Antivirus Auto-Renewal Overcharge Scams
Security software companies or scammers impersonating them charge far above market rate at renewal, use alarming pop-ups to prevent cancellation, or bill for licences on devices you no longer use.
Last reviewed: 1 June 2026
What this scam is
Antivirus and security software auto-renewal overcharge scams take two distinct forms. In the first, a genuine — but commercially aggressive — security software publisher renews an annual licence at a price dramatically higher than the promotional rate you paid originally, often without adequate advance warning and relying on the security anxiety created by pop-up renewal warnings to prevent cancellation. In the second, fraudsters impersonate security software brands entirely, sending fake renewal invoices or installing rogue software that generates alarming security warnings to coerce payment.
Both forms exploit the anxiety that people naturally feel about computer security. A pop-up warning that your antivirus has expired and your computer is 'at risk' is effective at reducing rational evaluation and increasing the urgency to pay quickly. The emotional state of believing your device is unprotected is a powerful lever.
Legitimate security software companies do use auto-renewal and do send expiry warnings. What distinguishes the scam versions is the severity of the overcharge — sometimes three to four times the new-subscriber price — combined with inadequate pre-renewal notice and high-friction cancellation processes. The fraudulent impersonator version goes further, generating fake security alerts, creating fake billing portals, and in some cases installing rogue software that cannot be removed without following the scammer's instructions.
The overlap between legitimate aggressive billing and outright fraud in this category means that even genuine security software publishers can exhibit practices that verge on manipulative.
How it works
For the overcharging variant: you purchased security software at a promotional rate — perhaps reduced significantly from the standard price. Auto-renewal was enabled by default. A year later, the software renews automatically at the full standard price, which may be several times the promotional rate. You receive an email notification, but the price is shown in a position and type size that are easy to miss. A large charge appears on your bank statement.
When you contact the company to cancel and request a refund, you are told that auto-renewal was disclosed at purchase, the charge is valid, and a refund is not available. You may be offered a partial refund or a discount to renew rather than a full refund.
For the impersonator variant: you receive an alarming pop-up warning or email stating that your antivirus licence has expired and your computer is infected or at risk. The warning uses the branding of a well-known security software company. A phone number or link is provided to 'renew immediately'. Calling the number connects you to a fraudster who offers to renew your licence and may also offer to 'remove the threats' on your computer remotely — gaining access to your device in the process. Payment is taken by card, and no genuine security software is delivered.
Why this scam works
Security pop-ups and warnings about computer threats create a fear response that bypasses the slow, deliberate thinking that would normally be applied to an unexpected financial demand. The combination of a trusted brand name and a frightening message creates a sense of emergency. Victims call the number or click the link before verifying whether the warning is genuine — exactly the response the scammer requires.
Common red flags
- Renewal charge significantly higher than your first-year price
- Alarming pop-up warning about expired or compromised security software
- Pop-up or email includes a phone number to call for immediate renewal
- Renewal email or pop-up uses urgent language about imminent risk
- Charge appears without adequate pre-renewal warning
- Caller offers remote access to your computer to remove security threats
- Invoice comes from an email domain not matching the official software company
- Renewal portal URL does not match the software company's official domain
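For help desks and mail-filter maintainers, the sketch below turns four of the red flags above into a triage check on a renewal notice. It is an added example, not code from this page or from any vendor; the function names, the phrase list, and the sample messages and domains (`vendor.example`, the `.test` hosts, the phone number) are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# Phrases taken from the sanitized sample messages on this page.
URGENT = ("urgent", "immediately", "at risk", "before midnight")


def belongs_to(host, official):
    """True only for the official domain itself or a real subdomain of it.

    A plain substring test would accept vendor.example.renew-portal.test,
    which merely starts with the brand's domain.
    """
    host, official = host.lower().rstrip("."), official.lower()
    return host == official or host.endswith("." + official)


def renewal_red_flags(sender, body, official_domain):
    """Return the red flags a renewal notice raises (empty list if none)."""
    flags = []
    sender_host = parseaddr(sender)[1].rpartition("@")[2]
    if not belongs_to(sender_host, official_domain):
        flags.append("sender_domain_mismatch")
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(body)]
    if any(not belongs_to(h, official_domain) for h in hosts):
        flags.append("link_domain_mismatch")
    text = URL_RE.sub(" ", body)  # keep digits in URLs out of the phone check
    if PHONE_RE.search(text):
        flags.append("phone_number_to_call")
    if any(phrase in text.lower() for phrase in URGENT):
        flags.append("urgent_language")
    return flags


# Constructed samples: (sender, body). Not real messages.
SUSPICIOUS = (
    "Vendor Billing <renewals@vendor.example.billing-desk.test>",
    "URGENT: your protection has expired. Renew now at "
    "https://vendor.example.renew-portal.test/pay or call +1 202 555 0100 immediately.",
)
GENUINE = (
    "renewals@mail.vendor.example",
    "Your annual licence renews on 1 July. Manage your subscription at "
    "https://account.vendor.example/subscriptions",
)
```

An empty result does not prove a notice is genuine, and a single flag such as urgent wording also appears in legitimate expiry warnings; the output is a prompt to check the application itself.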
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
WARNING: Your [Security Software] protection has expired. Your computer is at risk. Renew now at [fake link] or call [number].
Your [Security Software] annual licence has been renewed at [amount]. To review your subscription, visit [link].
URGENT: [Security Software] has detected [number] threats on your device. Call [number] immediately to renew and remove threats.
Your [Security Software] subscription renews in 24 hours at [amount]. To cancel, call [number] before midnight.
Invoice: [Security Software] Licence Renewal — [amount]. If you did not authorise this, call [number] to dispute.
Common variations
- Promotional rate to full-price shock — first year at deep discount, renewal at standard rate without adequate notice
- Fake security pop-up — rogue website or malware generates warnings impersonating genuine software
- Cold call renewal — caller claims your licence has expired and offers to renew by phone
- Fake refund scam — invoice for a renewal you did not make, with a number to call to dispute and cancel
- Multi-device overcharge — renewal charged for a device count higher than your actual number of devices
How to verify before you act
Never act on a pop-up warning about security software without first opening the application directly from your desktop. Genuine security software shows its real status inside the application — it does not rely solely on browser pop-ups or cold calls. If your security software is genuinely due to renew, the renewal option will be available inside the application's settings.
Payment methods used
- Card
- Recurring card billing
- Payment apps
Who is usually targeted
- Existing users of security software approaching renewal
- Older adults who rely on their security software and fear expiry
- Home computer users with limited experience verifying renewal notices
- Anyone who received a heavily discounted first-year security software offer
What to do immediately
- Do not call any number shown in a pop-up warning or email about security software
- Open your security software directly from your desktop to check its genuine status
- If you have been overcharged at renewal, contact the company through their official website to request a refund or price match
- If a stranger was given remote access to your computer, disconnect from the internet immediately and seek professional help
- Contact your bank if any card charges were made through a suspicious renewal portal
- Report fake security warning pop-ups to your national cybercrime authority
How to prevent it
- Note the first-year promotional price and check what the renewal rate will be before purchasing
- Disable auto-renewal and set a manual reminder to compare prices before renewing
- Never call a phone number shown in a security warning pop-up
- Verify security software status by opening the application directly, not from links or pop-ups
- Compare the renewal price against new-subscriber pricing before paying — ask for a price match
- Keep records of your software licences and renewal dates
Evidence to preserve
- Screenshot of any pop-up warning
- The original purchase confirmation showing the first-year price
- Bank statement showing the renewal charge
- Any email renewal notice received
- Screenshot of the URL of any website visited in connection with the renewal
- Records of any contact with the company about the charge
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
My antivirus charged me much more than I paid originally — is this legitimate?
It may be technically authorised if auto-renewal at the standard price was disclosed in the original terms — but many people successfully negotiate a refund or a price match to the new-subscriber rate by contacting customer service. Contact the company through their official website and ask explicitly for a refund or price match. If they decline, your bank may be able to process a chargeback if the renewal price was not adequately disclosed.
A pop-up says my antivirus has expired and my computer is infected — what should I do?
Do not call any number shown in the pop-up and do not click any links in it. Close the browser or window. Open your security software directly from your desktop or taskbar to see its genuine status. If you do not have security software installed, visit the official website of a reputable provider by typing the URL directly. Many browser pop-ups claiming your computer is infected are themselves the threat.