Fake Antivirus Renewal Scams: How to Spot Them and Stay Safe

You open your email and see a message that looks urgent: "Your Norton subscription has been renewed for $349.99. Call now to cancel." Your heart races. You don't remember ordering this. You didn't authorize any charge. And now you're worried money is about to disappear from your account.

Take a breath. This is almost certainly a scam—and you're not alone in receiving it.

Fake antivirus renewal emails and pop-ups are one of the most common tech support scams targeting people today. These messages impersonate trusted brands like Norton, McAfee, and Microsoft to create panic and push you into calling a fake "support" number. Once you call, scammers use psychological tactics to gain access to your computer and, ultimately, your money.

The good news: these scams follow predictable patterns, which means you can learn to spot them. This guide will show you exactly what to look for, what happens if you engage with scammers, and what to do if you've already been targeted.

What Is a Fake Antivirus Renewal Scam?

How These Scams Work

A fake antivirus renewal scam starts with an email, pop-up, or phone call claiming that your antivirus subscription has been renewed—or is about to expire—and that you'll be charged a large sum unless you take immediate action.

The message typically includes:

• Imagery, logos and messages that hijack a known brand in security like Norton, McAfee or Microsoft.
• A fake invoice showing a charge between $299 and $499
• A phone number to call for "cancellation" or "refund"
• Urgent language warning that money will be debited within 24-48 hours

The goal is simple: make you panic and call the number. The scammer is counting on your desire to talk to a human to 'sort it out'. Once you do, the real scam begins.

The person who answers sounds professional and helpful. They'll typically send you a new email or send you to a site to "download software" so they can "verify your account" or "process your refund." This software gives them "remote access" to control your computer. From there, they may steal personal information, install malware, or execute the devastating "overpayment refund" trick that has cost some victims tens of thousands of dollars.

Why Scammers Impersonate Norton, McAfee, and Microsoft

Scammers choose to impersonate these brands because they're household names. Norton, McAfee, and Microsoft are software that millions of people recognize even if they don't currently have an active subscription. The familiarity creates just enough doubt: "Wait, did I sign up for this? Do I have this on my computer?"

Scammers know that many people, especially those who aren't deeply familiar with their computer's software, may not remember exactly what security programs are installed. This uncertainty, combined with fear of losing money, pushes people to call.

The Real Cost: $159 Million Lost to Tech Support Scams in 2024

These aren't small-time crimes. According to the Federal Trade Commission's 2024-2025 report on protecting older consumers, Americans 60 and older reported losing $159 million to tech support scams in 2024 alone. Adults in this age group were five times more likely than younger adults to have their money stolen by these schemes.

These statistics aren't meant to frighten you. They're meant to show that these scams are widespread, sophisticated, and worth taking seriously.

What These Scam Emails and Pop-Ups Look Like

Here's an example of what a fake antivirus renewal email might look like:

From: Norton Billing <billing@n0rton-secure.com>
Subject: Your Norton™ Subscription Has Been Renewed - Invoice #NRT-2025-84729

Dear Valued Customer,

Thank you for renewing your Norton 360 Premium subscription.

Order Details:

• Product: Norton 360 Premium (3-Year Plan)
• Amount Charged: $349.99
• Transaction ID: NRT-2025-84729
• Renewal Date: January 26, 2026

This amount will be debited from your account within 24-48 hours.

If you did not authorize this transaction or wish to cancel and receive a full refund, please contact our Billing Department immediately:

📞 Call Now: 1-888-XXX-XXXX (Toll-Free)

Our support team is available 24/7 to assist you.

Thank you,
Norton Billing Team

Red flags in this example:

• The sender domain "n0rton-secure.com" uses a zero instead of the letter "o"
• Generic greeting "Valued Customer" rather than your actual name
• Unusually high price ($349.99 for a 3-year plan)
• Phone number instead of a link to your Norton account
• Urgent 24-48 hour deadline designed to create panic

Fake Pop-Up Warnings That Lock Your Screen

Some scams don't arrive by email—they appear as alarming pop-ups, or fake alerts, while you're browsing the web. These warnings may claim:

• Your computer has a virus
• Your antivirus has expired
• Your personal information is at risk
• You must call a number immediately

These pop-ups often try to prevent you from closing the browser window, making it seem like your computer is frozen or infected.

Here's what a fake pop-up might look like:

⚠️ CRITICAL SECURITY ALERT ⚠️

Your McAfee Protection Has Expired!

Your computer is at IMMEDIATE RISK of:

• Viruses and malware
• Identity theft
• Credit card fraud

Call our Security Experts: 1-800-XXX-XXXX

WARNING: Do not close this window. Your computer may be infected.

Red flags:

• Aggressive, fear-based language
• Claims you can't close the window (legitimate warnings never do this)
• Phone number prominently displayed
• No option to log into your actual account to verify

Important: If you encounter a pop-up like this, don't call the number. You can usually close these by pressing Ctrl+Alt+Delete (Windows) or Command+Option+Escape (Mac) to force-quit your browser.

These pop-ups get triggered by malicious links embedded in advertisements on legitimate sites or when you visit a malicious site designed to actually trigger this full-screen pop-up.

The Phone Call Trap: What Happens When You Call

How Scammers Gain Remote Access to Your Computer

When you call the number on a fake antivirus email or pop-up, you'll reach someone who sounds professional, patient, and eager to help. They may introduce themselves with a common-sounding name and claim to work for Norton, McAfee, or Microsoft support.

The conversation typically follows this pattern or scam script:

1. They express concern about the "unauthorized charge" and promise to help
2. They ask you to download software like AnyDesk, TeamViewer, or UltraViewer
3. They explain this is for "secure verification" or to "process your refund"
4. Once installed, they ask you to share a code that gives them control of your screen

With remote access, the scammer can see everything on your computer—your files, your browser, your email, and most dangerously, your bank accounts if you log in.

The "Overpayment Refund" Trick That Steals Thousands

This is where the scam becomes truly devastating.

Once connected to your computer, the scammer may ask you to log into your bank account "to verify the refund went through." While you're watching, they claim to process your refund—but then pretend something went wrong.

"Oh no," they say. "I accidentally deposited $34,000 instead of $349. This is a huge mistake. I could lose my job. Can you please check your account?"

They may even manipulate what you see on screen—editing the HTML of your bank's website to show a fake balance increase. In reality, no money was deposited. But under pressure and wanting to help, some victims have transferred their own savings to "return" money that was never actually sent.

Why They Ask for Wire Transfers, Gift Cards, or Cash

Scammers specifically request payment methods that are difficult or impossible to reverse:

• Wire transfers go directly to overseas accounts and cannot be recalled
• Gift cards (iTunes, Google Play, Amazon) can be redeemed immediately and anonymously
• Cash sent via shipping companies (FedEx, UPS) is virtually untraceable
• Cryptocurrency transfers are permanent and anonymous

The FBI has noted a recent trend of scammers instructing victims to mail cash in packages. Once sent, recovery is essentially impossible.

No legitimate company will ever ask for payment via gift cards or cash shipments. If someone asks for this, it is always a scam.

7 Red Flags That Reveal a Fake Antivirus Email

Knowing what to look for can protect you from falling for these scams. Here are seven warning signs:

1. Suspicious Sender Addresses

Look carefully at the "From" address. Scammers use domains that look similar to real companies but contain subtle differences:

• n0rton-secure.com (zero instead of "o")
• mcafee-billing.net (wrong domain extension)
• microsoft-support.info (not a real Microsoft domain)

Legitimate emails from Norton come only from @norton.com or @nortonlifelock.com. McAfee uses @mcafee.com. Microsoft uses @microsoft.com.

2. Urgent Deadlines and Fear-Based Language

Phrases like "Act within 24 hours," "Immediate action required," or "Your account will be charged" are designed to prevent you from thinking clearly. Legitimate companies don't threaten you with urgent deadlines for routine billing matters.

3. Generic Greetings

Emails that begin with "Dear Customer," "Dear User," or "Valued Member" rather than your actual name are suspicious. Companies you have accounts with typically know your name and use it.

4. Phone Numbers Instead of Account Links

Real renewal notices direct you to log into your account through the company's website. Scam emails prominently display phone numbers because the scammers need you to call them to execute their scheme.

5. Inflated or Unusual Prices

If the "renewal charge" seems surprisingly high—$349, $499, or even $599—that's intentional. Higher amounts create more panic and urgency. Actual Norton and McAfee subscriptions typically cost between $30 and $150 per year, depending on the plan.

6. Poor Grammar and Formatting

While scammers have improved with AI, many fake emails still contain awkward phrasing, spelling errors, or inconsistent formatting. Legitimate companies have professional communications teams that agonize over the wording in these emails and rarely make errors.

7. Requests for Remote Access or Unusual Payments

Any email or pop-up that eventually leads to requests to download software or require urgent bank access, wire transfers, gift cards, or cash is a scam. No legitimate company operates this way no matter how real the person on the end of the line sounds.

How to Verify If an Antivirus Email or Pop-Up Is Real

Check the Sender's Email Domain Carefully

Before doing anything else, look at the full email address—not just the display name. Hover over or click on the sender's name to reveal the actual address.

Legitimate domains include:

• @norton.com
• @nortonlifelock.com
• @mcafee.com
• @microsoft.com

Scammers like to add extra words to the domain, replace letters with similar-looking numbers (a 0 instead of O, a 1 instead of an l), and other small changes that are difficult to see at first glance.

Log Into Your Account Directly

Never click links in an email you're unsure about. Instead:

1. Open a new browser window
2. Type the company's website directly (norton.com, mcafee.com)
3. Log into your account
4. Check your subscription status and billing history

If there's no record of the charge mentioned in the email, the email is fake.

Call the Company Using Their Official Website Number

If you want to speak with someone, find the company's phone number on their official website—not from the email. For reference:

• Norton Support: Visit support.norton.com
• McAfee Support: Visit mcafee.com/support
• Microsoft Support: Visit support.microsoft.com

When in Doubt

The best thing to do is to forward the email to submit@scamwise.com or take a screenshot of the pop-up and submit it on Scamwise.com, a free tool to help people check suspicous messages.

What to Do If You Already Engaged with Scammers

If you've already interacted with a scam email or call, don't panic—but do act quickly. The steps you take now can limit the damage. And please know: falling for a sophisticated scam doesn't mean you did anything wrong. These criminals are professionals who manipulate and socially engineer millions of people every year.

If You Called the Phone Number

If you called but didn't download any software or share personal information:

• You're likely okay, but stay alert for follow-up calls
• Block the number you called
• Don't engage if they call you back
• Report the incident to the FBI IC3 here: https://www.ic3.gov/

Scammers often call victims back, sometimes pretending to be from a "different department" or claiming there's a new urgent issue. Don't answer calls from numbers you don't recognize and stay vigilant. Consider a service offered by savisecurity.com or others that will help block/filter scams before they reach you.

If You Downloaded Remote Access Software

If you installed AnyDesk, TeamViewer, UltraViewer, or similar software and gave someone access:

Immediately:

1. Disconnect from the internet (unplug your router or turn off WiFi)
2. Uninstall the remote access program
3. Run a full antivirus scan with legitimate software (Windows Defender is built into Windows and is reliable)
4. Change passwords for all important accounts (your bank and primary email are best places to start) and you should change them from a different device if possible
5. Enable two-factor authentication on high-value accounts like your primary email and any apps you store or send money (bank, payment apps, etc) at a minimum.

After you've done that, you can check your computer for:

• New programs you didn't install
  • Mac: To find newly installed programs on a Mac, open Finder, go to the Applications folder, and sort by "Date Added" or "Date Created"
  • Windows: To find newly installed programs on Windows 10/11, open Settings > Apps > Installed apps (or "Apps & features"), then change the Sort by dropdown to Date installed.
• Changed browser settings
  • Search Engine: Go to Settings > Search engine to ensure your default (e.g., Google) hasn't been changed to a malicious or unknown provider.
  • Site Permissions: Navigate to Settings > Privacy and security > Site settings to review permissions for camera, microphone, and notifications.
  • Appearance: Check Settings > Appearance for unexpected changes to your theme or home button.
  • Startup Page: Check Settings > On startup to see if your homepage was changed.
• Unfamiliar browser extensions
  • Extensions: Type chrome://extensions in the address bar to look for, disable, or remove unknown or suspicious extensions that may have modified your settings.
• Any files that were accessed or modified
  • Open your files and sort by "Date Modified"

If you're not comfortable doing this yourself, consider having a trusted family member help or taking your computer to a reputable local repair service.

If You Gave Access to Your Bank Account

If you logged into your bank account while a scammer had remote access or if you took action with your bank based on the scammer's guidance:

Immediately:

1. Call your bank's fraud department (use the number on your card or statement)
2. Explain that someone had remote access to your computer while you were logged in
3. Ask them to freeze your account temporarily
4. Request to review recent transactions for anything unauthorized
5. Ask about changing your account number if significant fraud is suspected

Also:

• Change your online banking password from a secure device
• Set up transaction alerts for all activity
• Consider placing a fraud alert on your credit reports

Banks have fraud departments specifically trained to help in these situations. They've seen this before and can guide you through next steps.

If You Sent Money (Wire Transfer, Gift Cards, or Cash)

This is the most difficult situation to recover from, but there are still steps to take:

For wire transfers:

• Contact your bank immediately—there's a small window where transfers can sometimes be reversed
• File a report with the FBI's IC3 (ic3.gov)
• The sooner you report, the better the chances of any recovery

For gift cards:

• Contact the gift card company (Apple, Google, Amazon) and explain what happened
• Provide the card numbers if you still have them
• Recovery is rare, but reporting helps track criminal networks

For cash sent via mail or shipping:

• Contact the shipping company (FedEx, UPS) immediately if the package hasn't been delivered
• File a police report
• Report to the FBI IC3

Recovery of funds is often difficult, but reporting is important. Your report helps law enforcement track these criminal operations and may help prevent others from becoming victims.

How to Protect Yourself and Your Family

Talk to Older Parents About These Scams

If you're a caregiver or adult child of aging parents, having a conversation about scam awareness can be one of the most protective things you do. Here are some tips:

Start with empathy, not alarm:

• "I've been seeing a lot of scam emails lately and wanted to share what I've learned"
• Avoid language that might feel condescending or imply they can't handle technology

Make it collaborative:

• "Can we set up a system where you check with me before calling any tech support numbers?"
• "I'd love to be your second opinion on suspicious emails"

Normalize asking for help:

• Many people are embarrassed to admit they're unsure about something
• Emphasize that scammers are sophisticated and target everyone
• Share that you've received similar scam emails too

Set up practical protections:

• Add important phone numbers (bank, real tech support) to their contacts
• Create a simple "when in doubt" rule: "Call me before calling any number from an email"
• Tell them about a free scam check website like scamwise.com or other trusted scam-checkers on the market

Enable Real Antivirus Protection

You don't need expensive antivirus software to stay protected:

• Windows Defender (built into Windows 10 and 11) is a reliable, free option
• Apple devices have strong built-in security features
• If you do want additional protection, purchase directly from the company's official website

Many cybersecurity experts note that for most home users, the built-in protections plus safe browsing habits are sufficient.

Use Call Blocking and Email Filters

• Sign up for proactive scam filter services through Savi Security or other providers
• Email services like Gmail, Outlook, and Yahoo automatically filter many scam emails to spam
• Mark suspicious emails as spam rather than just deleting them—this helps train the filter

How to Report Fake Antivirus Scams

Reporting scams helps law enforcement track criminal operations and may prevent others from becoming victims. Here's where to report:

Report to the FTC (Federal Trade Commission)

The FTC collects reports on scams and uses them to build cases against fraudsters.

How to report:

• Visit ReportFraud.ftc.gov
• Provide details about what happened
• Include any phone numbers, email addresses, or company names the scammers used

File a Complaint with FBI IC3

The FBI's Internet Crime Complaint Center handles online fraud, including tech support scams.

How to report:

• Visit ic3.gov
• Click "File a Complaint"
• Provide as much detail as possible, including any financial losses

Forward Phishing Emails to the Real Company

Major companies track scams that impersonate their brands:

• Norton: Forward suspicious emails to spam@nortonlifelock.com
• McAfee: Forward to spam@mcafee.com
• Microsoft: Forward to reportphishing@microsoft.com
• AARP: Forward to spoof@aarp.org (if the scam impersonates AARP)

FAQs

Is this Norton antivirus renewal email real or a scam?

Most likely, it's a scam—especially if:

• You don't have a Norton subscription
• The sender's email isn't from @norton.com or @nortonlifelock.com
• The email asks you to call a phone number instead of logging into your account
• The price seems unusually high

To be certain, log into your Norton account directly at norton.com (not through any links in the email) and check your subscription status. If there's no pending charge, the email is fake.

What happens if I call the number on a fake antivirus renewal scam email?

You'll reach a scammer pretending to be tech support. They'll likely:

• Ask you to download remote access software
• Request to "verify" your computer or bank account
• Eventually try to steal money through the "overpayment refund" trick or other methods

If you've already called but haven't downloaded software or shared information, hang up and block the number. If you've gone further, see the "What to Do If You Already Engaged" section above.

Can scammers really steal money through remote access?

Yes. With remote access to your computer, scammers can:

• Watch you log into your bank account and capture your credentials
• Manipulate what you see on screen (showing fake balances)
• Transfer money while you're distracted
• Install malware that captures passwords later
• Access personal files and information for identity theft

This is why you should never give remote access to anyone who contacts you unsolicited.

What should I do if I gave a scammer remote access to my computer?

1. Disconnect from the internet immediately (unplug your router or turn off WiFi)
2. Uninstall the remote access software they had you install
3. Run a full antivirus scan using Windows Defender or another trusted program
4. Change passwords for all important accounts from a different secure device
5. Contact your bank if you logged into financial accounts during the session
6. Enable two-factor authentication on all accounts that offer it
7. Monitor your accounts closely for the next several months

If you're not confident handling this yourself, ask a trusted family member for help or take your computer to a reputable local repair service.

Stay Protected—You're Not Alone

Receiving a fake antivirus email can be unsettling, especially when it's designed to look so convincing. But now you know the warning signs: suspicious sender addresses, urgent deadlines, inflated prices, and requests to call phone numbers instead of logging into your account.

Remember:

• Legitimate companies don't threaten you with urgent deadlines
• Real tech support will never ask for remote access through an unsolicited email
• No legitimate business accepts payment via gift cards or cash shipments

If you've been targeted by one of these scams, you're in good company—millions of people receive these emails every day. What matters is how you respond.

When in doubt, pause. Check directly with the company through their official website. And don't hesitate to ask a trusted friend or family member for a second opinion.

Trust your instincts, verify before you act, and remember: it's always okay to hang up, delete the email, and ask for help.