Fake Antivirus Renewal Scams: How to Spot Them and Stay Safe

You open your email and see a message that looks urgent: "Your Norton subscription has been renewed for $349.99. Call now to cancel." Your heart races. You don’t remember ordering this. You didn’t authorize any charge. And now you’re worried money is about to disappear from your account.

If you’ve received a suspicious email or renewal notice right now, you can check it instantly on Scamwise — free, no account needed. Or read on to understand exactly how these scams work.

Take a breath. This is almost certainly a scam—and you’re not alone in receiving it.

Fake antivirus renewal emails and pop-ups are one of the most common tech support scams targeting people today. These messages impersonate trusted brands like Norton, McAfee, and Microsoft to create panic and push you into calling a fake “support” number. Once you call, scammers use psychological tactics to gain access to your computer and, ultimately, your money.

The good news: these scams follow predictable patterns, which means you can learn to spot them. This guide will show you exactly what to look for, what happens if you engage with scammers, and what to do if you’ve already been targeted.

What Is a Fake Antivirus Renewal Scam?

How These Scams Work

A fake antivirus renewal scam starts with an email, pop-up, or phone call claiming that your antivirus subscription has been renewed—or is about to expire—and that you’ll be charged a large sum unless you take immediate action.

The message typically includes:

• Imagery, logos and messages that hijack a known brand in security like Norton, McAfee or Microsoft.
• A fake invoice showing a charge between $299 and $499
• A phone number to call for “cancellation” or “refund”
• Urgent language warning that money will be debited within 24-48 hours

The goal is simple: make you panic and call the number. The scammer is counting on your desire to talk to a human to ‘sort it out’. Once you do, the real scam begins.

The person who answers sounds professional and helpful. They’ll typically send you a new email or send you to a site to “download software” so they can “verify your account” or “process your refund.” This software gives them “remote access” to control your computer. From there, they may steal personal information, install malware, or execute the devastating “overpayment refund” trick that has cost some victims tens of thousands of dollars.

Why Scammers Impersonate Norton, McAfee, and Microsoft

Scammers choose to impersonate these brands because they’re household names. Norton, McAfee, and Microsoft are software that millions of people recognize even if they don’t currently have an active subscription. The familiarity creates just enough doubt: “Wait, did I sign up for this? Do I have this on my computer?”

Scammers know that many people, especially those who aren’t deeply familiar with their computer’s software, may not remember exactly what security programs are installed. This uncertainty, combined with fear of losing money, pushes people to call.

The Real Cost: $159 Million Lost to Tech Support Scams in 2024

These aren’t small-time crimes. According to the Federal Trade Commission’s 2024-2025 report on protecting older consumers, Americans 60 and older reported losing $159 million to tech support scams in 2024 alone. Adults in this age group were five times more likely than younger adults to have their money stolen by these schemes.

These statistics aren’t meant to frighten you. They’re meant to show that these scams are widespread, sophisticated, and worth taking seriously.

What These Scam Emails and Pop-Ups Look Like

Here’s an example of what a fake antivirus renewal email might look like:

From: Norton Billing <billing@n0rton-secure.com>
Subject: Your Norton™ Subscription Has Been Renewed - Invoice #NRT-2025-84729

Dear Valued Customer,

Thank you for renewing your Norton 360 Premium subscription.

Order Details:

• Product: Norton 360 Premium (3-Year Plan)
• Amount Charged: $349.99
• Transaction ID: NRT-2025-84729
• Renewal Date: January 26, 2026

This amount will be debited from your account within 24-48 hours.

If you did not authorize this transaction or wish to cancel and receive a full refund, please contact our Billing Department immediately:

📞 Call Now: 1-888-XXX-XXXX (Toll-Free)

Our support team is available 24/7 to assist you.

Thank you,
Norton Billing Team

Red flags in this example:

• The sender domain “n0rton-secure.com” uses a zero instead of the letter “o”
• Generic greeting “Valued Customer” rather than your actual name
• Unusually high price ($349.99 for a 3-year plan)
• Phone number instead of a link to your Norton account
• Urgent 24-48 hour deadline designed to create panic

Fake Pop-Up Warnings That Lock Your Screen

Some scams don’t arrive by email—they appear as alarming pop-ups, or fake alerts, while you’re browsing the web. These warnings may claim:

• Your computer has a virus
• Your antivirus has expired
• Your personal information is at risk
• You must call a number immediately

These pop-ups often try to prevent you from closing the browser window, making it seem like your computer is frozen or infected.

Important: If you encounter a pop-up like this, don’t call the number. You can usually close these by pressing Ctrl+Alt+Delete (Windows) or Command+Option+Escape (Mac) to force-quit your browser.

The Phone Call Trap: What Happens When You Call

How Scammers Gain Remote Access to Your Computer

When you call the number on a fake antivirus email or pop-up, you’ll reach someone who sounds professional, patient, and eager to help. They may introduce themselves with a common-sounding name and claim to work for Norton, McAfee, or Microsoft support.

The conversation typically follows this pattern or scam script:

1. They express concern about the “unauthorized charge” and promise to help
2. They ask you to download software like AnyDesk, TeamViewer, or UltraViewer
3. They explain this is for “secure verification” or to “process your refund”
4. Once installed, they ask you to share a code that gives them control of your screen

With remote access, the scammer can see everything on your computer—your files, your browser, your email, and most dangerously, your bank accounts if you log in.

The “Overpayment Refund” Trick That Steals Thousands

Once connected to your computer, the scammer may ask you to log into your bank account “to verify the refund went through.” While you’re watching, they claim to process your refund—but then pretend something went wrong. They may even manipulate what you see on screen—editing the HTML of your bank’s website to show a fake balance increase. In reality, no money was deposited. But under pressure and wanting to help, some victims have transferred their own savings to “return” money that was never actually sent.

Why They Ask for Wire Transfers, Gift Cards, or Cash

Scammers specifically request payment methods that are difficult or impossible to reverse:

• Wire transfers go directly to overseas accounts and cannot be recalled
• Gift cards (iTunes, Google Play, Amazon) can be redeemed immediately and anonymously
• Cash sent via shipping companies (FedEx, UPS) is virtually untraceable
• Cryptocurrency transfers are permanent and anonymous

No legitimate company will ever ask for payment via gift cards or cash shipments. If someone asks for this, it is always a scam.

7 Red Flags That Reveal a Fake Antivirus Email

Knowing what to look for can protect you from falling for these scams. Here are seven warning signs:

1. Suspicious Sender Addresses

Look carefully at the “From” address. Scammers use domains that look similar to real companies but contain subtle differences: n0rton-secure.com (zero instead of “o”), mcafee-billing.net (wrong domain extension), microsoft-support.info (not a real Microsoft domain).

Legitimate emails from Norton come only from @norton.com or @nortonlifelock.com. McAfee uses @mcafee.com. Microsoft uses @microsoft.com.

2. Urgent Deadlines and Fear-Based Language

Phrases like “Act within 24 hours,” “Immediate action required,” or “Your account will be charged” are designed to prevent you from thinking clearly. Legitimate companies don’t threaten you with urgent deadlines for routine billing matters.

3. Generic Greetings

Emails that begin with “Dear Customer” rather than your actual name are suspicious. Companies you have accounts with typically know your name and use it.

4. Phone Numbers Instead of Account Links

Real renewal notices direct you to log into your account through the company’s website. Scam emails prominently display phone numbers because the scammers need you to call them to execute their scheme.

5. Inflated or Unusual Prices

If the “renewal charge” seems surprisingly high—$349, $499, or even $599—that’s intentional. Actual Norton and McAfee subscriptions typically cost between $30 and $150 per year, depending on the plan.

6. Poor Grammar and Formatting

While scammers have improved with AI, many fake emails still contain awkward phrasing, spelling errors, or inconsistent formatting.

7. Requests for Remote Access or Unusual Payments

Any email or pop-up that eventually leads to requests to download software or require wire transfers, gift cards, or cash is a scam.

How to Verify If an Antivirus Email or Pop-Up Is Real

Never click links in an email you’re unsure about. Instead, open a new browser window, type the company’s website directly (norton.com, mcafee.com), log into your account, and check your subscription status and billing history. If there’s no record of the charge, the email is fake.

When in doubt, forward the email to submit@scamwise.com or take a screenshot of the pop-up and submit it on Scamwise.com — a free tool to help you check suspicious messages instantly.

What to Do If You Already Engaged with Scammers

If you’ve already interacted with a scam email or call, don’t panic—but do act quickly. The steps you take now can limit the damage. Falling for a sophisticated scam doesn’t mean you did anything wrong. These criminals are professionals who manipulate and socially engineer millions of people every year.

If You Called the Phone Number

If you called but didn’t download any software or share personal information: you’re likely okay, but stay alert for follow-up calls. Block the number and don’t engage if they call back. Report the incident to the FBI IC3 at ic3.gov.

If You Downloaded Remote Access Software

Immediately: disconnect from the internet, uninstall the remote access program, run a full antivirus scan with Windows Defender, change passwords for all important accounts from a different device, and enable two-factor authentication on your primary email and financial apps at minimum.

If You Gave Access to Your Bank Account

Call your bank’s fraud department immediately. Ask them to freeze your account temporarily and review recent transactions. Change your online banking password from a secure device. Consider placing a fraud alert on your credit reports.

If You Sent Money (Wire Transfer, Gift Cards, or Cash)

For wire transfers: contact your bank immediately and file with the FBI’s IC3 at ic3.gov. For gift cards: contact the gift card company (Apple, Google, Amazon) with the card numbers. For cash sent via mail: contact the shipping company immediately and file a police report.

How to Protect Yourself and Your Family

If you’re a caregiver or adult child of aging parents, having a conversation about scam awareness can be one of the most protective things you do. Start with empathy, make it collaborative, and create a simple “when in doubt, check it first” rule. Tell them about Scamwise — a free tool anyone can use to check suspicious emails, messages, or numbers before acting.

Stay Protected — You’re Not Alone

Receiving a fake antivirus email can be unsettling, especially when it’s designed to look so convincing. But now you know the warning signs: suspicious sender addresses, urgent deadlines, inflated prices, and requests to call phone numbers instead of logging into your account.

For ongoing protection that works automatically, Savi filters scam calls and texts before they reach your family. Join the Savi waitlist to be first in line when we launch.