How to Spot Fake Antivirus Renewal Scam Emails
Fake, scam, and phishing emails and text messages cheat people out of thousands of dollars each day, millions each year. Learning to spot such fake messages isn't always easy.
In particular, fake antivirus renewal scams have become very common. Read on for my advice on how to spot them and protect yourself.
General indicators of a scam message
These are a number of common elements that can indicate that a message is fake, including:
- The "From" address does not match the company name. For example, if "Norton Customer Service <email@example.com>" was in the "From" field, while that initial "human name" portion looks convincing, would the longstanding global company that makes Norton Antivirus really send you an email from a Gmail address?
- The message body is phrased to scare you and then rush you into action, claiming that they will save you. For example. "Your computer is vulnerable to attack NOW! Click or tap this link or call this number TODAY to protect yourself again!"
- The domain name in the link they want you to click does not match the company name. For example, "http://www.norton.protectyou8592.com/abc/xyz" is NOT a link into the real Norton website. To spot the domain name in a link, look for the first single-slash; here, it's between the ".com" and "abc" elements. Then, read the previous two components immediately before that single slash; here, it's "protectyou8592.com" which is NOT the real "norton.com" domain name.
The sender may have hidden the full web address of the link that they want you to click underneath a phrase like "click here." Some scammers go even farther, displaying one safe-looking underlined web address (like "www.norton.com") that hides the very different malicious address underneath it that you'll land on if you click (like "www.norton.protectyou8592.com"). See below under "Protecting yourself" to learn how to reveal such a hidden address.
Specific indicators of a fake antivirus renewal scam
The two most common variations of this particular scam are phrased like these examples:
- "Your protection has EXPIRED! Click or call to renew and get protected again."
- "Thanks for renewing, you've been charged $300 [or some other, very large amount]. Click or call if this was an error or you want to cancel."
Both of these are designed to scare you into clicking their link or calling their number. They will then try to convince you to give them your credit card number and other personal information, which in turn will probably enable them not only to steal your money, but possibly also your identity.
There are a number of things you can do to protect yourself, including:
- Look carefully at the raw email address in the "From" field. Unfortunately, not every email program displays that by default; in the example above, such programs would only display that fake "Norton Customer Service" name. If your email software doesn't show the sender's actual email address every time, learn how to make it visible.
- In order to reveal the real web address that may be hidden underneath a (typically underlined) link, in many computer email programs you can simply hover your mouse cursor (without clicking) over that underlined word. On a smartphone or tablet you can typically see the full web address of such a link by tapping-and-holding on that underlined word.
- Know the name of your current Windows or Macintosh antivirus software (if any), and (if it isn't free) its annual cost, the date when your current subscription will expire next, and whether it will auto-renew on your credit card or not. Write that information on a note on your desk, in an easy-to-find document in your computer, or in the Notes app on your iPhone, iPad, or Android, so you can be prepared if you receive this type of scam message. Popular antivirus programs include Avast, AVG, Avira, Bitdefender, McAfee, Norton, VirusBarrier, Webroot, and Windows Security (formerly Windows Defender), which is built into Windows 10 and 11.
- There are many free online articles and courses where you can learn to spot scam and phishing messages and websites. See "Where to go from here" below for more information.
If any of this is too difficult or complicated for you to manage on your own, talk to someone you know and trust to help you.
Where to go from here