Beware the PayPal “Invoice from Norton Antivirus LLC” Scam

A dangerous phishing scam has emerged targeting PayPal users through a fake email invoice. Scammers are sending emails with the subject “Invoice from Norton Antivirus LLC” claiming users owe $399 for a Norton purchase. The email provides a fraudulent phone number and tells recipients to call for any issues. However, the number connects to scammers posing as PayPal support to steal financial and personal information. This scam is rampant and fooling many unsuspecting victims. Read on to understand how the scam works, what to do if you are targeted, and how to stay safe from PayPal phishing attempts.

Scam Overview

This scam starts with an email claiming to be an invoice from Norton Antivirus LLC for $399 for a fake Norton purchase made through PayPal. The email provides a phone number and instructs recipients to call for any issues.

However, the email and invoice are fraudulent. The scammers’ goal is to get victims to call the number so they can pretend to be PayPal support. They use various tactics to gain remote access to victims’ computers and steal financial information.

Once on the phone, the scammers may say the charge was an error and they want to refund the money. But first they need to confirm some details and access the computer to process the refund. The scammers direct victims to a website or application that allows remote control of the computer.

With access, the scammers can steal stored passwords and financial information. They may also install malware that allows them to continue spying on victims.

In addition to remote access, the scammers may use other tricks like:

  • Asking for credit card numbers to process a refund or a fee for their “support services”
  • Tricking victims into installing fake antivirus software that infects the computer
  • Getting victims to log into their online banking accounts so the scammers can watch them enter credentials
  • Directing users to fraudulent websites cloned to look like PayPal to harvest account logins
  • Convincing victims to buy worthless or overpriced tech support plans and software utilities

This scam starts with a simple phishing email but can balloon into extensive identity theft and financial fraud if victims engage with the scammers. The phone call often opens the door to major damage through stolen account access, remote computer control, and social engineering.

How the PayPal Norton Scam Works

This is a step-by-step breakdown of how the scam unfolds:

The Phishing Email

The scam starts with an email sent to thousands of potential victims. The subject line is “Invoice from Norton Antivirus LLC.” The sender name also shows Norton Antivirus LLC.

The email body claims the recipient paid $399 to Norton LLC through PayPal for a purchase made that day. It provides the phone number 888-279-2416 to call for any issues.

The email may include the PayPal logo and colors to appear more legitimate. However, it is sent from a spoofed email address, not from PayPal.
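
The traits described in this section can be checked automatically by a mail filter. The following Python sketch is an added example, not code from PayPal or Norton. The sample message is constructed from the description above, the sender address is a placeholder, and the brand-to-domain table is an assumption for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the email described above; the sender
# address is a made-up placeholder, not taken from a real message.
SAMPLE = """\
From: Norton Antivirus LLC <billing@invoices.example>
To: user@example.org
Subject: Invoice from Norton Antivirus LLC
Content-Type: text/plain

You paid $399.00 USD to Norton LLC using PayPal today.
If you did not make this purchase, call 888-279-2416.
"""

# Assumed mapping of brand names to the domains they legitimately send from.
BRANDS = {"paypal": "paypal.com", "norton": "norton.com"}
PHONE = re.compile(r"\b\d{3}[\s.-]\d{3}[\s.-]\d{4}\b")

def _under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def callback_phishing_indicators(raw):
    """Return the indicator names found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{display} {subject} {body}".lower()
    named = [d for brand, d in BRANDS.items() if brand in text]
    # Only trust Authentication-Results stamped by your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    hits = []
    if named and not any(_under(domain, d) for d in named):
        hits.append("brand-mismatch")          # brand named, foreign sender
    elif named and "dmarc=pass" not in auth:
        hits.append("unauthenticated-brand-sender")  # From may be spoofed
    if re.search(r"\binvoice\b", subject, re.I):
        hits.append("invoice-subject")
    if PHONE.search(body) and re.search(r"\bcall\b", body, re.I):
        hits.append("callback-number")         # lure is a phone call
    return hits
```

A message that names PayPal or Norton, comes from an unrelated or unauthenticated sender, and asks the reader to call a number matches the pattern this article describes.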

The Initial Scam Phone Call

When victims call the number, the scammers answer the phone posing as PayPal customer support agents. They ask for information like name, email address, and partial account number to build trust.

The scammers apologize for the erroneous Norton charge and claim they need to cancel the invoice and refund the money. But first they must “verify the account” before processing the refund.

Gaining Remote Computer Access

The scammers direct victims to a website and instruct them to download a remote access tool. This allows the scammer to control the victim’s computer remotely.

They may say they need to connect to process the refund or make sure no other suspicious activity is occurring. But this access allows them to spy on victims.

The scammers may also direct users to log into their online bank accounts while watching the credentials entered.

Stealing Personal and Financial Information

With remote access, the scammers can now search the computer for sensitive information such as:

  • Saved passwords, financial documents, tax returns
  • PayPal session cookies, account numbers
  • Online banking usernames and passwords
  • Credit card numbers, CVV codes, expiration dates
  • Social Security Numbers, driver’s license numbers
  • Passport numbers, birth certificates

The scammers may also install keylogging malware to continue harvesting data after the call.

Charging Fraudulent Fees

In addition to stealing information, the scammers may charge victims money in various ways:

  • Asking for credit card information to collect a fee for the refund or tech support services
  • Tricking the victim into buying fake antivirus software, worthless subscriptions, or overpriced computer tune-ups
  • Having victims log into online banking to make wire transfers to accounts controlled by the scammers
  • Leveraging remote access to transfer money out of online bank accounts

Further Fraudulent Activity

With the sensitive details obtained, the scammers may:

  • Access and drain the victim’s PayPal account
  • Take over other online accounts by resetting passwords
  • Open fraudulent credit cards or bank accounts to steal money
  • File fake tax returns and collect refunds in the victim’s name
  • Damage the victim’s credit and commit wider identity theft

Just one phone call gives the scammers enough access and information to inflict huge financial and identity theft damages.

What to Do If You Receive the Scam Email

If you receive an email claiming to be a PayPal invoice from Norton Antivirus LLC, do not call the provided phone number. Here are the steps to take:

  • Forward the scam email as an attachment to phishing@paypal.com to report it. PayPal tracks these scams and works with authorities.
  • Do not reply to the email, click any links within it, or call the number. These actions confirm an active target to scammers.
  • Check your PayPal account history to identify any unauthorized activity. Log in directly through the PayPal website or mobile app.
  • Change your PayPal password if you feel your account may be compromised. Avoid reusing old passwords.
  • Review connected payment sources like bank accounts or credit cards for unauthorized charges. Contact institutions to dispute fraudulent activity.
  • Place an initial fraud alert on your credit through one of the three credit bureaus. This flags potential identity theft issues.
  • Monitor your credit reports and financial accounts closely for signs of misuse of your information.

What to Do If You Already Called the Scammers

If you already called these scammers and provided personal or financial details, take these steps immediately:

  • Contact PayPal to inform them your account is compromised. Reset your password or close the account if unauthorized activity occurred.
  • Change passwords on any other financial accounts that used the same login credentials.
  • Work with your bank and credit card company to freeze accounts, dispute charges, and issue new cards.
  • Place an extended fraud alert on your credit, which locks your reports from new accounts for 7 years.
  • Monitor all your financial accounts and credit reports for fraudulent activity. Check reports from Equifax, Experian and TransUnion.
  • Consider filing an identity theft report with the FTC and your local police station. This aids recovery efforts.
  • Contact the IRS to discuss potential identity theft if scammers have your SSN and date of birth.
  • If you suspect your device is infected with malware, you should run a scan with Malwarebytes Anti-Malware.

Recovering from Identity Theft

If scammers steal and abuse your personal information, undoing the damage can be complex. Key steps include:

  • Filing a complaint with the FTC to activate an Identity Theft Report.
  • Placing a credit freeze with all three credit bureaus to restrict access to your credit reports.
  • Contacting affected financial institutions and government agencies to report fraudulent activity. Provide an Identity Theft Report.
  • Closing newly opened fraudulent accounts and correcting false information added to your reports.
  • Responding to all contacts promptly to resolve identity theft issues before they multiply.
  • Using the FTC sample letter templates to dispute unauthorized debts or credit issues.
  • Being patient and persistent to clear up your credit and accounts. It can be a lengthy process.

10 FAQs About the PayPal Norton Scam

1. Will Norton actually invoice me via PayPal?

No. Legitimate Norton purchases and renewals happen directly through Norton.com, not via PayPal invoices. Norton will never threaten suspension or send a random PayPal bill.

2. Does PayPal call customers about invoice issues?

No. PayPal does not make outbound calls about account issues. Any call claiming to be PayPal support related to an invoice is a scam.

3. Can PayPal see the scam email I received?

No. PayPal cannot see emails that were sent to you directly by scammers. Forward the scam email as an attachment to phishing@paypal.com so they have a copy.

4. What details should I never share over the phone?

Never share your PayPal password, credit card numbers, bank account details, SSN, or other personal info with an unsolicited caller claiming to be PayPal. Real PayPal staff will never ask for these details.

5. If I paid the fake Norton invoice, can PayPal refund me?

Unfortunately, PayPal cannot refund money lost to scams conducted outside its platform. If you paid a scam invoice via bank transfer, you need to work with your bank to attempt recovery.

6. Can I tell if my account was accessed by calling PayPal?

Yes. Contact PayPal directly through their official customer service lines. They can review activity on your account and help you identify unauthorized access or charges.

7. Should I change my PayPal password if I suspect a scam?

Yes, immediately. Even if you did not divulge your password, you should reset it if you have reason to believe your account security was compromised.

8. How long does it take to resolve identity theft issues?

It takes an average of 200 hours of work over 7 months to undo identity theft damage, according to the Identity Theft Resource Center. It requires persistence.

9. Can PayPal compensate me if I lost money to a scam?

Unfortunately, PayPal does not cover money lost due to providing sensitive account information to scammers. Your bank may be able to help recover stolen funds.

10. Where can I learn more about PayPal phishing scams?

PayPal provides excellent resources about identifying and avoiding current phishing scams at their Security Center: www.paypal.com/us/smarthelp/article/how-can-i-tell-if-an-email-requesting-information-is-legitimate-faq3176.

In Summary…

The “Invoice from Norton Antivirus LLC” phishing scam targeting PayPal users is deceiving victims into surrendering account access and sensitive personal data. If you receive this scam email, report it to PayPal immediately. Do not call the provided number or reply to the email. Check your account for unauthorized activity and reset your password. With caution, awareness, and swift action, PayPal users can avoid being scammed and protect their identities.

10 Rules to Avoid Online Scams

Here are 10 practical safety rules to help you avoid malware, online shopping scams, crypto scams, and other online fraud. Each tip includes a quick “if you already got hit” action.

  1. Stop and verify before you click, log in, download, or pay.

    Most scams win by creating urgency. Verify using a trusted method: type the website address yourself, use the official app, or call a known number (not the one in the message).

    If you already clicked: close the page, do not enter passwords, and run a malware scan.

  2. Keep your operating system, browser, and apps updated.

    Updates patch security holes used by malware and malicious ads. Turn on automatic updates where possible.

    If you saw a scary “update now” pop-up: close it and update only through your device settings or the official app store.

  3. Use layered protection: antivirus plus an ad blocker.

    Antivirus helps block malware. An ad blocker reduces scam redirects, phishing pages, and malvertising.

    If your browser is acting weird: remove unknown extensions, reset the browser, then run a full scan.

  4. Install apps, software, and extensions only from official sources.

    Avoid cracked software, “keygens,” and random downloads. During installs, choose Custom/Advanced and decline bundled offers you do not recognize.

    If you already installed something suspicious: uninstall it, restart, and scan again.

  5. Treat links and attachments as untrusted by default.

    Phishing often impersonates delivery services, banks, and popular brands. If it is unexpected, do not open attachments or log in through the message.

    If you entered credentials: change the password immediately and enable 2FA.

  6. Shop safely: research the store, then pay with protection.

    Be cautious with brand-new stores, “closing sale” stories, and prices that make no sense. Prefer credit cards or PayPal for dispute options. Avoid wire transfers, gift cards, and crypto payments.

    If you already paid: contact your card issuer or PayPal quickly to dispute the transaction.

  7. Crypto rule: never pay a “fee” to withdraw or recover money.

    Common patterns include fake profits, then “tax,” “gas,” or “verification” fees. Another is a “recovery agent” who demands upfront crypto.

    If you already sent crypto: stop paying, save evidence (wallet addresses, TXIDs, chats), and report the scam to the platform used.

  8. Secure your accounts with unique passwords and 2FA (start with email).

    Use a password manager and unique passwords for every account. Enable 2FA using an authenticator app when possible.

    If you suspect an account takeover: change passwords, sign out of all devices, and review recent logins and recovery settings.

  9. Back up important files and keep one backup offline.

    Backups protect you from ransomware and device failure. Keep at least one backup on an external drive that is not always connected.

    If you suspect infection: do not connect backup drives until the system is clean.

  10. If you think you are a victim: stop losses, document evidence, and escalate fast.

    Move quickly. Speed matters for disputes, account recovery, and limiting damage.

    • Stop payments and contact: do not send more money or respond to the scammer.
    • Call your bank or card issuer: block transactions, replace the card if needed, and start a dispute or chargeback.
    • Secure your email first: change the email password, enable 2FA, and remove unfamiliar recovery options.
    • Secure other accounts: change passwords, enable 2FA, and log out of all sessions.
    • Scan your device: remove suspicious apps or extensions, then run a full malware scan.
    • Save evidence: screenshots, emails, order pages, tracking pages, wallet addresses, TXIDs, and chat logs.
    • Report it: to the payment provider, marketplace, social platform, exchange, or wallet service involved.

These rules are intentionally simple. Most online losses happen when decisions are rushed. Slow down, verify independently, and use payment methods and account controls that give you recourse.
