Tech Support Scam: How to Spot Fake Microsoft/Apple Calls and Popups (2026 Guide)

Fake Microsoft tech support scam popup warning on a laptop screen
A real "your computer has a virus" call or popup is always fake — here's exactly how to tell.
Think you're being scammed right now? Don't panic — a real, verified IT Cares technician can check your system and confirm what's real, same-day.
Get Verified Help →

A tech support call or popup is a scam if it came to you unsolicited — Microsoft, Apple, Google, and real IT support companies including IT Cares never cold-call about a virus on your computer, never trigger a popup demanding you call a number, and never ask for remote access or gift-card, wire, or crypto payment before you've contacted them first.

Tech support fraud costs Canadians and Americans hundreds of millions of dollars every year, and the people running it are convincing: professional-sounding voices, fake but realistic-looking error messages, and official-sounding names like "Microsoft Certified Support" or "Windows Security Center." IT Cares is a real, working remote computer repair company — we know exactly how these scams operate, because we hear about them from new customers every single week, and because our own technicians run legitimate remote sessions all day, every day. This guide breaks down precisely how the scam script works, the concrete red flags that give it away every time, and what a real remote repair session looks like side by side with a fake one — so you never have to guess again.

What we see from the front lines

In 2026, roughly 1 in 6 new customers who call IT Cares for virus removal or a system checkup tell our technicians they were first approached by someone claiming to be "Microsoft Support," "Apple Security," or a similar impersonation. Not one of our real technicians has ever reached out to a customer unsolicited — every legitimate IT Cares session starts because the customer called or booked us first.

The Classic Tech Support Scam Script: How It Works, Step by Step

Nearly every tech support scam — whether it starts with a phone call or a browser popup — follows the same five-stage script. Recognizing the pattern is often enough to spot it in the first ten seconds.

Step 1 — The Unsolicited Contact

It always starts the same way: you did not reach out first. Either your phone rings out of nowhere with a caller claiming to be from "Windows Support," "Apple Security," or your internet provider, or a browser tab suddenly fills your screen with a loud alarm sound and a message like "Windows Defender has detected a virus — do not close this window." Some versions arrive as a text message or email claiming your antivirus subscription (often "Norton" or "McAfee" or "Geek Squad") is about to renew for an unexpected amount, with a number to call to "cancel." In every version, the defining feature is the same: the contact originated from them, not from you.

Step 2 — Manufactured Urgency and Fear

Once they have your attention, the script shifts immediately into panic mode. You'll hear phrases like "hackers are inside your computer right now," "your banking information has already been compromised," or "if you close this window your files will be permanently deleted." The goal is simple: a frightened person makes worse decisions and skips the step where they'd normally stop and verify. Legitimate companies never use this kind of pressure — a real technician can wait five minutes while you think it over.

Step 3 — The "Proof" Trick

To make the fake infection feel real, scammers rely on a handful of theatrical tricks. The most common: asking you to open Event Viewer (a built-in Windows tool that logs routine system events) and pointing at ordinary warnings and errors — which exist on every healthy Windows computer — as "evidence" of a severe infection. Another version runs a fake "scan" inside the browser popup that always reports hundreds or thousands of infected files, no matter what's actually on your machine. Some will have you type assoc into Command Prompt and claim a normal, meaningless line of output is proof your files have been "encrypted by ransomware." None of these actually diagnose anything.

Step 4 — The Remote Access Request

Once you're frightened, the scammer asks you to install remote access software — usually AnyDesk, TeamViewer, or Windows Quick Assist — from a link they text or read out to you, then to share the session code that appears on your screen. These are legitimate tools used every day by real IT companies, which is exactly why scammers rely on them: the software itself isn't malicious, but handing control to a stranger who lied about who they are absolutely is. Once connected, they may pretend to "clean" your system while actually disabling your real antivirus, installing an actual keylogger or remote-access trojan, or simply browsing for financial information and saved passwords.

Step 5 — The Payment Demand

The final stage is collecting money, and the payment method itself is one of the clearest scam signals of all. Scammers ask for gift cards (Google Play, Apple, Amazon, Steam — read the numbers off the back over the phone), a wire transfer, or cryptocurrency — all payment methods that are essentially impossible to reverse or trace. A common variant is the "refund" scam: the scammer fakes a refund of, say, $1,000 into what looks like your bank account (it's actually a screen trick, not real money) and then insists you accidentally received too much and must send back the difference by gift card or wire immediately — you end up sending real money for a refund that never happened.

Already gave a scammer access?

Our technicians perform a full remote clean-bill-of-health scan — checking for leftover malware, new accounts, and hidden remote-access tools scammers install. Same-day, from $119.99, flat rate disclosed before we connect.

Book a Clean-Up Scan → 1 (888) 711-9428
🇨🇦 Serving all of Canada · ⭐ 5★ Google reviews · ✅ No fix, no fee

Common Names and Variants Scammers Impersonate

The script above gets dressed up in different costumes depending on who the scammer claims to be. Knowing the most common variants makes them instantly recognizable.

The Fake Microsoft Call

The caller claims to be from "Microsoft," "Windows Technical Department," or "Microsoft Certified Partner," saying your computer has sent error reports indicating a serious infection or that your Windows license has been compromised. Microsoft does not make unsolicited phone calls to consumers about computer problems, ever. Microsoft's own official guidance states it will never proactively call you about a security issue.

The Fake Apple / iCloud Call or Text

A call, text, or popup claims your Apple ID or iCloud account has been "locked due to suspicious activity" and provides a number to call, or a link that opens a fake Apple-branded page asking you to "verify" your Apple ID password. Apple does not cold-call customers about account security, and will never ask for your password over the phone or through a link sent via text.

The Fake Antivirus Renewal Invoice

An email or popup designed to look like a Norton, McAfee, or "Geek Squad" renewal receipt for $300-$500 arrives, with a "customer service" number to call if you didn't authorize the charge. Calling that number connects you directly to a scammer running the same script — there was never a real charge.

The Browser Lockscreen ("Security Center") Scam

You land on an ordinary website and a full-screen popup appears — often with a blaring siren sound — styled to look like an official "Windows Defender Security Center" or "McAfee Alert," claiming your computer is infected and that you must call a toll-free number immediately. The tab may resist closing or trigger repeated "leave page?" prompts. This is a webpage, not your actual antivirus software, and it cannot detect anything real about your computer.

The Fake Bank Fraud Text

A text message claims suspicious activity was detected on your bank or credit card account and provides a number to call "to confirm it wasn't you." The number connects to a scammer, sometimes posing as your bank and sometimes pivoting into the tech support script, asking to remote into your computer "to secure your account."

12 Red Flags That Mean You're Being Scammed — Right Now

If two or more of these apply to what's happening on your screen or phone call at this moment, you are almost certainly dealing with a scam.

1. They Contacted You First

This is the single biggest tell. A legitimate company — Microsoft, Apple, your ISP, or IT Cares — does not call, text, email, or pop up a warning about a virus on your computer unless you reached out to them first. If the contact originated from them, stop right there.

2. They Claim to Represent "Windows Support," "Apple Security," or Your ISP

Microsoft, Apple, and internet providers do not operate a proactive, unsolicited "we noticed a problem with your device" phone department. Any caller using these names to explain why they're contacting you out of the blue is misrepresenting who they are.

3. A Popup or Screen Won't Let You Close It

A genuine security warning from your actual antivirus software never behaves like a hostage situation. If a browser tab locks up, plays an alarm sound, or repeatedly reopens when you try to close it, it's a webpage designed to trap you — not a real system alert.

4. There's a Phone Number Built Into the Warning

Real Windows and macOS error messages never include a phone number to call. Any "virus detected" message that comes with a toll-free number to dial is, without exception, a scam.

5. They Create Panic With Urgent, Scary Language

"Act now or lose everything," "hackers are in your system right now," "your identity has already been stolen" — this kind of pressure exists purely to stop you from pausing to verify. A legitimate technician has no reason to rush you.

6. They Ask You to "Prove" Infection Using Event Viewer or Command Prompt

Pointing at routine Windows logs or harmless command output and calling it proof of hacking is a well-known scam trick. These logs contain normal entries on every computer, infected or not.

7. They Ask You to Download Remote Access Software From a Link They Send

Being asked to install AnyDesk, TeamViewer, or similar software from a link sent during an unsolicited call is a major red flag — even though the software itself is legitimate and widely used by real IT companies.

8. They Want to Be Paid in Gift Cards

No legitimate company — not Microsoft, not Apple, not IT Cares, not your bank — ever accepts payment in Google Play, Apple, Amazon, or Steam gift cards. This payment method exists in scams because it is nearly untraceable and irreversible.

9. They Ask for Wire Transfer, Cryptocurrency, or a Money Transfer App

Similarly, no real support interaction ends with a request to wire money, buy crypto at an ATM, or send funds through a peer-to-peer payment app to a stranger. These are the payment rails of fraud, not IT support.

10. They Get Defensive or Aggressive When You Ask Questions

A real technician welcomes questions and explains their actions calmly. A scammer, when asked to slow down, verify their identity, or let you call back on a number you look up yourself, typically becomes pushy, evasive, or hangs up.

11. Caller ID Is Spoofed or the Script Feels Rehearsed

Caller ID showing a familiar area code or even "Microsoft" as the name means nothing — this information is trivially faked. A scripted, robotic delivery that doesn't adapt naturally to your specific questions is also a strong signal you're talking to a call-center scam operation rather than a real support agent.

12. They Ask for Banking Login "To Verify a Refund"

No legitimate refund process — from Microsoft, Apple, or IT Cares — ever requires you to log into your online banking while someone watches, or to read out a one-time passcode sent to your phone. This is how the "accidental refund" scam variant steals money directly from your account.

The simple rule

If it came to you unsolicited, if it's rushing you, or if it wants gift cards, wire transfer, or crypto — hang up or close the tab. There is no legitimate scenario where all three of those things happen together.

Why Smart, Careful People Fall for This

Falling for a tech support scam is not about being gullible or "bad with computers." These operations are run by organized call centers using professional scripts refined over thousands of calls, specifically engineered to exploit normal human responses: the instinct to trust an authority figure, the panic response to a perceived emergency, and the social pressure to comply with someone who sounds confident and official. Older adults are targeted disproportionately not because they're less capable, but because scammers specifically buy call lists aimed at that demographic and count on politeness making it harder to hang up mid-sentence.

The technical "proof" tricks work precisely because most people have never had a reason to open Event Viewer before — it looks alarming purely because it's unfamiliar, not because anything is wrong. Understanding the script in advance is the single most effective defense, because the moment you recognize the pattern, the fear response the scammer is relying on simply doesn't happen. That's the entire purpose of this guide.

Not sure if a call or popup you got was real?

Call IT Cares directly on our published number below — never the number given to you by a caller or popup — and a certified technician will help you verify it, free of pressure.

Legitimate Remote Support vs. a Scam Session — Side by Side

The technology used in a real IT Cares remote session and a scam session can look identical on the surface — both may use AnyDesk. The difference is entirely in who initiates contact, what's disclosed up front, and how payment works. Here's the direct comparison:

Aspect Legitimate Repair (IT Cares) Tech Support Scam
Who contacts whom first You call or book us online They call or pop up on your screen
Price Flat rate disclosed before the session ($119.99–$149.99 CAD) Hidden until you're already panicked, or invented on the spot
Software used AnyDesk, opened and approved by you Often the same software, but installed under pressure from a link they send
What you see Every action, live, on your own screen, at your pace Same visibility, but they work fast and talk over your questions
Payment method Credit card, Stripe, or e-transfer only Gift cards, wire transfer, or cryptocurrency
Urgency None — you set the schedule Manufactured panic: "act now or lose everything"
Verifiability Real Canadian company, physical Montréal address, public reviews Untraceable, spoofed caller ID, invented company names
Ending the session You close it anytime, no consequence, no pushback May resist disconnecting or threaten consequences if you try

How an IT Cares session actually works

  • You call 1 (888) 711-9428 or book online first
  • We quote a flat price before connecting anything
  • You download AnyDesk and read us the session code — not the other way around
  • You watch the entire session on your own screen
  • You can close the connection at any second, no questions asked
  • Payment is by credit card or Stripe, after the work is done

How a scam session actually works

  • They call or pop up first, out of nowhere
  • Price is never mentioned until you're already connected
  • They send you a link to install remote software
  • They move fast and talk over your questions
  • They resist or delay when you try to disconnect
  • Payment demanded before anything is "fixed," via gift cards or wire

For a deeper breakdown of exactly how encryption, session limits, and technician access controls work on a legitimate remote session, see our full guide: Is Remote Computer Repair Safe? It covers the same AnyDesk technology from the security side, in more technical detail.

What To Do If You're Being Scammed Right Now

If you're currently on the phone with a suspected scammer, looking at a locked browser tab, or realize a stranger is currently connected to your computer, work through these steps in order.

1

Hang up or close the popup

Hang up or close the browser tab immediately. Do not call any phone number shown in the call or popup — even if it looks official.

2

Disconnect the internet

If someone is currently connected to your computer, disconnect from the internet right now. Unplug the ethernet cable or turn off Wi-Fi — this cuts their access instantly.

3

Force-close remote access software

Open Task Manager (Ctrl+Shift+Esc), find AnyDesk, TeamViewer, or Quick Assist, and click End Task.

4

Run a full malware scan

Restart your computer, then run a full scan with Windows Defender or Malwarebytes to check for malware left behind.

5

Change your passwords from a clean device

From a different, clean device — your phone or another computer — change the passwords for your email, online banking, and any account the scammer may have seen.

6

Turn on two-factor authentication

Turn on two-factor authentication on your email and banking accounts if it isn't already active.

7

Check your bank and card statements

Check your bank and credit card statements for unauthorized charges. Call your bank's fraud line immediately if you gave any card or account details.

8

Call the retailer if you paid by gift card

If you paid with a gift card, call the retailer's customer service line right away. Some retailers can freeze the balance if you report it within hours.

9

Report the scam

Report the incident to the Canadian Anti-Fraud Centre (1-888-495-8501) or, in the US, the FTC at reportfraud.ftc.gov, and file a report with local police for a reference number your bank may require.

10

Get a professional clean-bill-of-health scan

Have a professional confirm your computer is fully clean. IT Cares offers same-day remote malware scans starting at $119.99 — call 1 (888) 711-9428.

Already Went Through It? We'll Confirm You're Clean.

IT Cares performs a full remote audit after a tech support scam — checking for leftover remote-access tools, new user accounts, disabled antivirus, and hidden malware. Transparent, flat-rate, same-day.

If You Already Gave a Scammer Remote Access: The Full Cleanup

Beyond the immediate crisis steps above, a thorough cleanup after a tech support scam should cover a few things the ten-minute version doesn't have time for:

If any of this feels like more than you want to tackle alone, that's exactly the kind of session IT Cares' remote support exists for — the difference being you're the one calling us, on your schedule, with the price disclosed before we touch anything.

How to Verify a Real Support Call Is Legitimate

If you're ever unsure whether a call, email, or invoice is real, these checks take less than five minutes and settle it definitively:

  1. Hang up and call back yourself. Look up the company's official number from their real website or a bill you already have — never the number given to you during the call or in the popup — and call that number instead.
  2. Ask who specifically is calling and why. A legitimate company can tell you which service plan, order, or account triggered the call. A scammer relies on vague claims like "we detected a problem" with no specifics.
  3. Check whether you actually have an active relationship with them. If you've never purchased antivirus software from "Norton" or don't have a Geek Squad membership, an invoice or renewal call claiming otherwise is automatically fake.
  4. Search the phone number online. A quick search of the exact number that called you often turns up existing scam reports from other people.
  5. Never trust caller ID alone. Caller ID names and numbers are trivially spoofed and prove nothing about who is actually calling.
  6. Verify a real technician's identity mid-session. A legitimate IT Cares technician will always confirm your name, the service you booked, and the price already quoted — before asking to connect. If any of that doesn't match what you arranged, stop and call us back on 1 (888) 711-9428 directly.

Frequently Asked Questions

Does Microsoft (or Apple) actually call people about viruses? +

No. Microsoft, Apple, Google, and legitimate IT providers — including IT Cares — never initiate a phone call, popup, or email telling you that your computer has a virus. Every legitimate contact happens because you reached out first: by calling a published number, opening a support chat, or booking an appointment on the company's real website. If you receive a call or see a popup claiming otherwise, it is a scam, without exception.

Can scammers still see my screen after I hang up the phone? +

If you only spoke on the phone and never installed anything or clicked a link, hanging up ends the interaction completely — they have no access to your device. However, if you already installed remote access software (AnyDesk, TeamViewer, Quick Assist) and let them connect, hanging up the phone alone does not disconnect that session. You need to close the remote access program itself (or force it closed via Task Manager) and disconnect your internet to be sure access is cut off.

How do I get my money back after a tech support scam? +

Recovery depends on how you paid. Credit card charges can often be disputed with your bank as fraud — call the number on the back of your card immediately. Gift card payments can sometimes be frozen if you call the retailer within hours of purchase, but funds already redeemed are usually unrecoverable. Wire transfers and cryptocurrency payments are the hardest to reverse and are rarely recovered. In every case, report the incident to your bank, the Canadian Anti-Fraud Centre (or the FTC in the US), and local police — even if the money isn't recovered, the report can help freeze related accounts and supports broader investigations.

Is remote computer repair itself safe, or is it always a risk? +

Legitimate remote computer repair is safe when you initiate the contact and the company is verifiable. Services like IT Cares use AnyDesk with 256-bit AES encryption, disclose flat pricing before any session starts, and only maintain access while the session window stays open — closing it ends access immediately, with no way to reconnect without your explicit approval. The risk isn't the technology itself; it's who's on the other end and how the contact started. See our full guide on whether remote computer repair is safe for the complete breakdown.

What's the real difference between an IT Cares remote session and a scam? +

You call IT Cares first (or book online) — we never cold-call you. We quote a flat price before connecting. You initiate and approve the AnyDesk session, watch every action on your own screen, and can close it at any second. Payment is by credit card or Stripe only — never gift cards, wire transfer, or crypto. A scammer reverses every one of these: they contact you first, hide the price until you're panicked, and demand untraceable payment.

Can a popup alone infect my computer just by me seeing it, without clicking anything? +

Simply viewing a fake "your computer has a virus" popup does not usually infect your device on its own — the danger comes from what you do next. Clicking the popup, calling the number, downloading the "fix" it offers, or installing remote access software is how scammers actually gain access or install malware. If a popup or tab won't close, use Task Manager to force-close the browser rather than clicking anything inside it, or restart your computer.

What should I do if I'm on the phone with a suspected scammer right now? +

Hang up. Do not provide any information, do not follow any instructions to open programs, and do not call back any number they gave you. If you want to verify whether you have a legitimate issue, look up the official support number yourself from the company's real website (not from the call or a popup) and contact them separately.

Should I pay if they threaten to lock my files or say I owe money? +

No. Legitimate companies do not threaten to lock your files or demand immediate payment over the phone to "restore access." These are pressure tactics designed to bypass your judgment. If you're an existing IT Cares customer and have a real invoice question, verify it by calling our published number directly — 1 (888) 711-9428 — rather than any number provided by an unsolicited caller.

Comments (3)

RP
Robert P., Ottawa
June 2, 2026

My mother almost fell for this exact script last month — the Event Viewer trick specifically. Sent her this article and now she knows to just hang up. Wish this existed years ago.

JT
Julie T., Montreal
June 5, 2026

Had one of those loud browser lockscreen popups happen to me at work. Closed it with Task Manager like this article says instead of calling the number. Turned out to be nothing since I never called or clicked anything.

DK
Daniel K., Calgary
June 9, 2026

Called IT Cares after hanging up on a fake "Microsoft" caller just to double check my computer was fine. Technician confirmed everything was clean and explained exactly why the call was fake. Appreciated that they didn't try to scare me into buying anything extra.

Leave a Comment

Verify Now