Fake Subscription Refund Callback Scam
Scammers claim a subscription was overcharged and offer a refund, then use a remote-access session or a fake overpayment to trick the target into sending money back.
Last reviewed: 5 July 2026
What this scam is
This scam disguises a theft attempt as good news: an unexpected refund. Rather than demanding money outright, it opens with the promise of receiving some, which lowers the target's guard far more effectively than a threat would. The pretext is almost always a subscription — streaming, antivirus, cloud storage, a magazine, or a similar recurring service — because these are common enough that an overcharge sounds plausible to almost anyone.
The scam typically escalates from a simple refund claim into either remote access to the target's device and bank account, or a staged 'overpayment' that the target is pressured to return. Both paths end the same way: money leaves the target's account and is very difficult to recover, while no genuine refund was ever processed.
This scheme is closely related to broader tech-support and overpayment scams but is specifically packaged around subscription billing, making it distinct from generic 'you have a refund waiting' scams because it references a plausible, recognisable recurring charge.
How it works
The approach begins with an email, text, or robocall stating that the recipient was charged twice, charged after cancelling, or overcharged for a subscription renewal, and providing a phone number or link to 'claim your refund.' The message often names a real, well-known service to increase credibility.
When the target calls or clicks through, the scammer asks for account or card details 'to confirm identity' and then requests that the target install a remote-desktop or screen-sharing application, claiming this is needed to process the refund directly. Once connected, the scammer either directs the target to open their online banking themselves while narrating false instructions, or takes control of the screen entirely.
The scammer then either transfers money out of the account while pretending to be issuing a refund, or manipulates an on-screen number to make it look as though far more than the promised refund has been deposited. The target is told this was an error and is pressured, sometimes with a fabricated story about the representative being penalised, to immediately send the 'excess' back through a wire transfer, gift cards, or a cryptocurrency payment. In reality, no refund occurred; only the target's own money moved, or nothing was ever transferred and the balance shown was falsified.
Why this scam works
The promise of a refund reframes the interaction as being in the target's favour, which lowers defensive instincts that would normally trigger around a stranger asking for remote access to a device or bank account. The fabricated urgency around an 'accidental overpayment' and the suggestion that an employee could get in trouble adds emotional pressure and time pressure simultaneously, pushing the target to act before pausing to verify anything independently.
A typical pattern
A target receives an email or text stating they were mistakenly overcharged for a subscription renewal and are due a refund, along with a phone number to call. When the target calls, a calm representative confirms the overcharge and, to 'process the refund quickly', asks the target to install a remote-access application so they can 'verify the account.' Once connected, the representative navigates to the target's online banking, types a refund amount into the transfer field rather than a genuine refund system, and deliberately enters a much larger figure than agreed. The representative then claims the refund was sent in error and asks the target to return the difference by gift card or wire transfer immediately, framing any delay as risking disciplinary action against the 'employee' who processed it.
Common red flags
- Unsolicited message claiming an overcharge you were not aware of
- Request to install remote-access or screen-sharing software
- Instruction to log into your own online banking while someone else watches or guides you
- A refund amount that appears larger than what was promised
- Pressure to return an 'overpayment' by gift card, wire transfer, or cryptocurrency
- Claims that a representative will be penalised unless you act immediately
- Refusal to provide a callable number you can verify independently
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
We detected a duplicate charge on your [Service] subscription. You are owed a refund of [amount]. Call [number] to claim it.
Your recent renewal was processed twice in error. Please contact our refund department at [number] within 24 hours.
Refund confirmation: [amount] will be returned to your account. To complete verification, please call [number] now.
Our system shows we accidentally sent you [larger amount] instead of [amount]. Please return the difference via [payment method] today.
Common variations
- Fake antivirus or software refund callback using the same remote-access-and-overpayment structure
- SMS with a link to a fake refund claim form that harvests card and banking details
- Robocall claiming an automated system detected a duplicate charge and offering a callback number
- Scammer poses as the subscription company's fraud department rather than billing support
- Refund claim followed by a request to pay a small 'processing fee' via gift card instead of remote access
How to verify before you act
Hang up and contact the subscription provider using a phone number or app found independently — never one provided in the refund message. Never install remote-access software at the request of someone who called or emailed unprompted, and never allow anyone you did not contact first to view or control your online banking session. A legitimate refund is issued directly to the original payment method without requiring you to log into your bank while someone watches or controls your screen.
Payment methods used
- Wire transfer
- Gift cards
- Cryptocurrency
- Remote-controlled bank transfer
Who is usually targeted
- Subscribers to widely used streaming, antivirus, or software services
- Older adults less familiar with remote-access software risks
- People who recently had a genuine billing question or dispute
- Anyone who welcomes an unexpected refund without independently verifying it
What to do immediately
- End the call or close the message immediately if asked to install remote-access software
- If remote access was already granted, disconnect the internet and shut down the device, then have it professionally checked before reconnecting
- Contact your bank immediately to freeze the account and reverse any transfers if money has already moved
- Change online banking passwords from a separate, uncompromised device
- Verify the claimed overcharge directly with the subscription provider using an independently found contact number
- Report the incident to your bank's fraud team and to national fraud reporting services
How to prevent it
- Never call a number provided in an unsolicited refund message; use the provider's official contact details instead
- Never install remote-access or screen-sharing software at the request of an unsolicited caller
- Treat any 'refund' request that requires you to log into your own bank while on a call as an active scam
- Be suspicious of any refund process that ends with you being asked to send money back
- Verify subscription charges directly through your bank or card statement, not through a third-party claim link
- Hang up immediately if pressure or urgency escalates during the call
- Warn family members, especially those less familiar with remote-access software, about this specific pattern
Evidence to preserve
- Recording or notes of the call, including the number that called or was provided
- Screenshots of the refund message and any linked claim form
- Name of any remote-access software the scammer asked you to install
- Bank statements showing any transfers made during or after the call
- Timeline of when the call occurred and when any money moved
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can a real refund require me to install remote-access software?
No. Legitimate refunds are processed by the company internally and applied directly to your original payment method. No genuine refund process requires you to install screen-sharing software or let someone else operate your online banking.
The scammer showed a refund already in my account — was that real?
In most cases the number shown on screen was falsified, manipulated on your own banking display, or represents a transfer of your own money disguised as a deposit, not new money genuinely received. Contact your bank directly to check your actual, verified balance and transaction history.
What should I do if I already sent money back after a fake overpayment?
Contact your bank immediately to attempt a recall, especially if sent by wire transfer, and report the incident to the payment provider used and to national fraud authorities. Recovery is not guaranteed, particularly for gift cards or cryptocurrency, but reporting quickly improves the odds.