The one rule that defeats every Microsoft tech-support scam

Microsoft does not cold-call customers about computer infections, security warnings, or expired licences. It never has. Any unsolicited phone call claiming to be from Microsoft, Windows, or any Microsoft product team is a scam, full stop. Real Microsoft support is initiated by the customer through support.microsoft.com — never by Microsoft contacting you first.

The same applies to browser pop-ups: real Microsoft / Windows security warnings never include a phone number to call. If you see a full-screen alert with audio and a phone number, you are looking at a scam page, not a Windows alert.

Microsoft tech-support scams cost UK consumers tens of millions of pounds each year. Report Fraud’s tech-support scam category has grown steadily since 2020, with older adults disproportionately targeted. The mechanic is consistent: get remote access to the victim’s computer (via AnyDesk, TeamViewer, UltraViewer or similar), then install malware, drain online banking, or convince the victim to wire “refund” money to cover a fake refund overpayment.

Three Microsoft tech-support scam variants currently in circulation

Variant 1 — Cold call: “your computer is infected”

How it presents: An unsolicited phone call. The caller claims to be from “Microsoft Technical Department”, “Windows Security”, or sometimes “Microsoft’s partner in the UK”. They tell you your computer has been infected with malware / your Windows licence has expired / your IP address has been compromised. To “fix” the issue they need you to install a remote-access tool (typically AnyDesk, TeamViewer, UltraViewer) and grant them access.

Red flags:

  • Microsoft does not cold-call customers. Ever. Real Microsoft has no way to know your phone number or to identify that your computer is infected. There is no monitoring mechanism that does this.
  • Requests to install AnyDesk / TeamViewer / UltraViewer / LogMeIn / Quick Assist. Once installed, the criminal has full control of your computer. Real Microsoft support uses its own Quick Assist within Windows or its own remote tools, and never asks you to download an external third-party tool.
  • Reference to your Windows version or computer details. The caller may say things like “Your Windows 11 PC has been compromised”. They’re guessing: nearly all UK home computers run Windows. The reference is psychological, not based on real telemetry.
  • They will eventually ask you to open your online banking. Once remote access is established, the criminal either watches you enter credentials, screen-blocks while they transfer funds, or shows fake “refunded too much” figures to set up Variant 3 (the reverse refund scam).
  • Foreign accent + UK phone number. Spoofed caller ID combined with operators in lower-cost regions is the standard operating model. Not diagnostic on its own, but combined with other signals it’s consistent.

Variant 2 — Browser pop-up: “Windows Defender Security Alert”

How it presents: While browsing (often after clicking a suspicious link, watching streaming videos on a sketchy site, or visiting compromised sites), a full-screen browser pop-up appears: “WINDOWS DEFENDER SECURITY ALERT”. Audio plays, often a panicked voice or an alarm tone. The page lists a phone number and says “DO NOT shut down your computer — call Microsoft support immediately on 0800-XXX-XXXX”.

Red flags:

  • Windows Defender does not display security warnings in your web browser. Real Windows Defender alerts appear in the Windows notification area at the bottom right of the screen, not as a full-screen browser page.
  • Real Microsoft alerts never include a phone number. Microsoft does not display phone numbers in any security warning, ever.
  • The page tries to prevent you from closing it. Fake alert pages use full-screen API tricks, repeated alert pop-ups, or audio to discourage you from closing the tab. None of this is part of real Windows behaviour.
  • If you call the number, the script begins. The same remote-access install demand as Variant 1.
  • To close the page: press F11 to exit full-screen, then close the tab. If the page resists, press Ctrl+Alt+Delete and end the browser process. Restart the browser without restoring the previous session. The pop-up has no persistence beyond the page itself.
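
The red flags above can be turned into a simple triage check for a saved copy of a suspect page, for example when a helpdesk is sent the pop-up's HTML. This is an added example, not code from Microsoft or from this site; the regex patterns, flag names, URLs and sample pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristic patterns (assumptions for this example, not an official rule set).
PHONE_RE = re.compile(r"(?:\+44\s?|\b0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}\b")
BRAND_RE = re.compile(r"\b(microsoft|windows\s+defender|windows\s+security)\b", re.I)
FULLSCREEN_RE = re.compile(r"requestfullscreen", re.I)
AUDIO_RE = re.compile(r"<audio[^>]*\bautoplay\b", re.I)
ALERT_RE = re.compile(r"\balert\s*\(")

def is_microsoft_host(url):
    """True only for microsoft.com and its subdomains (not look-alike suffixes)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "microsoft.com" or host.endswith(".microsoft.com")

def red_flags(url, html):
    """Return the Variant 2 red flags from the article found in one page."""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip, enough for triage
    branded = bool(BRAND_RE.search(text))
    flags = []
    if branded and not is_microsoft_host(url):
        flags.append("microsoft-branding-off-domain")
    if branded and PHONE_RE.search(text):
        flags.append("phone-number-in-alert")
    if FULLSCREEN_RE.search(html):
        flags.append("fullscreen-api")
    if AUDIO_RE.search(html):
        flags.append("autoplay-audio")
    if len(ALERT_RE.findall(html)) >= 2:
        flags.append("repeated-alert-dialogs")
    return flags

def looks_like_fake_alert(url, html):
    """A phone number on a Microsoft-branded page plus at least one more flag."""
    flags = red_flags(url, html)
    return "phone-number-in-alert" in flags and len(flags) >= 2

# Constructed sample pages (not captured from any real site).
SCAM_URL = "https://alerts.example.net/win"
SCAM_HTML = """<html><body onload="document.documentElement.requestFullscreen()">
<h1>WINDOWS DEFENDER SECURITY ALERT</h1>
<p>DO NOT shut down your computer. Call Microsoft support on 0800-000-0000</p>
<audio autoplay loop src="alarm.mp3"></audio>
<script>alert("Virus detected"); alert("Call support now");</script>
</body></html>"""
REAL_URL = "https://support.microsoft.com/help"
REAL_HTML = """<html><body><h1>Fix Windows Update errors</h1>
<p>Error code 0x80070002. See the Microsoft documentation.</p></body></html>"""

if __name__ == "__main__":
    for url, html in ((SCAM_URL, SCAM_HTML), (REAL_URL, REAL_HTML)):
        print(url, looks_like_fake_alert(url, html), red_flags(url, html))
```

Branding on a non-Microsoft host is only one signal and is common on ordinary news or blog pages, which is why the verdict requires the phone number as well.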

Variant 3 — Reverse ‘refund’ scam: “we refunded too much, please wire the difference back”

How it presents: Following a previous tech-support scam interaction (or sometimes as a standalone), the “Microsoft refund department” contacts you saying you’re entitled to a refund. They ask you to log in to your online banking to receive the refund. While remotely connected to your computer, they manipulate the display to show a £5,000 refund instead of the £500 they claim to have intended. They then claim they’ve refunded too much and ask you to wire the difference (£4,500) to a foreign account or buy gift cards to repay.

Red flags:

  • Microsoft does not refund customers via remote-access banking sessions. Real refunds go through your original payment method automatically.
  • The displayed bank balance is manipulated, not real. Remote-access tools allow the criminal to show a doctored view of your banking page. The “extra refund” never existed; the money you’re asked to send is your own.
  • Foreign wire / gift cards / crypto are the diagnostic payment route. No legitimate refund-correction process uses these channels.
  • Urgency about “the supervisor losing his job”. Emotional manipulation is standard. The script invokes sympathy: “the supervisor will be sacked”, “I’ll personally have to repay it”.
  • The scam targets the elderly disproportionately. Variant 3 is among the highest-loss-per-victim scam patterns in UK reporting. Talk to older relatives about it specifically.

What real Microsoft support actually looks like

  1. Customer-initiated only. Real support starts at support.microsoft.com. Microsoft does not phone you out of the blue.
  2. No phone numbers in error messages. Real Windows / Microsoft 365 / Outlook errors never include “call this number” instructions. Real errors include an error code (e.g. 0x80070002) and a Microsoft documentation link.
  3. Real remote support uses Microsoft Quick Assist or Microsoft Remote Desktop. Not AnyDesk, TeamViewer, UltraViewer, or any external tool. If a “Microsoft technician” asks you to install something to give them access, it’s a scam.
  4. Real Microsoft never asks for your password. Genuine support resets passwords through documented workflows that don’t require you to disclose the current password.
  5. Real Microsoft never asks you to open your bank account. Refunds happen via the original payment method automatically; no banking access is needed.

What to do if a Microsoft tech-support scammer is on the line right now

  1. Hang up. Don’t engage, don’t challenge, don’t explain why you know. Just hang up.
  2. If they’re already remote-accessing your computer: disconnect the network cable, turn off Wi-Fi, or hold down the power button to force a shutdown. Speed matters — every second of remote access is a chance for further damage.
  3. Uninstall the remote-access tool. Go to Settings > Apps > Installed Apps and uninstall AnyDesk / TeamViewer / UltraViewer / Quick Assist (if installed by them) / anything you didn’t deliberately install yourself.
  4. Change your Microsoft account password at account.microsoft.com. Sign out all other sessions. Enable 2FA if it isn’t already on.
  5. Change your online banking passwords from a different device (your phone’s mobile data, not the affected computer’s Wi-Fi). Then enable banking-app push notifications for all transactions.
  6. Run a full antivirus scan. Windows Defender Full Scan, or your preferred AV. The criminal may have installed persistence tools to maintain access. If you’re unsure, ask a trusted local IT person.

If you’ve already sent money

  1. UK bank transfer: Call your bank’s fraud line immediately on the number on the back of your card. Use the PSR Claim Wizard. PSR Mandatory Reimbursement covers up to £85,000 within 5 working days for APP fraud, which includes tech-support scam losses.
  2. Card payment: Use the Chargeback & Section 75 Generator. Credit-card purchases £100–£30,000 are protected by Section 75.
  3. Gift cards / wire transfer / crypto: Report immediately to Report Fraud on 0300 123 2040. Some gift-card issuers (Apple, Google, Amazon, Steam) can sometimes freeze unredeemed cards if reported within hours. Recovery probability is otherwise low.
  4. If banking credentials were entered while remote-controlled: change them from a clean device immediately. Notify your bank so they can monitor for unauthorised transactions.
  5. Consider CIFAS Protective Registration — £25 for 2 years of credit-file protection if personal data (DOB, address, ID document numbers) was disclosed during the call.
  6. Report the scam to Microsoft at microsoft.com/reportascam. Microsoft’s security team uses these reports to action takedowns of fake support pages and pop-up campaigns.