The real fraud usually happens during that call – when scammers try to extract personal data, gain remote access, or redirect money.
This article breaks down a real sample and explains how to spot it and respond safely.

What this scam is

The Norton invoice refund scam (often paired with tech-support tactics) starts with an unsolicited invoice claiming you paid for a product you never ordered.

The PDF typically highlights a “support” number and makes canceling or refunding sound urgent. If the victim calls, the scammer guides the conversation toward actions that increase risk – sharing sensitive information, installing remote-access tools, or initiating a payment under the pretence of a refund or verification.

What the invoice tries to make you believe

The sample PDF uses familiar branding and billing language to look legitimate. It claims an auto-debit subscription renewal, shows a high dollar amount, and adds a time limit to push quick action.

This combination (brand + big charge + urgency + phone number) is a strong indicator of an invoice-refund campaign.

Tip: Assess the email sender and headers first. A polished PDF does not prove authenticity.

How the Norton invoice refund scam works

Most campaigns follow a predictable flow. The fake invoice is only the opener – the attacker aims to move the target into a phone conversation where they can control the narrative.
The flowchart below illustrates the typical sequence and why the phone call is the critical risk point.

It usually starts with a simple hook: a polished-looking invoice PDF lands in your inbox, labeled “renewal” or “receipt”, with a big charge that you do not recognize. Next comes pressure – the message adds a tight deadline (often 12-24 hours) to stop you from thinking and checking calmly.

Then the trap appears: a “call support” phone number that promises a quick fix. If you call, that is where the real attack begins – the scammer tries to steer you into installing remote-access software, “confirming” card or bank details, or logging in while they watch. The safest ending is to stay off their channel: do not call, verify independently in your bank/app and the official vendor site, then report the email and delete it.

Red flags that indicate an invoice refund scam

Some signals are strong enough that a single one is often sufficient to treat the message as malicious. Others are weaker on their own but meaningful in combination.
The chart below summarizes the most common flags seen in invoice-refund campaigns.

High-confidence indicators

• Sender mismatch: the email comes from a domain that is not owned by the brand (for example, a consumer domain like @gmail.com).
• Phone-first resolution: the PDF insists you must call a phone number to cancel, dispute, or refund.
• Artificial urgency: 12-24 hour “deadlines” or “statement cutoffs” that pressure immediate action.
• No external verification: the claimed charge cannot be found in your bank/card portal or official account history.

Medium-confidence indicators

• Vague product or plan names, inconsistent formatting, or missing account identifiers you recognize.
• Long, random-looking invoice strings that are easy to generate but hard to validate.
• Generic greetings (“Hi there”) and unnatural phrasing that suggests templated content.

What to do if you receive a suspicious invoice

The safest response avoids interacting with the message and focuses on independent verification. The steps below are designed to prevent the scammer from moving the conversation onto their channel (phone, remote tools, or payment workflows).

If you have not clicked or called

1. Do not call the number and do not reply.
2. Open your banking app (or card portal) and check for a real charge.
3. If there is no charge, delete the email and mark it as spam/phishing.
4. If you want to verify anyway, type the vendor website manually and check your account there (do not use links from the email).

Operational rule: treat all contact details inside the email/PDF as untrusted until verified independently.

If you called, clicked, or installed something

1. Disconnect the device from the internet.
2. Uninstall any remote access tools you were told to install.
3. Change passwords starting with email, then banking, then everything else (from a clean device if possible).
4. Contact your bank/card issuer and explain you interacted with a refund/tech support scam.
5. Run a reputable malware scan and review browser extensions.

Reporting and verification

These official channels can be used to report scams or confirm next steps. If you are unsure about a link, type the official URL manually.

• US FTC – Report fraud: reportfraud.ftc.gov
• FBI IC3 – Internet crime reporting: ic3.gov
• Canadian Anti-Fraud Centre: antifraudcentre-centreantifraude.ca
• Norton support portal (for general verification guidance): support.norton.com

Disclaimer: This article is educational and describes common scam patterns. If you see an unexpected charge, verify it through your bank/card issuer and the official vendor account portal (not via phone numbers or links provided inside the email/PDF).

The post Fake “Norton Invoice” refund scam – anatomy, red flags, and what to do (real example) appeared first on Gridinsoft Blog.

Norton Subscription Payment Has Failed Scam Overview

The “Norton Subscription Payment Has Failed” scam is a deceptive online scheme that falsely claims a user’s Norton AntiVirus subscription has expired and cannot be renewed. Even if the user has never used this anti-malware solution. Victims see alarming messages urging them to update their payment information to restore protection.

It has no relation to Norton, a real vendor of personal cybersecurity solutions. Con actors often use well known brand names because of its recognition and reputation, which can make the users believe the story about an expired subscription is real.

To make the scam more convincing, the message often includes an enticing 50% discount offer, or other “one-time deals”. The thing is – the timers that count the time before the offer expires reset with each page reboot, a definite sign of someone trying to scam the visitors.

As it typically happens, these fraudulent pages don’t lead to anything good. 90% of the time the user receives a pseudo antivirus instead of the genuine program, or even a potentially unwanted software. Rarely, such pages can redirect people to a real Norton purchase page, but I would not recommend following that offer. Purchases made by the affiliate link, which is used in that case, give a small pay to said affiliate, meaning that one can sponsor the scammers in such a way.

What is more worrying is that the page that may look like a genuine Norton website may in fact be a counterfeit, with a lot of tracking and keylogging scripts embedded into it. In that case, typing down any personal or financial information can lead to exceptionally worrying consequences.

How Does It Work?

There are two instances of the Norton Subscription Payment Has Failed scam to talk about. The first one is when the link leads to a fraudulent site that offers nothing but a fake program. The second, a much less likely one, leads to the original Norton website. Depending on the case, the goal and tactics are different. In any case the scam operates by displaying a pop-up or landing page claiming that a user’s Norton subscription renewal has failed.

This message includes a fabricated expiration date and a call to action, pushing the visitor to update their payment details. The urgency and discount offer are psychological tactics designed to lower skepticism and provoke impulsive actions.

In the first case, the link leads to an advertising/fraudulent site that offers to download the installer, while showing copious amounts of ads. The purpose of the scam is obvious: to make money on the ads and convince the user to download the advertised program’s installer. This app may range from just an unwanted program to an outright scareware, that will block normal system operations while demanding one to buy a full version.

In a more harmless version of the scam, most often these are all sorts of “optimizers” and system cleaners. They do not directly harm the system, but during their “scanning” they show the user a lot of problems. To fix them, the user is asked to buy a license. However, all these problems are not real, and the essence of the scam is to siphon off money.

More dangerous iterations may direct users to fake login pages designed to steal credentials or to malicious software downloads disguised as Norton updates. Some may even install browser-based threats that inject more misleading ads or attempt to harvest some data.

The second variant of this scam involves promoting a legitimate product in this way. Although no harm is caused by this campaign, it is a dirty method of advertising. The essence of this campaign is for the site to receive a commission for advertising/selling the product. Norton as a brand once again has no relation to that scam; they merely buy traffic from traffic arbitrage agents, who in turn may get their hands dirty.

How To Avoid Norton Subscription Payment Has Failed Scam?

Users often encounter scams like “Norton Subscription Payment Has Failed” due to intrusive advertising practices, malvertising, or adware infections. Some compromised websites redirect visitors to such fraudulent pages, while deceptive email campaigns may lure individuals into clicking malicious links. Even seemingly legitimate ads can lead to these scams if they originate from rogue advertising networks.

To protect yourself, it is crucial to understand the main rule of using the Internet: at this stage, the web page has no way to check the license status of the anti-malware product. You should be skeptical of alarming pop-ups demanding immediate payment updates, especially if you did not initiate a subscription renewal. Always verify subscription statuses directly on the official website rather than trusting in-browser notifications or third-party messages. Pay close attention to URLs, ensuring they match the genuine Norton domain before entering any personal information.

Avoid visiting piracy-related websites, as these are notorious for spreading scam pop-ups through aggressive advertising tactics. Do not enable browser notifications from suspicious pages, and be wary of unsolicited emails requesting you to verify payments or update sensitive details. If you suspect that your device is affected by adware, run a full system scan using a reputable anti-malware tool. This will help identify and remove any unwanted applications that might be serving these deceptive messages.

The post Norton Subscription Payment Has Failed Scam appeared first on Gridinsoft Blog.

NortonLifeLock Hacked via MOVEit Vulnerability

The vulnerability in Progress’ MOVEit MFT solution set the whole cybersecurity community abuzz. It allowed hackers to send external login requests to the cloud SQL database. After a successful brute force in such a manner, the crooks were receiving full access to the web repository – meaning they could upload their files and manage existing ones. Despite the patch being released pretty soon after the vulnerability discovery, it was too late. Threat actors, particularly ones who stand behind Cl0p ransomware, successfully abused the vulnerability to breach into the companys’ networks.

NortonLifeLock company, the developer of a famous Norton Antivirus, appears to be hacked via this breach as well. Along with 80+ other companies, it was listed on the Cl0p’s Darknet leak site since the beginning of summer 2023. It is not clear though whether exactly MOVEit vulnerability was used, and if it was – which one of several uncovered ones was used.

What is Cl0p Ransomware?

Cl0p ransomware gang is a Russian ransomware project backed by the threat actor known under the FIN7/Sangria Tempest name. A lot of facts point at FIN7 being related to Russian external reconnaissance service (a.k.a. SVR). The gang is famous for its cheeky pick of targets, particular passion at hacking into educational institutions and heavy use of novice software vulnerabilities. Earlier this year, Cl0p ransomware was spread after the use of vulnerability in PaperCut – another MFT solution. Though, the list of all security breaches it uses is obviously far bigger.

Getting back to the Norton hack, in the note on the Darknet site, Cl0p said nothing about the negotiations. If the company refuses to pay, hackers disclose this fact and publish the leaked data. This is not the case of Norton – their record says only about the fact of the hack. The negotiation commonly takes up to several weeks – especially if the company is ready to pay, but wishes to discuss the ransom sum.

How to protect against MOVEit vulnerability?

For any cybersecurity company, being hacked is a big reputational loss. Even though Norton is not guilty of MOVEit vulnerabilities, they were hacked and potentially let the user information leak – and that is already image-busing. Though until the detailed info regarding how exactly it was hacked, and how much data is lost, it is hard to say whether the users suffer or not. And despite Norton being not entirely guilty in this situation, they could use several preventive measures that minimise the chances of zero-day vulnerability exploitation.

Probably, the best method for 0-day counteraction is using a zero-trust security solution. They have their disadvantages – particularly high resource consumption and higher access delays – but their effectiveness is exceptionally good. When set up properly, they will not allow any program to perform an action without the diligent checkup, and that is what could have stopped the Cl0p at the moment of MOVEit breach exploitation.

The post NortonLifeLock Hacked by Cl0P Gang, Using MOVEit Vulnerability appeared first on Gridinsoft Blog.

What is Norton Scam?

Norton scam email is a common name for dubious emails that may come to anybody, regardless if they are the users of their products or not. These emails may potentially contain different text and disguise, same as any other phishing. But the most common is a notification about the subscription purchase or renewal. People receive a message that says their card was charged with a hefty sum, and to cancel it and receive a refund you should follow the instructions. The sum varies from $200 to $1000. This is not very realistic as these emails usually come to single users, who will never buy a corporate license or a one for 10+ machines.

Still, the sum is pretty scary and attracts the user’s attention. Phishing Norton emails may occasionally contain a link to a third-party site or a contact number of tech support. Both of them, as you can already guess, have nothing to do with the real services of a company. Villains may use a single phishing page for multiple spam campaigns.

The link may be plain text, as well as inside of the button or email text. It leads you to a phishing page, that will ask for your personal information – name, email address, phone number, et cetera. In some cases, they can ask you about the bank card details, including the security code (CVV/2). Later, this information will be used against you – after selling it to a third party on the Darknet.

The Tech support number is no good as well. There, crooks who mimic the real support will try to lure out your sensitive information, same as in the case with a link. The other thing which repeats the previous method is the behavior around the collected data – they sell it on Darknet forums as well.

How dangerous is the Norton scam email?

Same as any other phishing, it aims at grabbing as much personal information as possible. At a glance, you may think it is not that bad, as you share this information with different online services too. However, most of them keep this data a secret, as there are data protection laws that punish data selling. Meanwhile, phishing actors are not bound by any kind of laws, as the very essence of phishing is outlawed.

It is unlikely to meet a benevolent person among the buyers for leaked information on the Darknet. If you’ve shared your personal information, that will be the base for more precise, spear phishing. Crooks will try to perform a more sophisticated fraud to make you pay them by mimicking a thing you’re expecting. Leaked bank card details, on the other hand, give them the ability to manage your money as they want – and they can find a way to circumvent the bank’s safety measures. Carding has become way less widespread over the last 5 years, but remains a threat.

How to avoid being fooled with email scams?

There are a few rules that will help you to detect and avoid any questionable emails. They do not require anything specific and only rely on your attentiveness. Even the most sophisticated scams cannot be 100% identical to genuine emails. When it comes to some massive mailing with low-quality phishing emails, it is very easy to bust their disguise.

Unrealistic claims or offers

Do you really think Norton will charge you without your knowledge? Or offer a 1-year license for free, just for taking part in a quiz? When the things in the letter look untrustworthy, get some other ways to verify such offers. For example, you can check your bank account and see if there were any debit operations as described in the letter. On the official Norton website, you can see if there are any active subscriptions, and also promotions or giveaways. Still, emails may repeat the promotions, but contain a different link, so you will get into a fraud either.

Email addresses

No one can copy the email addresses of genuine mailing services, used by companies. And phishing actors sometimes don’t even try to – they apply using hijacked accounts or single-use emails, created only for spamming. Hence, seeing a letter that pretends to be a message from Norton, and is sent from ol1209130@bilibili.com is already fishy. In advanced scams, crooks may try to spoof the genuine address by changing the letters with numbers, to make them harder to distinguish from real ones in haste. For example, you may witness the nort0nsupp0rt@norton.com instead of support@nortonlifelock.com. Here is the list of address domains used by Norton in their official mailing – crooks cannot use or counterfeit it in any way.

Typos and poor email design

Can you imagine official letters from a worldwide-known company, whose design is poor and the text is full of errors? Most companies hire several writers who review the patterns used for automated emails and check up on all hand-made correspondence. Seeing a genuine letter that looks like a kid’s scribble is hardly a case. Be sure that it is likely a scam; you can additionally confirm your expectations by looking for the signs we mentioned above.

The post What is Norton Scam Email? Tips to Protect Yourself appeared first on Gridinsoft Blog.