A tech support scam becomes serious the moment a stranger can see your screen, steer your cursor, or watch you log in. The scam is rarely about fixing a device. It is about getting access to the accounts, payment tools, and personal data that sit behind the device.
The FTC says tech support scammers use popups, search results, calls, and messages to push people into giving remote access or paying for fake help. Microsoft says its real error messages never include phone numbers, and real Microsoft staff do not cold-call people to say there is a problem with a device. That means the recovery problem is not deciding whether the stranger sounded convincing. The recovery problem is closing every path the stranger may have opened.
Key idea: if a scammer controlled the device while you signed in somewhere important, treat the account and the device as part of the same incident.
First 15 minutes
Do the containment steps in this order. Speed matters more than perfect diagnosis.
| What happened | Do this first | Why |
|---|---|---|
| You only saw a popup and did not call or install anything | Close the browser or restart the device, then run a security check | You may have avoided the real compromise step |
| You called and let someone connect remotely | Disconnect the device from Wi-Fi or Ethernet immediately | That cuts the live session and reduces ongoing access |
| You signed in to email, banking, or shopping accounts while they watched | From a different clean device, change those passwords and revoke sessions | The attacker may have captured credentials or session access |
| You paid by card, wire, gift card, cash app, or crypto | Contact the payment provider or bank fraud team immediately | Some payment paths have short windows for dispute or recall |
- Disconnect the affected device from the internet.
- Stop the call, chat, or remote session.
- Use a different known-good device to secure email, banking, and shopping accounts.
- Preserve screenshots, phone numbers, receipts, remote-tool names, and any case numbers before cleaning up.
How this scam usually gets in
Many cases start with a fake alert about a suspicious purchase, a virus warning, or a browser page that claims the computer is locked. Others start with a phone-based vishing call or a search result that looks like official support. The storyline changes, but the sequence is usually the same: create urgency, establish authority, ask for remote access, then use that trust to reach accounts or money.
That is why scam cleanup has to go beyond removing one app. The caller may have convinced you to reveal passwords, approve prompts, expose card details, or install software that keeps working after the call ends. In incidents that started from fake account-help searches, the pattern can look very similar to fake customer-support scams on social platforms.
Do not: keep troubleshooting with the same stranger because they promise to undo the damage. Once the session is fraudulent, every extra minute gives them more to collect.
If you only saw a popup and did not engage
If you never called, never downloaded anything, and never entered credentials, you may have avoided the highest-risk stage. Microsoft recommends closing the browser or restarting the computer if a fake warning fills the screen or traps the browser. After that:
- Run your normal operating-system security scan.
- Check the browser for newly installed extensions you do not recognize.
- Review downloads for anything added at the time the popup appeared.
- Do not call the number in the warning, even after the browser is closed.
This is the best outcome because the attack may have stayed at the scare stage. Still, the lesson is operational: error messages from major vendors do not tell you to call a random number. If the page pushes phone support, it is part of the trap.
If you gave remote access or screen control
Once remote access was granted, stop thinking only about the app name. Think about everything the scammer could see while connected. That includes saved browser passwords, open email tabs, password-reset prompts, bank balances, and two-factor prompts arriving on the device.
- Uninstall the remote access tool if you can identify it.
- Check startup items, installed apps, browser extensions, and accessibility permissions for anything unfamiliar.
- If the device is behaving oddly, or if you cannot confidently explain what changed, move to a full rebuild or professional cleanup rather than a partial uninstall.
- If the device holds work accounts, tell your employer or IT team before reconnecting it to work systems.
Remote-access scams also create a spyware question. If the device shows new prompts, new profiles, unexplained slowness, or unknown apps, treat that as a device-compromise problem and use "how to detect spyware" as part of the cleanup path. The point is not to guess the exact malware family. The point is to decide whether the device is trustworthy enough to touch critical accounts again.
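One way to make the download and extension checks above concrete is to list what changed on disk during the call. This Python sketch is an added example, not part of the original guidance; the function name, the folder locations (default Chrome profile paths), and the call times are assumptions to adjust for your machine.

```python
"""Added example: list what changed on disk during the scam call."""
import os
from datetime import datetime, timedelta
from pathlib import Path

def changed_in_window(roots, start, end, pad_minutes=15):
    """Return {root: [(entry, newest_change), ...]} for top-level entries under
    each root holding a file whose mtime or ctime (creation time on Windows,
    metadata-change time on Unix) falls inside the padded window."""
    lo = (start - timedelta(minutes=pad_minutes)).timestamp()
    hi = (end + timedelta(minutes=pad_minutes)).timestamp()
    report = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # folder or browser not present on this machine
        hits = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath, name)
                try:
                    st = path.stat()
                except OSError:
                    continue  # unreadable or vanished file: skip, do not abort
                for ts in (st.st_mtime, st.st_ctime):
                    if lo <= ts <= hi:
                        # Group by first component below the root so one
                        # extension or unpacked installer is one finding.
                        top = path.relative_to(root).parts[0]
                        hits[top] = max(hits.get(top, 0), ts)
        report[str(root)] = sorted(
            (top, datetime.fromtimestamp(ts)) for top, ts in hits.items())
    return report

if __name__ == "__main__":
    home = Path.home()
    # Assumed default locations; adjust for the browsers actually installed.
    roots = [
        home / "Downloads",
        home / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / ".config/google-chrome/Default/Extensions",
    ]
    call_start = datetime(2024, 1, 1, 14, 0)  # constructed: when the call began
    call_end = datetime(2024, 1, 1, 15, 30)   # constructed: when you disconnected
    for root, entries in changed_in_window(roots, call_start, call_end).items():
        for top, when in entries:
            print(f"{when:%Y-%m-%d %H:%M}  {root}  {top}")
```

Run it with the device still disconnected. An empty result does not show the device is clean, since file timestamps can be changed and tools can install outside these folders.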
If you logged in to important accounts while they watched
This is where tech support scams spill into account-takeover risk. Even if the caller never explicitly asked for your password, they may have watched you enter it, captured a session cookie, or kept you on the line while security prompts arrived.
From a separate clean device, change passwords for the accounts that matter most first:
- Primary email inbox
- Banking and payment apps
- Retail accounts with saved cards
- Any password manager that was open or installed on the device
Then sign out of unknown sessions and review recovery settings. If the inbox was exposed, check forwarding rules and connected apps. If banking was exposed, move to the bank-account incident workflow so the payment side and the login side are handled together. If the whole compromise looks wider than one machine, use "been hacked" to work the control plane in the right order.
If you only do one thing: change the email password from a different device. Email resets often determine whether the rest of the recovery sticks.
If you paid the scammer
Payment type changes your next step. Do not wait until you finish every device check before calling the payment provider.
| Payment path | Immediate action | What to preserve |
|---|---|---|
| Credit or debit card | Call the issuer, report scam payment, ask about chargeback or replacement card | Receipt, merchant name, phone number, screenshots |
| Bank transfer or wire | Call the bank fraud team and ask whether a recall is still possible | Transfer ID, destination details, time sent |
| Gift cards | Keep the cards, receipts, and photos of the backs if available, then report quickly | Card numbers, store location, receipt |
| Crypto or Bitcoin ATM | Save wallet address and transaction details, then report immediately | Wallet address, exchange or ATM, amount, timestamps |
If the scammer talked you into moving money after a fake fraud warning, that is a different but related incident pattern. Use "move your money to protect it" for the bank-and-government impersonation version of the same pressure tactic.
Decide whether the device is trustworthy enough to keep
Some incidents end with a clean uninstall and a password reset. Others do not. Rebuilding the device is often the safer choice when:
- multiple unknown tools or extensions were installed
- the scammer had long remote control while you logged in to sensitive accounts
- the device still shows strange behavior after cleanup
- you cannot explain what the scammer changed
A rebuild is inconvenient, but uncertainty is expensive. If the device remains the weakest point, new credentials can be stolen again. That is why a half-cleaned machine should not be trusted with the same banking or email accounts that were already exposed.
Build a clean evidence packet and report it
Save evidence before you forget the details. That includes the popup, the number you called, the URL where you found the support number, the remote app name, payment receipts, and any follow-up messages. If a search result or sponsored listing started the incident, save that too.
- FTC fraud report: ReportFraud.ftc.gov
- Microsoft scam reporting: microsoft.com/reportascam
- FBI IC3 elder-fraud and internet-crime reporting: ic3.gov
Reporting will not instantly recover funds or erase the session history, but it creates a clean record and helps connect the same scam infrastructure across victims. That matters most when the scammer used real company names, spoofed numbers, or repeat payment instructions.
How to make the next attempt fail
The most durable defense is not recognizing every brand name a scammer might use. It is changing the verification habit that makes the scam work.
- Do not call support numbers found in popups.
- Do not trust support numbers in sponsored search results without verifying them on the real site.
- Keep important accounts off a device you do not trust.
- Use unique passwords and stronger authentication for email and financial accounts.
- Ignore anyone who says they can hack an account back faster for a fee. That is often a second scam, covered in "do not hire a hacker".
Tech support scams succeed by collapsing three decisions into one moment: trust the stranger, grant device access, then accept the payment story. Recovery succeeds by pulling those decisions apart again. First restore device trust. Then restore account trust. Then deal with money movement and reporting.
That order matters because a password change on an untrusted device is fragile, and a payment dispute without a clean evidence trail is weaker than it needs to be. When the device is isolated, the control plane is secured, and the payment path is documented, the incident stops expanding.
The strategic question is simple: can this device still reset your life? If the answer might be yes, keep it away from email, banking, and saved credentials until you can answer with confidence.
The scammer's advantage is speed and confusion. Your advantage is sequence. Once you take back the sequence, the rest of the cleanup becomes work, not panic.
