Anatomy of the scam
A caller or email claims you are owed a refund for an expired subscription (often Norton, McAfee, Geek Squad, Best Buy). With their help, you log into your bank account while they are connected remotely (via AnyDesk or TeamViewer) and watch the refund being "processed." During the screen-sharing session, the scammer manipulates what the browser displays locally so that it looks like $5,000 was deposited instead of $50. They then beg you to "send back the difference" or "they'll lose their job."
The deposit is not real. It is a cosmetic edit to the page in your browser (the DOM), made through the screen-sharing tool you installed at their request. When you wire or send Zelle for the "difference," that's real money leaving your real account.
Often the next call is an "FTC investigator" who wants to help recover the funds — for an upfront fee. The recovery scam compounds the loss.
Red flags
- An unsolicited "refund" you weren't expecting.
- The caller has you install remote-access software to "process the refund."
- They watch you log into your bank account.
- The refund appears to be much larger than expected.
- They ask you to send back the difference via wire, Zelle, or gift cards.
- They cry, beg, or claim they'll be fired if you don't help.
- A second "FTC" or "fraud team" call follows.
How to verify safely
- Refunds don't require remote access. No legitimate refund process needs you to install AnyDesk or TeamViewer.
- Hang up. Call the company's real customer service through their website.
- Check your actual bank account on a separate device, not the one the caller is sharing. The "refund" won't be there.
- Real refunds for subscriptions go back to the original payment method automatically. You don't have to "log in to process" them.
- Apply the rule: anyone asking you to log into your bank while they watch is committing fraud, full stop.
If you already wired or sent funds
- Call your bank immediately. Wires can sometimes be recalled within hours.
- Disconnect your computer from the internet and uninstall any remote-access software the caller had you install.
- Run anti-malware or take the computer for professional cleaning.
- Change passwords for any account they could have seen during the screen-share.
- Report to the FTC, IC3, and your bank.
- Expect a follow-up "FTC investigator" or "recovery agent" call. It's the same operation. Don't engage.
- Tell a trusted family member. Don't isolate.
What not to do
- Do not install remote-access software at the request of an unsolicited caller.
- Do not wire money to "return" any refund. Real refunds reverse automatically through the same method.
- Do not assume what you see on screen during a screen-share session is real.
- Do not continue communicating once you suspect a scam. Hang up and report.
Where to report
- FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
- FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
- CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
- IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
- Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.