Consumer Brand Impersonation Phishing and Tech-Support Scams Targeting Apple and Avast Users
Multiple brand-impersonation phishing campaigns are targeting consumers by abusing trust in Avast and Apple to drive victims into disclosing payment or account details. One campaign uses a near-identical fake Avast portal aimed at French-speaking users, presenting a fabricated €499.99 “subscription charge” and a short cancellation window to induce urgency; the site validates entered card numbers using the Luhn algorithm and uses a Tawk.to live-chat widget (ID 689773de2f0f7c192611b3bf) to pressure victims in real time into submitting full card details (including CVV) under the pretense of processing a refund.
Separate Apple-themed scams use phishing-to-phone and SMS lures to route victims to scam call centers and harvest credentials and financial information. One email purporting to be from an “Apple Fraud Prevention” team attempts to panic recipients into calling a fake support number, while an “Apple Security Alert” Apple Pay text claims a suspicious $143.95 Apple Store transaction and urges an immediate call to a +1 850-85* number to “cancel” the charge. Another tactic abuses iOS Calendar subscriptions (“iPhone Calendar Scam”) to flood devices with fake security/prize alerts that push users to click malicious links; guidance emphasizes unsubscribing from the rogue calendar and avoiding interacting with the spam invites.
Timeline
Mar 31, 2026
Fake Webroot renewal scam uses payment alerts and callback lures
A scam campaign impersonating Webroot was described using fake renewal texts, invoices, billing notices, and phishing emails that falsely claimed a payment or subscription renewal had been processed. Victims were pressured to call fraudulent support numbers, where scammers attempted to steal personal or financial information or gain remote access to devices.
Mar 26, 2026
Fake Norton renewal email scam uses callback number 1-810-219-4913
A tech support scam was reported in which a fake Norton renewal email falsely claimed the recipient had been charged hundreds of dollars and urged them to call a listed number to cancel or modify the transaction. The number allegedly connected victims to a fraudulent call center impersonating Norton and other technology companies to steal credentials, banking details, or remote access.
Feb 26, 2026
Researchers observe fake Avast refund phishing site targeting French speakers
Researchers identified a phishing campaign impersonating Avast with a near-identical website that falsely claimed victims were charged €499.99 and pushed them to submit payment card details for a supposed refund. Malwarebytes reported the site used client-side date generation, Luhn validation for card numbers, and a Tawk.to live chat widget to increase pressure and improve theft of usable card data.
Feb 25, 2026
Rogue iPhone calendar subscription scam highlighted
A phishing tactic abusing iPhone calendar subscriptions was described, in which victims are tricked into subscribing to malicious calendars that generate persistent fake alerts and prize messages. The scam was noted to rely on social engineering rather than malware, with guidance provided for unsubscribing and removing suspicious calendar accounts.
Feb 24, 2026
Apple Pay smishing campaign uses fake purchase alert and callback number
An SMS phishing campaign posing as an "Apple Security Alert" claimed an Apple ID was used for a $143.95 Apple Pay pre-authorization and urged recipients to call a scammer-controlled number. The operation aimed to steal account credentials and personal or financial information through a fraudulent call center.
Feb 24, 2026
Apple-themed fraud prevention phishing email scam documented
A phishing email campaign impersonating an "Apple Fraud Prevention Team" was reported, using alarmist language to pressure recipients into calling a fraudulent support number not associated with Apple. The scam was described as a phone-based social engineering attempt targeting Apple users.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Affected Products
Sources
2 more from sources like online threat alerts
Related Stories
Brand-impersonation scams using fake support channels to steal credentials and financial data
Multiple brand-impersonation scams are targeting consumers by pushing them to interact with **fake customer support** and surrender sensitive data. One campaign uses a fraudulent site styled as **Avast** to convince French-speaking users they were charged **€499.99** and must act quickly to “cancel” and receive a refund; the page dynamically inserts the current date via JavaScript, loads the Avast logo from Avast’s own CDN to appear legitimate, and then harvests full payment-card details (PAN, expiry, and CVV) via a cancellation/refund form. Separate but related social-engineering activity targets **Robinhood** users with “security alert” **SMS** and **email** lures that direct victims to call scam call-center numbers, where operators attempt to extract login credentials, 2FA codes, and other personal/financial information; the email variant also commonly pushes victims toward installing remote-access tools such as *AnyDesk* or *TeamViewer* under the guise of support. In another consumer fraud pattern, scammers posing as a mobile carrier (e.g., **Spectrum**) call shortly after a phone delivery, claim the wrong device was shipped, and trick the recipient into mailing the phone to the attacker—enabling resale and potential identity-fraud follow-on if the device/line is activated under the victim’s details.
1 months ago
Apple Pay Phishing Using Fake Apple Support Calls to Steal Payment Details
A phishing campaign targeting **Apple Pay** users is using realistic-looking emails to push victims into calling a fraudulent “Apple Support” phone number, shifting the attack from link-clicking to **vishing** (voice phishing). The lure commonly claims a high-value Apple Store charge was attempted or stopped, and includes plausible details (e.g., **case ID**, timestamp, and an “appointment” to review the activity) to create urgency and legitimacy. Malwarebytes reported the operation’s objective is to extract **login/verification codes** and **payment data** during the phone interaction, enabling attackers to take over the victim’s Apple account and potentially access associated data and linked payment methods. Follow-on reporting highlighted the use of Apple branding and invoice-style formatting (including high-ticket purchase claims) to increase conversion, and emphasized the potential impact of account compromise beyond payment theft (e.g., access to stored personal data and connected services).
1 weeks ago
Consumer-Facing Phishing and Payment Scams Using Fake Support and Fraud Alerts
Multiple reports describe **social-engineering scams** that impersonate trusted brands and payment providers to drive victims into credential theft or direct monetary loss. A “crypto compensation” lure abuses a legitimate-looking *Yandex* poll as an entry point, then redirects victims to a fake Bitcoin payout page claiming an approved `0.943 BTC` transaction and imposes a small “commission”/fee to withdraw funds—classic advance-fee fraud wrapped in a polished, multi-step funnel (including a fake chat “support agent”). Separately, Japanese-language phishing emails impersonating **ANA**, **DHL**, and **myTOKYOGAS** show consistent infrastructure patterns (notably `.cn` domains in sender and landing-page URLs), suggesting a single operator or shared kit targeting Japanese-speaking recipients. Several consumer scam advisories highlight **SMS-based fraud alerts** that push targets to call attacker-controlled phone numbers, where scammers pose as “support” to steal **Apple ID/2FA codes** or payment details, or to coerce victims into moving money. One PayPal-themed case escalated to cash withdrawals handed to a courier after a victim called a number from an unsolicited text, illustrating how “fraud department” pretexts can transition from phishing to **cash-out theft**. Additional warnings cover lookalike payment sites (e.g., `payyourbill.aps medical.com`) and generic guidance on what to do after clicking a phishing link; these are broadly consistent with the same theme (phishing/payment fraud) but are not tied to a single, specific campaign or actor across all items.
Today