I can't believe more people aren't pointing out how potentially dangerous what the TechCrunch author, Regardt van der Berg, did was. He gave a potential unknown attacker a beachhead inside the TechCentral network, even if only for a few minutes. That is long enough for someone to potentially have compromised other machines on the network.
The article says: "We have a spare PC in the TechCentral office that has been newly installed and that contains no personal information. I used this machine for the next part of the ploy. I installed the Support.me application and provided "John" with the access details."
At that point, regardless of what was done to that specific PC, they have to assume the attacker could compromise every machine on their network by exploits launched immediately from that machine in the background at all other computers on the network, like through potentially zero-day exploits such as for unpatched Microsoft issues relating to local workgroup file sharing or other services. They can't assume they knew everything the attackers were doing. That's why it's been said that firewalls, like some lollipops, are "crunchy on the outside and chewy in the middle". The article author does not say he re-imaged the PC either. Granted, his informative article that may help many other potential victims was maybe worth the risk, but he should at least make clear to his readership what those risks are and that he understood them and accepted them on behalf of helping his readership.
Contrast with your setup, where the VM was on its own virtual LAN and so presumably could not get to other machines on your local network. And as a snapshotted VM, you can easily roll it back. Still, if you had installed software, how risky that was would also depend on the exact network configuration and how that VM's VLAN interacts with your gateway to the internet -- as in whether the VLAN to gateway interface via whatever virtualization software you were using was set up like guest networking with isolation from other guests. One mistake somewhere in configuration (or even with no mistakes and buggy virtualization software), and your production network could have been compromised. And as you said, there could be credentials on a test machine like SSH keys and such. You did the right thing by not installing anything.
Granted, it doesn't sound like these examples of scammers are doing internal network attacks, but you never can know for sure what they really intend...