[HOOKEDSCAMS]
michael@hookedscams:~$ man tech-support

Tech support

A scary popup or invoice email convinces you your computer or account is compromised. The 'support' agent is the actual attacker, and they want remote access.

also known as: fake renewal, Norton scam, Geek Squad scam, Microsoft support scam, refund scam

what it is

Tech-support scams are the most retiree-targeted scam category in the U.S. The hook can come through several different channels, but they all funnel to the same place: you on the phone with a "technician" who wants remote access to your computer.

how they reach you

  • The browser popup. You're browsing, often after clicking a sketchy ad or a typo'd URL. A fullscreen popup appears, sometimes with audio, claiming Microsoft / Apple / Norton / your bank has detected a virus. It includes a phone number to call.
  • The fake-renewal email. "Your Norton / McAfee / Geek Squad / Best Buy subscription will auto-renew for $399 / $499 / $599. To cancel, call this number." The dollar amount is high on purpose, it's designed to provoke a call before you check the email's actual sender domain.
  • The "iCloud / Apple ID locked" SMS. Smishing variant. A link, a phone number, or both. Calling the number puts you with the "technician".
  • The cold call from "Microsoft" / "Apple" / "your ISP". Often with a spoofed caller ID. They claim your computer is sending out malware or has been "flagged on the network".
  • Search-engine poisoning. You Google "Norton support phone number" or "Roku activation help" and click a result that's actually an ad or a fake site. The number on it goes straight to the operator.
  • A physical mailer. A printed renewal notice that looks like a real invoice, sometimes addressed to "Account Holder". Same template, just analog. More common with older targets.
  • A robocall voicemail. "Your computer has a virus. Press 1 to speak to a technician."
  • A "your account has been compromised" push notification on a hijacked browser. Clicking takes you to a popup with a phone number.

What they share: a piece of urgent-feeling bad news, a phone number to call (not a website to visit), and a dollar amount or threat designed to get you on the line before you can verify anything.

how it works after the hook

  1. The "technician". Often friendly, often with a script. They ask you to install AnyDesk, UltraViewer, TeamViewer, Zoho Assist, or similar.
  2. The remote-access session. While they have your screen, they'll open Command Prompt, run netstat, tree, or tasklist to make scary-looking output appear. They will narrate this as "evidence" of compromise.
  3. The pivot to your bank. They tell you they're going to refund the subscription. They'll ask you to log into your bank to receive it. Then they'll either:
    • Edit the page in your browser (using devtools or HTML edits) to make it look like they sent you too much, then ask you to send the difference back via gift cards, wire, or crypto.
    • Initiate a transfer between your own accounts to make a balance look inflated.
    • Quietly install a remote-access tool that survives the call so they can come back later.
  4. The gift-card ask. This is where most victims realize. "To return the overpayment, please go to Target and buy $2,500 in Apple gift cards. We can't use a wire, bank policy."

the keep-you-on-the-line tactic

Tech-support scams don't have an "off-platform pivot" the way romance and employment scams do, there is no platform to pivot off of. They have something operationally identical: they will not let you off the phone.

The "technician" will keep you on the line continuously while you:

  • Drive to a store
  • Buy gift cards
  • Read off the gift-card numbers and PINs
  • Or initiate a wire / crypto transfer at a Bitcoin kiosk

The reason is the same as the off-platform pivot in other scams. As long as you're on the phone with them, you can't:

  • Hang up and call your real bank's fraud line
  • Step away and Google whether this is a known scam
  • Talk to your spouse, your kids, your pharmacist, or anyone who might break the spell
  • Notice that the dollar amounts and the urgency don't make sense

If a "technician" or "fraud agent" insists you stay on the line, especially while you go to a store, an ATM, or a crypto kiosk, that's the scam in motion. It is always safe to hang up. Real institutions encourage you to verify by calling them back at the official number on your card, on a real invoice, or on the company's website.

red flags

  • A popup with a phone number, audio, or any claim that your machine is infected. Real OS warnings never include a phone number.
  • An invoice from "Norton", "Geek Squad", "McAfee", or "Microsoft" for a service you don't remember subscribing to. Check the sending address, they're almost always on weird domains like @norton-billing.us or @geeksquad-support.com.
  • The invoice email asks you to call (not click), that's the tell. Real cancellations happen in the company's web portal.
  • Any "technician" asks for AnyDesk, UltraViewer, TeamViewer, Zoho Assist, or similar.
  • They ask you to log into your bank "to receive a refund". Banks do not require you to log in for an inbound credit.
  • They insist you stay on the line while you drive to a store, go to an ATM, or visit a Bitcoin kiosk. (See keep-you-on-the-line tactic above, this is the operational equivalent of the off-platform pivot in social scams.)
  • Any request involving gift cards, wire transfers, cash in an envelope mailed to a stranger, or crypto. None of these are how a refund works. Ever.

what to do during a popup

  • Don't call the number.
  • Don't click anywhere inside the popup. Even the "X" in the popup window can be part of the trap.
  • Press Alt+F4 (Windows) or Cmd+W / Cmd+Q (Mac) to close the browser tab or window.
  • If the browser has gone fullscreen and you can't escape, force-quit the browser entirely (Ctrl+Shift+Esc on Windows → end task; or hold the power button).
  • Reopen the browser. Decline any "restore previous session" prompt.

what to do if you let them in

  • Disconnect the computer from the internet immediately. Pull the ethernet, turn off Wi-Fi, or unplug the modem.
  • Uninstall remote-access tools. AnyDesk, UltraViewer, TeamViewer, Zoho Assist, Splashtop, ScreenConnect, anything you don't recognize.
  • Change your bank passwords from a different device (your phone over cellular, not the compromised computer).
  • Call your bank from the number on the back of your card. Tell them what happened. If you sent any money or gift cards, freeze accounts and dispute charges.
  • Run a full antivirus scan with Malwarebytes or Windows Defender. If you're not sure the machine is clean, take it to a real local computer shop. Or wipe it and reinstall.
  • Report.
    • IC3 (FBI), especially if money moved.
    • FTC, even if no money moved.
    • Your bank, card issuer, and gift-card issuer (Apple, Target, eBay, etc. all have fraud lines).

protecting older relatives

This is the scam category that hurts the elderly the most. Worth doing now, before something happens:

  • Bookmark their bank login. They should never search for it.
  • Walk them through what real Microsoft / Apple support looks like (it does not call you, ever).
  • Set a household rule: "Any popup with a phone number, you call me first."
  • Consider freezing their credit at all three bureaus.

the bottom line

Microsoft, Apple, Google, Amazon, Norton, McAfee, and Geek Squad will never call you, will never ask you to install AnyDesk, and will never ask you to refund anything via gift card. Anyone claiming to is the scam.

← all scam types