Quick answer: Disconnect the device from the internet immediately, then uninstall the remote tool such as AnyDesk or TeamViewer. From a clean device, change your email password first, then banking, then any reused passwords. Check your email for hidden forwarding rules and delete them. If the scammer had real control, a full wipe and reinstall is the only way to be sure.

The phone call usually starts with "we've detected a problem with your computer." Someone friendly, patient, sounding official. They ask you to install AnyDesk or TeamViewer so they can "fix it." A few clicks later, a stranger is driving your screen. By the time the gut feeling kicks in, they have already been inside. If that just happened to you, this is the order to work through. Move quickly and don't argue with the voice on the phone.

I see the aftermath of these on the bench regularly. The good news is that fast, methodical action limits the damage. The honest news is that a remote-access session is a serious compromise, and "uninstall the app and you're fine" is rarely the whole story. Here is what actually needs to happen.

Step One: Cut the Connection Now

While the remote session is live, the scammer is still working. Kill the link first.

Do this immediately

Take the device offline

Turn off Wi-Fi, unplug the network cable, or flip the device to flight mode. Whatever is fastest. This severs the scammer's control instantly, even if their software is still installed. If they have frozen your screen with a fake message, hold the power button to force a shutdown.

Do not reconnect because they ask you to. A common move is to call back claiming the "fix failed" and they need back in. That is the scam continuing. Stay offline until the device is sorted.

What They Could Have Reached

It helps to know what you are cleaning up. During a remote session, a scammer can reach far more than most people expect. Assume the worst and work backwards.

All of it
Saved browser passwords, live banking sessions, your email, your files.
If it was on that screen, treat it as exposed.
  • Saved browser passwords and logged-in sessions. If your browser remembers your banking, email or shopping logins, the scammer could open them without needing a password at all.
  • Your email. Reading, sending, and quietly setting up forwarding rules so they keep getting copies of your messages, including verification codes.
  • Banking that was open or auto-logged-in. Any session that did not require a fresh login was theirs to use.
  • Hidden software. A second remote tool, a keylogger, or other malware installed as a backdoor so they can return after you disconnect.
  • Files and photos. Copied off in seconds if they wanted them.

Step Two: Remove the Remote Tool

Still offline, uninstall the program they had you install. On Windows, open Settings, then Apps, find AnyDesk, TeamViewer, or whatever it was called, and uninstall it. On a Mac, drag the app to the trash and remove its leftover support files.

Removing the obvious tool is step one, not the finish line. Scammers routinely install a second, hidden remote tool or a keylogger as a backup. Uninstalling the app you can see does not prove the machine is clean. This is exactly why a proper scan, or a wipe, comes later.

Step Three: Clean Your Credentials, In Order

This is the part that contains the damage. Do every bit of it from a different device you trust is clean, a phone or another computer, never the machine that was just controlled. If malware is still running on the compromised device, anything you type into it goes straight to the scammer.

  1. Email first. Change the password and sign out all sessions. Email is the master key that resets everything else. If it is a Gmail account, our Gmail recovery guide walks through every setting that needs checking.
  2. Delete any forwarding rules and filters. In your email settings, look under forwarding, filters and rules. Scammers add a quiet rule that copies your incoming mail, including bank codes and reset links, to their own address. Delete anything you did not create. Check your recovery phone and recovery email have not been swapped too.
  3. Banking and finance next. New passwords, and call your bank to tell them a scammer had remote access. Ask them to watch the accounts.
  4. Reused passwords after that. Anything that shared a password with the above. Reused passwords turn one break-in into several.
  5. Turn on two-factor authentication everywhere. Prefer an authenticator app over SMS. A stolen password is far less use once a second factor is in the way.

If you are unsure how deep this goes, our guide on the signs you have been hacked helps you read the symptoms, and if money moved during the session, follow the first 24 hours checklist in parallel.

Step Four: Decide Between a Scan and a Wipe

Here is where I will give you the bench-honest answer rather than the comfortable one. If the scammer had genuine hands-on control of your computer for more than a fleeting moment, uninstalling the visible tool does not guarantee the machine is clean. Hidden remote tools and malware are common, and some are built specifically to survive a casual look.

A scan may be enough when The session was very brief, you disconnected fast, and the device shows no odd behaviour. A thorough scan and manual check can confirm it is clear.
A full wipe is the safe call when They had control for a while, installed anything, you handled banking on it, or the device is acting strangely. A clean reinstall is the only way to be certain nothing remains.

A full wipe and clean reinstall of the operating system is the only method that gives you certainty, because it removes whatever was hiding along with everything else. Back up your documents and photos first, then reinstall from scratch. If you are not confident doing that, this is exactly the kind of job to hand to a technician who can assess what was touched and tell you straight whether a scan covers it or a wipe is needed.

The dangerous assumption after a remote-access scam is that closing the app closes the door. Often it doesn't. The only way to be sure the scammer is out is to verify the machine properly, or start it fresh.

Step Five: Report It

Once the device and accounts are handled, lodge the reports. This is cybercrime, and the record matters if money was taken or your identity is exposed.

ReportCyber — Australian Cyber Security CentreReport remote-access fraud and hacking. Find the "report" path on the site. Scamwatch — report a scamNational Anti-Scam Centre. Helps track these tech-support scams nationally. IDCAREIf identity documents were exposed — 1800 595 160, Mon to Fri 08:00–17:00 AEST.

Reduce Your Exposure Going Forward

Once you are back on solid ground, a few habits make the next attempt far less likely to land. The biggest one is free: no legitimate company, bank, telco or government agency will ever cold-call and ask you to install remote-access software. That request is the scam, full stop. Beyond that, a password manager removes saved passwords from your browser where remote tools can grab them, and two-factor authentication blunts a stolen password. A VPN can reduce some exposure on public networks, though it does nothing against a remote-access scam you let in yourself, so treat it as one modest layer rather than a fix. If you want the honest scope, here is what a VPN actually prevents against Australian scams.

Had a scammer in your device? Bring it to iFix.

A remote-access session needs more than uninstalling an app. We check for hidden remote tools and malware, clear out malicious settings and forwarding rules, secure your accounts, and tell you straight whether a clean-up covers it or the machine needs a full wipe and reinstall. Sixteen years on the bench, 25,000+ repairs, and a plain-English answer either way.

Central Coast locals can walk in to our Erina workshop for same-day diagnosis, see our scam recovery service, or call (02) 4311 6146.

Book a Device Cleanup