Phishing campaigns impersonate Norton, McAfee, and Malwarebytes constantly — fake "your subscription expired" emails, fraudulent calendar invites, and pop-ups with bogus billing numbers. The fastest defense is knowing your real renewal date so anything else stands out.
Run every "your antivirus expired" message through these before clicking anything.
Must end in the vendor's actual domain: @norton.com, @mcafee.com, @bitdefender.com, @malwarebytes.com. Anything else — even close lookalikes like norton-billing.com — is a scam.
Real vendor renewal emails do not include phone numbers for "billing support". Scams almost always do, often with a toll-free format that looks helpful.
Hover over any button or link before clicking. It must go to the vendor's actual site. If the URL is anything else, do not click — even if the button text says "norton.com".
Open a fresh browser tab. Sign in to your vendor account directly. Check the actual subscription status there. If the email contradicts your account, it is fake.
If you know your real renewal date, every fake "expired" alert stands out instantly.
Done in seconds. No sign-up required.
An email arrives saying your Norton, McAfee, or Geek Squad antivirus has been auto-renewed for $300–$600. The email includes an "invoice" attachment and a phone number to call if you want to cancel the charge. The phone number connects to scammers who try to talk you into giving up remote access to your computer. EECU's published warning on the Norton renewal email scam describes this pattern — it is a known phishing operation, not isolated incidents.
A browser tab opens (often after visiting a malicious or compromised website) with an urgent red banner saying your antivirus subscription has expired and your computer is at risk. The pop-up has a countdown timer, prompts you to download "security software" from the browser, and lists a phone number for "immediate support". McAfee's own guide on fake antivirus alerts lists every one of these as a scam tell.
Newer and harder to spot: a calendar invite drops into your Google or Outlook calendar from a sender impersonating Malwarebytes (or another vendor) with a "renewal notice" that includes a fake billing number to call. Malwarebytes published a public warning about this scam in March 2026. Calendar invites bypass spam filters more easily than emails, which is why scammers have moved to this format.
The reason scams work is that most people do not actually know when their antivirus renews. So a "your subscription expired" message arrives, the user has no anchor to compare against, and the urgency does the rest of the work.
A reminder you set 30 days before the real renewal date inverts that. You know the date. When a phishing email or pop-up arrives with a different date, you notice immediately. When the real vendor email arrives at the right time, you have already decided what to do. The unsolicited messages stop having power because your calendar is the source of truth, not the inbox.
For where to find your actual renewal date in each major vendor's app, see how to check when your antivirus expires. For the cancellation steps if you decide not to renew, see cancelling antivirus auto-renewal before billing. This page is part of the antivirus renewal reminder pillar.
Check four things: the sender domain (must end in the vendor's real domain — norton.com, mcafee.com, bitdefender.com), the wording (real vendor emails do not include phone numbers for "billing support"), the link target (hover before clicking — it should go to the vendor's actual site), and your vendor account directly (sign in separately and verify the date).
These two have the largest installed base of paid users, including many older users who came with the antivirus pre-installed. Norton and McAfee renewals also command higher prices, which makes a fake invoice harder to question. Malwarebytes has been a recent target as well — Malwarebytes flagged a fake calendar-invite scam impersonating its own renewal notices in March 2026.
Often, no. McAfee's own guide on fake antivirus alerts lists the tells: urgent countdown timers pressuring immediate action, grammar errors or misspellings, fake phone numbers for "immediate support", and prompts to download software from a web browser instead of your installed antivirus. Real expiration notices come from inside the antivirus app, not from a browser pop-up.
Close the browser tab without entering any information. If you entered card details, contact your bank immediately and freeze the card. Run a full scan with your installed antivirus or Windows Defender. Change passwords on accounts you use the same email or password for. Do not call any phone number that appeared in the scam — it is part of the same operation.
Almost certainly. Malwarebytes published a warning in March 2026 about scammers sending fake calendar "renewal" notices impersonating Malwarebytes to trick victims into calling a fake billing number. Decline the invite, do not call any number in it, and report it as phishing inside your calendar app.
Because you know the real date. When you receive a "your subscription expired" email or pop-up, you can compare it to the date you set yourself. If the dates do not match, it is not legitimate. You stop reacting to whatever message arrives in the inbox and start reacting to your own calendar.
Set a reminder for your real renewal date and every fake 'expired' email instantly stops being convincing. Free, no account, takes 30 seconds.
Set Real Renewal ReminderLast modified: