A fake subscription renewal appears in your Google Calendar with a phone number to call
A fake billing notice lands in your Google Calendar without you clicking anything — claiming Norton, McAfee, Geek Squad, or Amazon auto-renewed for $269–$399. A phone number in the event connects to scammers who ask for remote access or your card number.
Also known as: Google Calendar phishing, fake subscription renewal calendar, calendar invite billing scam, Geek Squad calendar scam, Norton renewal calendar fraud
Already happened to you? Do this in the next few minutes
- 1 Call your bank or card's fraud line right now. Use the number on the back of your card — not any number from the message or caller. Ask them to stop or reverse the payment and freeze the account.
- 2 If you paid by gift card, wire, or an app (Zelle, Venmo, Cash App): contact that company immediately and report it as fraud. Acting fast sometimes recovers the money.
- 3 Report to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov. The sooner, the better.
- ! If you installed any "support", "server", "refund", or remote-access app at their request (AnyDesk, TeamViewer, Quick Support, etc.): disconnect the internet now, then run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
What to do right now
- 1 Do not call the phone number in the calendar event — delete the event and block the sender
- 2 If you want to verify a subscription charge, log in directly to the company's real website (norton.com, amazon.com, etc.) — never through a calendar notification
- 3 To prevent future attacks: in Google Calendar, go to Settings → Events from Gmail → turn off 'Automatically add events from Gmail to my calendar'
- 4 If you already called and gave remote access: disconnect from the internet immediately, run a full antivirus scan, and change your passwords from a separate device
- 5 If you installed any 'support' or 'server' or 'refund app' or remote-access app at the scammer's request (AnyDesk, TeamViewer, Quick Support, etc.), run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
- 6 Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.
Was remote-access software installed?
If a scammer asked you to install AnyDesk, TeamViewer, Quick Support, or any remote-access app, your device may still be compromised.
Run SeraphSecure to detect and remove it →Red flags
- ⚠ A calendar event appeared that you did not create and did not accept — Google Calendar auto-adds events from strangers unless you disable this
- ⚠ The event claims a large subscription renewal ($269–$399) from Norton, McAfee, Geek Squad, Amazon, or PayPal — companies never deliver renewal notices as calendar invites
- ⚠ The event description includes a phone number to call to 'cancel' — real subscription services want you to log in to your account, not call a random number
- ⚠ The 'transaction ID' and 'membership number' in the event were invented — you cannot find them in your actual account
- ⚠ The caller asks for remote access to your computer to 'process the refund' — this is how they steal your data or install malware
Sources
- Google — June 2026 Fraud and Scams Advisory (calendar phishing named as rising threat)
- Malwarebytes — Watch out for fake Malwarebytes renewal notices in your calendar (Mar 2026)
- KnowBe4 — Scammers Abuse Calendar Invites to Plant Phony Subscription Notices
- Techlicious — Google Calendar is adding scam billing notices to your schedule (2026)
- MakeUseOf — That Google Calendar renewal warning might be a scam (2026)
- AOL / Opinion — Email and text phishing scams have moved to calendar invites (2026)