel with the DCU, the Digital Crimes Unit, and I lead all DCU field operations. That's our global operations. That's an international team of investigators, analysts and lawyers that share a common mission, which is to protect our customers and promote trust in Microsoft technologies.
Nic Fillingham: I've always wanted to ask - and I think, Juan, you're probably the perfect person to field this question - so Digital Crimes Unit. That, to me, sounds almost like a deputized organization that can sort of go out there and fight crime in digital space. Now, obviously, we're Microsoft. We're a publicly listed company. So, you know, we aren't law enforcement. We aren't policymakers. We aren't elected officials. Tell us about the mission of the Digital Crimes Unit and how it is that you partner with governments and partner with elected officials and partner with policymakers, et cetera.
Juan Hardoy: That's correct, Nic. What characterizes the DCU and distinguishes it from other Microsoft Security teams is that we play proactive action. We take action against cybercriminals that are trying to hurt our customers and the internet as a whole. People are not going to use our technology or the internet if they don't trust it. So we not only do technical disruption, but we also bring them to justice in the form of criminal referrals and civil actions. But we don't do this alone, as you properly say. We partner with academia, NGOs, international and national law enforcement, such as the FBI, Interpol, Europol, and across industry - with industry partners, with our competitors, too, when it comes to fighting cybercrime.
Juan Hardoy: I think public-private partnerships are the secret sauce for tackling these types of cybercrime, these issues, because nobody has all the skills and resources to fight this problem alone. It is too complicated. As you know well, cybercriminals are evolving at the speed of light. They are incredibly sophisticated, very well-financed. And cybercrime is a transnational type of crime, so you really need to have a strong public-private partnership. We, in Microsoft and the DCU, bring to the table what we do best. And I will speak to that in a minute.
Natalia Godyla: And before we dive into some of the work you're currently doing in the Digital Crimes Unit, you've been at Microsoft for 18-odd years. What has your career been like at Microsoft? How have you traversed the Microsoft ecosystem? How did you get to assistant general counsel?
Juan Hardoy: Thank you. So I was super lucky to get an email from a headhunter more than 18 years ago, when I was working in South America. That's where I'm from. I'm from Argentina originally, although I spent four years working for a New York City law firm. Then I moved back to Argentina, and I was working for another law firm there. And I got this email from a headhunter offering me to have an interview with a technology leader. I asked who that company was, and it happened to be Microsoft. That was one of my lucky days in my life. And I started as a commercial lawyer doing licensing agreements. And maybe two, three years thereafter, I got an offer to become the DCU lead for Latin America, which I did from our headquarters - regional headquarters in Fort Lauderdale, Fla. Thereafter, I spent seven years as the lead for the DCU in Europe, Middle East and Africa, based in Paris. And two years ago, I relocated to Redmond, where I have this global role leading the DCU field operations. So I had a fantastic and fascinating career with Microsoft. I love my job, and I hope to be doing this for another 18.
Natalia Godyla: (Laughter).
Nic Fillingham: Another follow-up question, Juan, here, on the DCU again. I'd just love to better understand, if you can, the sort of relationship with the NGOs, the government bodies, academia. Can you talk to the balance or perhaps the - I'll call it the yin yang of when digital crime - when cybercrime is identified? How often is it that Microsoft is sort of seeing the first signs, the first signals that digital crime, cybercrime might be underway and then initiating an investigation and then looping in law enforcement? And then how often does it happen the other way around, where a law enforcement body, perhaps a - you know, an industry body or some sort of external party, be it public or private, finds evidence of crime and then contacts Microsoft and asks for assistance? Do both of those things happen? And if so, what does it look like?
Juan Hardoy: Yeah. So ever since the pandemic broke out, we have all experienced an increase in cybercrime, right? Because it's committed remotely, because people - the world became more digital, right? So with more people moving to the digital world and doing more business and all aspects of life, cybercrime increased. Criminals also moved to committing cybercrime. So organized crime embraced cybercrime. And even now, we have nation-states attacking other nations or the citizens of other nations. So the work became more complicated. And good news is that Microsoft was investing way before the pandemic in security and cybersecurity. And we're just one of the many teams that Microsoft has, from all the way to product engineering to taking this proactive action approach within Microsoft, and we are well-prepared. So we have very good detection systems to protect our customers, to - and prevention systems. And whenever our teams detect some anomaly, they can escalate to the DCU to take action. So more likely than not, even before crimes are committed - cybercrimes are committed - we have an excellent detection system, and we're very well-coordinated internally within Microsoft.
Juan Hardoy: Now, we also get a lot of requests for support from law enforcement. And Microsoft, through the LENS team, responds to about 60,000 legal requests per year on different type of crimes. We at DCU concentrate only in certain type of crimes - of cybercrime. There's many different types of cybercrime. We concentrate in some. And it is in those priorities for our company and our customers that we partner together with law enforcement. It can be that they reach out to us for help, and they will have to go through the right legal process, and sometimes it is us that report crime to them in the way of a criminal referral. It happens both ways. As I said, it's a partnership. It's a public-private partnership with Microsoft, where Microsoft is not only - it's not the only industry player. There's many others. And we are constantly looking into trends and analyzing and detecting cybercrime.
Natalia Godyla: So, Juan, today we wanted to talk specifically about tech support scams. So what is Microsoft doing in general to impact these scammers?
Juan Hardoy: So our approach has been the three Es - education, engineering and enforcement. And on the engineering - it also includes technical disruption. Education - I think that's an obvious one. The best thing people can do to protect themselves against cybercrime and against tech scams in particular, is to educate themselves, to be aware. So we work a lot in raising awareness. This second thing is technical disruption of engineering. I will go back to that in a minute. And then the third one is enforcement. That - I understand that has been the subject of your previous interviews with my colleague, Mary Jo, and a global investigator.
Juan Hardoy: So going back to technical disruption, let me share an anecdote with you. Three years ago, we had about 13,000 customer complaints on tech fraud to Microsoft every month, OK? That's a lot of customer complaints. People complaining they had a bad experience with somebody claiming to be Microsoft offering support services, which, of course, it wasn't Microsoft. So our team got together around the table, and we said, what can we do to dramatically reduce the number in an impactful way? As I said, this is a transnational crime where you have perpetrators in one country or more than one country, victims in another country. The evidence might be in another country. So laws were not just designed to tackle cybercrime internationally. It takes time to bring cybercriminals to justice. We have very good success stories, but something else needs to happen.
Juan Hardoy: As you know well also, cybercriminals, tech scammers, use infrastructure to commit their crimes. They need communications services, internet. They need a space. They need a call center. They need human resources. They need software. They need telephone numbers. So they leverage. And they need domain names, URLs, malicious websites they use. So we decided to - on top of education and enforcement, to develop the technical disruption angle. Because there is not one thing you can do alone that will resolve this problem.
Juan Hardoy: So we said - we ask ourselves, how can we disrupt the criminal infrastructure being used by these tech scammers? And which of all that infrastructure could we disrupt faster and on a more scalable way? We thought of telephone numbers, for instance, when Microsoft is not a telephone company or an ISP provider. And probably companies like AT&T, with whom we partner, are better positioned and understand that business a lot better than we do. Then we ask ourselves, well, criminals have evolved and are using malicious pop-ups, computer pop-ups. How can we disrupt those? So how can we use that intelligence to disrupt their payment processes or systems? They are doing this for the money, right? This is an economic crime. And they need to pay for all the infrastructure they're using, scammers. And if they cannot pay their bills, we know what happens with any organization that runs at a loss. Sooner or later, they will go out of business, right?
Juan Hardoy: So imagine that a call center, one of these phony call centers, is working for weeks trying to scam people. And instead of getting their illegal proceeds, they get zero. They wouldn't be able to pay their bills, and they would go bankrupt. This is a little bit what we envisioned. And then we ask ourselves, OK, how can we scale this? The challenge with setting up a payment disruption program is that there's a lot of malicious pop-ups out there that are commingled with legitimate pop-ups on the internet. How do you find them? And how do you cluster them? There's thousands of malicious pop-ups a day, and then there's many call centers behind them.
Juan Hardoy: So we use machine learning. We trained a computer to read those malicious pop-ups and to stack rank them or prioritize them and distinguish them or filter them from the ones that are genuine. The ones that are malicious were filtered. And then the - they were aggregated or clustered, attributing them to the same entity behind it or the same criminal organization. So we would know who were the kingpins behind those malicious pop-ups.
Juan Hardoy: And then we would take the telephone numbers. So the computer would do this for investigators so that when they walked in the morning to the office, they will have a list of leads to concentrate on instead of having to try to navigate the internet and identify pop-ups that are sometimes alive only for two hours or less. So the machine will do that for them. They will dramatically facilitate the work of an investigator. And then they would take the telephone numbers. And we ask ourselves, why would we wait for another victim to be called by scammers? Why don't we instead call in those numbers?
Juan Hardoy: So we will call them in. I say, OK, you say you're from Microsoft, and you say there's a problem with my computer. And we would engage with the scammer, our investigators. And scammer will demand the payment to fix our computer that had no issues, to offer a service that we didn't need. And we would try to place a transaction using our method of payment. In doing so, we would collect information that then we can use to work with our partners in this public-private partnership. And the payment processors would use that information - not us - to identify merchant accounts being used by scammers to collect the money from victims.
Juan Hardoy: Typically, victims won't send money directly from the U.S., for instance, directly to a foreign country. They would typically set up a bank account in the same country where the victims are. When they open a bank account, they would typically say that they're a web designer or come up with some other pretext, when in fact they're not. And they would use that account to collect the funds.
Juan Hardoy: So in this process, we would help payment processors. So we would work with major credit cards and major banks to help them identify those merchant accounts within their systems that are pretending to be legitimate businesses, when in fact they're scammers, and they're collecting the money from hundreds of people that they have victimized - $400 on average, but it could be a lot more. It could be the life savings of an elderly person, or it could be a millennial that was saving money for college. So you've probably heard about many sad stories. And all that money gets collected in bank accounts, and then it gets wired outside the country, and then to another country and to another country through money mules.
Juan Hardoy: So long story short, we set up this disruption system and with a lot of success. We have seen the number of Microsoft complaints come down dramatically over the last two years. And we have provided information, again, in the way of criminal referrals, to the Department of Justice. The Elder Strike Force has a money mule program. So we have collaborated extensively with them to help accelerate prosecution and also with the consumer protection agencies to help them recover the money and send it back to victims.
Nic Fillingham: Are there other ways that tech support scams find their way to, you know, unwitting end users? I know I haven't seen a pop-up in my daily life, running around the web, doing silly things, following random links on Twitter and Reddit and stuff. I have not seen a scam pop-up in many, many years. So well done. Congratulations. It looks like you guys are doing a great job there. However, I do still get these phone calls. I still do get tech support scams. Now, it could be as simple as just, my phone number is out there. And these scammers are buying lists, and they're calling - or they're just calling random numbers. I'm not sure what it is. What are some of the other ways, though, that we know of, that tech support scammers are utilizing to continue their operations and continue to either get new leads or follow existing leads? And then what work is the DCU undertaking to try and disrupt these methods?
Juan Hardoy: That's correct, Nic. I also do get spam calls, and I try not to answer. I try not to answer my phone. And maybe I learned that from my millennial children.
Juan Hardoy: But then sometimes they don't even answer my call. They want me to text them or send them a message, an instant message. So cold calls still exist. And it's another way to get to the victims. Together with other ways, like hybrid models where it would start with a phishing email and a telephone number in the phishing email - that's another way to get a victim to call the call center. And we have seen that lately. When we get those customer reports, we also get information on the telephone number that was used to call them - right? - and the identity or the names that have been used by those criminal organizations to impersonate Microsoft. This is - I'm Microsoft representative. My name is X or Y. Or I work for this antivirus company, and you have a problem with your Windows operating system.
Juan Hardoy: So all that information gets collected. We are able to marry and link malicious pop-ups with cold calls through either the company names or the telephone numbers that have been used. We also take leads to call back those numbers when our customers report to us that, from this number, they got a cold call.
Juan Hardoy: So we use two sources. The reason I didn't mention that in the first place is, telephone companies have improved their systems to disrupt cold calling. But it's a lot more difficult to disrupt calls from my phone to the scammer because my phone is a legitimate phone, and I use it for legitimate reasons. But if I call a telephone number that's in a pop-up, that's a lot more difficult to block or to disrupt than just having one telephone number calling the entire United States - right? - from overseas. So we have seen a decrease. But robocalls continue to be a problem. So now it's not even a human being calling me at home, it's a machine asking me to call back a number or putting me in touch with a call center if I answer.
Nic Fillingham: So Juan, what do we know about the types of services and technology that the scammers are using? And then, therefore, what work is Microsoft undertaking, if any? Maybe the answer to this is, this is not our role. But to partner with those tools and service providers to try and get them out of the hands of scammers - I'm thinking of some of the remote desktop client server makers. I'm thinking of voice over IP, software companies as well as services. I think these are part of the toolkit that the scammers are using. Does Microsoft have a role to play in reaching out to these tool makers and service providers and working with them to come up with creative ways of stopping their tools from getting in the hands of scammers or being utilized by scammers?
Juan Hardoy: We have them both. We have strengthened our technology to better protect our customers from fraudulent tactics, like SmartScreen alerting them when they are on bank, when they are navigating to a malicious website or dangerous place. And we have also reached out and worked extensively with financial services industry, with telecommunications industry, payment processors, fintechs, too. And those companies providing remote access tools. And the latest thing is - because once you think you have addressed one angle or one issue and made a product more secure, criminals will move on and try to use a new service or a new technology, right?
Juan Hardoy: So let me tell you what the latest is. The latest is the use of cloud platforms to commit their crimes. So instead of hosting their malicious pop-ups or the information on their victims on their own servers, they're using the cloud, the cloud of many cloud providers, including Microsoft. So that's why I also lead another program within the DCU called the malicious use of Azure, which is to protect the integrity of our cloud services and our customers. They have attempted, these criminal groups, these scammers, to leverage our cloud platform and host those malicious pop-ups, which are malicious websites, on our platform, on our cloud service.
Juan Hardoy: And we have also worked with other cloud providers because they oftentimes do it not only simultaneously in our cloud, but other clouds as well, other leading clouds. So we're collaborating with them even though they're our competitors. When it comes to cybercrime, it's important that we work together - also with the financial services industry because that's the way they get their money out. And we are very good at what I described. But they're a little better about tracing payments and transfers internationally and working within their community. And then, they obviously have information that we don't have access to and are not going to have access to. But they can leverage their own data and information to bring another criminal referral or do joint referrals, where they provide information they know to law enforcement. And we provide information we can provide separately, independently, to bring those criminal groups to justice and try to connect the dots internationally.
Nic Fillingham: Do the various remote desktop services that exist out there - and there's very many, you know? There's some built into Windows, sort of native Windows, remote desktop capabilities, as well as a lot of other services out there. Are they putting in extra steps or warnings or building technology to try and identify when these tools are being used by scammers and not in legitimate uses?
Juan Hardoy: They are. They have introduced alerts in their software to alert people that their computer is being remotely accessed. Even after the conversation has ended, sometimes, with the engagement with the scammer, they may remain connected to a computer. So they have introduced features to better protect customers. But unfortunately, people are not that tech savvy. And sometimes they are so afraid by the tactics and the schemes these criminals use that they will do some unreasonable things. So we heard of people going to supermarkets to buy gift cards to pay for their taxes. Nobody pays their taxes with gift cards. And even though the cashier would try to convince the person that it was a scam, because also those cashiers are trained when they are selling gift cards to identify or spot that a scam is being committed and try to prevent that from happening. People would insist, because they are totally convinced that they are going to either lose their data or somebody in their family will be hurt, which is a total lie from a scammer that's calling our system, doesn't even know where the person is.
Natalia Godyla: So Juan, you've shared a number of ways that Microsoft has successfully worked to stop scammers. But what hasn't worked in the past? Are there any tactics that Microsoft tried that just didn't successfully stop the scammers? It seemed like one earlier was that you couldn't really do one of the tactics in isolation, that you had to create a hybrid of education, enforcement, technical disruption. Anything else that we've tried that just didn't seem to stop them in their tracks?
Juan Hardoy: Well, first of all, even if it looks like a successful tactic, payment disruption, it has its downside, which is we have seen a dramatic decrease in customer complaints to Microsoft, so anybody involving our brand. And even in raids that were conducted with our technical assistance in India against call centers, we learned through law enforcement and courts that there were instructions not to use the Microsoft brand when scamming because Microsoft was protecting their customers. Unfortunately, we are hearing reports from other brands that customer complaints associated with other brands is increasing. We need to work here together - right? - because what we may do well to protect our brand and our customers will, perhaps, result in the criminals moving onto another brand or to another country. We concentrated in a group of countries where we had most victims. But then they would change languages and migrate to try to prey on other countries.
Juan Hardoy: So they're concentrating on our top issues, resulted on a migration. And then it's moving us to expand our reach and our scope and try to cover more countries. So languages that were not being used before, we're starting to see - for instance, customer complaints in Japanese language. Initially, all of this was English-based. And that's why you would see the U.S., the U.K. as countries coming up on top, Australia - and even Germany or the Netherlands, where many people speak English as a second language. But now they're moving to Spain, Japan, France. And they're making these calls in - or sending pop-ups in their own language, in local languages. Or even in India, we have seen a spike also of victims, right? That was revealed in our most recent tech support survey that was also the subject of the previous interview.
Juan Hardoy: The other thing is legal processes take time, as I said. We initiated a number of international legal actions. And we have brought civil actions in India. And we have run into the fact that legal systems have been set up for not this type of modern crimes - right? - where, as I said, these are transnational crimes. And you have evidence in one country, victims in another country, perpetrators in a third country. And even perpetrators, sometimes, are in multiple countries. Law enforcement has done a terrific job working internationally, trying to tackle this together. But as you can imagine, mutual legal agreements or assistance agreements for international law enforcement and for countries were created for different types of crimes, more traditional crimes.
Nic Fillingham: I wonder, Juan, if we could shift the conversation now in the direction of, what can folks do? And what should folks do when they either encounter a scammer - a potential scammer themselves or friends and loved ones? I thought I might start, actually, sort of technically. My understanding is that these tech support scammers seem to target consumers and individuals. They don't seem to target enterprises and organizations. First of all, is that a correct observation?
Juan Hardoy: That's correct. Although, very recently, we have seen these call centers for hire to work for scammers or cybercrimes that are going phishing, sending emails, and putting in telephone numbers in those phishing emails for people - for enterprises to call call centers. So phishing, business email compromise now is leveraging this call center capability because it's more difficult to detect when, you know, there's this call placed from the victim to the scammer. But overall - so this is for something very recent. But overall, you're right. The scammers have been targeting consumers.
Nic Fillingham: Sounds like you're saying that then the scam is targeting organizations or enterprise is happening. And it might not be at massive scale yet, but it is happening. Is there, then, any action that we recommend, or guidance for security professionals to take their sort of security policies - we recommend they implement their various sort of firewall rules. You know, should RDP be sort of disabled by default? Are there any sort of technical guidance that we sort of recommend?
Juan Hardoy: Yeah. We say that in every organization, there is at least one person that will click on everything, right? And it happens everywhere, OK? So one should assume that breaches will happen, right? And there should be security policies designed having that in mind. That's the first thing, so separating the network. Training - when it comes to organizations and enterprises, training is super important. And when it comes to consumers, educating consumers, awareness campaigns. That's, as I said at the beginning, the best thing we can do to reduce the crime, prevent the crime. People should be prepared to protect themselves - and equipping them with some tactics and go-tos, right?
Juan Hardoy: So for instance, if they receive a call, and if they have to answer the call even though they don't recognize the call - when they are being engaged by somebody pretending to be a reputable brand offering customer support, just hang up. We are not going to call your home. We don't place unsolicited calls. And report it to us. That's the other important thing they should do, report it to the authorities and report it to Microsoft if it's about the Microsoft brand, of course. Or report it to some other brand. If it was a call that was impersonating a bank, call your bank. Because with that information, we can do our work to better protect them. All of this that I'm telling you with doing disruption and enforcement and education stems from all those customer complaints, all that information and all those calls that our own customers made to Microsoft, giving us that information that helps us identify the largest players behind those scams and bring them to justice.
Natalia Godyla: As I wrap up here, Juan, can you tell us who's winning this fight? Do you have optimism that we'll get ahead of these scammers and continue to be ahead of these scammers?
Juan Hardoy: So let me share my optimism. I do believe that scalable problems can be fixed through this three Es approach - right? - education, engineering and enforcement, and also by all players working together, coming together, both public and private sector. There's not necessarily one thing we can do alone to resolve it. We in Microsoft have dramatically reduced the number of customer complaints, as I said, from 13,000 to 6,000. And it's decreasing every month. The problem is that, as I also mentioned, other brands - the impact to other brands is growing. So we, Microsoft, are committed to continue to protect our customers and to share our expertise and knowledge with all other members in this virtual coalition and that are willing to resolve tech scams. That's why I'm very optimistic. I have seen it work. In this other example I mentioned. I've seen it work in Microsoft as it regards to our brand. And I do believe that if we all bring to the table what we do best, we're going to see a decrease in brands and also governments around the world that are also being impacted.
Natalia Godyla: Thank you for that, Juan. I'm glad we got to end this podcast on a happy note. I have full confidence that Microsoft will continue to be doing great work. And thank you for being a part of that and this episode.
Juan Hardoy: Thanks a lot, Natalia and Nic, for having me today. It was a pleasure.
Nic Fillingham: Thank you, Juan.
Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.
Nic Fillingham: And don't forget to tweet us at @msftsecurity. Or email us at firstname.lastname@example.org with topics you'd like to hear on a future episode. Until then, stay safe.
Natalia Godyla: Stay secure.