Subscription Renewal Scams: Fake Norton, McAfee, and Amazon Prime Invoices

It's one of the most common scam emails in circulation, and it lands in millions of inboxes every day:

Subject: Invoice #NRT-2026-4478291 — Your Norton 360 Subscription Has Been Renewed

Dear Customer,

Thank you for renewing your Norton 360 Deluxe subscription. Your account has been charged $399.99 for the annual plan. If you did not authorize this transaction, please call our billing department at 1-888-XXX-XXXX within 24 hours to request a full refund.

Order ID: NRT-2026-4478291 Product: Norton 360 Deluxe — 5 Devices Amount: $399.99 Payment Method: Auto-debit from bank account

Similar emails impersonate McAfee, Geek Squad, Amazon Prime, Netflix, Microsoft 365, Adobe Creative Cloud, and dozens of other subscription services. The format varies, but the hook is always the same: a charge you didn't authorize for an amount high enough to make you react.

How the Scam Works

The Panic Invoice

The email is designed to trigger an immediate emotional response. You see a $399.99 charge for something you didn't buy, and your first instinct is to fix it — fast. The scammers count on you calling the phone number in the email without stopping to verify whether the charge is real.

The amount is strategically chosen. It's high enough to cause alarm ($399.99, $349.99, $499.99) but not so outrageous that you'd dismiss it as obviously fake. It's within the range of what a premium annual subscription might cost.

The Phone Call

When you call the number, a "billing representative" answers. They're polite, professional, and seem helpful. They confirm the "charge" and offer to process a refund. But to do that, they need remote access to your computer — they'll ask you to download AnyDesk, TeamViewer, or another remote access tool.

Once they have control of your screen, the scam plays out in one of two ways.

Version 1: The Overpayment Refund Scam. They ask you to log into your bank account. While you watch, they manipulate the screen to make it look like they accidentally refunded too much — $3,999.90 instead of $399.99. They then demand you return the "overpayment" via wire transfer or gift cards. In reality, they moved money between your own accounts or manipulated the display. No refund was ever issued.

Version 2: Information Harvesting. They ask for your credit card number, bank account details, or other personal information to "verify your identity" for the refund. They now have enough information for identity theft and fraudulent charges.

The Link Version

Some scam emails include a link instead of (or in addition to) a phone number. Clicking the link takes you to a phishing site that mimics the subscription service's login page. When you enter your credentials to "check your account," the scammers capture your username and password.

Why This Scam Is So Effective

Many people have multiple subscriptions and lose track of them. The average American has 12 paid subscriptions. When you see a charge for Norton or McAfee, you might not remember if you subscribed years ago and forgot about it. The uncertainty makes you more likely to engage.

Auto-renewal anxiety is real. Many services auto-renew at higher rates, so a surprise charge feels plausible. The scam specifically targets services known for aggressive auto-renewal policies.

The "refund" framing makes you feel like the company is on your side. You're not being asked to pay — you're being offered your money back. This lowers your defenses.

Red Flags to Watch For

1. You don't have a subscription with the company. If you've never had a Norton, McAfee, or Geek Squad subscription, any "renewal" email is obviously fake. But even if you have had one in the past, verify the charge through the official website before calling any number.

2. The charge amount is unusually high. Norton 360 Deluxe costs roughly $50-$100/year, not $399.99. If the price doesn't match the product's real pricing, it's a scam.

3. The email asks you to call a phone number. Legitimate renewal notifications include a link to your account on the official website, not a phone number to call for a "refund."

4. The sender's email address is suspicious. Hover over or tap on the sender name. Real Norton emails come from @norton.com or @nortonlifelock.com. Real Amazon emails come from @amazon.com. Scam emails come from addresses like billing@norton-support-team.com or refund@amazon-prime-billing.net.

5. The email contains grammar errors or formatting issues. Professional companies have proofreaders. Scam emails often have subtle mistakes — extra spaces, misaligned logos, inconsistent fonts, or awkward phrasing.

6. Urgency to act within 24 hours. "Call within 24 hours or the charge becomes permanent" is a pressure tactic. Real billing disputes have much longer resolution windows.

7. They ask for remote access to your computer. No legitimate refund requires you to download screen-sharing software. This is always a scam.

What to Do When You Get a Fake Renewal Email

Don't call the number in the email. If you want to verify whether a charge is real, go directly to the company's website and log in, or call the customer service number listed on their official website.

Check your bank and credit card statements. Log into your bank account directly (not through any link in the email) and look for the charge. If it doesn't appear in your recent transactions, the email is fake.

Don't click any links in the email. If you want to check your subscription status, navigate to the company's website by typing the URL directly in your browser.

Report the email as phishing. Most email providers have a "Report Phishing" option. Use it — it helps filter these emails for other users too.

If you already called and gave remote access: Follow the steps in the "What to Do" section of our refund scams article. Immediately disconnect from the internet, uninstall remote access software, change all passwords from a different device, and contact your bank.

---

Got a suspicious renewal email? Don't call the number — paste the email into our free scam scanner instead. Our AI instantly identifies fake invoices, phishing patterns, and impersonation tactics.