What makes this scam different
Most phishing emails want you to click a link. The Geek Squad scam wants you to call a phone number. There is rarely a link to click. The whole email is designed to look like a real receipt or invoice, with a "Customer Care" or "Cancellation" phone number prominently displayed. When you call, you get a polite-sounding "Geek Squad representative" (actually an offshore call center fronting for the scammer). The representative offers to refund the charge but says they need remote access to your computer to "process the refund." From there, you are guided into giving access via AnyDesk, TeamViewer, or UltraViewer. The "refund" then becomes a fake bank-transfer error that requires you to send money to "fix" it, often through gift cards, wire transfers, or cryptocurrency.
The reason this attack works: the email never asks for your password or card details. It feels safer than a regular phishing email. The trap is the phone call, which most people do not associate with phishing.
The 6 message variants in active rotation
1. Auto-renewal notice
"Thank you for renewing your Geek Squad subscription. Your card has been charged $499.99. If you did not authorize this renewal, please call 1-XXX-XXX-XXXX within 24 hours."
2. Three-year plan
"Your Geek Squad Tech Support Plan has been renewed for 3 years for $899.99. Cancellation can only be processed by calling our 24/7 helpline."
3. New device protection
"Confirmation: Your Geek Squad Smart Home Protection Plan is now active. $599 charged to card ending in [last 4 they made up]. Call to modify or cancel."
4. Best Buy purchase
"Your order for [some random electronics, $1,299] is being shipped from Best Buy. If you did not place this order, please call our verification team."
5. Antivirus renewal
"Your Geek Squad Antivirus subscription has been renewed. $349.99 charged." Often paired with Webroot or Norton branding for confusion.
6. The PDF attachment
"Please find your invoice attached." The PDF looks like a Best Buy / Geek Squad receipt with the fake support number embedded in the document. This variant bypasses URL-based phishing detection because there are no links in the email body.
How to spot the fake in 10 seconds
- You don't have a Geek Squad subscription. If you cannot remember signing up, you did not sign up. Real Geek Squad receipts go to people who actually have the service.
- Sender domain. Real Geek Squad / Best Buy emails come from @bestbuy.com or @emails.bestbuy.com. Anything else is fake (@geeksquad-billing.com, @bestbuy-renewal.net, free Gmail or Yahoo addresses, etc.).
- Phone number prominently displayed. Real receipts do show a customer service number, but they don't put it in bold red text. If the only thing the email wants you to do is call, it is a scam.
- Generic greeting. "Dear Customer" or no greeting at all.
- Vague product name. "Geek Squad Tech Support Plan" or "Total Defense Protection" — no SKU, no real product details. Real Best Buy receipts have specific item descriptions.
- Mismatched billing. The card last-4 shown does not match any card you actually have, or the amount is round-ish and high.
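For anyone filtering a shared or family mailbox, the checks above that can be read from the message itself (sender domain, call-only body, greeting, PDF invoice) can be automated; the following is an added example, not code from this article or from Best Buy. The regular expressions, the sign names and both sample messages are constructed for illustration, and the SKU and billing checks are left out because they need your own account data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAINS = {"bestbuy.com", "emails.bestbuy.com"}  # the two named above
BRAND = re.compile(r"geek\s*squad|best\s*buy", re.I)
PHONE = re.compile(r"\b1?[-. (]*\d{3}[-. )]*\d{3}[-. ]*\d{4}\b")
URL = re.compile(r"https?://", re.I)
GENERIC = re.compile(r"^\s*dear (customer|user|member)\b", re.I | re.M)
CALL = re.compile(r"\b(call|helpline)\b", re.I)

def score_email(raw: str) -> list[str]:
    """Return the warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body, has_pdf = "", False
    for part in msg.walk():
        if part.get_content_type() == "application/pdf":
            has_pdf = True
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')}\n{body}"
    if not BRAND.search(text + msg.get("From", "")):
        return []  # does not claim to be Geek Squad / Best Buy
    signs = []
    if domain not in LEGIT_DOMAINS:
        signs.append("sender-domain")
    # A phone number plus a request to call, and no link at all.
    if PHONE.search(text) and CALL.search(text) and not URL.search(text):
        signs.append("call-only")
    # "Dear Customer", or a body that opens with no greeting at all.
    if GENERIC.search(body) or not re.match(r"\s*(hi|hello|dear)\b", body, re.I):
        signs.append("generic-greeting")
    if has_pdf:
        signs.append("pdf-invoice")
    return signs

# Constructed samples, not real messages; 555-01xx numbers are fictional.
FAKE = (
    "From: Geek Squad Billing <billing@geeksquad-billing.com>\n"
    "Subject: Renewal confirmation\n\n"
    "Dear Customer,\nYour Geek Squad subscription was renewed for $499.99.\n"
    "To cancel, call 1-800-555-0100 within 24 hours.\n"
)
REAL = (
    "From: Best Buy <receipts@emails.bestbuy.com>\n"
    "Subject: Your Best Buy receipt\n\n"
    "Hello Jane,\nView your order at https://www.bestbuy.com/ or call 1-800-555-0199.\n"
)
```

Calling `score_email(FAKE)` reports three signs and `score_email(REAL)` reports none; any non-empty result is a reason to verify the charge through your bank statement rather than the email.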
The right way to verify (don't call the number on the email)
- Check your actual bank/card statement. If there is no $399 charge, there is no charge. Done. Delete the email.
- Sign in to your Best Buy account at bestbuy.com by typing it. Check "My Orders" and "My Subscriptions." If you have a real Geek Squad plan, it will be visible.
- If you need to call Best Buy, use the number on the back of your Best Buy card or the number listed on bestbuy.com, NEVER the number in the email.
- Forward the email as phishing to abuse@bestbuy.com and to the FTC at reportfraud.ftc.gov.
- Delete and move on.
If you already called the number
What happened next determines what you need to do.
You called but didn't give remote access
Hang up. Your phone number is now on a "warm lead" list and you will get more scam calls. Block the number. Consider adding your number to the National Do Not Call Registry (US: donotcall.gov). You are otherwise unharmed.
You gave them remote access via AnyDesk, TeamViewer, or UltraViewer
- Disconnect from the internet immediately. Unplug ethernet, turn off Wi-Fi.
- Uninstall the remote-access software they had you install. AnyDesk, TeamViewer, UltraViewer, LogMeIn, Quick Assist — any of these.
- Run a full malware scan with Windows Defender or Malwarebytes. Scammers often leave a remote-access backdoor.
- Change every password for accounts you signed into recently. Use a different device for the password change (your phone, if the PC was compromised).
- If you typed your bank password while they watched the screen, call your bank to lock the account. Order new debit/credit cards.
- If they took control of your screen and you saw any "transfer" or "refund" happen on a fake bank webpage, it never actually happened. The scammer was just showing you a fake page. But your real account may also have been touched — check it from a clean device.
You sent money (gift cards, wire transfer, crypto)
Recovery odds are slim but not zero. Try these in order:
- Gift cards (Apple, Target, Google Play, etc.): Call the card issuer immediately. Some issuers can freeze the card if you call within 30 minutes. Have the card number and receipt ready.
- Wire transfer (bank, Western Union, MoneyGram): Call the sending bank or money service immediately and request a recall. Possible only if not yet picked up by the recipient.
- Cryptocurrency: Almost no recovery path. File a report with the FBI's IC3 at ic3.gov and with the exchange you used. Some exchanges freeze receiver accounts if reported fast enough.
- Cash mailed through USPS or FedEx: Postal Inspection Service can sometimes intercept packages in transit. File a report at the USPS Postal Inspection Service or call 1-877-876-2455.
- Report to reportfraud.ftc.gov and your state attorney general regardless. These reports feed law enforcement databases that eventually catch repeat call centers.
Why this scam targets older and rural users disproportionately
The Geek Squad invoice scam over-indexes on victims aged 55+ in suburban and rural US areas. Three reasons:
- The "call to dispute" pattern feels normal to anyone who grew up with credit-card customer service before the web.
- Older users are more likely to assume a billed charge is real and panic before checking.
- Rural users are less likely to have an Apple Store or local IT person to verify with quickly, so the scam's "tech expert on the phone" sounds reasonable.
If you have a relative in this demographic, the single best gift you can give them this year is to install a browser-layer scanner on their computer and a call-screening app on their phone. The two together block 90% of the trap before it starts.
How browser-layer defense fits in
The email itself is hard to block because there are often no links. But many Geek Squad variants now include a "click here to cancel" link as well as a phone number. When clicked, those links go to a fake Best Buy / Geek Squad page that asks for login credentials, which then feed the call-center phase. A browser-layer scanner catches the fake page.
SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. Its 550+ brand database includes Best Buy. Install SafeBrowz free — it is especially useful as a gift install for older relatives who are the primary target of this scam.
Frequently asked questions
Does Geek Squad really auto-renew subscriptions?
Yes, real Geek Squad / Best Buy Total Tech Support subscriptions can auto-renew, BUT only if you actually signed up. If you don't have an existing subscription, you cannot get a renewal email. If you are unsure, sign in to bestbuy.com and check Account → My Subscriptions. Anything not listed there is not real.
The phone number in the email starts with 1-800 or 1-888. Doesn't that mean it's official?
No. Toll-free numbers are cheap and easy to purchase. Scammers buy temporary 1-800 numbers all the time. The toll-free prefix only means the call is free for the caller, not that the recipient is legitimate.
The "Geek Squad agent" knew my name and address. How?
From data breaches. Your name and address are in many public breach datasets, available for a few dollars to anyone who wants them. The scammer reads from a list. Knowing your name and address does not mean they have a real relationship to your accounts.
They asked me to install something called "AnyDesk" or "TeamViewer." What does that do?
Those are legitimate remote-access tools used by real IT support. Scammers abuse them to take full control of your screen and keyboard. Once they have access, they can read your saved passwords, your browser history, your bank login. Anything they tell you they need it for is a lie. Real Geek Squad / Best Buy support never asks customers to install remote-access software.
They wanted me to pay in gift cards. Is that a clear scam sign?
Always. No legitimate company, government agency, or law enforcement asks for payment in gift cards. Not Apple, not Walmart, not Geek Squad, not the IRS, not the police. Gift cards are untraceable and unrefundable, which is exactly why scammers use them. If anyone on a phone call asks you to buy gift cards, it is a scam. Hang up.
I gave them remote access but didn't send money. Am I safe now that I uninstalled the software?
Probably mostly safe but not certain. While they had access, they may have installed a hidden backdoor or copied saved passwords from your browser. Run a full Malwarebytes scan. Change passwords for any account you opened during the session (email, banking, anything). Watch your bank statements for 30 days. If you used the same password elsewhere, change those too.
Related reading
- Fake Microsoft popup tech support scam — same call-center playbook
- "Microsoft suspicious sign-in" email scam
- Amazon "Order Confirmation" Scam
- How to tell if a website is a scam
Bottom line: The Geek Squad invoice scam works because the email looks safe. The trap is the phone call. Defense: never call a number in an email. Verify charges directly from your bank statement or the company's website you typed manually. And gift a browser-layer scanner to any older relative who might fall for this one.