Recognizing and Avoiding Tech Support Scams

Tech support scams represent one of the most pervasive fraud categories targeting US consumers, with the FTC reporting over $924 million in losses to tech support fraud in 2023. These schemes impersonate legitimate technology companies, government agencies, or cybersecurity firms to extract payments or remote system access from victims. This page covers the structural characteristics of tech support scams, their operational mechanics, the major scenario types, and the criteria used to distinguish legitimate support services from fraudulent ones — serving as a reference for consumers, researchers, and professionals navigating the home cybersecurity service landscape.


Definition and scope

Tech support scams are deceptive operations in which fraudulent actors falsely claim to represent a technology or security company, assert that the target's device has a critical problem, and then demand payment or remote access to resolve a fabricated issue. The Federal Trade Commission (FTC) classifies these under its fraud enforcement authority and treats them as violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in commerce.

The scope of this fraud category extends across three primary impersonation targets:

  1. Technology companies — fraudsters claim affiliation with Microsoft, Apple, or Google to assert that a device has been compromised
  2. Internet service providers — callers pose as ISP security teams alerting users to unusual account activity
  3. Government agencies — less common but documented instances involve impersonating the Social Security Administration or IRS in conjunction with technology-related pretexts

The FBI's Internet Crime Complaint Center (IC3) separately categorizes tech support fraud in its annual reporting, noting that adults over age 60 account for nearly 50 percent of victims who report losses, based on 2023 IC3 data.

The distinction between tech support scams and related fraud types — such as phishing or ransomware — lies in the social engineering vector. Tech support scams rely predominantly on voice-based or pop-up-driven deception rather than malicious file delivery, though the two categories can overlap when remote access tools are deployed.


How it works

Tech support scams follow a recognizable operational sequence that the FTC and IC3 have documented across thousands of reported incidents:

  1. Initial contact or alert generation — The fraud begins through an unsolicited phone call, a browser-based pop-up or full-screen alert, a redirect from a compromised website, or a sponsored search result. Pop-up alerts commonly display fabricated error codes or "infection counts" and include a phone number.
  2. Authority establishment — The caller or chat agent claims employment at a named company (commonly Microsoft or Apple) and references the supposed error by a convincing but fabricated case number or event log entry.
  3. Urgency escalation — The victim is told that failure to act immediately will result in data loss, account suspension, or financial account exposure. This pressure is designed to bypass deliberate decision-making.
  4. Remote access request — The scammer directs the victim to download a legitimate remote access tool such as AnyDesk, TeamViewer, or Quick Assist. Once connected, the scammer can view files, install software, or access financial accounts.
  5. Payment extraction — Payment demands are made via gift cards, wire transfer, cryptocurrency, or peer-to-peer payment apps. The FTC's guidance on gift card scams notes that gift card payment demands are a reliable indicator of fraud across all scam categories.
  6. Secondary fraud — After initial payment, fraudsters may claim to have accidentally refunded too much money, initiating a second round of manipulation known as a "refund scam."
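
One way a defender might surface step 4 in endpoint process-creation telemetry, as an added example that is not part of the original page. The sample events are constructed, and the process names, browser list, directory patterns and severity labels are assumptions for illustration.

```python
import ntpath

# Assumed process names for the remote access tools named on this page.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")

# Constructed sample events: (time, image path, parent image path).
SAMPLE_EVENTS = [
    ("2024-05-01T14:02:11",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Windows\explorer.exe"),
    ("2024-05-01T14:09:40",
     r"C:\Users\pat\Downloads\AnyDesk.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("2024-05-01T14:30:02",
     r"C:\Windows\System32\quickassist.exe",
     r"C:\Windows\explorer.exe"),
    ("2024-05-01T15:00:00",
     r"C:\Windows\System32\notepad.exe",
     r"C:\Windows\explorer.exe"),
]

def classify(image, parent):
    """Return 'high', 'review' or None for one process-creation event."""
    name = ntpath.basename(image).lower()
    if name not in REMOTE_TOOLS:
        return None
    from_drop_dir = any(d in image.lower() for d in USER_DROP_DIRS)
    browser_parent = ntpath.basename(parent).lower() in BROWSERS
    # A freshly downloaded or browser-launched tool fits step 4 of the sequence.
    if from_drop_dir or browser_parent:
        return "high"
    # An installed or built-in tool (e.g. Quick Assist) is legitimate software;
    # the launch is only worth confirming with the user.
    return "review"

def scan(events):
    """Return (time, tool name, severity) for every remote access tool launch."""
    hits = []
    for when, image, parent in events:
        severity = classify(image, parent)
        if severity:
            hits.append((when, ntpath.basename(image), severity))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```

A "high" result is a prompt to ask the user whether someone on the phone or in a pop-up told them to run the tool, not proof of fraud by itself.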

Common scenarios

Tech support scams manifest in four well-documented scenario types, each with distinct delivery mechanisms:

Pop-up alert scams — Browser windows or operating system overlays generate fake virus warnings with alarming language and a callback number. These pages frequently use full-screen mode or audio loops to create urgency. Microsoft's Digital Crimes Unit has publicly documented the use of its branding in this scenario type.

Cold-call scams — Callers claim to be from a technology company's support division, referencing Windows Event Viewer logs (which contain benign error entries on virtually all systems) as evidence of infection. The caller then follows the remote access sequence described above.

Search engine ad scams — Fraudulent support numbers appear in paid search placements for queries like "Microsoft support number" or "Apple help desk." The FTC's 2022 data spotlight identified business impersonation — including tech companies — as the leading impersonation fraud category by reported dollar loss.

Refund scams — Targeting individuals who have previously been victimized, these operations pose as recovery services or support companies offering refunds for prior fraudulent charges. They use the same remote access tools and payment redirection techniques as the initial fraud.

The contrast between pop-up and cold-call variants is operationally significant: pop-up scams require no data about the victim and operate at scale, while cold-call scams can be more targeted and involve purchased lead lists of prior fraud victims.


Decision boundaries

Distinguishing legitimate tech support from fraudulent contact involves applying specific structural criteria rather than relying on perceived professionalism or brand recognition. The FTC and CISA both publish formal guidance establishing these distinctions:

Legitimate support does not initiate contact. Microsoft, Apple, and Google do not proactively call consumers about device infections. Any unsolicited contact claiming to originate from these companies is fraudulent by structural definition.

Legitimate support does not accept gift cards as payment. No major technology company requests gift card, wire transfer, or cryptocurrency payment for support services.

Legitimate support does not request remote access as a precondition. While remote access tools are used in genuine support contexts, they are never the first step and are never initiated by the support company without an explicit consumer-initiated request through verified channels.

Event Viewer errors are not indicators of infection. Windows Event Viewer logs contain informational and warning entries on all functioning systems. Referencing these logs as evidence of a specific infection is a documented scam technique.

For professionals and researchers assessing the scope of home cybersecurity service categories, tech support fraud intersects with remote access security, identity protection, and consumer financial harm — areas covered in the broader resource structure of this reference.

