You're browsing the internet, minding your own business, when a window fills your screen. It's red. There's a Microsoft logo. It says your computer is infected with viruses and your personal data is at risk. A phone number is helpfully provided. You should call immediately.

If you've spent any time online in the last decade, you've seen this screen โ€” or you know someone who has. What most people didn't know is that behind a particularly aggressive version of this scam were two real companies, based in Cyprus, running the operation at industrial scale. The FTC found out. Twenty-six million dollars later, refund checks are in the mail.

What were Restoro and Reimage actually doing?

Restoro Cyprus Limited and Reimage Cyprus Limited sold computer repair software and tech support services. Their marketing funnel started with a convincing fake: pop-up ads designed to look like official Microsoft Windows security alerts, warning users that their computers were infected and urging them to run a scan immediately.

Here's the thing about the scan: it found problems regardless of whether any existed. According to the FTC's complaint, the companies' scans typically identified serious-sounding issues that required immediate attention โ€” on computers that were perfectly healthy. The scan was not a diagnostic tool. It was a sales tool with a predetermined conclusion.

After alarming users into purchasing the software, the real upsell began. Consumers were given a phone number to call to "activate" their new purchase. Once on the phone, Restoro and Reimage telemarketers would remotely access the customer's computer and point to perfectly normal system logs and error messages โ€” the kind every Windows machine generates constantly in the background โ€” as evidence of malware, viruses, or serious hardware problems.

These are logs that IT professionals routinely ignore because they're routine. To a worried customer watching a technician scroll through alarming-looking error messages on their own screen, they look like a catastrophe. The companies used that gap in understanding to charge customers hundreds of dollars more for hands-on technician services, on top of what they'd already paid for the software.

The FTC specifically noted that Restoro and Reimage particularly targeted older consumers โ€” people less likely to be familiar with what normal Windows error logs look like, and more likely to be genuinely frightened by an urgent-seeming security warning.

How big was this, and what happened to the companies?

The FTC charged Restoro and Reimage with violating the FTC Act and the Telemarketing Sales Rule. In March 2024, both companies agreed to a $26 million settlement โ€” one of the larger tech support fraud recoveries in recent memory.

The settlement also permanently barred them from misrepresenting security or performance issues in connection with any product or service, and from engaging in deceptive telemarketing. In other words: no more fake virus warnings, and no more calling people to tell them their routine system logs are malware.

The payment processor got caught too. Paddle, a U.K.-based payment processor that handled transactions for Restoro and Reimage, agreed to a separate $5 million settlement with the FTC in 2025 for facilitating the scheme. The $5 million supplements the consumer refund fund. The takeaway: when a scam runs at this scale, everyone in the chain eventually answers for it.

Who is getting a check โ€” and why is this a second round?

The FTC sent its first round of Restoro-Reimage refunds in March 2025 โ€” 736,375 PayPal payments totaling more than $13.1 million. That's a lot of people, which means a lot of PayPal accounts to track down, and a lot of payments that went unclaimed.

This second round consists of paper checks going to everyone who received a PayPal notification in 2025 but didn't accept the payment within the 30-day window. If that's you โ€” maybe you didn't recognize the sender, maybe the email went to spam, maybe you assumed it was itself a scam โ€” your refund is now coming by mail instead.

Didn't get anything in 2025 and think you should have? If you paid Restoro or Reimage and never received a PayPal notification or a check, contact Rust Consulting directly at 1-844-590-1102. You may have a records issue that can be resolved.

What do you need to do?

Nothing, beyond opening your mail and going to the bank. The check comes from Rust Consulting, the FTC-contracted administrator for this refund program. You have 90 days from the date on the check to cash it. After that, the funds return to the settlement โ€” not to you.

How to verify the check is legitimate

There is something almost poetic about a scam involving fake computer warnings now generating refund checks that look suspicious. Here's how to confirm yours is real:

โœ“Rust Consulting is the FTC-contracted administrator. Their name and phone number (1-844-590-1102) appear on the official FTC settlement page for this case.
โœ“The case is publicly documented. Search "Restoro FTC" or "Reimage FTC settlement" โ€” you'll find the March 2024 enforcement action and the March 2025 refund announcement on ftc.gov.
โœ“Nobody is asking you for anything. Real FTC refunds never charge a fee, require your SSN, or ask for bank account information to "process" a payment. The check is the payment.
Watch for the irony scam. A refund program about fake computer warnings will absolutely attract scammers sending fake refund notices about fake computer warnings. If anyone contacts you by phone or email claiming they can help you get your Restoro or Reimage refund faster โ€” or asking for any payment or personal information โ€” hang up. The real check arrives in the mail with no strings attached.

The bigger picture

The fake virus popup is one of the oldest tricks in the online scam playbook, and it works because it exploits something real: computers do get viruses, warnings do sometimes mean something, and most people aren't sure what a healthy system looks like on the inside. Restoro and Reimage didn't invent the format โ€” they just industrialized it, built a telemarketing operation around it, and ran it long enough to bilk tens of millions of dollars from consumers before the FTC arrived.

The next time you see a scary-looking popup warning you about viruses, remember: Microsoft does not send you browser alerts asking you to call a phone number. Your computer's actual security software doesn't look like a webpage. And a scan that always finds critical problems, on every machine, every time, is not a scan โ€” it's a script.

Forward this to someone who needs it. You probably know at least one person who doesn't.

Source: This article is based on the FTC's official refund page, complaint, and press releases. Primary source: ftc.gov/enforcement/refunds/restoro-reimage-refunds. Administrator: Rust Consulting, 1-844-590-1102.