Start with what the caller controlled, saw, installed, or charged. A fake virus warning by itself is not proof your device is infected. Remote access, payments, passwords, one-time codes, and exposed documents need faster action.
If more than one row applies, handle the highest-risk item first: remote access, money, passwords or codes, identity documents, then work or school systems.
Scroll sideways to see all columns.
| What happened | Do first | Check next |
|---|---|---|
| Only saw a pop-up or warning | Close it. Do not call the number. | Check only if you clicked, downloaded, or it keeps returning. |
| Called but shared nothing sensitive | End contact and do not call back. | Expect follow-up pressure by phone, email, or text. |
| Allowed remote access | Disconnect and use a trusted device for account changes. | List what was open: banking, email, files, photos, work apps. |
| Installed remote-access software | Remove it and restart the device. | Check apps, extensions, permissions, profiles, and startup items. |
| Typed a password or shared a code | Change that password from a trusted device. | Review sessions, recovery details, forwarding rules, and alerts. |
| Opened banking, email, files, or ID documents | Contact the account provider if financial or identity details were visible. | Check recent activity, settings, sharing, and connected devices. |
| Paid by card, PayPal, app, wire, gift card, Zelle, or crypto | Contact the payment provider through the official app, site, card, or statement. | Save receipts, transaction IDs, card details, wallet addresses, and dates. |
| Used a work or school device/account | Stop cleanup and contact IT. | Do not remove tools before they capture needed details. |
Use the closest match. Keep notes on what was open, typed, paid, installed, or changed.
If someone controlled your screen
Remote access changes the risk because the caller may have moved the mouse, watched sign-ins, opened windows, changed settings, installed tools, or viewed files. It can expose information, but it does not prove every file was copied.
Focus on what was actually open, unlocked, spoken aloud, or typed while the caller was connected:
- Banking, card, PayPal, payment app, crypto, shopping, or tax accounts.
- Email inboxes, password reset messages, security alerts, deleted mail, sent mail, and forwarding rules.
- Unlocked password managers, browser-saved passwords, app passwords, recovery email, recovery phone, and two-factor settings.
- Tax forms, IDs, Social Security numbers, account statements, private photos, and cloud files.
- Work or school email, VPNs, admin panels, shared drives, customer files, or internal systems.
Remove remote access and check what changed
Remote-access tools are used by real support teams, but they are risky when an unexpected caller, pop-up, invoice, or search result pushed you to install one.
End the session and do not reconnect
Close the session, hang up, and do not approve another connection request for a refund, cleanup, cancellation, or security check.
Remove the remote-access tool
Look for tools such as AnyDesk, TeamViewer, UltraViewer, Quick Assist, ScreenConnect, LogMeIn, or another app you do not normally use. These tools are not scams by themselves, but they should not remain installed after a suspicious session.
Review apps, extensions, profiles, permissions, and startup items
Check whether anything else was added while the caller had access.
Restart and scan
Restart the device and run trusted security software or the security tools built into the device.
Change exposed passwords from a trusted device
Start with email, banking, Apple, Microsoft, Google, password manager, payment apps, and any account that was open on screen.
Contact the provider when money or managed systems were involved
Use a known number, official app, official website, card, statement, or employer support channel.
If the device is managed by work or school, stop and contact IT. They may need logs or device details before anything is removed.
If money was paid
Contact the payment provider first. The bank, card issuer, payment app, wire company, gift card issuer, PayPal, or crypto platform controls the charge, transfer, dispute, card replacement, account lock, or transaction review options.
- Credit or debit card: call the issuer using the number on the card or statement. Ask about disputes, card replacement, recurring charges, and account monitoring.
- Gift card: keep the card and receipt, then contact the gift card issuer quickly. Do not send photos of the card to anyone else.
- Wire, bank transfer, Zelle, or payment app: contact the bank or app through the official app or website and ask what can be stopped, reviewed, or documented.
- PayPal or invoice platform: open the official app or website yourself and report the transaction there.
- Crypto: save the wallet address, transaction hash, amount, date, and platform. Be cautious with anyone promising guaranteed recovery.
If the caller says you were refunded too much, pause. Do not send money back, buy gift cards, move money to a safe account, or transfer funds while the caller is still guiding you.
If account or personal information was visible
Treat anything open, unlocked, copied, photographed, typed, or spoken aloud as possible exposure. Start with the accounts or documents that could cause account takeover, payment loss, or identity misuse.
- Banking or card screens: contact the financial provider and review recent, pending, and scheduled activity.
- Email inbox: check recovery settings, forwarding rules, deleted messages, sent messages, recent sign-ins, and connected apps.
- Password manager or browser passwords: change accounts that were visible, autofilled, or unlocked, and review connected devices.
- SSN, tax forms, IDs, or identity documents: use IdentityTheft.gov if identity theft or misuse applies.
- Cloud files, photos, or backups: check account sessions, sharing settings, recent activity, and unfamiliar devices.
Verify support outside the warning, invoice, or call
Do not use the phone number, link, chat window, invoice, search ad, or remote session to prove the support offer is real. Open the company's official site or app yourself, or use a known phone number from a card, statement, device settings, product packaging, or official support page.
Be careful with brand names in the warning. Microsoft, Apple, banks, antivirus companies, internet providers, payment apps, and remote-access tools can all be impersonated. The verification path matters more than the logo on the message.
What not to do now
- Do not call the same number back, even if the caller sounded professional.
- Do not reconnect remote access for a refund, cancellation, cleanup, or security check.
- Do not pay a recovery service that promises to get money back.
- Do not share more one-time codes, passwords, card numbers, bank details, or screenshots.
- Do not use the suspicious pop-up, invoice, email, chat, or search ad to verify the company.
- Do not wipe the device before saving payment evidence if you need to report or dispute the fraud, unless trusted support tells you to.
What to save before reporting
Save enough to explain what happened without posting private information publicly.
Caller and company details
Phone numbers, caller names, company names, websites, chat handles, email addresses, and search ads used.
Remote-access details
Tool name, session IDs if visible, screenshots, download names, and approximate connection times.
Payment proof
Receipts, transaction IDs, gift card receipts, gift card numbers, wallet addresses, invoice numbers, and dates.
Account and device changes
New apps, browser extensions, changed passwords, new recovery details, forwarding rules, unknown sign-ins, or security alerts.
What they saw or opened
Bank pages, email, password manager, tax files, cloud storage, photos, work apps, or personal documents.
Keep full SSNs, full card numbers, passwords, recovery codes, and private screenshots out of public forums or random helper chats.
Where to report or ask for help
Use the official path that matches what happened. Reporting is still useful even if money was not lost, but payment and account help should start with the provider that controls the account or transaction.
- FTC ReportFraud: consumer fraud, fake tech support, fake invoices, impersonation, and payment pressure.
- FBI IC3: internet-enabled crime or fraud, especially when remote access, wire transfers, crypto, or larger losses are involved.
- Bank, card issuer, payment app, wire company, gift card issuer, PayPal, or crypto platform: disputes, account locks, transaction review, card replacement, and records.
- Microsoft or Apple: account security or brand impersonation involving those accounts or devices.
- Remote-access provider: suspicious use of AnyDesk or another remote-access tool, if the provider offers an abuse or support channel.
- Work or school IT: any managed device, managed account, employer email, school login, VPN, or internal system.
- Local police or 911: threats, immediate danger, local theft, or someone trying to pick up cash, gold, cards, or devices in person.
FAQ
Is a fake virus pop-up proof my computer is infected?
No. A scary pop-up can be a web page designed to make you call. Close the browser or restart the device. If you downloaded something, installed software, or the warning returns outside the browser, check the device more closely.
Does Microsoft or Apple call about viruses?
Treat an unexpected call about a virus, hacked device, expired security software, or urgent account problem as suspicious. Use the official support page, device settings, app, or account portal instead of the number or chat in the warning.
What if I called but did not give access or pay?
End contact and do not call back. Review whether you shared a password, one-time code, payment detail, address, date of birth, or other private information. If you only talked and shared nothing sensitive, the main risk is follow-up pressure.
Should I reset the computer after a tech support scam?
Not always. Start by disconnecting remote access, removing the tool, scanning with trusted security software, and reviewing what changed. A reset may be appropriate if unknown software remains, access keeps returning, or trusted support recommends it.
What if the scammer saw my bank account?
Contact the bank using the official app, website, statement number, or card number. Tell them a scammer viewed the account during a remote-access session and ask what should be monitored, blocked, replaced, or documented.
Can I get money back after paying fake tech support?
It depends on the payment method, timing, and provider rules. Cards and some platforms may have dispute or replacement options. Gift cards, wires, payment apps, Zelle, and crypto can be harder. Do not pay anyone who promises guaranteed recovery.
Sources checked
Sources checked May 27, 2026. Use these official starting points when they match your situation; provider rules and reporting pages can change.
- FTC: How to spot, avoid, and report tech support scams
Fake pop-ups, fake support calls, remote-access pressure, payment methods, and FTC reporting.
- FTC: What to do if you were scammed
Provider-first payment steps and reporting paths by payment method.
- FTC: Avoiding and reporting gift card scams
Gift card payment warnings, issuer contact, and receipt/card evidence.
- FTC ReportFraud
Consumer fraud reports, including fake tech support and impersonation.
- FBI: Tech support scams
Remote-access risk, financial institution contact, password changes, evidence retention, and IC3 reporting.
- FBI IC3
Internet-enabled crime and fraud complaints.
- Microsoft: Protect yourself from tech support scams
Microsoft impersonation, fake warning messages, remote access, and official support boundaries.
- Apple: Recognize and avoid social engineering schemes
Apple impersonation, phony support calls, suspicious pop-ups, passwords, security codes, and official support channels.
- AnyDesk: How to avoid remote access scams
Remote-access scam patterns, ending sessions, password exposure, provider reporting, and the fact that legitimate remote-access tools can be misused.
- PayPal: Report fraud or unauthorized activity
PayPal unauthorized activity reporting, Resolution Center, card reporting, and account security steps.
- IdentityTheft.gov
Identity theft recovery planning when SSNs, IDs, tax files, or identity misuse are involved.