Tech-Support Scam Investigation

How to Identify and Locate a Tech-Support Scammer

A fake Microsoft or Apple warning, a panicked phone call, a “technician” who needed remote access to your computer, and then money sent by gift card, wire, or cryptocurrency. Tech-support scams are engineered to move you fast and leave you feeling foolish, but they are not as anonymous as they look. Most advice ends at “hang up and report it.” This guide goes further: how the popup, cold-call, and refund cons actually work, the exact steps to take right now, and the lawful public-records research that can turn a phone number, a payment, a remote-session ID, or a US bank account into a real person or company, so your police report, your bank dispute, and any civil claim have something to point at.

Identify the Person or Entity Report the Right Way Since 2004
Act FastDisconnect and Document
FTC + IC3Where to Report
The PersonTraced, Not Just the Popup
Since 2004Lawful Skip Tracing

The Short Version

If a tech-support scam just hit you, move in this order: disconnect the device from the internet and uninstall any remote-access tool they had you install, such as AnyDesk or TeamViewer; from a different, clean device change the passwords for your email, bank, and anything you accessed during the call, and turn on two-factor authentication; then call your bank or card issuer right away to flag or reverse the payment, and if you paid by gift card, contact the card brand at once with the numbers. After that, file with the Federal Trade Commission and the FBI Internet Crime Complaint Center. The caller may be overseas, but the scam leaves identifiers that touch the United States, including the payment trail, the phone number, the remote-session log, and, in refund scams, a real US bank account. People Locator Skip Tracing works the side most pages skip: lawfully researching those identifiers to point toward the person or company behind them, so your report and any claim carry more weight.

Watch: Finding a Tech-Support Scammer

What to do first, and the lawful path to identifying who is behind it.

▶ Video Overview

How a Tech-Support Scam Actually Works

Three variants, one goal: get control of your device or your money.

A tech-support scam is a confidence trick that uses fear of a “hacked” or “infected” computer to get a stranger onto your phone, then onto your screen, and finally into your wallet. The popup is only the hook. The real damage happens during the call, when a calm, professional-sounding “technician” walks you through installing remote-access software and then runs the rest of the con while you watch. Microsoft, Apple, Google, Norton, and McAfee do not put phone numbers in security warnings, so any browser alert with a number to call is, by itself, the tell.

The popup variant. You land on a malicious page, often through a mistyped address or a poisoned ad, and the screen locks into a full-screen warning that copies the real brand’s logo, colors, and error-code style. It shouts that your computer is blocked or your files are about to be deleted, sometimes with an alarm sound on a loop that you cannot mute, and it shows a toll-free number to call “Microsoft” or “Apple support.” There is no virus. The popup is just a web page designed to panic you into dialing.

The cold-call variant. Here the scammer calls you, claiming to be from a software or security company that “detected a problem” on your machine. To prove it, they have you open Windows Event Viewer, a normal system log full of harmless warnings, and they point at routine entries as “proof” of a serious infection. Then comes the request to install AnyDesk, TeamViewer, or a similar tool so they can “fix” it, which hands them full control.

The refund and overpayment variant. This one targets people who were scammed before, or who once paid for “tech support,” with a message that the company is “closing” or “owes you a refund.” They take remote control to “process” it, then stage a fake overpayment: they move money between your own accounts, or edit the HTML on your screen so the bank page appears to show that they sent far more than promised, claiming they wired you several thousand instead of a few hundred. Embarrassed and confused, you are pressured to “return the difference” in gift cards, wire transfer, or cryptocurrency, methods chosen because they are fast and hard to reverse.

Red Flags and How the Con Unfolds

If several of these fit, treat it as a scam and stop immediately.

A Number in the Warning

A popup or alert that tells you to call a phone number for Microsoft, Apple, or a security brand is always fake. Real warnings never include a support line.

Asked to Install Remote Access

Any request to download AnyDesk, TeamViewer, or “support” software so they can connect is the moment the scam takes your computer.

“Proof” From Event Viewer

Pointing at normal Windows log entries as evidence of a virus is a scripted trick, not a diagnosis.

Pay by Gift Card or Crypto

Being told to buy gift cards, wire money, or send cryptocurrency for a “fix” or to “return a refund” is a certainty of fraud. No real company is paid this way.

The Overpayment “Mistake”

A refund that suddenly shows far too much, followed by panic to send the extra back, is a staged screen, not a real transfer.

Pressure and Secrecy

Urgency, threats that your accounts will be drained if you hang up, and being told not to tell your bank are all designed to keep you compliant and silent.

What to Do Right Now

If you are in it or just out of it, work these in order.

The first priority is to cut their access and lock down your accounts, because a scammer who had remote control may have planted tools, viewed saved passwords, or set up a way back in. Then preserve evidence and report. File with the Federal Trade Commission, which is the federal intake for tech-support fraud, and with the FBI Internet Crime Complaint Center, whose complaints feed investigations and asset-recovery efforts. The official FTC tech-support scam guidance walks through spotting, avoiding, and reporting these cons in plain language.

1

Disconnect and Remove Remote Tools

Turn off Wi-Fi or unplug the network cable, then uninstall AnyDesk, TeamViewer, or any program they had you add. If unsure, have a trusted technician check the device before using it again.

2

Change Passwords From a Clean Device

Using a phone or computer they never touched, change your email, banking, and any other passwords you used during the call, and switch on two-factor authentication everywhere it is offered.

3

Contact Your Bank and Card Issuer

Call the fraud department to flag, reverse, or stop payments. For gift cards, call the card brand right away with the card numbers; some can freeze the balance if you act quickly.

4

Save Evidence, Then Report

Screenshot the popup, the number, the chat, the remote-session app, and every payment receipt. File with the FTC and the FBI IC3, and report to local police, especially if an older adult was targeted.

What Identifiers Exist Even When the Caller Is Overseas

The scammer may be abroad, but the scam touches the United States in places you can document.

It is true that many tech-support call centers operate from overseas; studies of these scams have geolocated the large majority of the addresses behind them outside the United States. That fact discourages a lot of victims from even trying to find out who did this. But “the caller is in another country” is not the same as “there is nothing to trace.” A tech-support scam has to collect money and run software, and both of those leave threads, several of which lead to people and accounts inside the United States.

Before you decide nothing can be found, pull these identifiers into one place. The more of them you have, the more there is to research:

The payment trail

This is usually the strongest thread. Wire transfers name a receiving bank and account holder. Gift cards carry serial and redemption records that show where and when they were drained. Cryptocurrency moves across a public ledger to wallets and, eventually, exchanges. In the refund and overpayment variant especially, the money is often routed through a real US bank account in a real name, the money mule who lets the operation cash out, and that account holder is a domestic, identifiable person.

The phone number and caller ID

The number on the popup, the number that called you, or the callback number you were given can be researched. Even spoofed and voice-over-internet numbers are tied to providers, registration data, and reuse patterns across other complaints.

The email, domain, and remote-session ID

The address that sent a “receipt” or “refund,” the website the popup served from, and the connection ID or log from the remote-access tool all carry registration and account details that can be lawfully examined.

How Lawful Research Turns Identifiers Into a Real Person or Entity

The lane most “scam help” pages skip entirely.

Most articles about tech-support scams stop at “hang up and report it.” That advice is correct and necessary, but it leaves the victim with no answer to the question they actually have: who did this, and is there anything I can do to them? This is where lawful public-records research and skip tracing come in, and where People Locator Skip Tracing works. We do not hack, we do not pretext, and we do not access anything we are not legally permitted to. We take the identifiers you already have and run them through investigative-grade public-records sources for a lawful, permissible purpose, the same approach behind our work on fraud investigation generally.

On the money side, a domestic receiving account, the mule in a refund scam, is often the single most productive thread, because a US bank account is opened in a name tied to an address, a phone, and associates that public records can surface. A phone number can be developed the way we describe in our guide to identifying a scammer by phone number, and a number used in a calling con can be worked through a focused phone-scam caller investigation. An email or username opens its own paths, covered in our walkthrough on finding someone by an email address. When you have a name but no idea where the person is, that is the core problem our pages on finding the person who scammed you and the broader playbook for tracking down someone who scammed you were built to solve.

A named, located individual or company changes what is possible. It gives the FTC and FBI complaints a concrete subject instead of an anonymous “overseas caller.” It gives your bank’s fraud team and any payment dispute something specific to act on. And it is the prerequisite for a civil claim, since you cannot sue or pursue a judgment against someone you cannot name and serve. We are honest about the limits, too: sometimes the trail ends at a foreign call center with no domestic handle, and we will tell you that rather than sell false hope.

Common Advice vs. What Actually Identifies the Scammer

Reporting matters. So does working the trail the reports rely on.

ApproachWhat It DoesWhat It Leaves Out
Close the popup, hang upStops the immediate attack and prevents more loss.Does nothing to identify or locate who was behind it.
Run an antivirus scanCleans malware the session may have left on the device.Tells you nothing about the person, the account, or the payment.
File with FTC and IC3Feeds federal investigations and possible asset recovery.Rarely produces a direct answer to the individual victim, and is stronger when a subject can be named.
Dispute the paymentMay reverse a card charge or flag a wire or gift card.Banks act faster with a documented recipient and identifiers.
Lawful skip tracing People LocatorResearches the phone, email, account, and payment trail to point toward a real person or entity.Cannot promise a name in every case, and never takes custody of funds.

These are not competing choices; they work together. Close the attack, clean the device, dispute the payment, and report, then add the research layer that gives every one of those steps a concrete subject to point at. The strongest cases run all of them at once.

Who This Helps

We trace the people and accounts behind the scam, lawfully, so your case has something to point at.

Scam Victims

Identify who took the money

Families

Help an elderly relative who was targeted

Attorneys

Locate a named mule or facilitator

Caregivers

Document what happened for the bank

Fraud Teams

Tie a payment to a real account-holder

Anyone Owed

Find a person before pursuing them

Send us what you have, even if it feels like nothing: a callback number, a “refund” email, the name on a wire, a gift-card receipt, a remote-session ID, or the website the popup came from. We work strictly for lawful, permissible purposes, we never promise an outcome we cannot control, and we tell you honestly what the records can and cannot show. For a legitimate matter, an initial locate typically comes back within 24 hours.

If an Older Relative Was Targeted

Tech-support scams hit seniors hardest, and the response should fit that.

Older adults are far more likely to lose large sums to imposter scams than younger people, and tech-support cons are a leading driver of those losses. The reasons are practical: seniors are more likely to be home and answer an unknown call, more likely to take an official-looking warning at face value, and more likely to have savings worth draining. The scammers know all of this and use it.

If a parent or grandparent has been hit, lead with reassurance, not blame. Shame is the emotion the con relies on, and it keeps victims from telling anyone until far more is gone. Sit with them, gather what they have, and make the calls together: the bank, the gift-card brands, the FTC, the FBI IC3, and local police, who often coordinate elder-fraud cases. Watch for signs the same operation is circling back, because victims are frequently re-targeted, sometimes by a fake “recovery” service that claims it can get the money back for an upfront fee. That is a second scam; legitimate help never charges to “unlock” funds. Where there is a domestic payment to research, an identified recipient gives a family, a bank, and a prosecutor something real to act on.

Our Commitment

We do not sell false hope or “guaranteed recovery.” We do the lawful research most pages skip: tracing the phone numbers, emails, accounts, and payment trails behind tech-support scams to point toward the real person or entity, so your reports and any claim carry weight. Honest, permissible-purpose skip tracing since 2004.

People Locator Skip Tracing Investigation Team — investigators conducting skip tracing and public-records research since 2004, working lawful, investigative-grade sources for legitimate purposes only. Last reviewed 2026. This page is general information, not legal, financial, or tax advice.

Frequently Asked Questions

Can a tech-support scammer really be identified if they are overseas?

Sometimes, yes, and even when the caller is abroad the scam usually touches the United States. Wire and gift-card records, a domestic bank account used to cash out, phone numbers, emails, and remote-session logs are all identifiers that can be researched lawfully. We cannot promise a name in every case, but “overseas caller” is not the same as “nothing to trace.”

What should I do first if I just gave a scammer remote access?

Disconnect the device from the internet and uninstall the remote-access tool, such as AnyDesk or TeamViewer. From a separate, clean device, change your email and banking passwords and turn on two-factor authentication. Then call your bank or card issuer to flag the payment, and report to the FTC and the FBI Internet Crime Complaint Center.

I paid with gift cards. Is that money gone?

Act fast and it is not always gone. Contact the gift-card brand immediately with the card numbers; some can freeze a balance that has not been fully drained. Either way, save the cards and receipts, because the serial and redemption records are evidence and can be part of the research trail. Report it to the FTC as well.

How does the refund or overpayment version work?

The scammer claims they owe you a refund, takes remote control, and stages a fake overpayment by moving money between your own accounts or editing what your bank page appears to show. They then pressure you to “return the difference” in gift cards, a wire, or cryptocurrency. No real refund requires you to send money back this way.

Where exactly should I report a tech-support scam?

File with the Federal Trade Commission at reportfraud.ftc.gov and with the FBI Internet Crime Complaint Center at ic3.gov. Also notify your bank or card issuer, any gift-card brand involved, and local police, especially if an older adult was targeted. Each channel does something the others cannot.

What does People Locator Skip Tracing actually do on a case like this?

We work the human trail. Using lawful public-records research and skip tracing, we take identifiers like a phone number, email, callback number, the name on a wire, or a payment receipt and develop them toward a real person or company. A named, located subject strengthens your reports and any civil claim. We do not take custody of funds or promise recovery.

Microsoft or Apple popped up a warning with a number. Is that legitimate?

No. Microsoft, Apple, Google, and the major security brands never put a phone number in a security warning. A browser alert that locks your screen, plays an alarm, and tells you to call a number is a scam page designed to panic you into dialing. Close the browser; do not call.

Is it too late if this happened weeks or months ago?

Not necessarily. Reporting is still worthwhile, and many identifiers remain researchable long after the loss, especially a domestic bank account, a phone number, or an email. Identifying a recipient can support a bank dispute, a police report, or a civil claim. Acting sooner is always better, but an older case is far from worthless.

Hit by a Tech-Support Scam? Find Out Who.

We research the phone numbers, emails, accounts, and payment trails behind tech-support scams, lawfully, so your reports and any claim have a real person or entity to point at. Contact us to get started.

Start Your Request →