Tech Support Scams & the Phantom Hacker: $1.46B Lost (2026)

The short answer

A tech support scam is when someone posing as Microsoft, Apple, your bank, or a government agency convinces you that your device or money is under attack, then walks you through "protecting" it by handing it to them. The FBI's IC3 logged $1.46 billion in tech-support losses in 2024 — the third-costliest crime category it tracks. The most damaging form, the FBI's "Phantom Hacker," chains three fake callers together: tech support, then your bank, then a government official, each appearing to confirm the last, until an entire savings account is gone. Most victims are over sixty. Remember two facts and you are almost immune: no real company monitors your personal computer and cold-calls you about it, and no real bank or agency ever asks you to move your money to a "safe account."

"These scammers are cold and calculated. They are targeting older members of our community who are particularly mindful of potential risks to their nest eggs. The criminals are using the victims' own attentiveness against them."
— Robert K. Tripp, Special Agent in Charge, FBI San Francisco, on the FBI's 2023 "Phantom Hacker" public warning. The FBI's IC3 reported that in the first half of 2023 alone, tech-support scams generated more than 19,000 complaints and over $542 million in losses — and that nearly half the victims, accounting for 66% of the losses, were over the age of 60.

I think the tech support scam is the most underestimated fraud in America, and I think it is underestimated for a stupid reason: the name sounds small. "Tech support scam" sounds like a nuisance pop-up, the kind of thing a tech-literate person scrolls past. It is not. It is the entry point to a machine that took $1.46 billion in a single year, that the FBI ranks third by losses out of every internet-crime category it tracks, and that is engineered specifically to convert an elderly person's lifetime of savings into cryptocurrency, gift cards, or a duffel bag of cash handed to a courier on a doorstep.

I am writing this in first person because I want my name attached to a few sentences that the companies being impersonated rarely say this plainly. The infrastructure that makes this scam work — the fake full-screen pop-ups, the remote-access tools that install in two clicks with no friction, the call centers that operate at industrial scale — is well understood by the people who could make it harder. The scam has been running, in recognizable form, for over a decade. The FBI named the "Phantom Hacker" variant in 2023. And the median victim is still a retiree, the median outcome is still a drained account, and the standard advice still arrives after the money is gone. So let me put the defense up front, in the order that matters.

What a tech support scam actually is

Strip away the cover stories and every tech support scam is the same three-move sequence: manufacture fear about your money or your machine, gain access or control, then extract the money. Here is what the moves look like in the wild.

—It opens with a pop-up, a cold call, or a text — never with you reaching out. The three openings are a full-screen browser pop-up with an alarming warning and a phone number ("Your computer is infected — call Microsoft Support now"), an unsolicited phone call claiming to be from Microsoft, Apple, Amazon, or your bank, or a text/email saying your account has been compromised. Many of these arrive through the same smishing and spoofing infrastructure described in our phishing guide. The unifying tell: a real company never contacts you first to tell you your device is infected.

—The phone number is the scam. Legitimate security software does not put a phone number on a warning screen. The pop-up exists for one purpose: to get you to dial a number that connects to a scammer's call center, where a scripted 'technician' answers as if they work for Microsoft. The frightening visuals — countdown timers, siren sounds, 'do not restart your computer' — are theatre designed to stop you thinking and start you dialing.

—They ask for remote access — and that is the hinge of the whole con. The 'technician' asks you to install a remote-access tool (AnyDesk, TeamViewer, and similar are the common ones) so they can 'fix' your computer. The instant they can see your screen, they can see your finances. They will often open your own banking site in front of you to 'check for the breach' — which is really them identifying which of your accounts holds the most money.

—The refund variant runs the same play backwards. A common twist: an email or call says you are owed a refund (an overcharge, a cancelled subscription, a closed antivirus account). They get remote access to 'process' it, then pretend to accidentally refund you far too much and beg you to return the difference in gift cards or crypto. The 'overpayment' you see on screen is faked — they edited a number in your own browser. You send back real money to fix a fake mistake.

The Phantom Hacker: three callers, one bank account

The FBI gave the worst version of this scam a name in 2023 because it had become distinct enough to warrant one. The Phantom Hacker is not one impostor — it is three, in sequence, each engineered to dissolve the doubt the last one might have raised. It is the reason people who would hang up on a single suspicious call still lose everything.

—Phase one — the tech support impostor. Contact comes by pop-up, call, or email. The scammer gets remote access and tells you hackers have breached your computer. Crucially, they get you to log into your financial accounts 'to check for unauthorized charges' — which the FBI's own write-up notes is the step that lets the scammer find your most lucrative account. The fear is planted; the target is identified.

—Phase two — the financial institution impostor. Days or hours later, someone calls claiming to be from the fraud department of your bank or brokerage. They 'confirm' the breach the first caller warned about and say foreign hackers are inside your accounts. They instruct you to move your money — by wire, cash, or cryptocurrency — to a 'safe' account while the breach is investigated. This is the same trust-transfer machinery used in the digital arrest scam: a second 'official' arrives to corroborate the first.

—Phase three — the government impostor. To 'seal the deal,' a third caller poses as a US government official — often the Federal Reserve or the FBI itself — sometimes sending official-looking letterhead by email. They confirm the bank's story and direct you to move your savings to an 'alias' or 'safe' government account under your name. That account is the scammer's. By now you have heard the same story from three independent-seeming authorities, and the instruction to empty your account sounds like the responsible thing to do.

No legitimate company watches your bank balance through your computer, and no real government agency — not the Federal Reserve, not the FBI, not the IRS — has a "safe account" or an "alias account" for your savings. The instruction to move your money to keep it safe IS the scam. There is no version of that sentence that comes from someone trying to help you.

How the cash actually leaves

Once a victim is convinced, the scammer needs a payment rail that cannot be reversed. Every method below is chosen for the same reason: by the time anyone understands what happened, the money is unrecoverable. This is also where the tech support scam feeds directly into the other elder-fraud rails I have written about.

—Bitcoin ATMs. The victim is walked to a crypto kiosk and talked through depositing cash that converts to cryptocurrency in the scammer's wallet within minutes. This is so common that I wrote a separate teardown of it — see the Bitcoin ATM scam piece, where the FBI logged $388 million in 2025 losses and the median victim age was 71. A tech support call is one of the most common scripts that ends at a Bitcoin ATM.

—Cash and gold couriers. In a pattern the FBI flagged in a January 2024 alert, scammers instruct victims to withdraw large amounts of cash or buy gold and precious metals, then send a courier to collect it from the victim's home or a public meeting point — sometimes using a 'passcode' to make the handoff feel official. The FBI's IC3 recorded over $55 million in courier-collection losses from May to December 2023 alone.

—Wire transfers. Domestic and international wires to accounts the scammer controls. A wire is the one method with a narrow recovery window — if you call your bank's fraud line within hours, before it settles, it can sometimes be recalled. After it settles, it is gone.

—Gift cards. The victim is sent to buy thousands of dollars in gift cards and read the codes over the phone. Gift cards are almost never recoverable once the codes are read. The 'buy gift cards to fix your account' instruction is, by itself, proof of a scam.

Why it works on the people it works on

There is a lazy assumption that tech support scams catch only the naive or the cognitively declining. The data says otherwise, and so does the structure of the scam. It is built to defeat exactly the people who are paying attention.

Consider what the scam actually demands of a victim: that they take a threat to their savings seriously, act quickly to protect their money, follow the instructions of people who present as their bank and their government, and keep the matter confidential while it is "investigated." Every one of those is a responsible instinct. A careless person ignores the call. A careful person engages — and the script is written for the careful person. That is what FBI San Francisco's Robert K. Tripp meant by "using the victims' own attentiveness against them." The targeting of older adults is not really about gullibility; it is about who holds decades of savings in one place and who was raised to treat a call from the bank as something you cooperate with.

The question I do not see asked enough: why, in 2026, can a piece of software that hands a stranger full control of your computer still be installed by a frightened person in two clicks, with no meaningful warning that the person on the phone might be a criminal? The scam call centers are a known quantity. The remote-access tools are a known vector. The friction that would break this scam is a product decision, and it has not been made.

What the institutions have — and haven't — done

I want to be fair about this: there has been real enforcement, and it deserves to be named alongside the gaps. But the honest read is that the response is reactive, slow, and aimed downstream of where the harm is manufactured.

—The FBI is taking down the call centers — with India. In 2024, more than 215 arrests were made through 11 joint operations between the FBI, India's Central Bureau of Investigation, and local law enforcement — a 700% increase on the prior year — targeting the call centers behind tech-support and government-impersonation scams. This is the most concrete win in the space, and it points at the truth that the supply side of this fraud is largely offshore call centers running scripts at scale.

—The FTC finalized an Impersonation Rule in April 2024. Effective April 1, 2024, the FTC's Government and Business Impersonation Rule lets the agency directly sue impersonators and claw back money. As Samuel Levine, Director of the FTC's Bureau of Consumer Protection, put it: 'The Commission will not sit idle as older consumers continue to report tech support scams as a leading driver of fraud losses.' The rule is a genuine new tool — but it acts after the impersonation has already happened.

—The FTC has fined tech-support operations directly. In March 2024 the FTC reached a $26 million settlement with tech-support software operations that used fake on-screen warnings to scare consumers into buying unnecessary repair services. Worth knowing because the deceptive-pop-up business model and the criminal scam share the same psychological playbook.

—The losses on older adults keep climbing anyway. The FTC's December 2025 report to Congress found older adults reported losing $159 million to tech-support scams in 2024, and reports of impersonation scammers stealing tens or even hundreds of thousands from a single older victim rose more than four-fold. Enforcement is real; it is not yet winning.

The 8-step playbook: what to do

This is the sequence I would follow if the call were happening to me right now, or to a parent of mine. None of it is technical. All of it is what the gap between the scam's scale and the institutional response has left on your shoulders.

1Know the three openings — pop-up with a phone number, unsolicited 'we detected a problem' call, or a 'your account is compromised' text. No real technology company contacts you first to tell you your device is infected, and no real security pop-up gives you a number to call.

2Never call the number on a pop-up, and never grant remote access to anyone who contacted you. If a pop-up has frozen your browser, close it via Task Manager (Windows) or Force Quit (Mac), or just restart. The warning was never real.

3Treat 'move your money to a safe account' as the scam itself — no exceptions. No bank and no government agency moves your savings to protect them. The instant anyone tells you to wire, withdraw, or convert your money to keep it safe, the call is a scam.

4Hang up and verify on a number you find yourself — the back of your bank card, or a website you type in directly. Do not trust a caller who 'transfers' you to the bank or a federal agency. The whole script depends on never letting you call out independently.

5If you granted remote access: disconnect from the internet, power the computer off, then change your email password first and your banking passwords next from a separate clean device, and turn on two-factor authentication. Uninstall the remote-access tool and have the machine checked before you log in to anything sensitive.

6If money has already moved: call your bank's fraud line within hours and file with the FBI's IC3 at ic3.gov. An unsettled wire can sometimes be recalled, and fast IC3 reporting occasionally freezes funds through the FBI's Financial Fraud Kill Chain. Include phone numbers, any account or wallet the money went to, and the software you installed.

7Report to the FTC at reportfraud.ftc.gov, and if you or the victim is 60 or older, call the DOJ National Elder Fraud Hotline at 1-833-372-8311. See the full US reporting directory for every agency and what each one does.

8Lock down and watch for the recovery scam. The scammer knows you paid; 'recovery agents' will call offering to retrieve your money for an upfront fee, which is the same scam in a new mask. Real recovery is always free — see the recovery-scams piece, and the 72-hour recovery playbook for the odds by payment method.

If you have lost money to a tech support scam, recovery scammers will come for you next. Your name, your number, and the fact that you paid are now data points that get sold and reused. The follow-on call offers to recover your money for a fee — an authority figure, an account you must fund, a promise that never materializes. It is the original scam, repeated, because you have already proven you will follow instructions from someone claiming to help. Every real recovery channel — your bank, IC3, the FTC, the DOJ Elder Fraud Hotline — is free.

From the field. The cases that stay with me are not the ones where someone clicked a pop-up and lost a few hundred dollars. They are the ones where a careful, capable person — someone who balanced their checkbook every month for fifty years — spent three days on the phone being walked from their bank to a Bitcoin ATM to a second bank, because three different voices told them their life savings were under attack and that moving the money was how to save it. They were not careless. They were responsible, and the scam was written to turn that against them. By the time a teller asks the right question or an adult child notices the withdrawals, the account is empty and the voices are gone. The grief is the grief of a robbery committed by someone you trusted, because that is exactly what it was.

So — what should you actually believe about tech support scams?

Believe the scale. $1.46 billion in a single year, third out of every internet-crime category the FBI tracks, and that is only the share that reached a complaint form — shame keeps most elderly victims from ever reporting, so the real number is higher.

Believe that it is built for careful people, not careless ones. The pop-up, the bank caller, the government caller — the whole architecture is designed to convert your sense of responsibility into the lever that empties your account. Knowing that is most of your defense.

Believe that the institutions are moving, and that they are moving downstream of the harm. The FBI is arresting call-center operators. The FTC has a new rule and is writing settlements. And the median victim is still over sixty, the standard advice still arrives after the wire clears, and the two-click remote-access install still ships without the friction that would break the con.

If you take one rule from this whole piece, take this: the words "move your money to a safe account" are the scam, every time, no matter who is saying them — Microsoft, your bank, the Federal Reserve, the FBI. A real institution protects the account you already have. It never asks you to empty it. Hang up, and call back on a number you found yourself.

On a call right now telling you to move your money? Hang up first — then talk to us.

Tell us what you were told, what you installed, and where any money went. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure.

Submit a free case review →Try the Scam Checker

Common questions about tech support scams

Will Microsoft, Apple, or my bank ever call me about a virus or a hacked account?

No. This is the single most useful fact in this entire piece. Microsoft does not monitor your personal computer for infections and will never cold-call you, text you, or pop up a full-screen warning with a phone number telling you to call. Apple does not do it either. Your bank's fraud team may call you about a specific suspicious transaction, but they will never ask you to install software, read out a code, grant remote access to your computer, or move your money to a 'safe account.' Any unsolicited contact that claims your device or account is under attack and gives you a number to call is a scam. The number connects you to the scammer, not to the company being impersonated.

I gave a scammer remote access to my computer — what do I do now?

Act in this order. Disconnect the computer from the internet (unplug the ethernet cable or turn off Wi-Fi). Power the machine off so any remote session is severed. From a different, clean device — a phone, a tablet, another computer — change the passwords on your email and banking accounts, starting with email, because email is the reset key to everything else. Turn on two-factor authentication. Call your bank's fraud line using the number on the back of your card and tell them you granted remote access; ask them to watch for unauthorized transfers. Uninstall any remote-access tool the scammer had you install (common ones are AnyDesk, TeamViewer, and similar). If you are not confident the machine is clean, have it professionally checked before you log into anything sensitive on it again.

What is the 'Phantom Hacker' scam?

The Phantom Hacker is the FBI's name for the most damaging form of tech support scam, and it works in three chained phases. First, a fake tech-support agent contacts you (pop-up, call, email), gets remote access, and tells you your accounts are at risk — which conveniently makes you open those accounts so the scammer can see which one holds the most money. Second, a fake employee from your bank or brokerage calls to 'confirm' the breach and says foreign hackers have your money. Third, a fake US government official — often claiming to be from the Federal Reserve or the FBI — instructs you to move your savings to a 'safe' or 'alias' government account, which is controlled by the scammer. Because each caller appears to corroborate the last, victims who would never fall for a single call are walked, step by step, into emptying entire retirement and savings accounts. The FBI has publicly put Phantom Hacker losses at over $1 billion, the majority from victims over 60.

Can I get my money back after a tech support scam?

It depends entirely on the payment method and how fast you move. If money left by wire transfer, call your bank's fraud line within hours — domestic wires can sometimes be recalled before they settle, and the FBI's Financial Fraud Kill Chain can occasionally freeze funds when IC3 is notified fast enough. If you paid by credit or debit card, you have chargeback and Regulation E protections. If you paid in cryptocurrency through a Bitcoin ATM, or handed cash or gold to a courier, or bought gift cards, recovery is far harder and usually fails — those rails are chosen by scammers precisely because they are irreversible. In every case, file with the FBI's IC3 and the FTC immediately. Treat any 'recovery service' that contacts you afterward as a second scam.

Why do tech support scammers target older people?

Two reasons, and neither is the condescending one people assume. First, older adults are more likely to hold the assets the scam is built to drain — paid-off homes, retirement accounts, decades of savings sitting in one place. Second, and more cynically, the scam weaponizes responsibility. As FBI San Francisco Special Agent in Charge Robert K. Tripp put it, the criminals 'are using the victims' own attentiveness against them.' Someone who carefully watches their nest egg is exactly the person who will act fast when told that nest egg is under attack. The FBI's data bears the targeting out: in the first half of 2023, victims over 60 accounted for 66% of all tech-support scam losses.

Is it safe to call the number in a pop-up virus warning?

No. The phone number in a pop-up warning is the scam. Legitimate security software does not put a phone number on an alarming full-screen warning and tell you to call it. The pop-up is designed to frighten you into dialing a number that connects you directly to a scammer's call center, where a scripted 'technician' will ask for remote access to your computer. If a pop-up has frozen your browser, do not call anything — close the browser (on Windows, use Task Manager to force-quit it; on a Mac, Force Quit), or restart the computer. The warning disappears because it was never real to begin with. If you are genuinely worried about your device, contact the manufacturer or your own trusted technician using a number you look up yourself.

Sources & further reading

Every figure in this piece is drawn from these authorities. Click any of them to verify.

Tech support scams: $1.46 billion gone in 2024, the victims are mostly over sixty, and the call always ends with "move your money somewhere safe."