Share
BRAND IMPERSONATION

McAfee renewal scam email: is the fake $399 auto-charge invoice real? (2026)

The McAfee renewal scam email lands as a tidy receipt: "Thank you for renewing your McAfee subscription. Your card has been charged $399." It looks like billing. It is bait for a phone call.

SafeBrowz Threat Research Security ResearchJune 19, 20269 min read
Quick Take: If you get an unsolicited email or "invoice" saying your McAfee subscription auto-renewed for several hundred dollars and you do not remember buying or renewing it, treat it as a scam. It is a fake invoice, not a McAfee bill. Do not call the number in the email and do not click its links. The number leads to a fake "refund" call center that wants remote access to your computer and your bank login. The links lead to a fake McAfee sign-in page. Verify your real subscription only one way: open a new tab, type mcafee.com yourself, and sign in. McAfee's real domain is mcafee.com; the scam uses lookalike domains and non-McAfee phone numbers.

The play: a polite invoice for something you never bought

The McAfee renewal scam email is engineered to look like a legitimate receipt. Subject lines are flat: "McAfee Total Protection Subscription Renewal Confirmation," "Your McAfee Auto-Renewal Receipt," or "Order #MCF-7741082 - Payment Processed." The body shows an order number, a renewal date, a fake card last-4, a billing address, and a total around $349 to $499. Common amounts in rotation are $299.99, $349.99, $399.99, and $499.99 - high enough to panic the recipient, not so high it looks absurd.

Most variants carry two payloads. The first is a phone number, usually in bold under one line: "If you did not authorize this renewal, call within 24 hours to cancel or request a refund." The second is a link or button - "Cancel subscription" or "Get a refund" - that points to a fake McAfee login or payment page on a lookalike domain such as mcafee-billing-refund[.]com or mcafee-renewals[.]net. Some versions attach a PDF "invoice" with the phone number embedded, which slips past filters that scan only body text.

The email rarely demands a password up front. That is exactly why it works. Most people have been trained to look for obvious phishing links. A receipt with a phone number and a "cancel" button feels safe. The trap is downstream: the call, or the lookalike page.

The tech support pivot: what happens when you call

The moment you dial the McAfee subscription scam phone number, you reach an offshore call center fronting as McAfee Support. The agent is friendly and works from a script polished over thousands of calls. The FTC and FBI IC3 have both published warnings on this exact pattern. McAfee is among the brands repeatedly impersonated in subscription-refund and tech-support scams, alongside Norton; the FTC's most-impersonated list is topped by Best Buy and Geek Squad, Amazon, and PayPal.

Verification theater. The agent asks for your name, email, and the "order number," pretends to look you up, confirms the renewal went through, then says that because the charge "has already been processed," the refund has to come from the billing department. They transfer you.

Remote access. The next agent says they need to "connect to your computer" to "process the refund directly to your bank." They walk you through installing AnyDesk, TeamViewer, UltraViewer, or Quick Assist - legitimate tools that real IT teams use, abused here. Once you read out the session code, they have full control of your screen and keyboard.

The fake refund. The agent opens your online banking from inside the remote session and guides you to log in, harvesting your bank credentials. Then comes the trick: the "accidental overpayment." The agent appears to refund you but types an extra zero on the deposit field. The bank page is often a fake overlay drawn locally with HTML. "I accidentally refunded you $4,000 instead of $400. My manager will fire me. Please send the difference back."

Extraction. The "refund" was never deposited. Panicking and believing you now owe the company, you are told to send the "extra" back via gift cards, wire transfer, or cryptocurrency. All irreversible. By the time you realize the deposit never landed, the gift card codes have been redeemed.

The FBI IC3 has documented this pattern across multiple public service announcements, listing refund and recovery fraud as one of the fastest-growing tech-support subcategories, with victims over 60 a disproportionate share of the hundreds of millions of dollars in reported tech-support losses. AARP Fraud Watch tracks the same playbook rotating across McAfee, Norton, Geek Squad, Microsoft, and PayPal branding.

How real McAfee charges work

Real subscriptions are managed at mcafee.com. Genuine charges show up in three places you can verify without ever picking up the phone:

  • Your McAfee account. Sign in at mcafee.com and open My Account, which lists every real subscription with the exact product, term, and price.
  • Your card or bank statement. Real McAfee charges appear as "MCAFEE" on your statement, dated to the renewal day - not as a number you have to call.
  • The official renewal email from mcafee.com. Real McAfee emails link back to mcafee.com and name your actual subscription, and they tell you in advance that a renewal is coming rather than claiming the money is already gone.
๐Ÿ›ก LIVE CHECK

Test a suspicious link right now

Got a phishing email or text? Paste the "cancel" or "refund" link from a suspicious McAfee invoice. Our 3-layer engine (Local + APIs + AI) returns a verdict in ~3 seconds. Free, no signup.

Full scan with deep AI analysis โ†’ ยท No URL is logged to your identity.

McAfee does not cold-call customers about renewals, does not bury unfamiliar phone numbers in its receipts, and never asks customers to install AnyDesk or TeamViewer on a cold refund contact. McAfee has published consumer guidance on this exact impersonation pattern. The rule it repeats: verify by signing in to your McAfee account, not by calling a number in an email.

The 7 red flags to spot the fake McAfee invoice

If two or more match, treat the email as a scam and delete it.

  1. You never bought or renewed it. An auto-renewal charge for a subscription you do not have, or do not remember setting up, is the single biggest tell. No subscription means no charge can occur.
  2. PDF attachment with the order details. Real McAfee receipts render in the email body. A PDF "invoice" carrying the phone number dodges link-based filters - a near-certain scam signature.
  3. Urgent cancel window. "Call within 24 hours" exists to short-circuit your thinking. Real billing does not punish you for taking a day to check.
  4. Unfamiliar support number. The McAfee subscription scam phone number rarely matches the one on mcafee.com. Scammers buy fresh toll-free numbers weekly. A 1-800 prefix only means the call is free for the caller.
  5. "Payment already processed" framing. Real McAfee renewal notices say "your subscription will renew on [date]" in advance - not "we have already charged you, call to undo it."
  6. Lookalike sender or link domain. Real McAfee emails come from mcafee.com. Scam senders and "cancel" links use lookalikes such as mcafee-billing-refund[.]com, mcafee-renewals[.]net, or mcafee-secure-support[.]com, or free email providers.
  7. "Call to dispute" as the only real action. Real receipts let you manage subscriptions in your account. If the only path is the phone or a "cancel" link to an unfamiliar domain, the email exists to get you on the call or onto the fake page.

The 5-step verification before you touch the phone

  1. Open a new tab and type mcafee.com manually. Do not click any link in the email. Skip Google ad results, which can lead to spoofed sign-in pages.
  2. Sign in to your McAfee account. A real subscription will be visible. No account means no subscription means the email is not real.
  3. Check My Account โ†’ Subscriptions. Anything active is listed with exact pricing and renewal date. If nothing matches the "invoice," it is fake.
  4. If you genuinely need to contact McAfee, use the support contact on mcafee.com. Never the number in the email. Never a Google ad number. Online chat is usually faster.
  5. Report the scam. Report it to McAfee through the official channel on mcafee.com and to the FTC at reportfraud.ftc.gov, then delete it.

If you already called the number

You called but hung up before giving anything

Your number is now on a "warm lead" list and you will get follow-up calls. Block the number. Add yours to the National Do Not Call Registry at donotcall.gov. Otherwise you are unharmed.

You installed AnyDesk, TeamViewer, or UltraViewer

  1. Disconnect from the internet immediately. Unplug Ethernet, turn off Wi-Fi.
  2. Uninstall the remote-access software (AnyDesk, TeamViewer, UltraViewer, LogMeIn, Quick Assist).
  3. Run a full malware scan with Windows Defender or another reputable scanner. Scammers sometimes leave a stealth backdoor.
  4. Change banking passwords from a different device. Use your phone if the PC was compromised.
  5. Place a fraud alert with your bank. Free, lasts one year.
  6. Consider a credit freeze with Equifax, Experian, and TransUnion. Free online.
  7. File a report with FBI IC3 at ic3.gov. Even if you did not send money.

You sent money via gift cards, wire, or crypto

Recovery odds are limited but not zero. Act within minutes.

  1. Gift cards. Call the issuer (Apple, Target, Google Play, Steam) immediately. Some can freeze within 30 to 60 minutes.
  2. Wire transfer. Contact the sending bank or Western Union / MoneyGram immediately and request a recall. Only possible if not yet picked up.
  3. Cryptocurrency. File with IC3 and report to your crypto exchange. Some exchanges freeze the receiving address if reported before funds are mixed.
  4. Cash by USPS or FedEx. Postal Inspection Service can sometimes intercept in transit. Call 1-877-876-2455.
  5. Report to reportfraud.ftc.gov, IC3, and your state attorney general regardless.

Variants using the same playbook

Same script, different brand:

For any antivirus or subscription brand invoicing something you do not remember buying, run the five-step verification: type the brand's real domain, sign in, check subscriptions. The number and links in the email are never the right way to verify.

Why this scam keeps working in 2026

Three structural reasons. McAfee is a real brand with real auto-renewals, so the email is plausible to anyone who has ever owned the product. The email rarely asks for credentials directly, so it passes most spam filters. And the call-center model is patient: unlike crypto drainers that operate in seconds, the tech-support call runs 30 minutes to two hours of polite conversation, with the victim emotionally invested by the time payment is requested. FTC Consumer Sentinel reports have flagged tech-support fraud as a top complaint category for adults over 60 for several consecutive years.

The best protection is a verification habit. For any email about a charge, verify by typing the domain into a new tab and signing in. Email links and email phone numbers are never the right entry point.

How browser-layer defense fits in

The pure inbox version is hard to block at the browser because the trap is a phone call (the same call-center pivot behind the Geek Squad invoice scam). But the second payload - the "cancel subscription" or "get a refund" link - points to a fake McAfee sign-in or payment page that captures real credentials and card details. A browser-layer scanner catches that lookalike page before you type anything into it.

SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders, against a 550+ brand database including McAfee, Norton, Avast, AVG, and LifeLock. It is especially useful as a gift install for older relatives, the primary demographic this scam targets.

Frequently asked questions

Is the McAfee renewal email real or a scam?

If you did not buy or renew a McAfee subscription, an email saying it auto-renewed for several hundred dollars is a scam, not a real McAfee invoice. Real McAfee charges appear in your account at mcafee.com and on your card statement as "MCAFEE." The fastest check: open a new tab, type mcafee.com yourself, sign in, and look at My Account. If no matching subscription is listed, the email is fake. Do not call the number in it.

Did my McAfee subscription really auto-renew for $399?

McAfee does auto-renew real subscriptions, but at the price shown in your subscription details, which for most plans is well below $399. The $299 to $499 figures in these emails are designed to panic you. Sign in at mcafee.com to see your actual renewal price. If you do not have a subscription, no renewal can occur and the "invoice" is fake.

The email has a McAfee invoice phone number. Is it safe to call?

No. The number in an unsolicited McAfee invoice rarely matches the official support contact on mcafee.com. Scammers buy temporary 1-800, 1-888, and 1-877 numbers regularly, and a toll-free prefix only means the call is free for the caller, not that they are McAfee. The call leads to a fake refund call center that will ask to remote into your computer and into your bank. Verify your subscription by signing in at mcafee.com instead.

The agent asked me to install AnyDesk to process my refund. What does that do?

AnyDesk is a legitimate remote-access tool that scammers abuse to take full control of your screen and keyboard. Real McAfee support never asks customers to install remote-access software on a cold contact about a refund. Legitimate refunds process back to the original payment method automatically. If you installed it, disconnect from the internet, uninstall the tool, run a malware scan, and change your banking passwords from a different device.

They said they accidentally refunded me too much and I need to send money back. Is that a scam?

Always. The accidental overpayment trick is a standard tech-support fraud pattern and the entire reason for the remote-access step. The deposit you saw was never real, it was an overlay drawn on your bank page during the remote session. Hang up, disconnect, scan for malware, change banking passwords from another device, and report to IC3 at ic3.gov.

I called the McAfee number and gave remote access but did not send money. What now?

Act as if your machine and accounts were exposed. While accessing your computer they may have installed a backdoor or copied browser-saved passwords. Uninstall any remote-access tool, run a full malware scan, change passwords on accounts you opened during the session from a different device, place a fraud alert with your bank, and monitor your statements for 30 days. Report it to the FTC at reportfraud.ftc.gov and to FBI IC3 at ic3.gov.

Related reading

Bottom line: The McAfee renewal scam works because the email looks like a routine receipt. The trap is the phone call, the remote access, the fake refund, or the lookalike login page. Defense: never call a number in the email and never click its links. Verify by signing in to mcafee.com directly. And install a browser-layer scanner for anyone in your family who might fall for this.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches the fake-renewal lookalike domains, callback-bait patterns, and remote-access payload landing pages instantly.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge

Related reading