"Your antivirus renewed for $499": do not call the cancellation number
The invoice looks real. The phone call is the actual attack.
The email looks exactly like an invoice: an order number, a date, a familiar antivirus brand, and a charge for hundreds of dollars. To cancel it, the message insists you must call within 24 hours — but the phone call is the real target of the scam, not the invoice itself. Both Norton and McAfee document these exact emails, complete with fake invoices and fabricated cancellation numbers, and the FTC has separately warned about fake technology-subscription renewal notices. The high dollar amount creates fear, the tight deadline blocks you from verifying calmly, and the phone number connects you to a fake support agent rather than the real company.
This mirrors a pattern common to invoice-based scams generally: the message doesn't need to be technically sophisticated, it only needs to create enough fear about an unexpected charge and offer a single, artificially urgent channel to "resolve" it. Genuine renewal notices, by contrast, are usually handled entirely inside your account dashboard, with routine billing emails that don't threaten a fast-approaching deadline or demand a phone call just to cancel. If a message insists that calling is the only way to stop a charge, that structural detail alone is worth treating as suspicious before you even evaluate anything else about it.
What happens when you call
The person who answers will typically claim they need to locate the charge or process a refund, and may ask you to install AnyDesk, TeamViewer, or another remote-access tool so they can "help" from their end. Once they have control of your screen, they'll often direct you to open online banking, then stage a fake refund that looks like it overpaid you — and demand you send the "excess" back, which is the actual theft. Other variations skip remote access entirely and just ask for your card number, account credentials, or a one-time SMS code, or push you toward gift cards. What's presented as a routine cancellation process is really designed to end in stolen money and, in the remote-access version, a compromised device.
How to check whether the charge is real
Don't open the attachment and don't use the phone number printed in the message. Instead, type the official antivirus provider's address into your browser yourself and log into your actual account to review subscriptions, billing history, and auto-renewal status. Then separately check your card or bank statement for the charge. If no charge shows up anywhere, there is nothing to cancel — the email can simply be deleted and reported.
Warning signs on the invoice
- An unusually high renewal amount
- A phone number presented as the only way to cancel
- A 24-48 hour deadline pressuring quick action
- An unexpected PDF or attached document
- A sender address outside the company's official domain
- Wrong currency, product name, or customer details
- A request to install software or open your online banking
- A "refund" process that requires remote access to your computer
If you already called or installed something
End the call. If you installed a remote-access tool, disconnect the device from the internet and uninstall it before doing anything else. From a different, trusted device, change any passwords that may have been visible during the session. Contact your bank using its official number (never one given during the call) and explain that a third party may have viewed or controlled your online banking. Keep the fake invoice, the phone number used, and any related receipts, and report unauthorized access or financial loss to your bank and, if money was lost, to local authorities.
It's also worth building a habit that prevents this scam from working the next time it lands in your inbox: bookmark the official login page for your antivirus provider directly, rather than relying on search results or links in emails, and check your renewal date and billing history there every so often rather than waiting for an email to prompt you. A password manager that only autofills credentials on the real, saved domain provides a similar layer of protection, since it simply won't offer to fill anything on a lookalike page. None of this requires trusting any single email — it just removes the email as the thing you have to make a judgment call about in the moment.
The browser popup version
A related version of this scam doesn't arrive by email at all — instead, a webpage triggers a barrage of popups claiming your device is infected, styled with a real antivirus logo and a support number. Don't call the number or click anything inside the alert; close the tab or force-quit the browser instead. Afterward, review your browser's notification permissions and installed extensions for anything you don't recognize, since some versions of this scam trick people into granting persistent notification access.
Quick checklist
- Never call a number printed inside an unexpected invoice email
- Check your subscription by logging into the official site directly
- Compare the charge against your actual card or bank statement
- Never install remote-access software because a caller asked you to
- Never send money back after a "refund" you didn't request
- Disconnect and uninstall remote-access tools immediately if you're unsure
