Trending Scam Investigation

How to Trace a Subscription-Renewal Scammer

The email looks like an invoice. It says your antivirus, your Geek Squad plan, or some subscription you barely remember has just auto-renewed for hundreds of dollars, and if you did not authorize it, you need to call the number shown to dispute the charge. There is no charge, there is no subscription, and the number does not reach customer support. It reaches a scam call center built to talk you into handing over remote access to your computer and then “refunding” you money you never paid. This guide explains exactly how the scam runs, why you must never call the number, the refund-overpayment trap that turns a fake refund into a real loss, where to report it, and how the callback number, the refund mule, and the operator behind it can be traced lawfully.

Never Call the Number Report the Right Way Since 2004
The NumberIs the Trap, Not Support
FTC + IC3Where to Report
The MuleIs the Traceable Lead
Since 2004Lawful Skip Tracing

The Short Version

A subscription-renewal scam starts with a fake invoice email or text claiming you were just charged for antivirus, a Geek Squad plan, or a service you do not use, and urging you to call a number to dispute it. Do not call. The number is the attack: the “agent” talks you into installing remote-access software, then fakes a refund that looks like they sent you too much by mistake and pressures you to repay the difference in gift cards, a wire, or cryptocurrency. If you only received the email, delete it and report it. If you called or gave access, disconnect the device, change passwords from a different device, and contact your bank at once. Report the fraud to the FTC at ReportFraud.ftc.gov and to the FBI Internet Crime Complaint Center at IC3.gov. Then comes the part the antivirus blogs skip: the callback number, the bank account that received your “repayment,” and the people who registered the fake refund page leave a real-world trail. People Locator Skip Tracing works that human trail lawfully, so your report and any claim point at a named person. Recovery is never guaranteed, and anyone promising to get your money back for an upfront fee is the second scam.

Watch: The Renewal-Scam Playbook

How the fake invoice works, and the lawful path to tracing it.

▶ Video Overview

How the Renewal Scam Actually Works

Every step is engineered to get you on the phone and onto your own computer.

The scam opens with a message designed to look like a routine billing notice. It might be an email with a logo and an “invoice number,” a text, or even a mailed-style PDF attachment, and it claims a subscription has renewed: antivirus protection from a brand like Norton or McAfee, a Best Buy Geek Squad plan, a cloud-storage tier, or a streaming service. The amount is large enough to alarm you but not so large that you assume it is a joke, often a few hundred dollars. The message says the charge will hit your card automatically and gives you a phone number to call if you want to cancel or dispute it, usually with a tight deadline so you act before you think.

That deadline is the whole point. There is no subscription and no pending charge. The invoice exists only to manufacture a reason for you to dial their number, because a call you place feels safe in a way that a call you receive does not. When you call, a polite “billing department” agent looks up your “account,” confirms the charge is queued, and offers to cancel it and process a refund. To do that, they say, they need to connect to your computer to “verify the cancellation” or “complete the refund form.” They walk you to a website and have you install a remote-access tool such as AnyDesk, TeamViewer, or UltraViewer. The moment you grant access, they can see your screen, move your mouse, type, and open your files. Some pretend to fix a problem while quietly searching for passwords, banking logins, and personal details. The renewal email was never the scam; it was the doorbell.

The Refund-Overpayment Reversal Trap

This is the move that turns a fake refund into a real loss.

Once the scammer has remote control, the most damaging version of this con is not stealing a password. It is the refund-reversal trick, and it works precisely because it makes the victim feel like the honest party. The agent says they will refund the renewal fee and asks you to log in to your online banking so they can “process the credit.” While they control the screen, they edit what you see, or they simply move money between your own accounts, so it looks as if a refund of, say, two hundred dollars was instead sent as two thousand. Then comes the act: the agent panics, claims they fat-fingered the amount and will be fired over the overpayment, and begs you to return the difference.

Because your account really does show a higher balance, the lie feels true. But the extra money is your own, shuffled from your savings into your checking, or a pending transfer that has not cleared. They will not let you simply wire it back to “the company,” because a normal reversal is traceable and recoverable. Instead they push you to repay in the channels they control: gift cards read aloud over the phone, a wire to a “branch manager,” a cash deposit into a cryptocurrency ATM, or a peer-to-peer payment app. Every one of those is fast, hard to reverse, and lands with a money mule. The instant the real money leaves your hands, the “overpayment” they were so worried about evaporates, because it was never an overpayment at all. Understanding this sequence matters for tracing it later, because the repayment is the step that creates a usable financial trail back to a real account holder.

How to Spot the Fake Renewal

If several of these fit, treat the message as a scam and do not call.

A Subscription You Never Bought

The invoice bills you for antivirus or a plan you do not recognize, or for a brand you have never had an account with.

Call This Number to Dispute

The only way to “cancel” is to phone a number in the message, often within a short deadline. Real billing lets you log in to your own account.

Install This to Get a Refund

The “agent” asks you to download AnyDesk, TeamViewer, or similar so they can connect. No real refund needs remote control of your device.

An “Accidental” Overpayment

They claim they refunded too much and need you to send the difference back. Your bank handles real reversals, not you by gift card.

Repay in Gift Cards or Crypto

You are told to fix the “mistake” with store gift cards, a wire, a crypto ATM, or a payment app. Legitimate companies never ask for that.

Secrecy and Pressure

The agent keeps you on the phone, tells you not to hang up or talk to your bank, and frames it as urgent so you cannot stop to verify.

If You Called or Gave Access

Move in this order. Containment first, then reporting, then attribution.

If you only received the email and never called, you are fine: do not click anything, delete it, and report it so it feeds enforcement. If you called, installed their software, or sent any money, treat the device and your accounts as compromised and work the steps below. The federal government’s own warning is blunt about this pattern, and the FTC consumer-protection guidance states plainly that a company asking for remote access to your computer to issue a refund is running a scam.

1

Cut the Connection

Disconnect the computer from the internet, then uninstall the remote-access tool and shut the machine down. This ends their live control while you act on a different, trusted device.

2

Secure Money and Logins

From a separate device, change your banking and email passwords, enable two-factor authentication, and call your bank’s fraud line to flag transfers, reverse what can be reversed, and watch the accounts.

3

Preserve the Evidence

Screenshot the email, the caller’s number, the website you were sent to, the remote-access tool, and every gift-card receipt, wire, or payment confirmation before anything is deleted.

4

Report and Then Trace

File with the FTC and the FBI IC3, give your bank and any gift-card issuer the details, and gather the identifiers, the number, the account, the site, that a lawful trace can work.

Where to Report It Every Channel

Report to all that apply. Each one does something the others cannot.

WhereWhat It DoesHow to Reach
FTCThe federal intake for fraud and tech-support scams. Your report shapes which operations enforcers target and powers consumer alerts.reportfraud.ftc.gov
FBI IC3The central federal channel for internet crime. Aggregates complaints into cases and supports investigations and seizures.ic3.gov
Your Bank or Card IssuerMay reverse a pending wire, dispute a card charge, or freeze accounts the scammer touched, and documents the money trail.Fraud department, in writing
Gift-Card IssuerIf you paid by gift card, the brand may freeze the remaining balance and record where it was redeemed.Card brand fraud line, immediately
State Attorney GeneralAdds your case to state consumer-protection and fraud actions against tech-support operations.Your state AG consumer division
The Brand ImpersonatedCompanies like Best Buy and antivirus makers track impersonation and can confirm the email was not theirs.Official site, abuse or fraud contact

Do not skip a channel because you assume one report changes nothing. Tech-support and refund scams are dismantled out of large numbers of detailed complaints that let investigators connect one phone number or one mule account to dozens of victims. Your report, with the exact number you called and the account you paid, may be the detail that links a cluster of cases together.

How the Scammer Gets Traced

Two trails run from this scam. Most advice only mentions one.

The infrastructure trail. The fake renewal email, the spoofed caller ID, and the call center itself are built to be slippery. The sending address is often a free or throwaway account, the phone number may be a spoofed or internet-routed line, and the call floor is frequently overseas. Be honest about the limits here: a spoofed number does not, on its own, hand you a name, and an offshore operator may be beyond any single victim’s reach. What the infrastructure still yields are leads. The domain behind a fake refund or renewal page has registration and hosting records. The remote-access session and the email headers carry technical breadcrumbs. The number you called can be checked against complaint databases where the same line has surfaced before, which is the kind of work behind our guide on identifying a scammer by phone number and a focused phone-scam caller investigation.

The money trail, and the people on it. This is the durable lane, and it is where People Locator Skip Tracing fits. The overpayment trap forces the scam to do one revealing thing: receive your money in the real world. Gift cards get redeemed by someone. A wire lands in a bank account opened by a real person. A crypto-ATM deposit cashes out to a registered account. A payment-app transfer routes to an identifiable handle. The recruiter who opened that account, the money mule who moved the funds, the person whose details sit behind a refund webpage, all of them have public-records footprints. Those identifiers, even partial ones, can be researched lawfully to surface a real name, address, and associates, which is the same work behind our guides on finding someone who scammed you and broader fraud investigation. A named, located individual is what turns a frustrating complaint into something a prosecutor, a bank’s fraud team, or a civil attorney can act on.

What to Gather Before a Trace

The more precise the identifiers, the better the odds a trace lands on a real person.

A trace is only as good as the raw material it starts from, so before you ask anyone to research this, pull everything into one dated folder. On the contact side, save the original renewal email with its full headers, the exact phone number you called and any number that called you, the website address you were directed to, the name of the remote-access tool, and any “agent” name, “case number,” or “company” they used. On the money side, record every gift-card brand, number, and PIN you read out, any wire details or “branch manager” name, the receiving account or wallet for a transfer, the crypto-ATM location and receipt, and the dates and amounts of each payment. Note how first contact happened and the time of each call. The receiving account, the redeemed gift card, and the registrant behind the refund page are the strongest threads, because they point at a real person rather than a disposable email. Keep the folder current, because you will reuse it for the FTC, IC3, your bank, and anyone helping you identify who was on the other end.

How People Locator Skip Tracing Helps

We work the human trail, lawfully, so your report and any claim point at a real person.

Scam Victims

Identify who received the money

Families

Help a relative who was targeted

Attorneys

Locate an identified mule

Fraud Teams

Tie an account to a real holder

Investigators

Add public-records depth

Anyone Owed

Find a person before pursuing them

This scam runs on the same rails as the broader tech-support and refund frauds, so the people behind it surface through the same lawful research that powers our full-spectrum skip tracing work. Send us what you have, even if it feels like nothing: the number you called, the account you paid, a “company” name, the website you were sent to, or the name on a wire. We research strictly for lawful, permissible purposes, we never promise a recovery we cannot control, and we tell you honestly what public records can and cannot show, including when a lead runs into a spoofed number or an offshore floor. For a legitimate matter, an initial locate typically comes back within 24 hours. This is general information and public-records research, not a consumer report; we are not a consumer reporting agency, and our work is not for credit, employment, or tenant decisions.

Don’t Get Hit Twice

Recovery scams hunt people who just lost money. Watch for these.

An Upfront Fee

Any “recovery” service that wants payment before it returns a cent is a scam. Legitimate help is not pay-to-unlock.

A Guarantee

“We will get one hundred percent back” is impossible to promise. Real outcomes depend on banks, enforcement, and the law.

They Found You

Unsolicited contact from a “recovery agent,” especially one who already knows you were scammed, is a major red flag.

Remote Access, Again

No legitimate firm needs to take control of your device or your bank login to help you. That is the original scam, repeated.

Fake Government Ties

Claims of being “approved by” or “working with” a federal agency to recover funds for a fee are not how agencies operate.

Pay in Gift Cards or Crypto

Being asked to send gift cards or cryptocurrency to “release” your recovered funds is the original con wearing a new hat.

What Tracing Realistically Achieves

Honest odds, and the legitimate paths an identification opens.

It would be dishonest to promise that tracing a renewal scammer gets your money back, and recovery is never guaranteed. The call center may sit overseas, the email may be untraceable, and some leads simply end. What an identification reliably does is change what is possible next. When the money trail points at a domestic money mule, a named, located person strengthens your IC3 and FTC complaints, gives your bank a concrete counterparty for a dispute, and can support a civil claim or a police report that scattered identifiers alone cannot.

The most realistic outcomes follow the leads that touch the real world. A redeemed gift card, a wire to a U.S. bank account, or a crypto-ATM cash-out points at a person an investigator or a court can actually reach, and that person is often a reused mule connected to other victims. Where a perpetrator or facilitator can be named and located, a civil claim becomes possible, and a thorough search for hidden assets tells you whether pursuing one is worth the effort before you spend a dollar on it. None of this is automatic, all of it improves with speed and clean documentation, and several tracks can run at once.

Our Commitment

We do not sell false hope or “guaranteed recovery.” We do the lawful research most advice skips: tracing the real people behind the callback numbers, mule accounts, and refund pages, so your reports and any civil action carry weight. Honest, permissible-purpose skip tracing since 2004.

People Locator Skip Tracing Investigation Team — investigators conducting skip tracing and public-records research since 2004, working lawful, investigative-grade sources for legitimate purposes only. Last reviewed 2026. This page is general information, not legal, financial, or tax advice.

Frequently Asked Questions

Is the subscription renewal email or invoice real?

Almost certainly not. These messages bill you for antivirus, a Geek Squad plan, or a service you do not use, and exist only to make you call the number shown. There is no charge and no subscription. A real provider lets you check billing by logging in to your own account, never by calling a number in a surprise invoice.

Why should I never call the number in the message?

The number is the trap, not a help line. The “billing agent” talks you into installing remote-access software, then fakes a refund and an overpayment to pressure you into sending real money in gift cards, a wire, or crypto. Calling is the first step of the scam, so do not call. Delete the message and report it instead.

What is the refund-overpayment reversal trick?

After taking remote control, the scammer pretends to refund you, then makes it look like they sent far too much by editing your screen or shuffling your own money between accounts. They beg you to return the difference in untraceable ways. The extra money was always yours, so once you repay, you are simply handing the scammer real funds.

I gave them remote access. What do I do right now?

Disconnect the device from the internet, uninstall the remote-access tool, and shut it down. From a different device, change your banking and email passwords, turn on two-factor authentication, and call your bank’s fraud line. Then preserve every screenshot and receipt and report the fraud. Treat the computer as compromised until it is fully checked.

Where do I report a subscription-renewal scam?

Report to the FTC at reportfraud.ftc.gov and to the FBI Internet Crime Complaint Center at ic3.gov. Also notify your bank or card issuer, any gift-card brand you paid, and your state attorney general. Each channel does something the others cannot, and detailed reports are what let investigators connect one number or account to many victims.

Can the scammer behind the number actually be traced?

Sometimes, and honestly not always. The phone number can be spoofed and the call center may be overseas, so those leads can dead-end. The durable thread is the money: a redeemed gift card, a wire to a real bank account, or a crypto cash-out points at a domestic money mule who can be researched lawfully through public records to surface a real name and location.

What does People Locator Skip Tracing actually do here?

We work the human trail, not your device. Using lawful public-records research and skip tracing, we help identify and locate the real people behind callback numbers, mule accounts, and refund webpages, producing a named, located person that strengthens your report and any civil claim. We do not take custody of funds, and we never promise recovery. This is public-records research, not a consumer report.

Can I get my money back, and are recovery services safe?

Recovery is never guaranteed, and outcomes depend on speed, your bank, and the law. Be very wary of any “recovery” service that contacts you first, charges an upfront fee, guarantees results, or wants remote access or more payment. That is the second scam aimed at people who already lost money. Legitimate help never requires pay-to-unlock.

Hit by a Renewal Scam? Start Tracing.

We trace the real people behind the callback numbers, mule accounts, and refund pages, lawfully, so your reports and any civil case carry weight. Contact us to get started.

Start Your Request →