Incident Response Guide

I Got a Fake Invoice Email

You received an email claiming you owe money for something you didn't order. Here's what it is, what to do, and — most importantly — what not to do.

Updated 7 May 2026

What Is a Fake Invoice Email?

A fake invoice email is a scam message designed to frighten you into calling a phone number or clicking a link by claiming you owe money for something you never bought.

They typically look like legitimate invoices from companies you recognise — Norton, McAfee, PayPal, Apple, Amazon, Geek Squad — and claim you’ve been charged a large amount (often €200–€500) for a subscription or service renewal.

The email is fake. You have not been charged anything. The goal is to panic you into reacting before you think.


The Single Most Important Rule: Do Not Call the Number

Almost every fake invoice email contains a phone number to call if you “didn’t authorise this charge.”

Do not call it. This is the trap.

The number connects to scammers posing as customer service. Their goal is to:

  • Convince you to give them remote access to your computer (so they can steal your files, passwords, and banking details)
  • Get your credit or debit card number to “process a refund”
  • Keep you on the phone while they empty your accounts

Legitimate companies do not ask you to call a number in an invoice email to cancel a charge.


Common Types You May Have Received

These are the most frequent fake invoice scams targeting regular users:

Norton / McAfee / antivirus renewal

An email claiming your antivirus subscription has auto-renewed for €299–€499. Includes a phone number to call to cancel. Neither Norton nor McAfee will email you a large unexpected charge with a call-back number.

PayPal invoice

A scammer uses PayPal’s own invoicing system to send you a real-looking payment request from a fake business name. The invoice arrives from a genuine PayPal email address, which makes it especially convincing. Check your actual PayPal account — you will see no such pending payment.

Apple / iTunes / App Store receipt

An email that looks exactly like a real Apple receipt, claiming you were charged for an app, subscription, or in-app purchase. Check your actual purchase history at appleid.apple.com — if the charge isn’t there, the email is fake.

Amazon order confirmation

A fake order confirmation for items you didn’t buy, with a link to “cancel the order.” The link leads to a phishing page that steals your Amazon login.

“Your package couldn’t be delivered” + invoice

A message claiming a package is waiting for you and you owe a small fee to release it. Small amounts feel more believable, but the link leads to a fake payment page.


What Happened? What Should You Do?

You received the email but haven’t done anything yet

Good. Mark it as spam and delete it. You do not need to respond, cancel anything, or verify anything. No action is required on your part.

If you want to be certain no charge was made, log in to your actual account at the company’s official website — type the address yourself, do not use any link in the email. Check your recent transactions there.


You called the phone number

Act now.

If the person on the phone asked you to:

  • Install remote access software (AnyDesk, TeamViewer, UltraViewer, or similar) — assume your computer has been accessed. Disconnect it from the internet immediately (turn off Wi-Fi or unplug the cable), then run a full malware scan. Change the passwords for your email, banking, and any other accounts that were open while they had access.
  • Provide your card number or banking details — call your bank immediately and tell them your card details were given to a scammer. Ask them to block your card and monitor for suspicious transactions.
  • Stay on the phone for a “refund” that required your banking login — this is a common technique where scammers “accidentally overpay” the refund and then ask you to send the difference back. Contact your bank immediately.

If you’re unsure what was shared, call your bank anyway — it’s always better to report early.


You clicked a link

If you clicked a link and were taken to a page that looked like PayPal, Amazon, Apple, or another service — check whether you entered any login credentials or payment details.

  • If you entered a password: change it immediately on the real website, then change it on any other account where you use the same password. Use our password generator to create new ones.
  • If you entered card details: call your bank and report it.
  • If you only looked at the page and closed it: run a malware scan on your device as a precaution.

You already paid

Call your bank immediately. Explain that you were scammed into making a payment. Ask them to:

  • Attempt to reverse or recall the transfer
  • Block further charges from the same source
  • Issue a new card if your card details were involved

The sooner you call, the better the chance of recovery. Banks handle fraud cases regularly — don’t hesitate.

Also report the scam to your national consumer protection authority or cybercrime reporting centre. They track these operations and may be able to assist.


How to Tell If an Invoice Email Is Real

When in doubt, use this checklist:

  • Log in to your account directly — type the company’s web address yourself and check your purchase history or recent charges. If there’s no charge there, the email is fake.
  • Check the sender address carefully — scammers use addresses like billing@norton-renewals.com or support@paypa1.com. The real company’s domain is always exactly right (paypal.com, apple.com, etc.).
  • Hover over any links before clicking — the destination URL will appear at the bottom of your browser window. If it doesn’t match the company’s real domain, don’t click.
  • Look for your name — legitimate invoices from services you use will usually address you by name. “Dear Customer” is a red flag.
  • There is no urgency in real invoices — phrases like “respond within 24 hours or the charge will be final” are pressure tactics, not real billing procedures.
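
The same checklist written as a mail-triage check, for anyone filtering a shared or family mailbox (an added example, not part of the original guide). The brand allow-list, the patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: allow-list of each brand's real domain; extend for the services you use.
BRAND_DOMAINS = {"paypal": "paypal.com", "apple": "apple.com",
                 "amazon": "amazon.com", "norton": "norton.com"}
URGENCY = re.compile(r"within \d+ hours|charge will be final", re.I)
GENERIC = re.compile(r"dear (customer|user|member)", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
LINK = re.compile(r"https?://[^\s\"'<>]+")

def on_domain(host, real):
    """True only for the real domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == real or host.endswith("." + real)

def triage(raw):
    """Return the checklist red flags found in a plain-text email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    flags = []
    if brand:
        real = BRAND_DOMAINS[brand]
        if not on_domain(sender_host, real):
            flags.append(f"sender domain {sender_host} is not {real}")
        for url in LINK.findall(body):
            host = urlparse(url).hostname or ""
            if not on_domain(host, real):
                flags.append(f"link points to {host}, not {real}")
    if PHONE.search(body):  # call-back number: the main trap
        flags.append("call-back phone number in body")
    if GENERIC.search(body):
        flags.append("generic greeting")
    if URGENCY.search(body):
        flags.append("urgency language")
    return flags

# Constructed sample message (not a real email).
SAMPLE = """From: PayPal Billing <support@paypa1.com>
Subject: Invoice for your renewal

Dear Customer,
You were charged EUR 399.99. Respond within 24 hours or the charge will be final.
To cancel call +1 (555) 010-0199 or visit https://billing.example/cancel
"""
```

An invoice sent through PayPal's own invoicing system passes the sender check, so the call-back number and urgency flags are the ones that matter there.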

What NOT to Do

  • Do not call any phone number in the email
  • Do not click any links — go to the website directly instead
  • Do not reply to the email — it confirms your address is active
  • Do not open any attachments — PDFs and Word files in invoice scam emails can contain malware
  • Do not pay anything before verifying the charge exists on your actual account

Report It

Reporting takes a few minutes and helps protect others.

  • Mark the email as spam/phishing in your email client
  • Forward to the real company if it impersonates a known brand (e.g. spoof@paypal.com for PayPal fakes, reportphishing@apple.com for Apple fakes)
  • Report to your national cybercrime or consumer protection centre — most countries have an online form

Prevention Checklist

  • Never call a phone number listed in an unexpected invoice email
  • Always verify charges by logging into your account directly — never through a link in an email
  • Use different passwords on every account (use our password generator)
  • Enable two-factor authentication on email, PayPal, Apple ID, and Amazon
  • Be especially cautious with unexpected emails claiming large charges — that urgency is deliberate