
The Phantom Menace: Office Depot Settles with FTC Over Fake Virus Scans

Office Depot and its tech support provider,, proved to be anything but “supportive” after allegedly providing false malware scan results and conning customers into paying for repairs and technical services that, in many cases, they did not need. The companies will pay a combined $35 million settlement to the FTC, with Office Depot paying $25 million, and the additional $10 million, to settle allegations of unfair or deceptive acts or practices in violation of the FTC Act.  All $35 million will go toward refunding customers tricked by the scheme.  

Office Depot, which contracted with to provide tech support service for its customers, enticed customers to come in for a “Free PC Tune-up” where a “tech expert” would “run complete diagnostics” on the computer, and Office Depot marketed the value of the free service to be as much as $60. From July 2007 to November 2016, the Free PC Tune-Up involved running a program called PC Health Check, created and licensed by, on customers’ computers. PC Health Check was designed to look like it was scanning the customer’s computer, and it then deceptively told customers it had found malware symptoms on their computers even though it had not actually performed a scan. Instead, the results were based entirely on whether customers answered “yes” to four questions they were asked at the beginning of the PC Health Check program about how their computer functioned, such as whether their computer ran slowly, received virus warnings, crashed often, or displayed pop-up ads. Checking the box for any one of these questions triggered a report that malware had been found on the computer. The recommendations issued by the program after this “scan” induced customers to spend millions of dollars on repairs and technical support.

The FTC alleges that Office Depot and knew that the PC Health Check program falsely reported that the scan found malware symptoms, and Office Depot has been aware of concerns since at least 2012. First, had previously informed Office Depot that this software program runs in only a few minutes using “heuristic questions to identify likely malware infestations.” Indeed, in May 2013, OfficeMax, an Office Depot subsidiary, warned its stores not to run the PC Health Check Program after a tech repair service had been completed because, if “any of the questions at the beginning of the [PC Health Check Program] are checked, it will automatically suggest a Software repair,” because the “tool ‘assumes’ there is an infection based on questions asked.” Additionally, since at least 2012, the Office Depot Companies had been receiving complaints from store employees about the accuracy and reliability of the PC Health Check Program. One employee wrote, “I cannot justify lying to a customer or being TRICKED into lying to them for our store to make a few extra dollars.” Yet, the Office Depot Companies nonetheless launched incremental profit generating initiatives where they instructed stores to raise millions of dollars in profit by increasing the number of PC Health Check services performed and the rate of converting the PC Health Check services into tech-service sales.

In addition to the $35 million monetary payment, the proposed settlement also prohibits the making of misrepresentations regarding the security or performance of consumers’ electronic devices, and requires Office Depot to ensure that its existing and future software providers do not engage in such conduct. also cannot make, or provide others with the means to make, misrepresentations about the performance or detection of security issues on consumer electronic devices. FTC Commissioners voted unanimously to authorize and file the complaint, and the complaint and stipulated final orders have been filed in the U.S. District Court for the Southern District of Florida.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.