[Senate Hearing 114-855]
[From the U.S. Government Publishing Office]
S. Hrg. 114-855
VIRTUAL VICTIMS: WHEN COMPUTER
TECH SUPPORT BECOMES A SCAM
=======================================================================
HEARING
BEFORE THE
SPECIAL COMMITTEE ON AGING
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
WASHINGTON, DC
__________
OCTOBER 21, 2015
__________
Serial No. 114-15
Printed for the use of the Special Committee on Aging
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
48-532 PDF WASHINGTON : 2022
SPECIAL COMMITTEE ON AGING
SUSAN M. COLLINS, Maine, Chairman
ORRIN G. HATCH, Utah CLAIRE McCASKILL, Missouri
MARK KIRK, Illinois BILL NELSON, Florida
JEFF FLAKE, Arizona ROBERT P. CASEY, JR., Pennsylvania
TIM SCOTT, South Carolina SHELDON WHITEHOUSE, Rhode Island
BOB CORKER, Tennessee KIRSTEN E. GILLIBRAND, New York
DEAN HELLER, Nevada RICHARD BLUMENTHAL, Connecticut
TOM COTTON, Arkansas JOE DONNELLY, Indiana
DAVID PERDUE, Georgia ELIZABETH WARREN, Massachusetts
THOM TILLIS, North Carolina TIM KAINE, Virginia
BEN SASSE, Nebraska
----------
Priscilla Hanley, Majority Staff Director
Derron Parks, Minority Staff Director
C O N T E N T S
----------
Page
Opening Statement of Senator Susan M. Collins, Chairman.......... 1
Opening Statement of Senator Claire McCaskill, Ranking Member.... 2
PANEL OF WITNESSES
Frank Schiller, Computer Tech Scam Victim........................ 4
Lois Greisman, Associate Director, Division of Marketing
Practices, Bureau of Consumer Protection, Federal Trade
Commission..................................................... 7
David Finn, Associate General Counsel and Executive Director,
Digital Crimes Unit, Microsoft Corporation..................... 8
Lew Polivick, Deputy Director, Legal Services of Southern
Missouri....................................................... 10
APPENDIX
Prepared Witness Statements
Frank Schiller, Computer Tech Scam Victim........................ 31
Lois Greisman, Associate Director, Division of Marketing
Practices, Bureau of Consumer Protection, Federal Trade
Commission..................................................... 34
David Finn, Associate General Counsel and Executive Director,
Digital Crimes Unit, Microsoft Corporation..................... 46
Lew Polivick, Deputy Director, Legal Services of Southern
Missouri....................................................... 56
Statements for the Record
Frank Schiller, Computer Tech Scam Victim, Exhibits 1 and 2...... 65
VIRTUAL VICTIMS: WHEN COMPUTER
TECH SUPPORT BECOMES A SCAM
----------
WEDNESDAY, OCTOBER 21, 2015
U.S. Senate,
Special Committee on Aging,
Washington, DC.
The Committee met, pursuant to notice, at 2:30 p.m., Room
562, Dirksen Senate Office Building, Hon. Susan M. Collins,
Chairman of the Committee, presiding.
Present: Senators Collins, Cotton, Tillis, Sasse,
McCaskill, Nelson, Donnelly, Blumenthal, and Kaine.
OPENING STATEMENT OF SENATOR
SUSAN M. COLLINS, CHAIRMAN
The Chairman. The Committee will come to order.
Good afternoon. Today, the Aging Committee is continuing
its focus on scams targeting our seniors. Our Fraud Hotline
recently was contacted by a senior who reported that he had
received a troubling call from a man who claimed to be a
Microsoft support technician. This so-called tech support
representative told the senior that his computer had been
hacked and was about to crash.
Understandably concerned, the senior followed instructions
to log onto his computer and provided the caller with
information that would enable him supposedly to fix the
technical problem. By providing the caller with this
information, the senior inadvertently gave the scammer remote
access to his computer. In addition, the con artist
successfully convinced him to provide his credit card number to
cover the $300 fee to fix the computer problem.
When the con artist called the senior back a few days later
to ask for even more money for supposed computer upgrades, he
realized that he had been scammed.
Over the past year, our Committee's Fraud Hotline has
received more than 70 complaints about this kind of scam, with
the majority of calls occurring within the past three months.
As our witnesses today will attest, the incidence of these
scams is increasing dramatically. In fact, Microsoft estimates
that approximately three million Americans fall victim to
technical support scams annually.
In another far too prevalent version of this scam, the con
artist uses malware or spyware to infect the computer with a
virus so that its user is locked out. Not surprisingly, the
scammer will then charge a fee of several hundred dollars to
rid that computer of the implanted virus.
In yet another variation, seniors have been offered a
senior citizen discount if they are on a fixed income and
cannot afford the initial price cited by the scammer.
According to Microsoft, these computer tech support scams
cost Americans an estimated $1.5 billion a year, but even more
chilling than the enormous amount of money that criminals are
stealing through these scams is the massive scope of personal
and financial information to which these con artists have
potentially gained access. By breaking into a victim's
computer, a thief could gain access to information such as bank
account and credit card numbers, passwords to investment
accounts, Social Security numbers, and other personal
information that could enable criminals to continue to steal
from their victims.
Today's hearing will examine these troubling computer
scams, efforts that could help prevent Americans and our
seniors, in particular, from falling victim to them, and
efforts being made by Federal agencies and law enforcement and
the tech industry to stop these scams and to prosecute the
criminals who perpetrate them.
I am very pleased to welcome Frank Schiller of Peaks
Island, Maine, to our hearing today. Unfortunately, Mr.
Schiller is far too familiar with this type of computer tech
scam and he has graciously agreed to share his experience with
us about how a call led to his loss of more than $1,400 to a
con artist.
Putting a stop to the multitude of ruthless and endless
scams that target our seniors is among our Committee's top
priorities. To date, this year alone, our Fraud Hotline has
received almost a thousand calls reporting on nearly 30
different scams, including this scam that we are examining
today. It seems the inventiveness of con artists is endless and
they will constantly evolve and come up with variations on
scams and brand new ones to target our seniors.
It is my hope that the hearings that we are holding will
help shed light on these scams, alert and educate our seniors,
and prompt law enforcement to more aggressively go after and
prosecute scammers who deliberately prey upon seniors.
I look forward to hearing from our panel of witnesses
today, and I am now pleased to call on our Ranking Member,
Senator McCaskill.
OPENING STATEMENT OF SENATOR
CLAIRE McCASKILL, RANKING MEMBER
Senator McCaskill. Thank you, Chairman Collins.
Today's hearing highlights the latest scam preying on our
Nation's seniors, the tech support scam, but when you think
about it, these scams have been around for ages. They are
confidence scams, pure and simple, and if there is one thing
many seniors are not confident about, it is technology.
It makes perfect sense that these fraudsters would cling to
a senior's insecurity about technology to swoop in under the
guise of assistance. Not only do these scammers charge for
their, ``services,'' they also get access to personal data and
financial information that could potentially be used to further
other crimes. We are all very familiar with the dangers that
can occur when identifying information gets into the wrong
hands.
Technology scams are on the rise, so much so that the
Federal Trade Commission has now turned them into their own
category, and fighting them will not be easy. On the criminal
side, you have anonymous actors who can work from anywhere with
a computer and Internet access, and they can find victims,
especially seniors, who are not very adept at understanding
what is actually happening on their computers.
What can be done here? Consumer education helps, for sure,
as does more robust law enforcement against scammers. However,
there are a variety of consumer education organizations and a
number of law enforcement entities. Often, what is the most
disconcerting in these cases is they do not talk to each other
and share what is working and what is not working. A general
lack of collaboration makes it much more likely for criminals
to succeed in defrauding victims and much more likely that a
victim will not even recognize that he or she is being scammed.
In Southern Missouri, however, leaders from many of these
groups have decided to come together to fight fraud. In 2013,
Legal Services of Southern Missouri brought together local law
enforcement, the Federal Bureau of Investigation, the Missouri
Attorney General's Office, the U.S. Postal Inspector, and the
Better Business Bureau to create the Consumer Fraud Task Force
of Southern Missouri. This group meets at least quarterly and
shares information with each other and the public in an effort
to stem the tide of these scams. I am pleased that we are
joined today by Lew Polivick from the Legal Services of
Southern Missouri to talk about this effort as well as the scam
schools his group has set up to partner with senior groups to
teach seniors about new scams and ways to protect themselves.
I am eager to hear from both government and industry
witnesses today to get a sense of what we can do in Congress to
help fix these problems.
Once again, I want to thank our Chairman for calling this
hearing and to our witnesses for joining us to discuss this
problem today. I look forward to hearing your testimony.
The Chairman. Thank you very much.
Before turning to our witnesses, I just want to welcome the
other Committee members who are here today, Senator Tillis,
Senator Cotton, Senator Kaine, and the former Chairman of this
Committee, Senator Nelson. Thank you all for being here.
Senator Nelson. Madam Chairman, you are continuing the
tradition of this Committee in the way of really going after
the issue and I appreciate you bringing it up. How many of
these scams have we heard over the course of the last three
years?
The Chairman. An endless number.
Senator Nelson. Just another one happened the other day in
Florida. A woman who had lost her husband suddenly had the
phone call she had won $100,000 in the lottery, that her late
husband had purchased a ticket that she did not know about.
That was the scam, and of course, she started paying, so thank
you for doing this.
The Chairman. That is a truly cruel----
Senator Nelson. By the way, there are a bunch of our bills
out here.
The Chairman. Yes.
Senator Nelson. We ought to get the leadership to combine
the bills and bring them to the floor.
The Chairman. Hear, hear. I certainly agree with that, as
well.
We are now going to turn to our panel of witnesses. As I
said, I am delighted to welcome Frank Schiller from Peaks
Island, Maine. To get here, understand that Mr. Schiller has to
take a ferry first from the island to Portland and then fly to
Washington. He has made an extra effort to be here today and I
very much appreciate his willingness to share his personal
experience in dealing with tech support con artists.
Next, we will hear from Lois Greisman, who has testified
before us previously. She is the Associate Director of the
Division of Marketing Practices of the Bureau of Consumer
Protection at the Federal Trade Commission. The FTC is the lead
civil law enforcement agency combatting these scams and also in
charge of educating consumers.
We will then hear from David Finn, the Executive Director
of the Digital Crimes Unit at Microsoft Corporation. He is
married to someone who graduated from a fine Maine college,
Bowdoin College, so we know his testimony will be excellent
today.
He will talk about the extensive work that Microsoft is
doing, both on its own and in collaboration with law
enforcement, to combat these scams, and finally, we will hear,
as our Ranking Member has already indicated, from Lew Polivick,
the Deputy Director of Legal Services of Southern Missouri.
Senator McCaskill, I think you introduced him in your
opening statement. If you want to add anything now, you are
welcome to do so.
Senator McCaskill. I am just--I am proud of legal services
generally. You all are woefully understaffed and underpaid
throughout this country. There is never going to be justice for
all unless everyone has access to legal services, and we are
falling way short of the mark in this country, and your
organization is doing the very best it can to keep up with an
absolutely unmet demand of legal help among our Nation's less
fortunate, and I just am a big fan of people who choose your
work as their life's work, and thank you so much for being
here.
Mr. Polivick. Thank you.
The Chairman. Thank you.
Mr. Schiller, please begin.
STATEMENT OF FRANK SCHILLER,
COMPUTER TECH SCAM VICTIM
Mr. Schiller. Good afternoon, Chairman Collins, Ranking
Member McCaskill, and distinguished members of the Committee. I
am Frank Schiller. I am from Peaks Island, Maine, and I
appreciate the opportunity very much to be here today, albeit
perhaps as the distinguished dummy, to share my story as a
victim of a computer scam.
While the whole episode was and is extremely embarrassing,
I want to share my story with you and others today out of my
concern that these criminals are still preying upon seniors and
others. These people need to be stopped and their calls need to
be ignored.
As a short summary of my circumstances, on October 1 of
2013, I received a call at home from somebody calling himself
``Brad.'' He said he worked for somebody calling themselves the
Kavish Techno Software Company. He said that they had a
contract with Microsoft, or some probable company. He claimed
that they had identified some reports from Microsoft, many,
many problems with my computer's operations. He gave me a 32-
item alpha-numeric code. He said if I wrote it down, he could
verify my problems and further convince me that his concerns
about computer problems were legitimate if I went on my
computer.
I did write it down. I went on the computer. I followed his
instructions, very few of them, very simple, and sure enough,
what it showed was my computer's ID, its IP address. I am not
sure how he got that. I was kind of amazed, and he said, well,
now let me show you this. A few more instructions, and my
computer screen began to scroll, pages and pages and pages of
small groups of numbers. He said that was machine code, that it
was from programs that were cluttering up the computer which
were interfering with its operations.
How he had known my name--the call had been to, ``Is this
Frank?''--how he had known my phone number, how he had known my
computer ID or IPA, I have no idea, but his ability to identify
those things and to walk through that computer as easily as we
go through our front doors was impressive, so I continued.
He said, okay, he had software to clean the computer up and
to stop those malicious files. He gave me several options. One
was $349. For $79 more, you could get two years additional. I
said, okay, I could pay for it with Visa. He said, no, they
could not accept Visa because they had to work through the
Central Bank of India and Visa would not authorize payment to
there, so I would have to authorize Visa directly. I was still
suspicious enough to stay mute about that I had a cell phone,
and said, well, I would have to get off the phone with him and
call him back if he could give me a phone number. He did, with
an area code of 1-90-something or other, which is in my
material.
I talked to Visa. I authorized the payment. I hung up,
called back, got some very ruff person, not at all like a
professional at a company, I thought. He referred me back to
Brad, and the process was cleared. I got a couple of additional
programs for my computer. That was the end of that and Brad.
I ran those programs and it did not seem to do anything. I
mean, it did not hurt anything. It did not seem to help
anything. It did not do anything.
I found a support folder on my desktop at the time that had
a contact file in it and it had two receipts in there from
Visa, including transaction bank numbers, which are in the
material I have sent with my complaints.
Then it was quiet until December 16th, nine days before
Christmas, whatever. I got another call from Brad. He said that
his contract with Microsoft had been canceled and therefore, he
had to refund the money that they had charged me for those
programs. Fine. Send me a check, I said. He said "well, no, no,
no. We cannot do that. We have to process your refund the same
way that you made a payment. Again, Visa was not going to allow
a transaction from the First Bank of India. Oh, well, I am
sorry. The only thing we can do is transfer it into your
checking account." Well, this is where I get dumber.
It was right before Christmas, you know. You can always
find things, people that need things right before Christmas.
Okay. I gave him my account number, my routing number. He said,
look, I do this every day, day in, day out. I can put this
right in for you, press a few keys for me here and it will get
it done. Well, what I did was gave him control of my keyboard.
The next thing that popped up was a Western Union transfer
box. It came up. It flashed very quickly, miniaturized to the
size of a bottle cap. In the process, I noted this $980 figure
plug in. I said, well, what is that? Oh, well, I have to bundle
a few transfer requests in one. Do not worry. That was done,
gone.
The next day, I discovered the $980 had been withdrawn from
my checking account. I have got it in my testimony, but I
complained. I froze the account. I complained to the local
police department. I e-mailed a complaint to Western Union. I
filed--I closed the checking account. I filed formal grievances
with the Maine Attorney General's Office, the State Police
Computer Crimes Unit, the Federal Trade Commission. I got a
very nice piece of correspondence back from the Federal Trade
Commission giving me a complaint number and a counselor number
in case I needed to get more upset, or not.
The next day, after I had closed my bank account and
whatever, Brad called back, very upset. He wanted access to my
computer. Well, no, it did not work that way. I was not going
to do that again. They called me probably three times a week
for the next couple months. You know, it is why they invented
caller ID, but even then, it comes up ``unknown.'' You do not
quite know who is calling. You do not want to never answer the
phone, but it makes you feel different about answering your own
telephoned, and they vacillated between very courteous--we are
sorry, there had been a mistake, if you let us on your
computer, we will fix it--to very insistent--you need to get on
your computer now. I am not going there.
I think it is important that people know. I worked in
assisted living with elderly people. I used to give little
workshops to people. Do not trust people on the phone. Never
give your checking account information to anybody. Do not ever
do that. Well, I did, and it was a sequence of circumstances. I
was not trying to be sold something. They were trying to give
me money. You know, the timing in mid-December was pretty good
from their perspective. His knowledge of how my computer
worked, where it would go, what it would do was beyond anything
I had any imagination of.
I realize that chances of financial recovery are near zero,
but I am here today to share that story hoping that it helps
other people from falling into the same process, the same scam,
that it helps you in your work, that it helps these agents and
agencies in their work, honestly, to shut this down. I mean,
there is no reason, with all the technological capacity we have
on our side, that they should be making thousands of phone
calls a week to thousands of people with this just terribly
bogus information, just stealing them blind, and it does not do
anybody any good. I mean, we have got natural disasters. We
have got crises to deal with. We do not need to be giving it to
some ``Brad'' who I am sure is not helping out his family,
neighbors, and others that need help.
I thank you for the opportunity to be here, and when we get
to it, would be glad to answer any questions you have.
The Chairman. Thank you very much, Mr. Schiller, for your
willingness to come forward and share your personal
experience--very unfortunate personal experience.
Ms. Greisman.
Mr. Schiller. It has happened to a lot of us.
The Chairman. It does.
STATEMENT OF LOIS GREISMAN, ASSOCIATE DIRECTOR,
DIVISION OF MARKETING PRACTICES, BUREAU OF CONSUMER
PROTECTION, FEDERAL TRADE COMMISSION
Ms. Greisman. Thank you. Good afternoon, Chairman Collins,
Ranking Member McCaskill, and members of the Committee. I am
delighted to appear before you today to discuss the FTC's work
to fight tech support scams, which the FTC's consumer complaint
data indicates may have a disproportionate effect on older
consumers.
I will comment briefly on the nature on these scams, the
FTC's aggressive law enforcement efforts to shut down this kind
of illegal conduct, and then I will talk about our outreach and
educational initiatives.
As Mr. Schiller artfully described and as you have alluded
to, tech support scammers use a variety of means to lure
consumers into their traps and extract millions of dollars.
They may place cold calls, telling consumers their computer is
infected and in dire need of repair, as has happened in his
case. I too, have received such calls. Scammers also may place
pop-up ads offering free antivirus scans or enticing consumers
with software promising to speed computer performance. Further,
scammers may place ads with search engines so that consumers
who truly are in need of assistance reach out directly to them.
Whatever the method, the deception is plain. Scammers
impersonate a trusted name, such as Microsoft, Facebook,
Symantec. They falsely State the computer is infected, often
gaining remote access and displaying utility programs that to
an untrained eye do support the scammers' lies about infection
and the risk the computer will crash. The scammers then seal
the deal, claiming they can fix the problem for maybe less than
$100 or several hundreds of dollars. Overall, consumers have
lost well upwards of $100 million to scammers for repairs they
did not need, and those people who actually were in search of
true genuine technical support were not aided.
In late 2012, the FTC initiated a major crackdown, suing a
number of tech support scammers located in the United States
and in India. Working with several international partners, we
obtained solid orders that prohibit the misrepresentations we
challenged. Just late last year, we filed yet an additional
three cases against tech support scams, one of which again
involved a call center operating in India. That case settled.
The other two remain in litigation.
I assure you, we will continue to identify and sue tech
support scammers in the U.S. and abroad, working with Microsoft
and with other industry partners, but as the testimony
indicates, enforcing judgments against defendants located
offshore presents a real challenge.
Working with U.S. industry members and our colleagues from
Canada and the U.K., we have had a series of meetings with
people in India, with authorities as well as representatives
from Indian call centers and consumer groups, to develop an
action plan to tackle telemarketing fraud from Indian call
centers. We are not going to pretend we found a silver bullet,
but we have laid a foundation from which we will seek both to
encourage and support Indian law enforcement against illegal
telemarketers, and I am also very encouraged that so many of
our international partners are equally committed to combatting
tech support scams.
Education and industry outreach are indispensable
complements to our law enforcement work. ``Pass It On,'' which
I will hold up, and I hope each of your offices has taken a
close look at, is really our signature education effort aimed
at active older seniors. The goal is to encourage seniors to
share critical information about issues such as imposter fraud
with families and friends. Blog posts and videos on the FTC
site also spread the word about tech support scams, and our
collaborative work with the AARP Foundation, through which it
provides one-on-one peer counseling, is aimed at making it less
likely a senior who was victimized once will be duped a second
time.
One final point. From January through August of this year,
we received nearly 24,000 discrete complaints about tech
support scams, and nearly half of them were from consumers aged
60 or older. I cannot over-emphasize the value of these
complaints to the more than 2,100 law enforcers in the United
States and abroad who access these complaints through the
Sentinel data base. While it is not at all possible,
unfortunately, to assist each consumer, we do mine the
complaints, find commonality, such as company names, software
names, phone numbers, billing descriptors, all of which we use
to identify targets and build cases. In some cases, we do reach
out directly to the complainant for direct assistance by way of
a declaration or testimony in court.
I fully realize there are many reasons consumers do not
file a complaint, and in all too many instances may not even
know the tech support they received was a scam. Nonetheless, we
urge all who think they see such a scam or may have fallen
victim to one of them to file a complaint at FTC.gov.
I thank you and look forward to your questions.
The Chairman. Thank you for your testimony.
Mr. Finn.
STATEMENT OF DAVID FINN, ASSOCIATE GENERAL
COUNSEL AND EXECUTIVE DIRECTOR, DIGITAL
CRIMES UNIT, MICROSOFT CORPORATION
Mr. Finn. Thank you, Chairman Collins and Ranking Member
McCaskill and members of the Committee, for inviting me to
testify today. My name is David Finn. I am Associate General
Counsel and Executive Director of the Microsoft Digital Crimes
Unit.
My testimony focuses on technical support scams, the
largest ongoing consumer fraud perpetrated in America today,
victimizing 3.3 million consumers a year at an annual cost of
$1.5 billion. This translates to a victim nearly every 10
seconds, with an average loss of $454 per consumer.
Since May 2014, Microsoft alone has received over 180,000
complaints about tech scams. We know these complaints are
merely the tip of the iceberg. Customers of other software
companies are also being victimized, and many victims are not
even aware they have been scammed, but this is not a scam that
can be described in just statistics and dollars lost. Behind
every scam is the face of someone like Mr. Schiller, a
neighbor, a friend, a family member, or a senior citizen who
trusted in someone to take care of a seemingly serious problem
and had that trust abused as their pockets were being picked.
In an effort to persuade seniors--to protect seniors from
technical support scams, our Digital Crimes Unit has a team of
attorneys, investigators, forensic analysts, and business
professionals collecting information from customer-generated
leads, using big data analytics and working with the FTC, the
FBI, State attorneys general, and others in law enforcement.
Regardless of how the scammers initially make contact, the
key for them is to get potential victims on the telephone. Our
investigators have seen firsthand how the scammers bamboozle
consumers. Fake support agents typically take control of the
victim's computer and pop up fake warnings, saying viruses have
infected your computer, unwanted people are trying to steal
your information, foreign agents and Russian hackers have taken
over your machine, all a complete and utter fabrication by the
scammers. Having raised consumers' fears, the fraudsters then
typically sell an unneeded service to fix a nonexistent
problem.
Microsoft is pursuing criminals who prey on consumers, but
there is a limit to what one company or what one organization
alone can accomplish. In the wake of new and rising scams, the
State attorneys general have become very active. Their offices
are also seeing an explosion in the number of complaints. We
are eager to work more closely with State AGs on both consumer
protection and criminal enforcement actions, perhaps even
through a multi-State action, to deter and bring to justice
these criminals. Such a public-private effort combines the
technical expertise necessary to investigate these cases with
the leadership, legal authority, and regulatory might that
State AGs can bring to the problem.
Microsoft has also worked to support the FBI and the FTC to
put these fraudsters out of business. Since 2012, as you just
heard, the FTC has brought a number of cases targeting
technical support scams. We provided evidence and sworn
testimony in many of those cases and helped the Commission
staff with technical details. We have also worked with the FTC
to reach call centers abroad, where many of these criminal
entities are located, and last month participated in a call
center fraud roundtable which included Indian and U.S. law
enforcement in New Delhi, India.
Microsoft is also partnering with AARP to develop a series
of scam jams focusing on online safety for seniors, and we
continue these education efforts, for example, by hosting
senior groups at our Cyber Crime Center in Redmond, Washington,
and running awareness workshops for seniors in our retail
stores across the country.
To conclude, this is not a State or a Federal problem, but
both. It is not a public sector or a private sector problem. It
is both. While I have outlined the challenge I face, let me
also suggest a solution: aggressive and unrelenting enforcement
of State and Federal criminal and consumer protection laws that
bridge law enforcement agencies and cross jurisdictional and
international boundaries. While education is also an important
part of any response, criminals will only stop when their greed
is checked with concrete consequences, and that includes
prosecution, conviction, and, where appropriate, imprisonment
of the most egregious offenders.
Microsoft is committed to protecting our seniors and other
computer users around the country and to working with all
stakeholders to achieve our common goals.
Thank you for allowing me to be here today, and above all,
thank you for drawing attention to the challenge ahead of us. I
look forward to answering your questions.
The Chairman. Thank you for your testimony.
Mr. Polivick.
STATEMENT OF LEW POLIVICK, DEPUTY
DIRECTOR, LEGAL SERVICES OF SOUTHERN MISSOURI
Mr. Polivick. Thank you, Chairman Collins, and I thank
Senator McCaskill for inviting me to speak here today and
before this Committee.
From the point of view of a legal aid program, addressing
these scams, it has to be done through education of our
clients. Once the scammers have got a hold of their money, they
are not going to get it back and there is nothing we can do to
get it back from them. We can try to help them correct their
credit reports. We can ask them to stop credit charges on
cards, that sort of thing, but the money is gone, and these
people cannot afford this. You know, they are living--our
clients are at 125 percent of the poverty level or below. Many
are senior citizens, are on fixed incomes, and they are the
ones that can least afford this type of fraud.
To that end, our program in 2013 established a Consumer
Fraud Task Force of Southern Missouri, and with that, we have
partnered with the Federal Trade Commission, the Missouri
Attorney General's Office, the FBI, the U.S. Postal Inspector,
Better Business Bureau, local prosecuting attorneys and police
departments, to get the word out about these scams, to meet
quarterly to find out what new is going on, what efforts are
being made to address these scams, and to get the word out to
our clients and the general public.
Usually, this is done through press releases. We also have
partnered with Springfield news station KY3, who have
established a ``Scam of the Week'' segment of their news show-
--that is how bad it has gotten, they have a Scam of the Week--
to get the word out of what is going on and to educate people
not to deal with these scam artists.
We do outreach programs through what we refer to as scam
schools. We meet with people at senior citizens' centers,
health care providers. Various organizations such as the
University of Missouri Extension Service set up meetings for
us, and we pass out information about these scams, and other
things, as well.
We get the feedback from our clients that those meetings--
and although we do not have a whole lot of cases based on this
one scam, you know, where we are actually representing clients,
if you go to a meeting and say, how many of you have had this
scam where these people have called you wanting to do computer
repair, about half the room raises their hand. Most of them
know not to talk to them, luckily, but it is happening and it
is happening more and more often, apparently. My mother-in-law,
for one, gets one of these calls once a week from the same guy
and has for six months, so it is just going on.
Once these scammers have got their hooks into these people,
basically, what we tell them to do is, of course, change their
passwords, change their bank accounts, and get a credit report,
and that is how many of these people get to us, is they have
got their credit report and seen something strange on it. They
have gone to get a bank loan and they cannot get it because of
something on their credit report, which is a whole another can
of worms, which pushes these people from a legitimate bank over
to a payday lender to get the money they need, which creates
even more problems for them.
It takes time to correct credit reports. We have to help
them get the reports together from the police or FTC
complaints, whatever they have done, get them properly filed
with the credit reporting agencies, get scam alerts put on
their credit reports so that, at least for 90 days, no new
accounts will get established by the scammers. By the time the
people get to us, they have usually tried to do this on their
own, and unsuccessfully. They do not have the wherewithal to
get all these reports together and get them filed properly, so
once the scam has taken place, there is really not a lot we can
do. We do not have anybody we can sue. We cannot sue the
scammers. They are not there.
We do end up defending a lot of credit card cases, where
the scammers have gotten a credit card for one of these people
and end up selling it to a debt buyer. The account goes to a
debt buyer, who then goes after our client and sues them and we
have to defend the case. Usually, we can get an affidavit of
fraud and file it and the debt buyers will go away, but it is a
problem that takes attorneys' time and it takes clients' money.
If they cannot afford an attorney and they are not eligible for
our services, then they end up having to pay somebody to do
this.
It is a large problem for the low-income community and it
has some--as Mr. Schiller said, you get to the point where you
do not want to answer your phone. Computers for the low-income
population, especially, are family affairs. I mean, you have
got your kids who are going to school are using them. The older
people are ordering things or getting on Facebook, whatever.
There are all kinds of people in that household using that same
computer, and if the scammer gets the right person--that is the
reason they keep calling back over and over again. They are
wanting to get somebody else to answer the phone to try this
scam on.
In my mother-in-law's case, she is afraid her husband is
going to answer the phone. He has got Parkinson's now and is
going downhill a little bit, and she does not want him
answering the phone because of this, so anyway, it is a large
problem, and again, education seems to be the biggest clue, or
the biggest thing we can do at this point, is get the word out
about it so people do not talk to the scammers.
Thank you.
The Chairman. Thank you very much for your testimony.
Education is clearly a key part of solving this problem and
one of the reasons why we are holding this series of hearings
and hearing from people who have fallen victim, like Mr.
Schiller, but I want to go back to a point that Mr. Finn made,
that we really need, I believe he said, aggressive and
unrelenting enforcement actions if we are really going to stop
these scammers.
Mr. Schiller did everything right once he found out that he
had been scammed. He went to local law enforcement. He went to
the State attorney general's office. He filed a complaint with
the FTC, and yet, as he said in his testimony, the chances of
him ever recovering the $1,400 that he was scammed of--which is
a lot of money--are very slim.
Ms. Greisman, I want to go to you in this regard. I know
the FTC is taking--trying to go after these scammers. I
understand how important it is for consumers to complain, file
a complaint so that you can analyze and see patterns, but how
many actual recoveries have you made that have resulted in
restitution to the Mr. Schillers who are out there?
Ms. Greisman. Unfortunately, we do not have a great track
record, I have to be candid about that, not for lack of trying.
When we file these actions, we often file them as an ex parte
TRO, and one of the first things we do if the court so
authorizes it is freeze any assets in the United States. What
we have seen with a number of cases that we filed, we believe a
good chunk of the money is offshore. We have successfully
obtained relief where there are U.S.-based assets, but if they
are offshore, it is a huge challenge.
The Chairman. We know from this hearing and from others
that we have had that, frequently, the scammers are offshore,
too. We looked at the Jamaica lottery case where the answer
became more cooperation with the local government and
extraditing the criminals and putting them in jail, prosecuting
them. What efforts are underway with India, in particular,
since that seems to be a source of boiler rooms that engage in
these frauds.
Ms. Greisman. Well, I would like to be cautiously
optimistic we are making progress. As Mr. Finn mentioned in the
testimony, we have had a number of meetings with them. We do
think they have economic incentives to take this seriously and
be as concerned about it as we are, and we are just going to
have to see how our cooperation progresses.
The Chairman. Mr. Schiller, you mentioned to me that you
worked for an Area Agency on Aging, that you actually put on
telemarketing seminars to warn people against scams. You are
obviously a very intelligent and knowledgeable individual, and
yet Brad was able to convince you to give him access to your
computer. Do you think that it was because it was a technology
issue that you were able to be convinced as opposed to if
someone had called you up and said, you have won the lottery,
just send us money and we will give you the payment? Do you
think it was technology?
Mr. Schiller. I think you are right. Yes. You know, as I
said, I know what an IPA is. It is your computer's
identification number. How he had that out of that machine, I
have no idea, plus my name, plus my phone number, with no prior
indication at all that I had been hacked or anyhow invaded on
that. I mean, it had not happened, so yes, he was coming from
somewhere and that impressed me, and I do not know how I am
going to even ever overcome that. I cannot understand--I am
still scratching my head about Windows 10 now. You know, there
is always a new world, the older you get.
Yes, it is a technological issue, but the principle is the
same. If it sounds good, do not believe it.
The Chairman. I think that is good advice, and believe me,
a lot of us, when we see upgrades, we always hesitate whether
that is for real or is it someone trying to implant a virus
into your system, so I am very sympathetic.
Finally, I just wanted you to share with everyone what
happened just last week when the Committee staff was calling
you to talk about this hearing. Who called?
Mr. Schiller. Someone from John--someone calling
themselves, this is John Boehner. I am calling from the
Microsoft Support Team. Microsoft has been getting reams and
reams of error reports for weeks from your machine. Apparently,
you are not paying attention to this.
The Chairman. Even in the midst of your preparation for
this hearing, you got yet another call.
Mr. Schiller. That was Friday, yes.
The Chairman. Thank you.
Senator McCaskill.
Senator McCaskill. Thank you. I hate to be like a broken
record. I know you know what is coming, Ms. Greisman, because
we have been down this road before, and I know this is not your
call, but we have got to put somebody in jail. We have got to
put somebody in jail for these folks to take us seriously.
I would ask both you and Mr. Finn, with the diagnostics you
have, Mr. Finn, and the capabilities you have, what do you see
as the major impediment to imprisoning these people? I mean, if
you look at the amount of money and time we spend going after
robbers in this country, compare and contrast the amount of
time and energy we spend going after robbers that are depriving
seniors of their money, their dignity, and more importantly,
isolating them.
What they are doing is beyond cruel, because if you are a
senior and you feel like you cannot answer your phone, then
your life can become incredibly lonely. Your life can be so
limited to the walls in your home, your inability to be mobile,
your inability to interact like you used to when you were much
younger in social situations. It just is so frustrating to me
that we cannot collectively get the political will to decide
that some of these people need to go to prison.
Can either of you help me help you light a fire under local
prosecutors or DOJ, because, you know, I know they are hard to
catch, but with your help, Mr. Finn, if your company and others
like your company are serious, we can get them. We can get them
much more effectively than if we try to do it without you.
Mr. Finn. We can. I think we can, Senator. I think, as
Senator Collins said, these are ruthless criminals, and that
means that they need to be dealt with in a very severe way.
I think one of the opportunities here is to leverage some
of the capabilities that the Microsoft Digital Crimes Unit has
to offer to law enforcement, and that includes using big data
and analytics and visualization. These are--we have some
technologies that enable us to better track and trace the cyber
criminals, put the pieces of the puzzle together, and then
actually quantify the harm.
Part of what I think is going on in the cybercrime space is
that it feels invisible to a lot of people. It does not feel
invisible to Mr. Schiller or to any of the millions of people
who have been victimized by these phone calls, but I think, for
some of the people sitting in difficult positions where they
have to prioritize cases and they are looking for the evidence,
it is not as easy or it is not as simple as maybe some other
conventional crimes that law enforcement has worked on for
years and years.
In the 21st century, where we have capabilities to use big
data and analytics, the kinds of things that we at Microsoft
have an opportunity to share, I think we can do things to fight
cybercrime that can really make a difference and we are working
very closely with the FTC, we are working closely with the
State AGs, and I am pleased to say we are also now working
closely with the FBI. We are sharing some of this big data and
analytics. I think we can do much more to quantify the harm and
then put these cases at the top of the priority list where they
belong.
Senator McCaskill. Ms. Greisman, is there an effort, and
maybe either one of you can speak to this, and perhaps even Mr.
Polivick can speak to it, are we reporting under the Uniform
Crime Statistics, the FBI, reporting crime statistics about
these crimes? Are they--when communities are compiling how safe
their communities are, are we even counting these crimes?
Ms. Greisman. I honestly do not know the answer to that. I
can look into it.
Senator McCaskill. Do you know, Mr. Finn?
Mr. Finn. What I can say is I know that there are
complaints made to the State AGs' offices. There are written
complaints made to Microsoft. There are complaints made to the
Senate. I think part of what is powerful about using the
analytic tools is we can see the thousands and thousands of
people who have clicked on the advertisements of the top
criminal targets, so that is how you quantify it, because the
fact is many of the victims are too ashamed, too embarrassed to
come forward. Many of them do not come forward because they do
not even know they have been a victim. They paid good money to
solve a nonexistent problem, so they did not know it was a
nonexistent problem.
Senator McCaskill. Right.
Mr. Finn. Our opportunity actually is to give a real clear,
concrete shape to the problem which is otherwise invisible
without the data.
Senator McCaskill. I know that Channel-3 has huge reach in
Southwest Missouri. Have you had any luck with any of the--have
you all reached out to any of the radio networks? I am thinking
of some of our--as you well know, having--if you drive through
the Delta area of the Bootheel, radio, local radio is still a
very big presence in many Missourians' lives, especially in
rural communities. Has there been any effort to reach out to
MissouriNet or any of the networks to maybe feature scams on
any of their programming?
Mr. Polivick. They are doing that to a certain extent, but
I think it is the University of Missouri Extension Service that
is doing that.
The Chairman. Would you turn your microphone on, please.
Mr. Polivick. I am sorry. Yes. The University of Missouri
Extension Service is doing that to a certain extent in
Southeast Missouri, as well as the television station in Cape
Girardeau which serves most of the Bootheel----
Senator McCaskill. Right.
Mr. Polivick [continuing]. and Northern Arkansas. They do
scam alerts quite often, not quite a weekly basis----
Senator McCaskill. Right.
Mr. Polivick [continuing]. but two or three times--two
times a month, probably.
Senator McCaskill. Right.
Mr. Polivick. Yes, there are people doing that.
Senator McCaskill. Great. Thank you.
The Chairman. Senator Tillis.
Senator Tillis. Thank you, Madam Chairman, for another very
important meeting.
Mr. Schiller, you said you were the dummy on the panel, and
I do not think you are a dummy at all. I think you are a very
courageous person and I appreciate you being here and being
willing to testify.
I had a quick question for you. When you said that this
lowlife called Brad gave you a number, did you go onto a web
browser and enter that number in? What exactly did you do with
that number that he gave you over the phone?
Mr. Schiller. No. He read me the number, you know, like
AB36N, whatever, to write down. I wrote it down. Then, with him
on the phone, he walked me through some steps with my computer.
The computer then generated that number.
Senator Tillis. Got you. That kind of explains how he ended
up getting into your PC. I was just kind of curious. One thing
I will tell you, during this----
Mr. Schiller. Well, was that a chicken or the egg? I mean,
if he had that number, did he get it out of my computer? I
mean, he gave me the number, and then he----
Senator Tillis. Yes. I think what you ultimately did was
provide him--it is a common practice, Microsoft support and
other legitimate technical support organizations, common
practice for them to set up what they call an IP connection, a
remote connection to potentially get into your computer, which
is what enabled him to make your screen look funny and do the
things that it did.
I will tell you, it is just about education. The reality
is, somebody as educated and as informed as you, we will never
get the broader population probably as educated as you were
with these scam artists working the way they are, which is why
I want to get to enforcement and prosecution, but I will tell
you, just a part of the education must be how much of your
information is available online to make them seem like they are
informed. In the time that the panelists were discussing, I
went online. Either you or a family member had a CompuServe e-
mail address at some point in time, and a lot of other
indicative data. I could be Brad on the phone with something I
did on my cell phone here.
Just a quick query. We need to let everybody know that if
somebody calls you over the phone and pretends--under no
circumstances would any legitimate technical organization
approach you that way. It is the same thing with all the other
scams that we have seen here, and I appreciate you being here
to testify.
Ms. Greisman, this may not be for you--and Mr. Finn, I have
a question for you about the underlying technology that
Microsoft and some of the other major platform providers may be
able to do to innovate and make this less likely to occur--but,
has there been any thought given to trying to define the--you
know, this guy Brad, I just want to call him a lowlife because
we know that it is not his real name. There is kind of a
criminal enterprise going on here. He happens to be the person
on the phone, but in Mr. Schiller's testimony, you mentioned
you called back, somebody else is on the phone. Has there been
any thought given to trying to define this as a broader
criminal enterprise, and would there be any advantage to doing
that in terms of additional options for prosecution? Has there
been any discussion along those lines?
Ms. Greisman. Not directly in that regard, but to follow-up
on the criminal side, we do have a Criminal Liaison Unit whose
sole goal is to get follow-on criminal prosecution on some of
the consumer protection cases we have brought, because we know
that what is going on is absolutely criminal. I assure you that
that unit is extremely active and particularly active in this
area.
Senator Tillis. What about other leverage over--just
because of the concentration of technology in India, it is not
surprising to me that is one of the source countries. I am sure
there are other ones. What sorts of discussions have we had
with foreign jurisdictions to not only seek their cooperation,
but potentially have a consequence if there seem to be these
clusters within countries where they seem to be the biggest
source of problems for the fraud occurring in the United
States? What have we done there, or what kind of leverage do we
have over other jurisdictions?
Ms. Greisman. Well, we have engaged in a number of meetings
with India, in particular, and with other countries where we do
see call centers targeting not just U.S. consumers, but
English-speaking consumers throughout the country. A number of
meetings have been had. We are working directly with not just
law enforcement counterparts there--and law enforcement
counterparts, I am referring both on the civil and criminal
side--but industry. The legitimate call center industry in
these countries has strong economic incentives not to lose
American business, so I think that is another leverage point
that we have.
Mr. Finn. If I could just--I just want to underscore a
couple of things. First, Senator Tillis, I want to stress
something you said and I want to be clear on the education
front. Microsoft will never make an unsolicited, cold telephone
call to someone about technical support.
Senator Tillis. Is that also true of your certified
partners?
Mr. Finn. It is a little bit harder for me to say what
everybody else will do, but you will never get a call from
Microsoft in that way.
Senator Tillis. It could be a good consideration for your
certification program, to make them adhere to the same.
Mr. Finn. They cannot. Our certified partners, that is not
the practice, but if there are partners who are doing this,
they should be prosecuted, as well, I will say.
Senator Tillis. Go ahead.
Mr. Finn. The only other thing I wanted to add to your
question about the criminal laws, I mean, when I was a
prosecutor at the U.S. Attorney's Office in New York City, I
mean, the bank fraud statutes that we have used for years and
years, those would apply to this conduct. The wire fraud
statutes would apply to this conduct, and as you pointed out in
terms of the kind of enterprises behind this, even the RICO
statute might apply to this statute, so there are old tools in
the prosecutors' tool chest that would apply, and there would
be some new ones, the Computer Fraud and Abuse Act, as well,
but the fact is, there are some bedrock criminal statutes that
can be used to really hold these people accountable.
Senator Tillis. Well, one final question, Chair, if I may.
The technology providers, in particular, I think, are at a
position where at least if--if I think the manner that was used
to get access to Mr. Schiller's computer--what sort of work is
Microsoft doing? I know you are not in the R&D department, but
what sort of work are you all doing to provide a warning--
because basically what you are doing is opening up the back
door to your computer, which is what allows some of these--not
all the scams, because some of them are just pure acting out on
the phone, but what sorts of additional layers of protection
are you providing? That is one question.
The other one, right now, with Windows 10 upgrade being
pervasive, a lot of people going through it, some of them going
through technical problems, my guess is a year from now we are
going to see an uptick in some of these scams because they are
ripe for it. There can be apparently legitimate reasons why you
need tech support while you are going through the upgrade. Mine
went fine, by the way, and mine is a relatively new computer,
but I think that we have to even have a heightened concern,
because there are tens of millions of Microsoft-based platforms
that are going to go through an upgrade over the next 12 to 14
months. What steps are you all taking to make sure that they do
not take advantage of this transition?
Mr. Finn. Well, one of the most significant features in
Windows 10 are some security capabilities, including that
Windows Defender is built into Windows-10, so that is a
capability that is going to help protect computer users in a
new way and a significant way, so that is the first thing I
would say.
I think the second thing is, we have seen some of these
scammers. I mean, it is all about winning over the trust of the
victim, so they are going to leverage the names of reputable
brands, like Microsoft, to win the trust, and then one of the
things they do that is particularly cunning is they do things
like what Mr. Schiller pointed out, ask Mr. Schiller to run
certain commands and then the screen looks to a non-technical
person like something is a miss, and one of those things is a
vent viewer, and that can show apparent error messages. Those
error messages are very benign, but they are actually very
useful for IT pros when it comes to troubleshooting, so they
are useful.
I will say that the people at the company are aware of what
criminals are doing and we are constantly trying to simplify
these things, but we recognize that the criminals will be
shrewd and cunning and we need to react, as well.
The Chairman. Thank you.
Senator Kaine.
Senator Kaine. Thank you, Madam Chairwoman, and thank you
to the witnesses for the testimony.
Mr. Finn, you mentioned in your testimony briefly that
Microsoft has a partnership with AARP that is focusing upon
some consumer education and I wondered if you might elaborate
on that a little bit more. Talk to us about that partnership.
Mr. Finn. Sure, Senator. We recognize that education is so
important, we are doing things with AARP. We have started to
have these scam jams where we bring people from the AARP--se
have senior Microsoft leaders there, too--to talk through the
issues, some of them--in the same way this hearing is shining a
light on the problem, we want to shine a light on it and then
give the tips, the tips like a Microsoft--Microsoft will never
make an unsolicited call to you. Tips like, do not click on a
pop-up that says your machine is infected. You know, if you
have a problem, contact support.microsoft.com. Contact
Microsoft's customer assistance if you have a problem. Contact
the customer assistance line of the computing manufacturer. We
want to make sure that seniors and others really can avoid this
sort of victimization that we hear so much about, and we are
doing these trainings in some of our retail stores around the
country, so there is a lot we know we have to do. I really
agree with the fellow witnesses that education is important and
we need to keep working on that.
Senator Kaine. Thank you.
Ms. Greisman, you were talking about the call centers and
maybe targeting some of the call centers, in particular, you
were talking about in India, but wherever they are. Are some of
these scams coming out of call centers that are not just
illegitimate, but do plenty of legitimate business, too, and
then this is just kind of like a little component of what is
going on in the call center?
Ms. Greisman. That is a good point. We do have a real
concern that in India and perhaps in other countries, there are
small pockets of operations in an otherwise larger call center
that is otherwise legitimate, whether they just have too much
extra capacity, too much extra bandwidth and are using it for
illegal purposes, but that is a real suspicion that we have.
Senator Kaine. You know, if that suspicion could reach an
appropriate level, you know, putting lists of call centers on,
you know, as you are doing commercial work and you want to do
work with call centers, and so many companies do, here are some
call centers that are under the subject of some active
investigation right now, it might warn American companies away
from using certain call centers. We should make it painful on
anybody who is trying to do legitimate business, make them
self-enforced and make sure that there is not illegitimate
business being conducted in that location, so that is just a
thought, and I will tell you, the last thing I want to say is
this to the Chair and Ranking Member. I am relatively new to
this Committee. You know, this Committee is making me a very
suspicious person.
I was not so suspicious when I got here, and I will just
tell you, I was just thinking of one today, I mean, literally
as we are having this hearing. Somebody came up to me the other
day and said, ``I send you e-mails all the time and you never
respond.'' Now, that is just not the way my office operates,
but I took his name and information and I went back and I said,
here is this senior citizen who says he sends us e-mails and we
do not respond. Well, we were able to track three instances. He
had sent us an e-mail and we had responded. We reached back out
to him. He acknowledged those, but, he said, ``No, but I have
sent you so many since then and you never respond.'' It looks
like what is happening is he is not sending e-mails to us but
some advocacy organization is maybe reaching out to him-----
Senator Donnelly. They are actually going to my office----
Senator Kaine [continuing]. and asking him to do e-mails,
but it may be that the advocacy organizations--I mean, it did
not occur to me. We were just talking. We are trying to figure
out, okay, good. We are responding to his e-mails. That is
great, so now we do not have a problem. Now I am sitting here
thinking, well, maybe this, ``advocacy organization'' does not
have anything to do with advocacy and maybe they are just
trying to get him, and maybe get some information from him and
say they are going to forward the e-mail to the Senate, but the
whole thing may be some information fishing operation, and I
did not think of it until during the middle of Mr. Schiller's
testimony.
I have got more work for my staff to do when I go back to
the office, so thank you for making me a suspicious person.
The Chairman. Thank you, Senator.
Senator Donnelly.
Senator Donnelly. Thank you, Madam Chair.
Mr. Finn, Indiana's Attorney General's Office has reported
48 complaints this past year related to tech support scams and
13 consumers falling victim to that. Microsoft--in your
testimony, you said it believes that this is one of the largest
forms of fraud against consumers in the United States. Can you
describe the scale of this problem from Microsoft's
perspective?
Mr. Finn. Sure, Senator. I think our indications are that
the quantity of people who have been harmed is really--way
exceeds the sort of numbers of just the people who complain.
The facts are that many people who have been victimized are too
embarrassed, too ashamed to come forward, so complaint
statistics alone are not the best indicator. In addition, a lot
of the people who have been victimized do not even know they
have been victims because they purchased something that they
thought was solving a problem, and, of course, it was not a
problem at all, but we also have data that tells us that it is
much, much larger. We believe that the number of people who are
harmed is 3.3 million people annually at a cost of $1.5
billion, so that is the full statistics.
I can tell you, Senator, that just in the State of
Indiana--I mentioned before that we can use big data and
analytics to see some things that you cannot just see through
anecdotal and individual complaint reports. In the State of
Indiana just in the last 90 days, from the top six companies
that we believe are criminal organizations stealing from
people, including many senior citizens around the country,
there have been 245,000 times--individual times--that
advertisements from these criminal organizations appeared to
Indiana--on the machines of Indiana residents.
Senator Donnelly. This is in a State with 6.6 million
people.
Mr. Finn. Right, and that is just ninety days, and that is
just on our search engine. The facts are that the complaints
are significant and we can use that, use that in criminal
cases, but the opportunity here, as I have said before, is that
if we harness the big data and analytic capability that
Microsoft's Digital Crimes Unit feels we must and that we are
sharing with law enforcement, we really have an opportunity, I
think, to do so much more in this space to protect people.
Senator Donnelly. Well, let me ask you about this. Another
woman from Indiana got a cold call and it said there was a
problem with your computer. She did not have a computer, so she
was able to deal with that, but for those who do, when that
call comes in, what are some of the things you can do to detect
that call, to deal with it, to handle it? What are some of the
best recommendations that you have?
Mr. Finn. Well, the first thing is, you get a call from
someone that is unsolicited talking about technical support,
hang up. That is the first thing. That is not a legitimate
effort to sell anything to you, so that is the most important
message, I think, to people if they get that phone call. Do not
continue it. Hang up.
We do know that people do sometimes have malicious software
on their machines and they may need help, and for that reason,
we really suggest to them they contact Microsoft. They contact
our customer support. They contact the manufacturer of the
computing device, contact their customer support, and the fact
is, there are hundreds, thousands of reputable companies who
provide technical support to people. The guidance is simply,
just as if you have a problem with your car and you want to go
find a mechanic, you are careful about what mechanic you go to.
You want to have someone you trust and you have heard is a good
mechanic, an honest one. I would say that the same thing goes
for finding help with your technical help.
Senator Donnelly. Well, let me ask you this. Back about a
year ago, in August 2014, I held a field hearing back in
Indiana on scams against seniors, and we have a great group in
our State, and I know other states do, too, the Senior Medicare
Patrol Program, to try to help seniors to avoid these kind of
things.
This would be to the whole panel. What is your best
recommendation, what you have found to be the most productive,
most helpful, in trying to warn seniors of what might be coming
down the line in terms of scams against them, what to look out
for, what to deal with.
Mr. Schiller, I want to thank you for being here, for
spending this time to be with us today, because your telling us
your situation that you found yourself in is going to help
someone else to not have to deal with that, and that is what
people from Maine do, is it not, Madam Chair?
The Chairman. Absolutely.
Senator Donnelly. Yes. If anybody would like to tell us,
hey, here is my best recommendation for our seniors as to how
to avoid these kind of things, and if one starts on their phone
or in their computer, what to do next. Ms. Greisman.
Ms. Greisman. Yes, thank you. What Mr. Finn said is
absolutely right. Hang up. Hang up and file a complaint with
whatever information you may have received.
The FTC has done a lot of research on how to best
communicate with older consumers, and that is what ``Pass It
On'' is really a product of, and what we found is that it is
important to empower seniors to assist their friends and
families and not to feel victimized or feel that they are, for
some reason, vulnerable. On the contrary, to make them feel
like they are in the best position to ward off a scam.
Senator Donnelly. Okay. Thank you very much.
Thank you, Madam Chair.
The Chairman. Thank you very much.
Senator Blumenthal.
Senator Blumenthal. Thank you, Madam Chair, and thanks for
holding this hearing. Thank you all for being here today.
I know a little bit about elder justice from my days as
Attorney General in the State of Connecticut and am very
pleased to see the FTC ably represented here today. Thank you
for all your good work.
I know from my own experience here in the Senate, as well,
the importance of fighting these scams and raising awareness,
as you have just said. I do not know how many times I have
said, hang up, or if it looks too good to be true, it probably
is. Why do you think--and I will pose this question to all of
the members of the panel--why do you think that hope continues
to spring eternal unrealistically and seniors continue to be
bedeviled and confused and misled and deceived by these kinds
of scams? Many of them seem obvious to us.
I proposed a bill, the Robert Matava bill with Senator
Ayotte, that seeks to combat this kind of fraud, named after a
World War II veteran, a Marine, who was himself horrifically
abused by elder fraud, and yet disbelief seems so difficult to
invoke. Why do you think it is?
Ms. Greisman. I wish I had a ready answer to that.
Certainly, some people are simply more open to contact with
total strangers than others. Some people will not do it at all.
There is not enough--in my view, there is not enough research
on the very issue that you raise so that we actually could be
better informed, and it would probably help us target our
educational materials in a better way. We have done a good deal
of research in this area, but more on victimization is needed.
Senator Blumenthal. It really is important to know, because
if you are going to target solutions, if you are going to try
to deal with human nature, perhaps the tools that the bad guys
use ought to be used more artfully or ingeniously by the good
guys to try to reach these very vulnerable seniors.
Ms. Greisman. The work that we have done with the AARP
Foundation, I think, does address several of the points you
raise, because that is one-on-one peer counseling and there is
data to suggest that that type of counseling makes it less
likely a person will be revictimized.
Senator Blumenthal. Mr. Finn, as a service provider, you
obviously bring to the table an important perspective as we
examine these kinds of fraud, and I was alarmed to learn that
some companies are, in fact, profiting from scam artists
purchasing fraudulent ads. In one instance, the FTC found that
since 2010, a network of scammers have paid Google more than a
million dollars for ads and for certain key terms.
I was pleased to see that Microsoft has been proactive in
removing and screening fraudulent tech support ads from your
Bing search platform, which I think is commendable, and I
wonder if you could explain why this issue persists in similar
platforms and what best practices you would recommend for other
providers.
Mr. Finn. Well, I can comment on we do at Microsoft, and we
do take affirmative steps to not allow criminals to use our
platform to harm people, and so, one of the ways we do that is
we invest in automated systems to monitor some of those
organizations. We invest in manual methods of seeing who are
the organizations advertising on Bing, and when we see that
they are doing things that are harmful, that are taking money
from people illegally, we kick them off, so that is one piece
that we do, Senator.
I think the other thing we do is, obviously, we have
invested in a lot of the education efforts with the AARP and
education that we do in our retail stores around the country. I
think the fact that we have a team like the Digital Crimes Unit
is a testament to how important we think it is as an industry
leader to protect people and make sure that technology is
something people can trust.
I think there are a number of things that we feel it is
important to do, and we know we have a lot more to do. We have
certainly reinvigorated the work in this space because the
complaints have increased by 60 percent in just the last eight
months. This is not a problem that is going away. It is getting
bigger. That is why we really need to do even more, and again,
why I am so appreciative of this Committee and Chairman Collins
for shining a light on the problem, because I think we all
agree more needs to be done to protect our seniors and other
people using computing devices in the country.
Senator Blumenthal. Thank you. Thank you all, and I join
your thanks to Senator Collins for having this hearing. Thank
you.
The Chairman. Thank you.
I am going to ask one final question of Mr. Finn and then
give my colleagues an opportunity for a final question, as
well. You have some fascinating data in the appendix to your
written testimony, and I would like to focus on one of the
charts. It is a little difficult to understand when you first
look at it, but it is really illuminating in terms of how big a
problem this is. Could you walk us through what it is we are
looking at just so everyone can understand how serious this
problem is.
Mr. Finn. Sure, and Chairman Collins, I just think it is--
this is a great opportunity, I hope, to illustrate the power of
data and analytics and visualization, because what you are
looking at is a map of the United States and you see lots of
colors, first of all, there. The resolution, you cannot really
distinguish too many, but there are six different colors, and
those colors represent the six top targets of our
investigations that we are working on with the State AGs and
with the FBI. They represent individual instances across the
United States where a user of a computing device clicked on one
of the ads of one of these six companies engaged in criminal
activity.
The taller the tower, so the higher the bar, indicates a
large volume in a particular location, but what you are really
seeing, 462,000 times over just a 90-day period, American
citizens clicked on the links of companies engaged in really
horrific, as you said, Chairman Collins, ruthless activity
designed to steal from people.
The power of--and as a former prosecutor, those are 462,000
attempted criminal acts, and it is probably the case that many,
many, many of these were converted into illegal gains that the
criminals took, where they basically took that money from
citizens of the country, and that is just 90 days on just Bing.
The Chairman. I am so glad that you gave us this chart,
because it really illustrates how explosive and widespread this
problem is. As you said, and I want to reemphasize it, you
found 462,000 clicks, and this is just in 90 days and just
targeting six companies. That is extraordinary, and you are one
company, one effort--granted, a large company, but to me, this
just cries out for a more aggressive approach by law
enforcement. I thought Senator McCaskill put it very well when
she said that if you had that pattern in robberies, law
enforcement would be all over it. Well, this is robbery, as
well, using technology, and it seems to me it deserves far more
attention.
I also wanted to point out your educational brochure that
you have done with AARP on how to avoid tech support scams. It
goes along with the FTC's efforts, and I think we need more of
the education, as well.
Let me just end my questions and comments with a personal
story that will show you that education alone cannot take care
of the problem. Last week, I received an e-mail from, it
appeared, my credit card company telling me that suspicious
activity had been detected and asking me to call a 1-800
number. Well, I am suspicious enough that I thought the e-mail
was fraudulent. It was not a 1-800 number. It was a regular
number. I called the number. They immediately asked me for my
Social Security number. Well, that was a big red flag, so I
said no and hung up. Well, guess what, it was legitimate.
It is extremely difficult to tell whether or not you are
dealing with a fraudulent situation, which this had all the
hallmarks of, an unsolicited e-mail, a number to call, and a
request for my Social Security number. That would be in your
brochures telling me to hang up. Yet, it turned out, even
though I had my credit card with me, that, somehow, someone had
gotten my credit card number.
What I did was call the number on the back of the card
rather than the number that was in the e-mail, but Mr.
Schiller, believe me, I will second what Senator Tillis said.
You are no dummy at all. You are a very intelligent individual,
and this can happen to any of us, even those of us who are very
wary of this situation, and that is why I think in the end, the
answer is more law enforcement actions, because that will not
only punish the criminals--and let us remember, that is what
they are, they are criminals--but it also will deter others
from perpetrating these frauds.
I very much appreciate all of the testimony today. I want
to give Senator McCaskill and Senator Tillis the opportunity
for another question or any comments that you want to make
before I close the hearing.
Senator McCaskill. I just appreciate everyone being here. I
certainly appreciate you, Mr. Schiller. There is nothing that
is harder than saying publicly, I have been had. You doing this
is a great service to your country and to other people who are
potential victims down the line, and we are all very proud of
you for doing it.
Thank you to Mr. Polivick for traveling here from Missouri.
I think I wish in some ways we could have someone from legal
services that would sit on this dais with us in lots of
hearings, because what you see every day is what we need to be
fighting for, and that is people who are working hard, playing
by the rules, having a hard time keeping their head above
water, and the last thing you need is some con artist, bottom
feeder scum trying to feed off their lives when they are having
a hard enough time keeping their head up, so I hope that legal
services is maintaining its fundraising. I know the government
funding has waned and waxed and mostly waned----
Mr. Polivick. Mostly waned.
Senator McCaskill. Mostly waned, especially in my State.
Mr. Polivick. Well, like our clients, the legal aid
programs are constantly playing catch up, you know, trying to
get enough funding to keep up with what needs to be done. Our
clients are not able to get caught up when they are dealing
with scams like this. It is just another blow that they cannot
stand.
Senator McCaskill. Thank you. Thank you, all of you, for
being here.
The Chairman. Thank you.
Senator Tillis.
Senator Tillis. Thank you, Madam Chair.
Just a quick question. Ms. Greisman, Mr. Finn's comments
about the kind of self-policing they are doing at least with
these six Internet presences raises a question. You get them
all the time if you are on the Internet. Your PC may be
infected, click this button, and it could actually either open
a door or get you to buy something you do not really need. At
what point--I mean, are the laws or the rules that we have on
the books now sufficient for us to go to a--we are just talking
about Bing searches. If you overlaid this diagram over the same
period of time with the Google engine, Yahoo!, and a number of
other search engines out there, the multiplier would be
astounding.
What could we do to make it an illegal act to even request
the kinds of ads that Microsoft have identified and taken down?
What more can we do on a proactive basis to reduce the flow of
actions that a Microsoft or a private sector company would even
have to deal with?
Ms. Greisman. I am not sure there is a simple answer to
that question. Certainly, ad screening. Microsoft is doing it.
We talked to a lot of other search engines out there and a lot
of other advertisers, network advertisers, about improving and
enhancing their ad screening techniques. I am not sure what
more could be done at that level.
Senator Tillis. The only other thing I will mention, you
know, when we have this discussion, we all think about the
desktop PC or the laptop, but the same problem occurs here or
the same pop-ups occur here. There are hundreds of millions of
devices that these--I like ``scum'' better than ``lowlife,'' by
the way, Senator McCaskill----
[Laughter.] [continuing.] that they are using to prey on
innocent, trusting people, but we need to make sure that the
FTC, the other government agencies are being innovative in
additional things that we may need to take action on to provide
you with more tools, and we certainly, because of the wealth of
expertise that a Microsoft and some of the top tier platform
providers have to offer, you need to be coming with us to tell
us what more we can do to enable you to provide products and
services that get after these people.
Thank you all for being here. Mr. Schiller, thank you.
Ms. Greisman. Thank you.
The Chairman. Thank you, Senator.
Committee members will have until Friday, October 30th, to
submit any additional questions for the record.
I want to again thank all of our witnesses today,
particularly my constituent, Mr. Schiller, who came from Peaks
Island to share his experience, but all of our witnesses were
extremely helpful.
I also want to thank Senator Tillis and, of course, my
Ranking Member, Senator McCaskill, and all of the other members
who participated in today's hearing, and I want to thank our
staff, which has done a great deal of work to put together a
whole series of hearings on what appear to be an endless number
of scams that are targeting our seniors.
We are going to continue our investigations, and I want to
second Senator Tillis' comment that if legislative changes are
needed to increase authority to go after these scammers or
create new laws that enable them to be prosecuted, we would
welcome your suggestions and would work closely with you. Thank
you very much for your testimony.
This concludes the hearing.
[Whereupon, at 3:57 p.m., the Committee was adjourned.]
=======================================================================
APPENDIX
=======================================================================
=======================================================================
Prepared Witness Statements
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
=======================================================================
Statements for the Record
=======================================================================
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]