
Tech Support Scams: What They Actually Are Now, and How to Stop Them

The FBI’s 2025 Internet Crime Complaint Center report recorded 47,794 complaints tied to tech support fraud, with about $2.13 billion in reported losses. Among victims 60 and older, tech and customer support scams alone produced more than $1 billion in losses from about 21,000 complaints.

Here’s the thing the headline numbers don’t show: the “tech support scam” label covers a family of related frauds that have almost nothing in common with the fake virus pop-ups most people picture. Modern versions blend impersonation, remote access, and payment fraud into a sequence that can unfold over hours or days. Some start with a browser lock screen. Some start with a fake invoice. Some start with a phone call from someone claiming to be your bank’s fraud department. They all end the same way.

I spent over 20 years working in product and operations at major identity protection providers. I’ve seen how these scams are constructed and I’ve watched how the industry responds to them. This article is the honest version of what you need to know.


What These Scams Actually Look Like

Tech support scams now have six common entry points, and most people are only aware of one or two of them.

The browser pop-up (the one most people know)

A full-screen warning appears. It says your computer is infected. It makes an alarming sound. It tells you not to close the browser and to call a number immediately, usually one labeled “Microsoft Support” or “Apple Security.” The page may loop dialog boxes that are difficult to close, which reinforces the panic the scammer is counting on.

The number goes to a call center. The script convinces you to install a remote access tool like AnyDesk, TeamViewer, or LogMeIn. From there, the scammer claims to find infections, unauthorized accounts, or evidence of criminal activity on your machine. Eventually, they present a bill for “repairs” ranging from $70 to several hundred dollars. Or they pivot to the next phase.

The fake renewal or refund email

An email arrives claiming you’ve been charged $299 for a Geek Squad plan, a Norton subscription, or a McAfee renewal you didn’t order. It looks official. It has a logo, an invoice number, and an urgent cancellation deadline. The number to call goes to a scammer.

Once you’re on the phone, the script shifts. They’ll offer to process your refund through remote access to your computer. The “refund” involves a fake screen that appears to show too much money transferred to your account. They then pressure you to “return” the overpayment through gift cards, a wire transfer, or a payment app.

FTC data from 2023 show that Best Buy/Geek Squad was the most impersonated company in consumer fraud reports, with about 52,000 reports that year. Microsoft impersonation scams generated about $60 million in reported consumer losses in the same period.
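For mail administrators, the fake renewal email described above has a recognizable shape: a brand named in the message, a sender domain that does not belong to that brand, a charge amount, and a number to call. The following is an added example, not part of the original article; the brand-to-domain allowlist, the regular expressions, and the sample message are illustrative assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative allowlist of sender domains for brands the article names.
BRAND_DOMAINS = {
    "geek squad": {"bestbuy.com", "geeksquad.com"},
    "norton": {"norton.com"},
    "mcafee": {"mcafee.com"},
}
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")
URGENCY = re.compile(r"within \d+ hours|immediately|to cancel|auto[- ]?renew", re.I)


def triage(raw: str) -> list[str]:
    """Return the callback-scam signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = "\n".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )
    text = f"{msg.get('Subject', '')}\n{body}"
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signals = []
    for brand, allowed in BRAND_DOMAINS.items():
        # Brand is mentioned, but the sender is not on that brand's domain.
        spoofed = brand in text.lower() and not any(
            domain == d or domain.endswith("." + d) for d in allowed
        )
        if spoofed:
            signals.append(f"brand-mismatch:{brand}")
    for label, pattern in (("callback-number", PHONE),
                           ("charge-amount", AMOUNT), ("urgency", URGENCY)):
        if pattern.search(text):
            signals.append(label)
    return signals


# Constructed sample message (invoice number, address and phone number are made up).
SAMPLE = """\
From: Billing Dept <billing.desk4471@example.net>
Subject: Your Geek Squad plan has been renewed

Invoice GS-000000: you have been charged $299.00.
To cancel within 24 hours call (555) 010-0199.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A brand mismatch together with a callback number is the combination worth quarantining; a charge amount or urgency wording on its own also appears in genuine receipts.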

The fake customer service search result

You search for the support number of a software company, a bank, or a subscription service. The top result is a sponsored ad that looks completely legitimate. It has the company’s branding, a phone number, and professional copy.

The number goes to a scammer.

Academic research published through the 2018 Web Conference documented more than 9,000 scam domains and 2,400 support domains in a single study, and found that scammers consistently got their pages to rank in both organic and paid search results. IC3 explicitly warns consumers about this: a phone number from a search result, even a sponsored one, is not verification that you’ve reached the real company.

The unsolicited phone call

A call arrives from “Microsoft,” “Apple,” your internet provider, or an antivirus company. They say they’ve detected virus activity from your computer on their servers, or that your security subscription has expired. The goal, again, is remote access.

The social media reply or direct message

You post a complaint about a product or service on social media. A reply or DM arrives within minutes offering to help, sometimes from an account with the company’s name and logo. The conversation moves to phone, and the phone goes to a scammer.

The phantom hacker

This is the most financially damaging variant. It starts as tech support. A scammer convinces a victim they’ve been hacked and gains remote access to the computer. Then a second person calls, posing as the victim’s bank or brokerage security team, and explains that hackers have also compromised the financial accounts. A third contact, sometimes posing as a government official or a “federal recovery agent,” tells the victim to move funds to a “safe” account for protection.

The victim watches their computer screen while the “bank security” representative explains that the money needs to move immediately. The scammer is watching the same screen remotely. The “safe account” belongs to the criminal.

The FBI issued an alert on this sequence in 2023 and has continued to flag it in annual IC3 reporting. It’s called phantom hacker fraud because the intrusion is invented, but the financial loss is real.

The Mechanics Under the Hood

Across all these variants, the underlying structure is strikingly consistent. The scammer manufactures urgency. Then they seek controlled communication, usually by getting the victim to call a number or stay on the phone. Then they seek either remote access or direct financial engagement. Then they reframe ordinary system behavior as proof of a problem. Then they direct the victim to a hard-to-reverse payment path.

The “diagnostics” deserve a word. In a large field study published through the 2017 NDSS symposium, researchers analyzed actual scam calls and found that scammers regularly used Windows utilities like Event Viewer, stopped services or drivers, and netstat output as fake evidence of infection. These are completely ordinary parts of a functioning Windows system. A scammer points to the logged errors in Event Viewer and says they’re proof of malware. They’re not.

The same study broke down the remote support tools used in observed scam sessions: LogMeIn Rescue in 60%, Citrix GoToAssist in 21%, TeamViewer in 12%, and other tools, including AnyDesk, in 7%. The tools themselves are legitimate products. The scammers abuse them.

The payment demands in that study averaged around $290, with packages ranging from $70 to $1,000. The average call reached a pricing pitch in about 17 minutes. These are not opportunistic operations. They’re scripted, practiced, and structured.

The Red Flags That Actually Matter

Legitimate tech companies won’t contact you out of the blue to tell you your device has a problem. Real security pop-ups don’t tell you to call a phone number. Government agencies and law enforcement don’t tell people to move money to protect it, use gift cards, buy gold, or hand cash to a courier.

Those three facts eliminate most tech support scams before they can do damage. The problems come from the cases that are harder to recognize. Here’s the practical list.

The five highest-priority signals

  1. Unsolicited contact about your device or account. Doesn’t matter if it’s a pop-up, a call, or an email. If you didn’t initiate the interaction and someone is telling you there’s a problem, treat it as suspect until you independently verify.
  2. Any pop-up, email, or text with a support number. Don’t call the number in the message. Find the company’s real number yourself, from the official website or the back of a card.
  3. A request to install remote access software. AnyDesk, TeamViewer, ScreenConnect, UltraViewer, LogMeIn. If someone you didn’t call asks you to install any of these, stop.
  4. Any instruction to log into your bank or brokerage while a support agent is connected. No legitimate technical support process requires this.
  5. Payment in gift cards, cryptocurrency, wire transfer, payment apps, cash, or gold. These are not the payment methods of legitimate businesses. They are the payment methods of scammers, because they’re difficult or impossible to reverse.

Some subtler ones worth knowing

  • Pressure to keep the matter secret from family, your bank, or local branch staff. Real support agents don’t care if you tell your spouse. Scammers need isolation to work.
  • Any script involving an accidental overpayment. You don’t owe money to a company that made a deposit to your account. The “overpayment refund” setup is a scam mechanic, not a business practice.
  • A scammer who stays on the phone with you while you go to the store, ATM, or postal service. The call that doesn’t let you hang up is a control tactic.

If You Already Paid

Time is the variable that matters most. For some payment methods, a fast dispute or reversal request still has a chance. For others, especially cryptocurrency and wired funds, recovery becomes much harder once the transaction clears.

Here’s the correct order.

Step 1: Stop the access and stop the payments

If you gave someone remote access, shut down or restart the computer to end the session. Then stop all further payments. If a scammer is still on the phone, hang up.

Step 2: Contact the payment provider immediately

The right contact depends on how you paid.

  • Credit or debit card: Call the issuer and report it as a fraudulent charge.
  • Unauthorized bank withdrawal: Contact the bank and ask for a reversal.
  • Wire transfer (Western Union, MoneyGram, bank wire): Contact the company immediately. Speed is critical here.
  • Payment app (PayPal, Cash App, Zelle): Report the fraudulent transaction in the app and also contact your linked bank or card.
  • Gift cards: Call the issuer and ask for a refund. Some issuers can block an unused card balance.
  • Cryptocurrency: Contact the exchange, though the FTC warns crypto payments are typically not reversible.
  • Mailed cash through USPS: Contact the U.S. Postal Inspection Service and request a package intercept.

Step 3: Secure your accounts

Change any passwords the scammer may have seen while they had remote access, and change them everywhere you reused them. Turn on multifactor authentication on your financial accounts and email.

Step 4: Clean the device

Run security software and consider having the computer professionally cleaned if you’re not sure what was installed during the remote session.
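One way to check what a remote session left running, as an added example that is not part of the original article: the script lists running processes and flags any whose name contains one of the remote access tools named in this article. The substring matching and the sample process list are assumptions made for illustration.

```python
import csv
import io
import platform
import subprocess

# Tool names taken from the article's lists; matched as case-insensitive substrings.
REMOTE_TOOLS = ("anydesk", "teamviewer", "screenconnect", "ultraviewer",
                "logmein", "gotoassist")


def find_remote_tools(process_names):
    """Map each matching tool name to the sorted process names that contain it."""
    hits = {}
    for name in process_names:
        compact = name.lower().replace(" ", "")
        for tool in REMOTE_TOOLS:
            if tool in compact:
                hits.setdefault(tool, set()).add(name)
    return {tool: sorted(names) for tool, names in hits.items()}


def running_process_names():
    """List process names via tasklist (Windows) or ps (macOS/Linux)."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True, check=True).stdout
        return [row[0] for row in csv.reader(io.StringIO(out)) if row]
    out = subprocess.run(["ps", "-A", "-o", "comm="],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


# Constructed sample, shaped like the first column of tasklist output.
SAMPLE = ["explorer.exe", "AnyDesk.exe", "chrome.exe", "TeamViewer_Service.exe",
          "svchost.exe", "ScreenConnect.ClientService.exe"]

if __name__ == "__main__":
    for tool, names in find_remote_tools(running_process_names()).items():
        print(f"{tool}: {', '.join(names)}  (remove it if you did not install it)")
```

A tool that is installed but not currently running will not appear here, so also review the installed-programs list and startup items.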

Step 5: Place a credit freeze or fraud alert if personal data was exposed

If the scammer saw your Social Security number, account numbers, or passwords while connected, a credit freeze at all three bureaus (Equifax, Experian, and TransUnion) prevents new accounts from being opened in your name. The freezes are free and don’t affect your credit score. A one-year fraud alert can be placed by contacting any one bureau, which then notifies the other two. Our guide to freezing your credit walks through the process at each bureau.

Step 6: Expect follow-on contact

The FBI warns that victim information is often shared among criminal operators. After a tech support scam, anyone promising to help you recover your money for a fee is running a second scam. Any caller claiming to offer a refund for the original incident should be treated the same way you’d treat the original call.

Where to Report

Report to all of these, not just one. Each channel does something different.

| Channel | Use it for | Practical note |
| --- | --- | --- |
| FTC (ReportFraud.ftc.gov) | Consumer fraud reporting, pattern sharing, civil enforcement support | Report even if you only spotted the scam and didn’t pay. Include the brand impersonated, phone numbers and URLs used, payment method, and whether remote access was granted. |
| FBI / IC3 | Criminal and intelligence referral; time-sensitive financial recovery referrals | Save or print your complaint when you submit it. IC3 does not email you a copy. Include transaction details, URLs, email headers, and any screenshots preserved offline. |
| State attorney general | State consumer-protection mediation or enforcement | Many AG offices mediate complaints and may open investigations. Find your state’s portal at NAAG.org. |
| Bank, card issuer, or payment app | Chargeback, reversal, fraud hold, account protection | This is where the reversal process starts and it’s time-sensitive. If the institution doesn’t respond adequately, escalate to the CFPB at consumerfinance.gov. |
| Credit bureaus | Fraud alert or freeze; later disputes | Contact all three bureaus for a freeze. One bureau can place a one-year fraud alert and notify the other two. Pull your reports at AnnualCreditReport.com. |

Prevention: What Actually Works

The single most protective thing you can do is break the scammer’s routing logic. They need you to use the phone number or link they provided. Don’t.

When you need support for a product or service, go directly to the official website or app. Use a number from your account records, the original product packaging, or a receipt you received when you purchased the product. “I found the number on Google” is not verification. As IC3 and academic research both document, sponsored search results and look-alike sites are a core distribution channel for these scams.

The FTC’s two summary heuristics are actually useful: legitimate tech companies don’t contact you out of the blue about a problem with your device, and real security pop-ups don’t ask you to call a phone number. If the contact violates either of those, it’s fraudulent.

On the technical side: keep security software current. Consider ad-blocking software, which IC3 specifically recommends to reduce pop-up and malvertising exposure. Learn how to force-quit a frozen browser (on Windows, Alt+F4 or Task Manager; on Mac, Command+Option+Escape) so your response to a browser lock screen doesn’t have to be calling the number on screen.

For organizations, the prevention implications run in both directions. Prominently publishing official support routes in apps, websites, invoices, and packaging reduces the surface area scammers can exploit. Training employees that no legitimate support process involves moving money to a “safe” account or paying by gift card closes another gap. And for brands that get impersonated frequently, monitoring for fraudulent search ads and fake customer-service pages is now a real part of brand protection.

The Scale, and What It Tells You

Combined tech support and government impersonation fraud (the two are often part of the same sequence) produced more than 80,000 complaints and over $2.9 billion in losses in 2025 IC3 data. These are not fringe operations. The 2017 NDSS study estimated the average scam call center had about 11 agents. The networks are organized, scripted, and persistent.

Enforcement is real but not yet adequate to the scale. The FTC returned more than $25.5 million to about 736,000 consumers harmed by Restoro and Reimage in a settlement announced in early 2025. The FBI described a Noida, India-based call center network taken down in December 2025 after defrauding more than 600 U.S. victims of nearly $49 million. A San Diego elder fraud case in the same report described more than 500 victims with losses exceeding $40 million.

Individual cases from FBI reporting illustrate what the dollar figures mean in practice. A Maine couple lost $1.1 million after a pop-up led them to install remote software and move funds into cryptocurrency for “safekeeping.” A New Hampshire resident lost about $1 million after a fake hack warning and a remote-desktop session.

The scale matters because it shapes how you should think about your own exposure. This isn’t a niche scam hitting an unusually vulnerable population. It’s one of the highest-volume fraud categories in the United States, by both count and dollars, affecting people across age groups and income levels.

The pop-up isn’t the scam. The routing logic is. Break it, and the rest of the script falls apart.

If someone in your family is at higher risk, particularly an older parent, the dynamics shift somewhat. The guide to protecting an aging parent from scams covers why the standard awareness advice falls short and what actually reduces losses.


Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.

