When It Really Is a Virus, the Panic Costs More Than the Malware

Marta Lane · Updated February 14, 2026 · 6 min read

You ran a scan and something came back. Or your computer is doing the cluster of things that points to a real infection: pop-up ads on sites that never had them, a homepage you didn't choose, security settings switched off by themselves, messages in your sent folder you never wrote.

The urge is to fix it this minute. Slow down. What this episode costs you is mostly decided by your next few moves, and the expensive moves are the hurried ones: logging into the bank "to check if everything is okay," calling the number on a warning screen, wiping the machine that holds the only copy of your photos. The virus starts the damage. Panic finishes it.

The FBI's complaint files show what that looks like in dollars. In the first half of 2023 alone, Americans filed 19,000 complaints about tech-support scams, reporting estimated losses of over $542 million. Almost half of the victims were over 60, and they carried 66% of the losses. In the worst version, which the FBI calls the "Phantom Hacker" scam, people emptied savings and retirement accounts while moving the money to "protect" it. Most of those cases began with a fake alarm rather than a real virus. The alarm alone was enough. Fear did the work the malware couldn't. When the infection is real, the same hurried moves cost just as much.

So the playbook below is an order, with the scan as one step in it. The order is the protection.

The same ten minutes, two ways — from the article’s FBI/FTC-sourced playbook.

First, make sure it's actually malware

One slow afternoon is no infection. We've walked through this before in It's probably not a virus: most "my computer has a virus" panics turn out to be something else, and a lone pop-up with a phone number on it is the scam, start to finish. Begin there if you're unsure.

A real infection shows up as a cluster of signs arriving together. The FTC's list: pop-ups where none should be, a browser that redirects you to sites you didn't pick, new toolbars you didn't install, security tools that won't turn on, messages going out under your name. If that's your machine, keep reading in order.

Step 1: Take it off the internet

Turn off Wi-Fi, or pull the network cable. CISA, the federal cybersecurity agency, puts this first for a home computer: with the connection cut, an attacker can no longer reach your personal files, change them, or use your machine to attack other people. Ten seconds, and the situation stops getting worse.

Step 2: The three things not to do yet

Each of these feels like a rescue in the moment. All three hand the attacker more.

Don't log into accounts on the infected machine. The FTC's first instruction for a suspected infection is to immediately stop entering usernames, passwords, or card numbers on it — no banking, no shopping, no email. If the infection records typing, every login you "check" hands over one more account.
Don't call, and don't pay. Real security warnings never ask you to call a phone number — the FTC is flat about that. Whoever answers will ask for remote access, a fee, gift cards, a wire, or crypto. That person is the scam, no matter what your screen looks like.
Don't wipe or reinstall yet. Reinstalling the system erases everything on the machine, CISA notes — your files and programs included. Done in a hurry, it completes the data loss the virus only threatened. And don't plug your backup drive into the infected computer "to save things quickly": that can carry the problem onto the one clean copy you own.

Step 3: Update, scan, remove

Now the step most guides treat as the whole answer. Use a security program from a company you can name and look up — never one a pop-up just offered you. Update it first so it knows the newest threats, then run a full scan and let it quarantine or delete what it finds — the FTC's and CISA's shared instruction. If the program needs the internet to update, reconnect just for that, and stay away from your accounts until the scan is done.

On a Windows computer there is also a deeper built-in option: Microsoft Defender's offline scan restarts the machine and checks it before Windows fully loads, where stubborn malware has a harder time hiding or defending itself.

Step 4: Change your passwords — on a different device

Use your phone on cellular data, or another computer, and change the email password first, because email resets everything else. Then the bank and any account with a card attached. CISA's recovery advice assumes the worst here: passwords used during the infection may already be compromised. Turn on two-factor authentication wherever it's offered, so a stolen password alone opens nothing.

Why a different device: a new password typed on a watched keyboard is captured exactly like the old one. While you're there, check bank statements for charges you don't recognize and the email sent folder for messages you didn't write.

When to stop and hand it over

A reputable scan is the sensible limit of do-it-yourself. Manual removal — registry edits, hand-deleting system files, recipes from forums — is where non-experts turn an infection into real data loss. If the scan can't fix it, or the machine still misbehaves after, the FTC suggests three doors: the device's manufacturer (a warranty may cover it), a tech-support company you know, trust, and called yourself, or a knowledgeable friend or family member. The number you found on your own beats any number that found you.

And if a "support" line already got money or remote access from you, report it at ReportFraud.ftc.gov and ic3.gov — reports are how these operations get shut down.

The order, on one card

Confirm it's a real cluster of signs, not one slow day.
Take the machine off the internet.
Touch no accounts, call no number, pay no one, wipe nothing.
Update a reputable scanner. Run a full scan. Remove what it finds.
From a clean device: new passwords (email first), two-factor on, statements checked.
Beyond a scan, get help you chose yourself.

A computer can be cleaned or replaced. Money wired to a "safety" account and passwords typed on a watched keyboard are much harder to claw back. I've read enough of these FBI files to believe the scammers' real product is panic; decline to supply it, and most of the loss never happens. If someone in your family is the type to grab the phone the moment the screen turns red, send them this page before that day comes.

Sources: FBI Internet Crime Complaint Center, PSA I-091223-PSA, "Phantom Hacker" Scams Target Senior Citizens; FTC, Malware: How To Protect Against, Detect, and Remove It; FTC, How To Spot, Avoid, and Report Tech Support Scams; FTC, What To Do if You Were Scammed; CISA, Recovering from Viruses, Worms, and Trojan Horses; Microsoft, Virus and Threat Protection in the Windows Security App.