In March 2021, fake renewal emails for Norton Internet Security landed in inboxes and spam folders, warning that devices were infected with viruses. An example email had the subject line: "your norton subscription has expired your device has been infected with viruses n°020953." A variation said the same thing with a different ending number: "your norton subscription has expired your device has been infected with viruses n°915093."
The Fake Email From 'Norton Support'
The email that appeared to be from "Norton-Support2021" notified users that their supposed subscription to Norton Internet Security had expired.
The subject line claimed that recipients' devices had become infected with viruses. However, that seemingly important claim didn't appear in the body of the email:
Our records indicate that your subscription to Norton™ Internet Security Expired on:
⚠️ 20 Feb 2021 11:11:22 -0500⚠️
Therefore, you are no longer receiving automatic updates that protect you against the latest threats, including viruses, spyware, hackers, and identity thieves.
If you are browsing, banking, shopping, checking email or doing anything online, we highly recommend you renew your subscription now and get the new Norton™ Internet Security.
You will receive a full year of protection for up to 3 household PCs and peace of mind when you're online.
The Norton Team
This was not a legitimate email from Norton AntiVirus or Norton Internet Security.
Investigating the Suspicious Email
In an example email we reviewed, all links in the message pointed to a website hosted on a Brazilian domain. The "unsubscribe" link at the bottom of the message led to the scam as well.
Desktop users who receive a suspicious email that claims to be from Norton can safely hover over links (but not click on them) to see where they lead. If a link doesn't go to an official Norton website, such as "norton.com," do not click it.
Also, the email address the message came from appeared to begin with "Norton-Support2021@" and end with a long string of random letters. The email address did not end in "@norton.com" or anything similar.
Advice From Norton
The company published a page to help keep Norton users safe from these kinds of renewal email scams. For example, it listed several email addresses it used to send official correspondence: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
It's true that Norton may send renewal offers. However, such offers will never arrive with completely lowercase subject lines. Further, there was no indication that Norton notifies customers "your device has been infected with viruses" in renewal email offers.
"The URLs in our emails point to the server at: https://secure.norton.com. Make sure that the URLs begin with https:// and have a norton.com or lifelock.com domain."
Norton users who run the company's apps will potentially receive official emails from email@example.com, firstname.lastname@example.org, NortonAccount@norton.com, email@example.com, and firstname.lastname@example.org.
Other email addresses are covered on the Norton Support page.
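The link and sender checks described in this section, written out as an added Python example (not code from Norton or from the original article): a link passes only when it uses https and its hostname is norton.com, lifelock.com or a subdomain of one, so a host that merely contains the text "norton.com" fails. The sample message, its .example hosts and the function names are constructed for illustration, and applying the link domain list to the From address is an assumption.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link domains the article quotes Norton as naming for its emails.
# Reusing the list for the sender address is an assumption of this example.
OFFICIAL_DOMAINS = ("norton.com", "lifelock.com")

def host_is_official(host):
    """True only for an official domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def link_is_official(url):
    # .hostname skips a "user@" prefix: norton.com@host.example is host.example
    parts = urlsplit(url.strip())
    return parts.scheme == "https" and host_is_official(parts.hostname)

class Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # real link targets, i.e. what hovering reveals
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def review_message(raw):
    """Return (sender_ok, links_failing_check) for a raw message string."""
    msg = message_from_string(raw, policy=policy.default)
    sender_ok = host_is_official(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    body = msg.get_body(preferencelist=("html",))
    parser = Hrefs()
    parser.feed(body.get_content() if body else "")
    return sender_ok, [u for u in parser.hrefs if not link_is_official(u)]

# Constructed sample modelled on the article's description; the address and
# hosts use reserved .example names, not values from the real campaign.
SAMPLE = """\
From: Norton-Support2021 <Norton-Support2021@qzxkvbtrw.example>
Content-Type: text/html; charset=utf-8

<a href="https://secure.norton.com/renew">Renew</a>
<a href="http://secure.norton.com/renew">Renew</a>
<a href="https://norton.com.renewal.example/offer">Renew now</a>
<a href="https://norton.com@renewal.example/unsub">unsubscribe</a>
"""

print(review_message(SAMPLE))
```

A From address is easy to forge, so a passing sender check does not by itself show that a message is genuine.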
Virus Hoaxes and Threats Are Nothing New
We've covered concerns regarding computer viruses since the 1990s. For example, the purported virus in a Budweiser frogs screensaver first made the rounds in 1997. Thankfully, it was a hoax.
Twenty-four years later, the Norton emails being received by readers were not a hoax. We recommend proceeding with caution when reviewing potentially harmful messages. Hovering over links to see where they lead is safe, but clicking on them may not be.
In sum, fake renewal email offers appeared to be from Norton Internet Security and claimed that devices were infected with viruses. This was not official correspondence from the company. The scams should be avoided.