Menu
A worried woman holding a printed invoice with a credit card and laptop on the desk
Scam TypesJune 24, 2026- Leo

Fake Antivirus Renewal Invoice: A 7-Point Checklist

Did You Get a Surprise Antivirus Renewal Invoice?

If an email or text says your Norton, McAfee, Geek Squad, or other antivirus subscription just auto-renewed for a few hundred dollars and gives a number to call if you want to cancel or dispute the charge, it is almost certainly a scam. The invoice is fake, and the number does not reach a billing department, it reaches a scammer. ScamVerify™ tracks the computer and tech-support scam category these fake invoices belong to: 17,923 complaints in our FTC and FCC data, with 2,822 in the last 90 days. The big surprise charge is bait, designed to make you call in a panic before you check whether the subscription is even real. Before you dial that number, run the checklist below. If your invoice hits even a couple of these, delete it.

The Checklist: 7 Signs It Is a Fake Invoice

Read your email against each point. Genuine receipts almost never match these; fake ones match most of them.

  1. A large charge you do not remember authorizing. The amount is deliberately alarming, usually $299 to $499, to trigger a fast reaction. A renewal you never set up is the first red flag.
  2. A phone number to call to "cancel" or "dispute." This is the biggest tell. Real companies manage subscriptions inside your online account, not through a call-to-cancel hotline. The number exists only to get you on the phone.
  3. A generic or wrong greeting. "Dear Customer," your name missing, or a name that is not yours. A real billing receipt is tied to your actual account.
  4. The sender's email address is not the real company. Look past the display name at the actual address. Fakes use lookalike or unrelated domains, not norton.com or mcafee.com.
  5. Pressure and a deadline. "You will be charged within 24 hours unless you call," or "act now to avoid the fee." Urgency is there to stop you from checking.
  6. No way to verify it in your real account. When you log in to the company directly, there is no such subscription and no such charge, because it never existed.
  7. It asks you to confirm card details or "process a refund" by phone. Real refunds go back to your card automatically. A request to call, confirm a card, or accept a refund over the phone is the setup for a bigger scam.

Suspicious email?

Paste it to Ava and she explains exactly what you are dealing with and what to do next.

Or forward suspicious emails to scan@scamverify.ai for instant analysis.

What the Invoice Actually Wants You to Do

The invoice is not trying to collect money. It is trying to get you to call. Once you do, a fake "agent" tells you the charge can be reversed, but to issue the refund they need to connect to your computer. That remote connection is the real attack. From there they run the refund and overpayment scam: they fake a deposit of far too much money, act panicked, and beg you to return the "difference" by gift card or wire, money that comes straight out of your real account. So the fake invoice is just the doorway. The danger is the phone call it is trying to start.

Why You Got It, and Why You Might Get More

You do not have to be a Norton or McAfee customer to receive one of these. They are blasted out by the millions to scraped and leaked email lists, on the bet that some fraction of recipients happen to use that brand, or worry that they might. That is also why the details are vague: a real-looking order number, a logo lifted from the web, a professional layout, but nothing actually tied to you, because the sender has no idea who you are. The danger is what happens if you engage. Calling the number, replying to the email, or clicking a link signals that your address is live and that you react to these messages, which gets you added to "responder" lists that are sold on and hit harder. The quietest, safest response is to report it as phishing and delete it without a click.

How to Check If You Actually Have a Subscription

The safe way to settle any doubt takes two minutes and never involves the number in the email. Open a new browser tab and go to the company's real website yourself, or open its app, and log in to your account. Your real subscriptions and charges live there. You can also check your card or bank statement directly for any actual charge. If you find nothing, the invoice is fake. If you do see a charge you do not recognize, deal with it through your card issuer using the number on the back of your card, never the number on the suspicious invoice.

What to Do With the Email

  1. Do not call the number. That is the entire goal of the message.
  2. Do not click any links or open attachments. They can lead to phishing pages or malware.
  3. Verify independently. Log in to the real company or check your card statement to confirm there is no real charge.
  4. Report and delete it. Mark it as phishing or spam in your email, which helps your provider catch the next one, then delete it.
  5. Check it with Ava. Paste the email or the number it gave you and she checks it against the same complaint and carrier data we track, then tells you whether it is safe.

If You Already Called or Paid

If you called and only hung up, you are fine. But if you let them connect to your computer, gave card details, or sent money to "fix" an overpayment, act now. Disconnect the computer from the internet, change your important passwords from a different device, and call your bank and card issuer to stop and dispute any charges. For the full lock-down checklist, follow our guide on what to do after you let a tech remote into your computer. To recognize the related traps, see how the bank or Amazon fraud callback uses the same fake-charge bait, and read our full guide to tech-support scams. Then tell Ava exactly what happened, and she will map out the specific next steps for your situation.

Your AI analyst

Run it by Ava.

Describe the call, the message, or whatever they are asking for. Ava names exactly what you are dealing with, tells you your next move, and can act to shut it down for you and keep watch in case they try again.