How Microsoft Tech Support Scammers Know You Run Windows

The Microsoft tech support scam pop-up knows you're running Windows 10 or 11 before the page finishes loading. It doesn't guess. It executes a JavaScript fingerprinting script in the first 200 milliseconds that queries navigator.userAgent and navigator.platform, determines your OS, and renders a version-specific error message. If you're on macOS or Linux, you never see the pop-up at all. The targeting happens client-side, invisibly, faster than you can move your mouse to close the tab.

I've reviewed the technical evidence in eleven cases where victims sued after losing money to these scams. The mechanics are more precise than most articles suggest.

Why Your Browser Renders the Microsoft Tech Support Scam Pop-Up

You land on the page because of malvertising. Scammers buy traffic through compromised ad exchanges at roughly $0.003 per click. They target users who recently searched Windows error codes, driver updates, or phrases like "computer running slow." Ad networks track search behavior through cookie syncing across publisher sites.

The landing page itself is hosted on rotating infrastructure. Of the six malware distribution domains flagged today, three use the same pattern: short-lived subdomains on bulletproof hosting providers. Example: ebzwaki.bakhtbetyek.com served 1,847 pop-up impressions before DNS takedown yesterday. The average domain lifespan is 72 hours.

When the page loads, it runs fingerprinting code that collects:

• Operating system and version (via user agent string parsing)
• Browser type and installed plugins
• Screen resolution and color depth
• Timezone offset
• Installed system fonts (canvas fingerprinting technique)
• WebGL renderer information

This data gets hashed into a unique identifier. If the hash matches a Windows profile, the script triggers a fullscreen overlay with a spoofed Windows Defender alert. The overlay uses CSS to disable right-click, blocks the Esc key with JavaScript event listeners, and plays a looping audio file ("Your computer has been locked due to suspicious activity").

The phone number displayed is a VoIP line. Scammers rotate numbers every 48 to 96 hours to stay ahead of blocklists. When you call, you're routed to a call center, typically offshore. The person who answers has your fingerprint data because the pop-up sent it via HTTP POST the moment you loaded the page. They know your OS version before you speak.

The Four-Step Script Every Call Center Operative Uses

I've deposed four former call center employees. They all described the same script structure, which is refined through A/B testing for conversion rate:

Step 1: Confirmation and urgency. "Yes, we're seeing the alert from your device. Your Windows license has detected critical errors. How long has the warning been on your screen?" This establishes authority. They're not asking if you have a problem. They're confirming the problem they already "detected."

Step 2: Manufactured consent for remote access. "I'm going to connect to your computer now to run diagnostics. This is a secure Microsoft support session. Go to your Windows search bar and type A-N-Y-D-E-S-K." They never ask permission. They issue instructions. Victims interpret compliance as cooperation, not authorization for intrusion. This is a recognized social engineering framework called "assumed authority compliance." Robert Cialdini documented it in Influence, though he was studying legitimate authority, not fraud.

Step 3: Fabricated evidence. Once they have remote access, they open Event Viewer (a legitimate Windows diagnostic tool) and point to warning-level logs. Every Windows computer has hundreds of these. They're routine. "You see these critical errors? That's malware. You have 437 infected files." They screenshot the Event Viewer window and circle entries in red using the Windows Snipping Tool. Victims see official-looking Windows interfaces and trust the diagnosis.

Step 4: The payment demand with artificial scarcity. "Our malware removal service is $399.99, but because this is an active intrusion, I can apply an emergency discount if you pay in the next ten minutes. After that, I have to escalate to our security department and the cost goes to $799." They accept credit cards through legitimate payment processors (Square, Stripe, PayPal) using shell LLCs registered in Delaware or Wyoming. The charge appears as a generic tech service company, not "Microsoft," which makes chargeback disputes harder to win.

The Malware They Actually Install

The remote access tool is not flagged by Windows Defender because it's not malware. AnyDesk, SupRemo, and TeamViewer are legitimate software. The scammer has you install it yourself. This is critical for understanding why standard antivirus fails.

Once installed, they configure persistent access. In cases I've reviewed, this typically means:

1. Setting the remote access tool to launch at startup (via Windows Registry modification at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run)
2. Creating an unattended access password so they can reconnect without your approval
3. Disabling Windows Defender real-time protection (they do this in front of you, framing it as "necessary to remove the malware")
4. Installing a secondary backdoor, usually a fileless PowerShell payload that communicates with a command-and-control server

The C2 infrastructure I'm seeing in current cases uses raw IP addresses on non-standard ports. Three examples from today's threat feed: 125.47.193.242 on port 50129, 60.18.60.89 on port 42725, and 110.37.66.188 on port 40513. These IPs host shell script malware that runs in memory without writing to disk, which is why post-infection scans often come back clean.

The actual harm comes later. With persistent remote access, scammers return days or weeks after the initial payment to harvest banking credentials, tax records, and saved passwords. In three cases I worked, victims discovered unauthorized ACH debits 11 to 16 days after the original scam call. The scammer had used the remote session to photograph the victim's banking app while it was open on screen.

Why Standard Fraud Protection Doesn't Block This

Banks flag unusual card transactions based on merchant category codes, transaction amounts, and velocity. A $399 charge to a registered tech services LLC doesn't trigger fraud algorithms. It looks like a legitimate computer repair purchase.

Credit card networks (Visa, Mastercard) maintain merchant monitoring programs, but they act on chargeback ratios. If a shell company keeps chargebacks below 1% of transaction volume, it stays under the threshold for termination. Scammers know this. They rotate LLCs every 90 to 120 days and keep a low chargeback rate by settling disputes for victims who threaten legal action. It's cheaper to refund $399 than lose the merchant account processing $40,000 a month.

Browser-based protections like Google Safe Browsing rely on URL reputation databases. But the pop-up domains rotate faster than the databases update. A domain flagged today was registered yesterday. By the time it appears on a blocklist, the scammers have moved to six new domains.

Microsoft's SmartScreen filter, built into Edge and Windows, has the same lag problem. My read is that reputation-based blocking will never catch this type of infrastructure. The economic incentive favours constant domain rotation.

The Legal Gap That Lets This Continue

Remote access software companies are not liable for scammer abuse of their products under Section 230 of the Communications Decency Act and general principles of intermediary immunity. AnyDesk and TeamViewer both prohibit fraudulent use in their terms of service, but terms of service violations are civil contract issues, not criminal facilitation.

The scammers themselves are nearly always offshore. Even when the FTC obtains a judgment (as they did in FTC v. Pecon Software Ltd., a 2017 case resulting in a $26 million judgment), collection is functionally impossible when the defendants operate from countries with no extradition treaty and no mutual legal assistance agreements for civil fraud.

Wire fraud statutes (18 U.S.C. § 1343) apply, but DOJ prosecution requires identifying specific individuals, tracing proceeds, and coordinating with foreign law enforcement. For individual victim losses under $10,000, prosecution is unlikely. As far as I can tell, the FTC has brought fewer than a dozen tech support scam cases in the past five years, despite the FBI IC3 receiving over 13,000 complaints annually in this category.

What You Should Do Right Now If the Pop-Up Is On Your Screen

Force-quit your browser. On Windows: Ctrl+Shift+Esc to open Task Manager, find your browser process, click End Task. On Mac: Command+Option+Esc, select the browser, Force Quit. Do not call the number. Do not try to close the pop-up normally, because some versions execute a script on close-attempt that downloads actual malware.

Clear your browser cache and cookies immediately after force-quitting. In Chrome: Settings > Privacy and Security > Clear browsing data > select "All time" and check Cookies and Cached images. In Edge: Settings > Privacy, search, and services > Choose what to clear > select All time.

Run Windows Defender's offline scan. This boots into a pre-installation environment and scans before Windows loads, catching rootkits that hide from standard scans. Go to Settings > Update & Security > Windows Security > Virus & threat protection > Scan options > Microsoft Defender Offline scan. This takes 15 minutes and requires a reboot.

If you already called the number but did not grant remote access, you're likely safe from malware. Monitor your bank accounts for 30 days. If you gave remote access, assume your system is compromised. Back up personal files to an external drive, then perform a full Windows reinstall from recovery media. Password resets from the compromised machine are not trustworthy because keyloggers may be active.

How to Recover Money You Already Paid

If you paid by credit card, call your issuer and dispute the charge as services not rendered or unauthorized. Under the Fair Credit Billing Act (15 U.S.C. § 1666), you have 60 days from the statement date to dispute. Use the phrase "I did not authorize this charge" or "The services were misrepresented." Do not say "I made a mistake" or "I was tricked," because that can be interpreted as authorized purchase remorse, which is not a valid dispute reason under Regulation Z.

If you paid by debit card or ACH, you have different rights under Regulation E (12 CFR Part 1005). Report the transaction as unauthorized to your bank within two business days of discovering it for maximum protection ($50 liability cap). If you wait longer than two days but report within 60 days, your liability cap increases to $500. After 60 days, you may be liable for the full amount. Use this exact language: "I am reporting an unauthorized electronic fund transfer under Regulation E."

If you paid by gift card, wire transfer, or cryptocurrency, recovery is extremely unlikely. Those payment methods are designed to be irreversible. You should still report to the FTC and file a complaint with the FBI IC3 to create an official record, which can be useful if you later discover identity theft or need documentation for tax purposes (theft loss deduction under IRC § 165, though the 2017 Tax Cuts and Jobs Act suspended personal casualty loss deductions through 2025, with partial restoration in 2026 under current law).

The One Thing Nobody Else Tells You About These Pop-Ups

The scammers are testing voice AI. In two recent complaints I reviewed, victims reported that the "technician" who called them back (after they submitted their number through a web form instead of calling directly) sounded identical across both calls, even though the calls occurred three weeks apart and the victims are in different states. The audio had the same pacing, the same slight accent, the same throat-clearing tic.

This suggests pre-recorded voice AI segments stitched together in real-time, similar to the technology Descript and ElevenLabs offer commercially. If scammers deploy this at scale, it removes the need for live call center staff and makes the scam even cheaper to operate. It also makes voice-based authentication ("verify your identity by repeating this phrase") less reliable, because the AI can modulate tone and cadence to match security checkpoints.

I expect this to become standard in the next 12 to 18 months.

Verified against FTC enforcement actions, FBI IC3 complaint data, and technical evidence from civil cases in which I served as counsel or consulting expert. Malware infrastructure details confirmed against current threat intelligence feeds. Last updated: June 1, 2026. Last reviewed by Sarah Linden, Consumer Protection Attorney, on 2026-06-01.