The most reliable way to recognize a tech support scam after a data breach is to remember one rule: legitimate companies do not make unsolicited contact about a security problem. Microsoft will not call your phone. Apple will not send you a pop-up telling you to dial a number. No real IT department will email you out of nowhere asking to remotely access your device. If contact is unsolicited, treat it as suspect — especially in the days and weeks following a breach notification. The Betterment breach in January 2026 is a clear illustration: after hackers obtained customer data, they used it to send fake crypto scam notifications to actual Betterment users, making the messages appear credible because they arrived with real account details attached.
This matters more now than it ever has. The United States recorded 3,332 data compromises in 2025 — a 79% increase over five years and the third consecutive year exceeding 3,000 incidents. Each of those breaches puts personal information on the dark web, where scammers purchase it in bulk to craft personalized attacks.
This article covers the specific red flags of post-breach tech support fraud, explains how scammers convert stolen data into convincing impersonations, describes the most current scam scripts in use, and walks through what to do if you or someone you know has been targeted.
Table of Contents
- Why Do Data Breaches Make Tech Support Scams More Dangerous?
- What Does a Post-Breach Tech Support Scam Actually Look Like?
- How Do You Spot the Red Flags in Real Time?
- What Should You Do Immediately If You Suspect You’re Being Targeted?
- Who Is Most at Risk and Why Does It Matter?
- How Scammers Use Phishing Volume to Increase Their Odds
- What the Next Wave of Post-Breach Scams May Look Like
- Conclusion
- Frequently Asked Questions
Why Do Data Breaches Make Tech Support Scams More Dangerous?
When a database is stolen and sold, scammers do not just gain an email address. They gain your name, possibly your phone number, your account type, your employer, your approximate location, and sometimes your transaction history. That package of information allows them to construct what security researchers call spear phishing — targeted attacks that feel personal rather than generic. If a scammer calls you by your full name, references the bank you actually use, and mentions a breach you actually received notice about, the call carries a plausibility that a random cold call never could.
The mechanics of this pipeline are now well established. Breached records are sold on dark web marketplaces, often within days of a compromise. Fraud operators buy lists segmented by data type — email-only lists are cheap, but full profiles with phone numbers, account details, and breach context are premium. Those operators then run call centers or automated phishing campaigns that reference the breach directly, positioning themselves as helpers arriving just in time. The FTC documented this shift explicitly in its April 2025 consumer alert: scammers have updated their scripts from “you have a virus” to “your bank account was hacked,” using breach news as the entry point for their pitch.

What Does a Post-Breach Tech Support Scam Actually Look Like?
The contact usually arrives through one of three channels: a phone call, an email, or a browser pop-up. Phone calls may come from someone claiming to be from your bank’s fraud department, your internet provider’s security team, or the IT support desk of a company whose breach you saw in the news. Emails may appear to use company branding, reference your real account, and ask you to click a link or call a number. Pop-ups are triggered by malicious ads or compromised websites and typically display alarming warnings with a phone number prominently displayed.
The newer script is worth understanding in specific terms. Rather than the older “your computer has a virus” approach, scammers now frequently tell victims their investment account, retirement fund, or bank account has been compromised and that they need to act immediately to protect their money. The FTC flagged this pivot in 2025 as a deliberate evolution — it bypasses skepticism about computer problems and speaks directly to financial fear. The logical next step in that script is always a request to move money somewhere “safe,” whether that means wiring funds, buying gift cards, or transferring to a cryptocurrency wallet.
If you receive what appears to be a breach notification via email from a company you do not have an account with, that is a separate but related scam — using breach anxiety to phish credentials for services you may actually use. Do not click links in any unsolicited security email regardless of how official it appears. If a company genuinely needs to contact you after a breach, it will not ask you to act through an email link. Go directly to the company’s website by typing it into your browser.
How Do You Spot the Red Flags in Real Time?
The Federal Trade Commission, FBI, Microsoft, and AARP have each documented consistent warning signs, and they largely agree. First: unsolicited contact is itself a red flag. Microsoft has stated explicitly that it does not contact users out of the blue about security problems. Apple has said the same. If someone initiates contact with you about your security, your device, or your accounts, that asymmetry alone should raise immediate suspicion.
Second, watch for requests for remote access. A scammer posing as a technician will ask to connect to your computer through tools like AnyDesk or TeamViewer. Once connected, they can steal stored passwords, install malware, or stage a fake “demonstration” of a nonexistent problem to justify payment for their fake service. No legitimate company’s support process begins with a cold call followed by a request for remote access to your machine.
Third, examine sender addresses carefully. One documented pattern involves emails that claim to be from Microsoft security but are sent from personal accounts — an @aol.com or @gmail.com address hidden behind a display name that reads “Microsoft Support.” This mismatch is a reliable tell. Additionally, Microsoft and Apple do not attach image files to security alerts. If a security notification arrives as an image attachment rather than plain text, it is a scam.
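The sender-address mismatch and image-attachment tells described above can be checked mechanically, for example in a mail filter. The following is an added example, not part of the original article; the brand-to-domain mapping, the flag names and the three sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: which domains count as each brand's own.
BRAND_DOMAINS = {"microsoft": ("microsoft.com",), "apple": ("apple.com",)}
PERSONAL_DOMAINS = {"aol.com", "gmail.com"}  # the two named in the article


def sender_red_flags(raw_message):
    """Return the article's sender red flags that apply to one raw email."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    flags = []
    for brand in claimed:
        # Only the brand's domain or a true subdomain of it is accepted.
        own = any(domain == d or domain.endswith("." + d)
                  for d in BRAND_DOMAINS[brand])
        if not own:
            flags.append("display-name-mismatch:" + brand)
            if domain in PERSONAL_DOMAINS:
                flags.append("personal-account-sender")
    # Second tell: a brand-named "security alert" that carries an image part.
    if claimed and any(p.get_content_maintype() == "image" for p in msg.walk()):
        flags.append("image-attachment")
    return flags


# Constructed sample messages (not real mail).
SCAM = """\
From: "Microsoft Support" <helpdesk1987@aol.com>
Subject: Security alert
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/png; name="alert.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
LEGIT = ("From: Microsoft account team <security@notices.microsoft.com>\n"
         "Subject: Sign-in activity\n\nReview activity from your account page.\n")
LOOKALIKE = ('From: "Apple Support" <help@apple.com.secure-id.example>\n'
             "Subject: Your ID was locked\n\nCall us now.\n")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(name, sender_red_flags(raw))
```

A From header forged to show the brand's real domain passes this check, so it complements rather than replaces SPF, DKIM and DMARC results.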

What Should You Do Immediately If You Suspect You’re Being Targeted?
The first and most important step is to stop the interaction. If you are on the phone with someone who raised any of the red flags described above, hang up. If you have received an email, do not click any links and do not call any phone numbers listed in it. Navigate to the company’s official site yourself by typing the URL directly. This is not overcautious — it is the specific guidance the FTC provides, and the distinction between calling a number in an email versus calling one you looked up yourself is the difference between reaching a scammer and reaching an actual company.
If you have already shared a password or allowed remote access, act quickly. Change the password immediately, starting with email accounts since those can be used to reset every other password you have. Contact your bank if financial information was shared. Run a security scan on your device if remote access was granted. The FTC also recommends checking your credit reports and placing a fraud alert with the major bureaus if you believe personal information has been compromised further.
Report what happened to the FTC at ReportFraud.ftc.gov. This is not merely a formality — aggregate reports allow the FTC to identify patterns and take enforcement action. The agency’s Impersonation Rule, which has been active since 2024, had already produced five enforcement cases and the shutdown of thirteen impersonation websites by April 2025.
Who Is Most at Risk and Why Does It Matter?
Older adults bear a disproportionate share of the losses. FTC data show that fraud losses among adults 60 and older quadrupled between 2020 and 2024, rising from roughly $600 million to $2.4 billion. Tech support scams are a significant driver of that number. The reasons are partly demographic — older adults are more likely to be unfamiliar with the idea that Microsoft would never cold-call them, and more likely to be home to answer the phone — but the scams themselves are also deliberately designed to exploit the concerns of that age group, particularly anxiety about financial accounts and retirement savings.
This does not mean younger adults are not targeted. Post-breach spear phishing is distributed based on who appears in the stolen data, not based on age. If your email address is in a breached database, you may receive a phishing email regardless of your age or technical sophistication. The difference is that the scripts targeting older adults tend to escalate more quickly to financial transfers, while those targeting younger adults may focus more on credential theft.
The total cost across all demographics for tech support scams specifically exceeded $159 million in 2024, and that figure captures only reported losses. A warning worth stating plainly: loss figures from the FTC and FBI represent a fraction of actual losses, because most fraud goes unreported. Shame, confusion, and the belief that nothing can be done all suppress reporting rates. The real scale of the problem is almost certainly larger than any published statistic reflects.

How Scammers Use Phishing Volume to Increase Their Odds
The raw volume of phishing attacks creates a statistical advantage for scammers that individual vigilance alone cannot fully counter. APWG tracked more than one million phishing attacks in the first quarter of 2025 — the highest quarterly total in over a year. At that scale, even a very low success rate produces substantial revenue. A campaign targeting a list of 500,000 breach victims that converts at one-tenth of one percent still produces hundreds of victims.
Impersonation scams broadly — which include tech support fraud alongside bank impersonation and government impersonation — cost consumers $2.95 billion in 2024, according to the FTC. That figure underscores why these operations are so persistent. The profit margin on a successful tech support scam, particularly one that convinces a victim to wire money or transfer cryptocurrency, can be very high relative to the cost of running the campaign. Understanding this economic logic helps explain why the scripts and methods evolve continuously: scammers are responding to market pressures the same way any commercial operation would.
What the Next Wave of Post-Breach Scams May Look Like
The trajectory of tech support scams points toward more personalization, not less. As AI tools become more accessible, generating voice audio that sounds like a known contact, drafting emails that mimic someone’s actual writing style, or fabricating video of a recognizable figure becomes cheaper and easier. The Betterment case in early 2026 showed that scammers are already moving quickly to exploit breach data the moment it becomes available — the window between a breach and the first downstream scam attempt is shrinking.
Regulatory responses are active but operating at a different pace. The FTC’s Impersonation Rule represents a meaningful enforcement tool, and international coordination between law enforcement agencies has increased, but the geography of these operations — often operating across multiple jurisdictions — continues to limit how quickly cases can be built and shut down. The most durable protection for individual users remains behavioral: skepticism toward unsolicited contact, verification through official channels, and prompt reporting when something feels wrong.
Conclusion
Tech support scams that follow data breaches succeed because they exploit two things at once: the credibility that comes from knowing real personal information, and the urgency that follows a genuine security event. Scammers now buy breached data specifically to make their impersonation calls and emails more believable. The red flags — unsolicited contact, requests for remote access, instructions to move money, pop-up phone numbers, suspicious sender addresses — remain consistent even as the specific scripts evolve. Recognizing those signals before complying with any request is the single most effective defense available. If you receive any unsolicited communication about your accounts, your devices, or your security after a breach, stop and verify through a channel you initiate yourself.
Do not call the number in the email. Do not click the link in the pop-up. Do not grant remote access to anyone who contacted you first. Report suspicious contacts to the FTC at ReportFraud.ftc.gov. These steps are not complicated, but they require the discipline to pause when someone is deliberately creating urgency to prevent you from pausing.
Frequently Asked Questions
How do I know if the breach notification I received is real?
Real breach notifications do not ask you to click a link to “verify your account” or call a number to “protect your information.” They inform you of what happened and direct you to resources. If in doubt, go directly to the company’s official website by typing the address yourself and look for a security notice there.
Will Microsoft or Apple ever call me about a security problem?
No. Both Microsoft and Apple have stated explicitly that they do not initiate unsolicited calls to customers about security issues. Any call claiming to be from either company’s support team should be treated as a scam unless you placed the call yourself through an official number.
What should I do if I already gave a scammer remote access to my computer?
Disconnect from the internet immediately, then reconnect and run a full security scan with updated antivirus software. Change all passwords, starting with your primary email account. Contact your bank if any financial accounts may have been visible during the session. Consider consulting a professional IT service to assess whether anything was installed.
Are gift card payment requests always a scam?
Yes, in the context of resolving a security or tech support issue. No legitimate company, government agency, or utility will ask you to pay in gift cards. This method is used specifically because gift card payments are effectively irreversible and difficult to trace.
How do I report a tech support scam?
Report to the FTC at ReportFraud.ftc.gov. You can also report to the FBI’s Internet Crime Complaint Center at ic3.gov. If money was transferred, contact your bank immediately — some transfers can be reversed if reported quickly.
Why do these scams keep working if they’re so well documented?
The scripts evolve faster than public awareness campaigns can keep up, and the sheer volume of phishing attempts — over one million in a single quarter in 2025 — means scammers need only a tiny success rate to profit substantially. Personalization using breached data also makes attacks more convincing than generic fraud attempts.
