There is also a chance that something was dropped on the network drives, and often data can be deleted from those network drives by a domain-connected computer (if that is being used, as I assume is the normal set-up in those environments). It is not only stupid, it is highly dangerous. It should never be done and, as you say, this type of stunt should only be done in a VM, but I recommend only on a VM using Linux or *BSD as the host OS for added security (where it is possible to run the whole thing inside a chroot for added security). It would also be more added security to have that computer on its own LAN (own gateway and so on) disconnected from every other computer in the house.
As for the VM, drop some extra viruses in it in zip files or something that might get the scammers to copy it to their own network and let it burn to the ground in the IT sense of the word. They at least are never going to call you back after that.
I have received this type of call, but I don't have a zombie VM with Windows XP or a secure set-up at the moment. So I just hang up on them when they call me.