Tech-Support Scams: 5 Variants and the Single Rule That Defeats Them All

A web page hijacks the victim's browser into full-screen mode, displays a fake "Windows locked due to unusual activity" warning with a phone number and Microsoft branding, and locks the victim out of normal navigation. The page is hosted on a legitimate Azure Blob Storage subdomain (or similar trusted host) to bypass URL-based detection. The phone number connects to a scam call center.

The r/Scams thread "Fake 'Windows locked due to unusual activity' full-screen scam" (117 upvotes) describes the textbook version. The author's screen suddenly switched to a full-screen "Windows Advanced options / Admin login" page that claimed: "Windows locked due to unusual activity. Asked for my Microsoft ID and password. Told me to call 'Windows Technical Support' at +1-888-977-1274 (toll-free). Warned not to shut down or restart the PC." The page was hosted on an Azure Blob Storage subdomain — a real Microsoft cloud service being abused to host the scam content, which made the URL look more legitimate to anyone who checked it. The author did not call. They closed the browser via Task Manager and ran a malware scan.

The community top reply (25 upvotes): "Open Task manager (Ctrl-Alt-Del) and end the Task. Check in Startup if something funny is listed. Do full malware scan." A second commenter noted: "They don't care. This has been around for more than a year now" — a reference to the slow pace at which Microsoft Azure responds to abuse reports for blob-storage-hosted scam pages. The scam is sticky precisely because the hosting infrastructure is legitimate; takedowns require Microsoft's abuse process, which can take days while the scam page continues to serve.

Kill the browser via Task Manager — never via the page's own buttons. The full-screen lockup is not a real Windows lock. The browser is being held in full-screen mode by a JavaScript trick; ending the browser process ends the page. On Windows: Ctrl+Alt+Delete → Task Manager → end the browser. On Mac: Command+Option+Esc → Force Quit. Then run a malware scan, in case the redirect installed any additional payload. Microsoft's Digital Crimes Unit takes down roughly 66,000 of these pages per year — and that's only the share it catches before the next batch spins up on the same Azure subdomain pool an hour later. The user-side defense is the only one that scales.

The full-screen lockup is the most visible variant because it is loud — full-screen mode, audio loop, urgent text. The next variant is quieter and arrives in your inbox.

An "auto-renewal" email lands in your inbox claiming a $300+ subscription has been renewed. You call the number to dispute. The scammer claims they will refund the charge and asks you to log into your bank to confirm receipt. They take remote control of your screen, manipulate the visible balance to make it appear the bank refunded too much, and demand the "overage" returned in gift cards or wire. Geek Squad was the most-impersonated company in FTC 2023 fraud data, with around 52,000 scam reports.

The FTC's consumer alert on the Geek Squad renewal scam describes the mechanic with unusual specificity: "Scammers take you to a spoofed website that looks real and tell you to enter your bank or credit card information to process the refund. After you do that, they claim there was an error in the amount entered and say they refunded you too much money, insisting you pay them back with gift cards, a wire transfer, a bank transfer, cryptocurrency, or a payment app." The "overage" is the entire scam. The scammer never actually refunded anything; they manipulated the on-screen view to make it look like a refund happened, often by overlaying the browser with their own fake banking interface or by editing the visible HTML of the bank page through their remote-access session.

The scale is large. Geek Squad has been the most-impersonated brand in FTC consumer fraud reports for multiple years running, with approximately 52,000 reports in 2023 alone. Norton, McAfee, Best Buy direct, and PayPal-themed renewal emails follow the same pattern. The emails are convincing: real Best Buy logos, real Geek Squad branding, plausible invoice numbers, real-looking subscription details. Older adults are the primary target — the FTC's October 2024 report found "consumers 60 and older were five times more likely to be victims of a tech support scam than people ages 18-59," with older consumers reporting "$175 million in losses to tech support scams in 2024."

So what stops it? Open a clean browser — not any link in the email — type the company's URL yourself (bestbuy.com, norton.com, mcafee.com, amazon.com, paypal.com), and check your subscriptions there. If the charge is real, your real account will show it. If it isn't there, the email is fake. Delete it, report it to the FTC at reportfraud.ftc.gov and to the impersonated company directly. Best Buy's own published guidance is identical: real Geek Squad renewal emails do not include a phone number. The presence of a phone number in a renewal email is itself the diagnostic.

The Geek Squad email scam pulls victims toward the scammer. The next variant flips the direction — the victim seeks out the scammer's number themselves, because Google surfaces it.

Victim has a legitimate tech problem and self-googles for help. The top result is a paid ad or SEO-poisoned page surfacing a fake "Microsoft support" number. The victim calls the number themselves — no inbound call, no pop-up, no email — which makes the engagement feel verified. The scammer then walks them through installing ConnectWise or AnyDesk for "diagnosis," and the rest of the script unfolds.

The r/Scams thread "ConnectWise scam for Microsoft Tech Support" (4 upvotes, but a high-quality victim post) describes the textbook self-googled version. The author was logged out of their Outlook account for too many failed attempts. They "researched online google a number to call Microsoft for help," called the number, and were told they had a "security breach." The scammer instructed them to download ConnectWise on their iPhone. The phone call lasted 34 minutes. The scammer asked the victim to access their bank accounts to check whether someone had been "successfully buying crypto" with their cards. The victim caught it — they noticed they were screen-sharing — and disconnected. They wrote, with the panic of someone who has just realized they were almost robbed: "How much do they have? How fast can they steal everything from me?"

"How much do they have? How fast can they steal everything from me?" — that single line, written by a victim mid-panic, is the moment every SEO-poisoned-search story arrives at if it doesn't get caught earlier. The fix is upstream of the search itself. Type the company's URL into your address bar (microsoft.com, apple.com, google.com), navigate from the home page to the support section, and use the contact methods listed there. Microsoft, Apple, Google, and Outlook all run official support pages with documented contact paths. The fact that a phone number appears at the top of Google does not mean Google has verified it — paid scam ads routinely outrank the legitimate company's own support page, and r/Scams' automod responses for `!techsupport`, `!refund`, and `!recovery` exist because the pattern is that common.

The reason this variant is so effective is the verification flip. In every other variant, the scammer initiates contact and the victim suspects "I didn't ask for this — why is it happening?" In the SEO-poisoned-search variant, the victim initiated contact themselves. They Googled it. They dialed the number. They believe they are the one driving the conversation. That self-initiated framing collapses the suspicion that protects victims in the inbound-call variants. Self-googled numbers are one of the most dangerous tech-support scam channels precisely because they feel safe.

The first three variants get the victim into the call. The fourth is what happens once they're on it.

After the intake call begins, the scammer walks the victim through installing or opening a remote-access tool: ConnectWise ScreenConnect on Windows or iPhone, AnyDesk, TeamViewer, or Microsoft Quick Assist (built into Windows). Once installed, the scammer can see the victim's screen and move the mouse on the victim's behalf. They typically use this access to drain bank accounts, install additional malware, or stage the fake-refund overpayment trick.

The r/techsupport thread "Friend temporarily fell for a tech support scam" (114 upvotes) captures the standard mechanic. The friend got a "computer locked" pop-up, called a Microsoft-branded support number, and let the scammer remote into his laptop. The scammer took him to the registry editor where it shows real-but-confusing system entries and tried to sell him an antivirus. He hung up, turned off Wi-Fi, and turned the laptop off. The author asked: "if he watched the guy remotely access his computer the whole time and the scammer never tried opening up any documents or anything, how likely is it that any files or personal information were taken?"

The top community reply (90 upvotes) is the canonical answer: "An attacker had full remote access to your friend's PC. They could have done anything. You will not know exactly what they did. The safest course of action is to assume the whole PC is compromised. Any sensitive data, passwords, cookies for logged in websites etc, are potentially exposed to the scammers. Possibly the PC is infected with malware. The correct response in that case is to format the PC and do a clean Os install. Change passwords on all online accounts and configure MFA." A second commenter, 34 upvotes: "If he saw someone access the pc. Fully format it. Reset all passwords for everything. I would only need seconds to take whatever I need or plant whatever I want without the person knowing once I gained access."

Microsoft Quick Assist deserves separate attention. Microsoft tracks the cybercriminal group behind much of the Quick Assist abuse as Storm-1811. Per Microsoft's June 2025 blog: "In April 2024, Microsoft Threat Intelligence observations highlighted Storm-1811, a cybercriminal group abusing Windows Quick Assist to impersonate IT support, primarily using voice phishing (vishing) rather than AI to manipulate victims into granting remote access." Microsoft now blocks "an average of 4,415 suspicious Quick Assist connections each day, accounting for about 5.46% of all connection attempts" — meaning roughly one in twenty Quick Assist sessions Microsoft sees is flagged as potentially malicious. Microsoft has built warning prompts into Quick Assist and is rolling out further detection, but the tool's legitimate use case (remote IT help for grandparents, etc.) means it cannot simply be disabled.

The friend who turned off Wi-Fi in the r/techsupport thread didn't avoid the worst because he was lucky — he avoided it because he stopped engaging within minutes. What he didn't avoid was the days of cleanup: the format, the OS reinstall, the password resets, the credit-freeze paperwork, the unanswered question of what exactly did they look at. That residue is the real cost of a remote-access scam, and the only way to skip it is to never grant access. Never install ConnectWise, AnyDesk, TeamViewer, or open Microsoft Quick Assist at the request of an inbound caller. Real Microsoft support — the kind you reach by typing microsoft.com yourself — does not require remote-access tools to resolve most issues, and never asks you to install one without you having proactively scheduled the appointment from your account. The tools themselves are legitimate. The request to install one at an inbound caller's direction is the diagnostic.

Remote access is the platform. The fifth variant is the most common monetization route once that platform is in place.

Once remote access is established, the scammer asks the victim to log into their bank account "to confirm a refund" or "to check for fraudulent activity." The victim enters credentials. The scammer then either (a) initiates Zelle/wire transfers from the victim's account directly while the victim watches, (b) uses the fake-refund "overpayment" mechanic to convince the victim they have been overpaid and demands repayment via gift cards, or (c) silently extracts saved passwords, browser cookies, and stored financial info for later use.

The clearest first-person account of this variant lives on r/Scams under the title "Microsoft Security Scam. What do I do now?" The author had just bought a new laptop. They pulled up Facebook for the first time, clicked a friend request, and a Microsoft Security Team pop-up appeared with a phone call coming through almost simultaneously. They called. They granted remote access. The agent ran what looked like diagnostic reports, then said the victim's IP address had been compromised and their phone was being listened to. He asked yes/no questions: "Do you use online banking? Do you pay your bills online?" Each answer narrowed the script toward the bank-drain phase.

The pivot came when the agent told the author her phone was compromised and she needed to call "another secure number." She did. The second agent began downloading a program that was visibly not from Microsoft — the install prompt was the moment her suspicion broke through. She questioned him. He told her if she wouldn't continue he would hang up and she could "find her own computer repair person." The threat-to-leave is part of the script. It weaponizes the victim's sunk cost — the 30 minutes already spent, the embarrassment of admitting suspicion. She hung up. She got out before the bank-drain phase started. Most of the people who reach this point in the script do not.

If the script has reached your bank-account login, what's left is damage-control. Disconnect the device from the internet immediately. Call your bank's fraud line on the number printed on the back of your debit card — never a number the agent provided. Place a fraud hold on every account. Change every banking password from a different, uncompromised device. Watch statements daily for 90+ days. Place a credit freeze with all three bureaus. The FBI's IC3 reports note that older Americans alone reported nearly $4.9 billion stolen through fraud in 2024, a 43% year-over-year increase, with tech-support and call-center fraud as the dominant categories driving that climb. Speed matters more than completeness — a fraud hold placed in the first ten minutes recovers more than a perfectly documented one placed in the first hour.