McAfee & Norton Renewal Scam
An email arrives with McAfee’s or Norton’s logo announcing your antivirus subscription has auto-renewed for $249 or $349. You don’t remember having that subscription. The email tells you to call a number to cancel. That call is the entire scam — the number leads to criminals, not to McAfee or Norton, and the call ends with remote access to your computer and everything on it.
What Is the McAfee / Norton Renewal Scam?
The McAfee and Norton antivirus renewal scam is one of the highest-volume tech support fraud types reported to the FTC, appearing year after year in its top impersonation fraud categories. It exploits the widespread use of antivirus software — both McAfee and NortonLifeLock have tens of millions of active subscribers and many more former subscribers who received free trials or pre-installed versions on their devices and may have ongoing uncertainty about their subscription status.
The scam follows an identical structure to the Geek Squad renewal fraud but targets a different anxiety: not paying for tech support you don’t need, but paying for antivirus software you believe you already cancelled or never actively subscribed to. The fake renewal amount — calibrated between $199 and $399 — is large enough to demand attention but not large enough to trigger immediate disbelief. It lands in the plausible range of what an annual antivirus subscription actually costs.
What distinguishes this scam from other tech brand impersonation is the dual delivery vector. The email variant is the most common — a fake renewal notice with a phone number. But the McAfee and Norton brand names are also heavily used in browser pop-up scams, where a webpage displays a fake antivirus expiration alert with a support number. Both converge on the same outcome: a scam phone call that leads to a remote access attack.
How the Scam Works — Step by Step
The Email or Pop-Up Lure
Via email: a mass blast carrying the McAfee shield logo or Norton’s yellow branding announces an auto-renewal for a specific dollar amount, with an order number and today’s date. A phone number is included for cancellation. Via pop-up: a browser tab opens a full-screen page displaying a McAfee or Norton interface, warning that the subscription has expired and the computer is at risk — with a phone number to call for immediate assistance. Both versions produce the same fear response: unexpected charge or security risk requiring immediate action.
The Phone Call Setup
The phone number connects to a call center — often overseas — staffed with agents who answer with convincing McAfee or Norton branding. They confirm the charge, apologize for the confusion, and offer to either process a full refund or help the victim understand their subscription. The agent is professional, patient, and unhurried — building rapport before making any request. This unhurried approach distinguishes tech support scam calls from other fraud types and makes victims feel they are in a genuine customer service interaction.
The Remote Access Request
To “process the refund” or “check the subscription status,” the agent asks the victim to download a remote access tool — most commonly AnyDesk, TeamViewer, or Windows Quick Assist. Once connected, the scammer sees the victim’s full desktop and can access everything on it: saved browser passwords, banking apps, email accounts, and financial files. They may ask the victim to log into their bank account to “confirm the refund destination,” or they may navigate to it themselves while the victim watches what appears to be normal support activity.
The Overpayment Variant
One of the most damaging variants: after gaining access, the scammer “accidentally” transfers too much into the victim’s bank account — usually by manipulating the display of account balances rather than making an actual transfer — and asks the victim to send the excess back via Zelle, wire transfer, or gift card. The victim sees what looks like a large deposit in their account and complies, not realizing the displayed balance change was fabricated and no actual funds arrived. They send real money to correct a fake error.
Red Flags in a McAfee or Norton Renewal Email
- A phone number is embedded in the email for cancellation — real McAfee and Norton manage subscriptions through their official websites, not via phone numbers in renewal emails.
- The sender email domain is not @mcafee.com or @norton.com — check the actual sending address, not just the display name shown in your email client.
- You have no active subscription with the company, or no charge matching the renewal appears on any bank or card statement.
- The email or pop-up creates a tight deadline — “your card will be charged within 24 hours unless you call to cancel” — legitimate renewals do not use countdown threats.
- Any request for remote access to your computer during the cancellation call — McAfee and Norton do not require remote access to process subscription cancellations or refunds.
- A “refund” appears in your bank account during the call and you are asked to return part of it — this is always a fabricated balance display, not a real deposit.
💡 The Three-Step Check That Ends Every Antivirus Renewal Scam
1. Type mcafee.com or norton.com directly into your browser and check your account subscriptions. 2. Check your bank and card statements for a charge from McAfee or NortonLifeLock on the stated date. 3. If neither confirms a real subscription or charge, delete the email. These three checks take under two minutes and require no phone call, no link-click, and no remote access — making the entire scam moot before it can proceed.
The McAfee Pop-Up Warning Scam — A Separate but Related Attack
Separate from the email renewal scam, McAfee’s brand is heavily used in browser-based pop-up attacks. A webpage triggers a full-screen alert mimicking the real McAfee security dashboard — displaying a virus count, subscription expiration warning, and a phone number. Unlike the real McAfee software, which delivers alerts through a system tray icon and in-app notifications, this pop-up lives entirely in the browser and can be closed with standard browser controls.
The McAfee pop-up scam succeeds because the real McAfee software does occasionally display urgent-looking notifications, creating a visual template that the scam mimics. Users who have seen genuine McAfee alerts before may not immediately recognize that a browser-delivered version is fundamentally different from an application-level one. The key distinction: real McAfee and Norton software alerts never display a phone number to call — they direct users to the application’s interface for action.
Ironically, the Antivirus Scam Leaves You Less Protected Than Before
Victims who grant remote access during a fake McAfee or Norton call often end up with actual malware installed — the opposite of what antivirus software is meant to provide. Real identity theft protection monitors for the downstream signals of these attacks. See which services catch account takeover attempts fastest.
See Our Identity Theft Protection Rankings →How Exposed Are You to Tech Brand Impersonation Scams?
Tech support scams target specific behavioral and demographic profiles — older device users, people with a history of antivirus purchases, and those whose data appears in consumer databases. Our identity theft risk quiz takes 2 minutes and shows you exactly where your exposure lies.
Take the Identity Theft Risk Quiz →What To Do If You Called and Granted Remote Access
- Disconnect from the internet immediately — unplug your ethernet cable or disable Wi-Fi to terminate the remote session before any further access occurs.
- Change your email password first from a different device — this is the master key to resetting all other accounts, making it the highest-priority credential to secure.
- Change passwords for every financial account — bank, brokerage, PayPal, and any account linked to a saved payment method on the affected device.
- Contact your bank and flag the account for review — ask them to reverse any transfers that occurred during or after the remote session.
- Have the affected computer examined by a trusted local technician — remote sessions may have installed persistent access tools or keyloggers that survive a restart.
- Report to McAfee or Norton directly — abuse@mcafee.com or spam@norton.com — so they can take action against the fraudulent accounts impersonating their brand.
- Report to the FTC at reportfraud.ftc.gov and the FBI at ic3.gov with all details including the phone number called and any financial losses incurred.
