A Fake Microsoft Or Bank Agent Took Over Your Computer And Your Money
If a pop-up warned you of a virus, or a caller claiming to be from Microsoft, Apple, your bank, or the IRS talked you into installing remote access software, you were targeted by a professional tech support scam. These operations run out of organized call centers and move fast. Petronella Technology Group handles recovery for individual victims, helps you stabilize devices and accounts, and coordinates with banks and law enforcement on fund recovery.
How Do Tech Support Scams Actually Work And Why Do They Fool Smart People?
Knowing the pattern removes some of the shame. These are professionally run scripts, refined on hundreds of thousands of prior victims.
Tech support scams begin with a pop-up, a cold call, or a search ad that claims your device is infected or your account is compromised. The attacker talks you into installing remote access software (AnyDesk, TeamViewer, UltraViewer, or similar), then makes the problem look worse while demanding payment via wire transfer, gift card, cryptocurrency, or bank transfer. The pressure and time urgency are the product. Intelligent people fall for this every day because the social engineering is very well rehearsed.
Entry via fake alert. A full-screen pop-up on your computer claims Windows detected a virus, your bank account has been compromised, or your Apple ID is locked. It cannot be closed easily, and it includes a toll-free phone number to "Microsoft", "Apple", or "your bank". The urgency is engineered.
Entry via cold call. A caller claiming to be from Microsoft, your bank's fraud department, the IRS, or a government agency says your computer or account has been flagged for suspicious activity. They already know your name and possibly the last four of your account number. The familiarity is also engineered.
Remote access installation. The scammer walks you through installing AnyDesk, LogMeIn, QuickAssist, TeamViewer, or another remote access tool. Once connected, they display fake system scans showing "infections" and dramatic-looking command line output.
Fake problem, real fees. The scammer offers to clean the computer, protect the bank account, or remove the fraud hold, for a fee. Payment is demanded in gift cards (Apple, Google Play, Visa prepaid), wire transfer, or cryptocurrency. Often they persuade victims to move funds between their own accounts as a "safety measure" that is actually a transfer to the scammer.
Escalation and recurring extraction. Once the initial payment goes through, the scammer often maintains remote access for weeks or months, returning to extract more. Some victims have been drained over months before recognizing what was happening.
If any of this matches your experience, you are not alone and the response playbook below works.
What Are The First Five Actions After Realizing It Was A Tech Support Scam?
If the scammer still has remote access or you are still on the call, these actions come first.
Disconnect the device from the internet by pulling the network cable or turning off Wi-Fi. Do not power down; power-cycling can destroy forensic artifacts. Uninstall the remote access software the scammer installed, using a different clean device to research how. Call your bank or financial institution to halt any payment still in motion. Call (919) 348-4912 for triage.
Unplug the computer from the network or turn off Wi-Fi. Do not turn it off.
Hang up the phone. Do not say anything else to the scammer.
Call your bank using the number on the back of your card, not a number the scammer gave you.
Document what you saw, clicked, installed, and said. Screenshot anything still visible.
Call Petronella Technology Group at (919) 348-4912 for device cleanup and evidence work.
Leaving the computer on but disconnected keeps volatile evidence intact while cutting off the scammer's access. Do not try to close the remote access tool yourself while it is connected. The scammer can lock you out quickly.
If the scammer claimed to be from your bank and you discussed account details, call your real bank immediately using the number on your card or statement. Request a fraud freeze on the relevant accounts. Banks have seen this exact scam thousands of times and their fraud teams have playbooks ready.
How Do You Report A Tech Support Scam And Begin Financial Recovery?
Day one priority: protect remaining money, file reports, and start recovery on any funds that already moved.
File an FBI IC3 report at ic3.gov within the first twenty-four hours. Call your bank, credit card issuer, or crypto exchange fraud team. File with the Federal Trade Commission at reportfraud.ftc.gov. For gift cards, contact the issuing retailer immediately. For wire transfers, see also our business email compromise recovery guide. Partial recovery is possible in some cases when reported within hours, but never guaranteed.
Contact all financial institutions. Not just the account the scammer targeted. Bank, credit union, investment accounts, credit cards, PayPal, Venmo, Zelle, Cash App, crypto exchanges. Request holds on suspicious recent activity and review pending transactions. Many institutions can reverse transactions if caught within hours.
Freeze your credit. Experian, Equifax, and TransUnion. Free and immediate. Blocks new credit opened in your name. Lift when you need to apply for credit legitimately.
Change passwords from a clean device. If the scammer had remote access, every password saved in your browsers or password manager is potentially compromised. Use a phone or another computer the scammer never touched. Prioritize email, banking, and any account with stored payment methods.
Turn on MFA everywhere. Authenticator app or hardware security key. Do not rely on SMS alone because SIM swap is sometimes the follow-on attack.
Report to FBI IC3. ic3.gov. Include scammer phone numbers, websites, email addresses, any software they had you install, the full payment chain, and the approximate times of contact.
Report to FTC. reportfraud.ftc.gov. Consumer fraud intake that feeds into multi-agency investigations.
Call local police. In person at your local station. Request a case number. Many banks and insurers require a police report number for fraud reimbursement decisions.
Report to the retailer if gift cards were involved. Apple (apple.com/gift-card-scams), Google Play, Amazon, Target, and others have fraud lines. If the cards have not been redeemed yet, a fast report can freeze the balance.
What Does A Full Tech Support Scam Engagement Include After The First Day?
Week one focuses on forensic cleanup of compromised devices, structured recovery of any movable funds, and hardening against follow-on attacks.
Device forensics to identify every piece of software the scammer installed or modified. Remote access eradication. Account audit across email, banking, cloud, and social to check for unauthorized access and inbox rules. Where crypto was involved, on-chain tracing and exchange coordination. A documented case narrative for your bank, insurance, or legal counsel. Ongoing monitoring for a defined period if helpful.
Device forensic examination. The scammer likely installed remote access software and may have installed additional persistence tools, keyloggers, or clipboard hijackers. Even after uninstalling the visible remote access tool, hidden components can remain. Petronella Technology Group examines the device, preserves evidence, and either hardens or factory resets as appropriate.
Crypto tracing if funds moved to wallet. If the scammer had you purchase cryptocurrency and send it to their wallet, on-chain tracing can sometimes follow the funds to a regulated exchange where a law enforcement subpoena can freeze the account. Recovery rates vary. See our crypto forensics page.
Wire fund recovery. FBI IC3 Recovery Asset Team, your bank's fraud team, and in some cases the receiving bank's compliance team can coordinate on freezes and reversals. Timing is critical. Most successful recoveries happen within seventy-two hours of the wire.
Identity theft monitoring. Consider a paid monitoring service for at least twelve months. Scammers often sell or reuse personal data collected during the scam, so downstream fraud attempts are common months later.
Home network review. If the scammer guided you to network configuration changes, or if they accessed other devices on your network while connected, those devices need review too. A home network audit by Petronella Technology Group or a similar firm catches configuration changes that could remain exploitable.
Support system. Tell one or two trusted people. The shame keeps many victims silent through repeated scams. Breaking that silence is part of recovery.
Petronella's Role In Tech Support Scam Recovery
Device Forensic Cleanup
Examine the compromised device for remote access tools, keyloggers, and persistence. Clean, harden, or reset as needed. Preserve evidence.
Account Hardening
Walk through password resets, MFA enablement, browser cleanup, and stored credential purges across all accounts that may have been exposed.
Fund Recovery Coordination
Work with your bank's fraud team, FBI IC3 Recovery Asset Team, crypto exchange compliance teams, and retailer fraud lines to maximize recovery odds on any payments that went through.
Crypto Tracing
On-chain analysis of stolen funds through intermediary wallets, mixers, and bridges to identify points where law enforcement can act.
Evidence Preservation
Forensically sound capture of scammer phone numbers, websites, software, email addresses, and all payment records. Chain of custody for legal action.
Home Network And Device Ecosystem
Check other devices on the network, router configuration, DNS settings, and any smart home systems the scammer may have accessed.
What Does A Tech Support Scam Survivor Do To Prevent A Second Incident?
Once the immediate recovery is done, the most valuable thing you can do is make sure the same pattern cannot succeed on you or the people you love a second time.
Install a reputable password manager and rotate reused passwords. Enable hardware-based MFA on every important account. Treat every unsolicited call or pop-up about a device issue as a scam until proven otherwise. Bookmark only real support URLs for the platforms you use. Microsoft, Apple, Google, and Amazon do not cold-call customers about device infections. Ever.
No legitimate company will ask you to install remote access software over an unsolicited call. Not Microsoft, not Apple, not your bank, not the IRS, not Amazon, not any federal agency. This is the single most valuable rule to internalize. Any request to install a remote connection tool from someone who called you first is a scam. Hang up.
Pop-ups cannot scan your computer. A webpage cannot actually detect a virus on your machine or find that your account is locked. Any pop-up that tells you to call a number is illegitimate. Close the browser or force quit if the page will not close.
Verify through official channels. If you are worried the alert might be real, call your bank or the service using the number on your card, your monthly statement, or the official website. Never use a number given to you by a suspicious alert or caller.
Install and keep current reputable endpoint protection. The built-in Windows Defender is reasonable for most home users if kept current. Third-party options include Microsoft Defender for Business, SentinelOne, and CrowdStrike Falcon Go. For older adults, a professionally managed endpoint makes sense.
Use a password manager and MFA. 1Password, Bitwarden, Dashlane. Unique passwords everywhere, authenticator app or hardware key MFA on every sensitive account.
Talk to the older adults in your life. Tech support scams disproportionately target older adults. A short, non-judgmental conversation about the specific pattern of this scam, with the "no legitimate company will ever" framing, reduces future risk. Include extended family members. The scam moves through relationship networks.
Add a trusted person to financial accounts. Many banks offer a trusted contact designation that lets the bank flag suspicious activity to a designated relative or friend without changing account ownership. Useful for older adults living independently.
Tech Support Scam Questions
Will I get my money back?
Sometimes, partially. Depends on payment method, how fast reports are filed, and destination. Wire transfers within seventy-two hours have decent recovery odds through FBI IC3. Gift cards are usually lost. Crypto is traced and sometimes partially recovered when funds reach a regulated exchange.
Is my computer still compromised?
Possibly. A forensic examination is the only way to know. If the scammer had remote access, assume additional persistence mechanisms may be present. Reset or forensic cleanup before you resume sensitive use.
Do I need to buy a new computer?
Usually no. A factory reset combined with clean OS reinstall and careful restoration of personal files from backup is typically sufficient. We help with this.
Should I keep paying for the "protection service" they sold me?
No. Cancel any recurring charges from the scammer immediately. Dispute with your credit card company if applicable. Cancel any credit card they had access to.
Will my insurance cover the loss?
Some homeowners and umbrella policies now include cyber riders covering fraud. Banks generally do not reimburse authorized transactions, but they sometimes make exceptions for documented tech support scams, especially for older adult victims. Check your coverage and ask your agent.
What if the scammer keeps calling back?
Block numbers, register on the Do Not Call Registry, and consider changing your number if harassment persists. Report repeat contact attempts to FBI IC3 as part of your ongoing case record.
Is this a crime I can prosecute?
Yes. Wire fraud, computer fraud, and access device fraud statutes all apply. Most tech support scam operators are overseas, which complicates individual prosecution, but FBI IC3 aggregates reports and pursues organized operations. Your report helps the pattern investigation.
Helping An Older Adult Who Was Scammed
A few practical suggestions for adult children, neighbors, or caregivers who discover that someone they love has been hit.
The first thing to do is suspend judgment. Tech support scams work because they are engineered by professionals who exploit normal human impulses (urgency, trust in authority, desire to fix a problem). Intelligent people in their thirties fall for these. People in their seventies fall for them at higher rates because of a separate factor, age-related susceptibility to authority framing, which is real neuroscience and not an indictment of anyone's intellect.
Coming in with "how could you have been so careless" closes the conversation. Coming in with "these people are professional criminals, let me help you take the next steps" opens it. Most older adults are deeply embarrassed and afraid of losing independence. The best thing you can do is partner with them on the recovery without taking over.
Practically, offer to make the calls together. Offer to drive them to the bank or to the police station. Offer to sit with them while the computer is examined. Involve one or two other family members so the load is shared and the person does not feel isolated.
Also think about prevention going forward. Adult Protective Services in your county can be a resource for ongoing support. A professionally managed device, with monitoring software that alerts a trusted family member to suspicious activity, reduces the chance of a repeat. Petronella Technology Group offers a service tier specifically for older adult family members that handles this in a dignified way without treating anyone as incapable.
Finally, consider whether the scam event signals a larger change in your loved one's situation. If the scam worked because of cognitive or isolation issues, those issues need their own response. That conversation is best had with a geriatric care manager or a trusted physician, not invented by family in the aftermath of a financial crisis.
Common Tech Support Scam Scripts
Scammers rotate through a small number of proven playbooks. Recognizing yours helps you explain what happened to investigators and understand what follow-on risks to watch for.
The Microsoft security alert. A pop-up claiming Windows detected a virus, often accompanied by a loud audio loop warning you not to restart. The pop-up provides a toll-free number for "Microsoft Support". When you call, a scripted agent walks you through installing remote access software to "clean the infection". Almost always ends with a charge for "security software" or a year of "support". Sometimes escalates to banking takeover.
The Apple or iCloud lock. A pop-up or SMS claiming your Apple ID has been locked or your iCloud account compromised. Scammer posing as Apple Support guides you through password resets and MFA code handoffs that actually transfer the account to them. Often used to steal cryptocurrency wallets synced through Apple accounts.
The bank fraud department call. Inbound call claiming to be your bank's fraud department. They already know your name and some account information (usually from a previous data breach). They warn of unauthorized activity and instruct you to move money to a "safe" account that is actually theirs. Combined with fake remote access installation in many cases.
The Amazon or Netflix subscription hold. Email or text claiming a recurring payment failed. Clicking the provided link installs malware or harvests credentials. Sometimes combined with a follow-up call from "fraud department" when the victim disputes the charge.
The IRS or Social Security threat. Aggressive call claiming you owe back taxes or that your Social Security number has been suspended. Threatens arrest. Demands payment via gift cards or wire. IRS and Social Security Administration never initiate contact this way. Ever. Hang up.
The refund scam. A twist on the above. Email claiming a software subscription is renewing for hundreds of dollars, with a number to call to cancel. Call leads to a scammer who "accidentally refunds" too much and requests the overage back in gift cards. Common variant: scammer takes remote access, opens the victim's online banking, and appears to transfer an excess refund by actually moving the victim's own money between their accounts.
All of these rely on the same core mechanism: creating urgency and authority that overrides careful thinking. Recognizing the pattern is half the defense.
Typical Findings On A Compromised Device
When we examine a device after a tech support scam, the findings are often more concerning than the victim expected.
Remote access tools still installed. AnyDesk, TeamViewer, LogMeIn, Splashtop, and QuickAssist are common. Victims often uninstall the main application but miss the persistent service or scheduled task the scammer configured.
Additional persistence mechanisms. In some cases we find scheduled tasks that re-download and install the remote access tool if it is removed. Startup entries, registry run keys, and WMI subscriptions are all techniques we have seen used.
Info stealer malware. Clipboard hijackers that watch for cryptocurrency addresses and swap them mid copy. Browser password dumpers. Keyloggers. These are sometimes installed in addition to the visible remote access tool.
Modified browser configurations. Malicious extensions installed, homepage changed to a search engine the scammer monetizes, bookmarks pointing to phishing sites. Some scammers leave these specifically to facilitate follow-on attacks.
Modified hosts file or DNS settings. In some cases the scammer modifies the hosts file or sets up a custom DNS server so that banking and email sites redirect to phishing copies. This can persist even after visible cleanup.
Cryptocurrency wallet software. If the victim did not previously have Exodus, MetaMask, Coinbase Wallet, or similar installed, its presence is a sign the scammer wanted it there for fund movement.
Additional user accounts. Local administrator accounts created by the scammer so they can return even if the primary password is changed.
Logged-in session tokens. Browser sessions still authenticated to sensitive accounts, allowing account takeover without password knowledge.
This is why we recommend device forensic examination rather than assuming a visible cleanup is enough. The visible cleanup is the tip of a larger iceberg in many cases.
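The hosts file finding above is one that can be checked mechanically. The following is an added example, not Petronella's tooling or code from the original page: a Python audit that lists every active mapping in a hosts file, on the basis that a stock Windows hosts file contains only comments. The function names, the `.example` domains and the documentation-range addresses in the sample are constructed for illustration.

```python
import ipaddress
import sys

# Names that may legitimately point at a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: a Windows-style hosts file with entries added to it.
SAMPLE_HOSTS = """\ufeff# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
127.0.0.1 localhost
203.0.113.10   www.bank.example bank.example   # constructed redirect
198.51.100.7   LOGIN.mail.example.
0.0.0.0        update.vendor.example
not-an-ip      something.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping."""
    text = text.lstrip("\ufeff")  # a UTF-8 BOM would hide a mapping on line 1
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no hostname
        try:
            # Strip an IPv6 zone id ("fe80::1%eth0") before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # first field is not an IP literal; not judged here
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return every mapping that a clean hosts file would not contain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue  # ordinary localhost entry
        if ip.is_loopback or ip.is_unspecified:
            kind = "sinkhole"   # name is blocked locally
        else:
            kind = "redirect"   # name is sent to a specific server
        findings.append(
            {"line": line_no, "host": name, "ip": str(ip), "kind": kind}
        )
    return findings

if __name__ == "__main__":
    # Pass a path (on Windows: %SystemRoot%\System32\drivers\etc\hosts)
    # or run with no argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

A "redirect" entry for a banking or email hostname matches the finding described above. The custom DNS server case is a separate setting and is not covered by this check.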
Get Your Computer Clean And Your Accounts Locked Down
Call Petronella Technology Group at (919) 348-4912. Twenty plus years in Raleigh. BBB A+ since 2003. We have seen this scam thousands of times and we know how to help you recover.