Tech Support Fraud ⚠ Very High Risk

McAfee & Norton Renewal Scam

An email arrives with McAfee’s or Norton’s logo announcing your antivirus subscription has auto-renewed for $249 or $349. You don’t remember having that subscription. The email tells you to call a number to cancel. That call is the entire scam — the number leads to criminals, not to McAfee or Norton, and the call ends with remote access to your computer and everything on it.

📧 Email · 📞 Phone · 🖥️ Pop-Up

Written by Brandon King  ·  Last updated: February 2026

Fake Charge Amount: $199–$399
Actual Loss Range: $500–$30K
FTC Rank: Top 3 Tech Brand Fraud

What Is the McAfee / Norton Renewal Scam?

The McAfee and Norton antivirus renewal scam is one of the highest-volume tech support fraud types reported to the FTC, appearing year after year in its top impersonation fraud categories. It exploits the widespread use of antivirus software — both McAfee and NortonLifeLock have tens of millions of active subscribers and many more former subscribers who received free trials or pre-installed versions on their devices and may have ongoing uncertainty about their subscription status.

The scam follows an identical structure to the Geek Squad renewal fraud but targets a different anxiety: the fear is not of paying for tech support you don’t need, but of paying for antivirus software you believe you already cancelled or never actively subscribed to. The fake renewal amount — calibrated between $199 and $399 — is large enough to demand attention but not large enough to trigger immediate disbelief. It lands in the plausible range of what an annual antivirus subscription actually costs.

What distinguishes this scam from other tech brand impersonation is the dual delivery vector. The email variant is the most common — a fake renewal notice with a phone number. But the McAfee and Norton brand names are also heavily used in browser pop-up scams, where a webpage displays a fake antivirus expiration alert with a support number. Both converge on the same outcome: a scam phone call that leads to a remote access attack.

How the Scam Works — Step by Step

The Email or Pop-Up Lure

Via email: a mass blast carrying the McAfee shield logo or Norton’s yellow branding announces an auto-renewal for a specific dollar amount, with an order number and today’s date. A phone number is included for cancellation. Via pop-up: a browser tab opens a full-screen page displaying a McAfee or Norton interface, warning that the subscription has expired and the computer is at risk — with a phone number to call for immediate assistance. Both versions produce the same fear response: unexpected charge or security risk requiring immediate action.
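
The email lure described above reduces to a few checkable features: the brand name, a renewal charge in the stated range, and a phone number for cancellation. As an added example (not part of the original article), this Python function scores a message on those features; the sender-domain allowlist, the regular expressions and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: only the two sites the page names count as official sender domains.
OFFICIAL = {"mcafee": "mcafee.com", "norton": "norton.com"}
# Separators are required so a bare 10-digit order number is not read as a phone.
PHONE = re.compile(r"(?<![\w-])(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b")
AMOUNT = re.compile(r"\$\s?(\d{2,4})(?:\.\d{2})?")
RENEW = re.compile(r"auto[- ]?renew|renewal|subscription", re.I)

def score_renewal_lure(raw):
    """Return (score, reasons) for one message given as RFC 5322 text."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = " ".join([display, msg.get("Subject", ""), body])
    brands = [b for b in OFFICIAL if b in text.lower()]
    reasons = []
    if not brands:
        return 0, reasons  # not McAfee/Norton themed, out of scope
    if not any(domain == OFFICIAL[b] or domain.endswith("." + OFFICIAL[b])
               for b in brands):
        reasons.append("brand named, sender domain is " + domain)
    if RENEW.search(text) and any(199 <= int(a) <= 399 for a in AMOUNT.findall(text)):
        reasons.append("renewal charge in the $199-$399 range")
    if PHONE.search(body):
        reasons.append("phone number in the body")
    return len(reasons), reasons

# Constructed samples, not real messages; domains and numbers are placeholders.
LURE = ('From: "McAfee Billing" <billing@invoice-notify.example>\n'
        "Subject: Your subscription has been auto-renewed\n\n"
        "Your McAfee plan was auto-renewed today for $349.99.\n"
        "Order ID: 8841027733\n"
        "To cancel, call (808) 555-0142 within 24 hours.\n")
BENIGN = ('From: "Norton" <noreply@norton.com>\n'
          "Subject: Your renewal is coming up\n\n"
          "Your subscription renews next month for $59.99.\n"
          "Manage it by signing in at norton.com.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_renewal_lure(raw))
```

A score of 2 or more is a reasonable quarantine threshold for a mail filter, since a message that spoofs an official sender address still trips the charge and phone-number checks.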

The Phone Call Setup

The phone number connects to a call center — often overseas — staffed with agents who answer with convincing McAfee or Norton branding. They confirm the charge, apologize for the confusion, and offer to either process a full refund or help the victim understand their subscription. The agent is professional, patient, and unhurried — building rapport before making any request. This unhurried approach distinguishes tech support scam calls from other fraud types and makes victims feel they are in a genuine customer service interaction.

The Remote Access Request

To “process the refund” or “check the subscription status,” the agent asks the victim to download a remote access tool — most commonly AnyDesk, TeamViewer, or Windows Quick Assist. Once connected, the scammer sees the victim’s full desktop and can access everything on it: saved browser passwords, banking apps, email accounts, and financial files. They may ask the victim to log into their bank account to “confirm the refund destination,” or they may navigate to it themselves while the victim watches what appears to be normal support activity.

The Overpayment Variant

One of the most damaging variants: after gaining access, the scammer “accidentally” transfers too much into the victim’s bank account — usually by manipulating the display of account balances rather than making an actual transfer — and asks the victim to send the excess back via Zelle, wire transfer, or gift card. The victim sees what looks like a large deposit in their account and complies, not realizing the displayed balance change was fabricated and no actual funds arrived. They send real money to correct a fake error.

Red Flags in a McAfee or Norton Renewal Email

💡 The Three-Step Check That Ends Every Antivirus Renewal Scam

1. Type mcafee.com or norton.com directly into your browser and check your account subscriptions.
2. Check your bank and card statements for a charge from McAfee or NortonLifeLock on the stated date.
3. If neither confirms a real subscription or charge, delete the email.

These three checks take under two minutes and require no phone call, no link-click, and no remote access — making the entire scam moot before it can proceed.

The McAfee Pop-Up Warning Scam — A Separate but Related Attack

Separate from the email renewal scam, McAfee’s brand is heavily used in browser-based pop-up attacks. A webpage triggers a full-screen alert mimicking the real McAfee security dashboard — displaying a virus count, subscription expiration warning, and a phone number. Unlike the real McAfee software, which delivers alerts through a system tray icon and in-app notifications, this pop-up lives entirely in the browser and can be closed with standard browser controls.

The McAfee pop-up scam succeeds because the real McAfee software does occasionally display urgent-looking notifications, creating a visual template that the scam mimics. Users who have seen genuine McAfee alerts before may not immediately recognize that a browser-delivered version is fundamentally different from an application-level one. The key distinction: real McAfee and Norton software alerts never display a phone number to call — they direct users to the application’s interface for action.

Victims who grant remote access during a fake McAfee or Norton call often end up with actual malware installed — the opposite of what antivirus software is meant to provide. Real identity theft protection monitors for the downstream signals of these attacks.

Tech support scams target specific behavioral and demographic profiles — older device users, people with a history of antivirus purchases, and those whose data appears in consumer databases.

What To Do If You Called and Granted Remote Access

Frequently Asked Questions

Log into mcafee.com or norton.com directly and check your account dashboard. Also check your bank and card statements for any charge from these companies on the stated renewal date. No matching subscription or charge = fraudulent email.
No. Legitimate renewal emails direct you to manage subscriptions at their official websites — they do not embed personal phone numbers for cancellation. A phone number in a renewal email is not standard practice and is the primary fraud indicator.
A browser-based variant displaying a fake McAfee security alert with a phone number. Real McAfee software alerts appear through the application — never as browser pop-ups with phone numbers. Close the browser tab and ignore any number shown.
No. Both are legitimate companies with no involvement. They actively combat impersonation fraud and maintain fraud reporting channels. The scams steal their brand identity — victims are being deceived by criminal operations, not by the real companies.
Log into your account at norton.com or mcafee.com and cancel through your account dashboard. Both companies offer refund policies for unwanted renewals. Contact their official support through numbers on their official websites only — never from a renewal email.