Fake Antivirus Subscription Renewal — Norton / McAfee

How This Attack Works

Victims receive a convincing invoice email claiming their Norton or McAfee subscription has auto-renewed for $299–$499. The email includes a refund phone number. When called, a fake support agent installs remote access software to "process the refund," then steals banking credentials or transfers funds directly from the victim's account during the screen-share session.

Red Flags to Watch For

• ✗
  Sender domain is not @norton.com or @mcafee.com
• ✗
  Invoice amount is much higher than your actual subscription price
• ✗
  Email includes a phone number for cancellation — legitimate companies use online portals
• ✗
  Support agent asks you to download AnyDesk, TeamViewer, or similar remote access tools
• ✗
  Agent asks you to log in to your bank account while sharing your screen
• ✗
  You are asked to purchase gift cards or wire money for a "refund processing fee"

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

• norton-renewal-invoice.comMALICIOUS
• mcafee-auto-renew.netMALICIOUS
• antivirus-subscription-renew.comMALICIOUS
• norton-cancel-charge.netMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.