Skip to content
ScamClarity

Scam Type

Unexpected invoice? Check the risk before you call or pay

Fake invoices, renewal emails, PayPal requests, and vendor bills can lead to callback scams, payment loss, or account exposure. Verify the charge safely and act based on what you already did.

By ScamClarity Editorial Team

Published May 21, 2026Updated May 28, 2026

Do not use the phone number, cancellation link, or payment instructions in an invoice you do not recognize. Open the real account, app, card statement, or company website yourself and check whether a charge, request, or payment actually exists.

A fake invoice may look like a PayPal invoice or money request, a subscription renewal, an antivirus or Geek Squad charge, a Microsoft order, an Apple or Amazon receipt, a PDF attachment, or a vendor bill. The risk changes based on what you already did: received it, clicked, called, shared information, installed remote access, paid, or handled it as a business invoice.

Start with what happened

Scroll sideways to see all columns.

What happenedDo firstRisk
You only received the invoice or receiptCheck the real account or card statement separately. Do not reply, call, or pay from the message.Lower risk if no matching charge appears
You got a PayPal invoice or money requestOpen PayPal directly, review Activity, and use PayPal's report, decline, or cancel options if it is unfamiliar.Check closely
You clicked a link but entered nothingClose the page, do not continue through forms, and check downloads or sign-in alerts.Check closely
You opened or downloaded an attachmentDo not reopen it. Check whether a file ran, asked for permissions, or asked you to enable content.Check closely
You called the numberHang up, write down what was said, and list any information, software, or payment requests involved.Check closely
You shared card, bank, login, account, or code informationContact the provider through the real app, website, statement number, or number on the back of the card.Act quickly
You installed remote-access softwareDisconnect the session, remove the tool, and use a trusted device for important account and payment changes.Urgent
You paid the invoice or sent money for a refundContact the payment provider quickly and save the invoice, receipt, transaction ID, and messages.Urgent
Your business received a vendor invoicePause payment and verify the invoice through purchase records and a known vendor contact already on file.Check closely

Use the closest match. If more than one applies, start with payment, passwords, bank details, remote access, or a business account.

Verify the invoice without using the invoice

The safest check is account-first, not message-first. Open the real account or website on your own, then look for a matching transaction, invoice, subscription renewal, order, or payment request. A dollar amount printed in an email is not proof that money left your account.

  • For a bank or card charge, use the official app, statement, or number on the back of the card.
  • For PayPal, open PayPal directly and review Activity before paying or responding.
  • For a subscription renewal, check the real account and your card statement. Do not use the invoice phone number.
  • For a business invoice, compare the invoice with purchase orders, contracts, vendor records, and existing payment instructions.
  • For an attachment or link, do not go back to the message to test it. Use the real company site separately.

PayPal invoices and money requests need a separate check

PayPal invoice scams are confusing because the request may come through PayPal's own invoice or money request system. That can make the notification look more convincing than a spoofed email, but it still does not prove you ordered the item, owe the money, or need to call the number written in the note.

If you receive a PayPal invoice or request for something you did not order, open PayPal through the real app or by typing paypal.com. Review Activity there. If the request is unfamiliar, do not pay it. Use PayPal's reporting, decline, or cancel options when available, and forward suspicious PayPal-looking emails or websites to PayPal's phishing address if the message came outside the app.

  • Do not call a phone number in the invoice note, seller note, memo, or PDF.
  • Do not pay the invoice just to see what happens.
  • Do not send crypto or another payment because the invoice note says there is an urgent account issue.
  • Do not issue a refund unless you can verify a real payment came into your account and the real platform process says a refund is needed.
  • If PayPal shows no completed payment or charge, treat the invoice as an unwanted request, not proof that money left.

Renewal and fake order invoices usually push a call

Fake Norton, McAfee, Geek Squad, Microsoft, antivirus, and computer-support invoices often claim you were charged for an annual renewal or order. The message may say to call quickly to cancel, dispute, or receive a refund. This overlaps with fake tech support scams because the call can become a remote-access, bank-screen, gift-card, crypto, or fake-refund scam.

If the renewal might be real, check the real account or card statement. Use the company's official website, app, or a known support path, not the invoice number. If there is no matching transaction, the message was likely designed to make you call before checking.

  • A fake renewal may use familiar names such as Norton, McAfee, Geek Squad, Microsoft, Apple, Amazon, or a generic antivirus brand.
  • The amount may be high enough to create panic but ordinary enough to resemble a software subscription.
  • The caller may say a refund requires you to open your bank account or install Quick Assist, AnyDesk, TeamViewer, UltraViewer, ScreenConnect, LogMeIn, or a similar tool.
  • A refund that requires gift cards, crypto, a wire transfer, a payment app transfer, or moving money between accounts is not a normal refund process.

What the invoice is trying to make you do

Most fake invoices are not just asking you to read a bill. They are trying to move you into a higher-risk action before you verify the charge.

Common invoice pressure points

Scroll sideways to see all columns.

What you seeWhat it is trying to make you doSafer check
Large unexpected chargeReact before checking whether money movedOpen the real bank, card, PayPal, or company account yourself
Call to cancel within 24 hoursMove you from email into a controlled phone callUse a known company contact or the official website
PDF, receipt, or order attachmentMake the message look routine or hide the phone numberDo not reopen unexpected files; save the file name for reporting
Refund or overpayment storyGet bank access or make you send money backDo not send money to receive a refund
Changed vendor payment instructionsRedirect a business paymentVerify through a known vendor contact and internal records

The same invoice can use more than one pressure point.

If you called the number

End the call first. You do not need to stay on the line to be polite, finish cancellation, or prove the charge is fake. Once the call is over, write down what happened while it is still fresh.

  • What number you called and what company name they used.
  • Whether you shared your name, address, phone number, email, date of birth, card number, bank details, password, one-time code, SSN, or ID information.
  • Whether you installed software, allowed remote access, opened a bank page, opened email, opened a password manager, or showed files.
  • Whether they asked you to buy gift cards, send crypto, wire money, use a payment app, or transfer money for a refund.
  • Whether they threatened you, told you not to talk to anyone, or called back from other numbers.

If you only talked and shared nothing sensitive, the main risk may be follow-up contact. If you shared information, opened financial accounts, installed software, or paid, treat those as separate problems and act on them directly.

If you clicked, downloaded, or opened an attachment

Close the page or file. Do not continue through forms, do not reopen the attachment, and do not use a link from the invoice to sign in. If the invoice mainly involved an email link, fake login page, QR code, or suspicious attachment, the broader phishing page may also help.

A click alone is not the same as giving away a password or payment details. The important questions are whether you entered information, approved a login, downloaded and ran a file, enabled content in an Office file, installed an app, or gave permissions.

  • If you entered a password, change it from the real site or app, preferably on a trusted device.
  • If you entered card or bank details, contact the card issuer or bank using a known number.
  • If an attachment ran, run trusted security software and review recent downloads and installed apps.
  • If you gave a one-time code, review the account that code belonged to because it may have approved a login, reset, account change, or payment.

If you paid or shared information

Contact the provider connected to the money or exposed account. A bank, card issuer, PayPal, payment app, wire company, gift card issuer, or crypto platform is the party that can tell you what can be blocked, disputed, reversed, replaced, monitored, or documented.

  • Credit or debit card: use the official app or call the number on the back of the card. Ask about dispute options, card replacement, recurring charges, and account monitoring.
  • Bank details or online banking access: contact the bank, review recent and pending activity, and ask what account protections are appropriate.
  • PayPal or payment app: use the official app or website, report the invoice or transaction, and save transaction IDs.
  • Gift cards: keep the cards and receipts, contact the gift card issuer quickly, and do not send card photos or PINs to anyone else.
  • Wire, crypto, or money transfer: contact the platform or transfer company quickly, save wallet addresses or transfer IDs, and watch for recovery offers.
  • Login information: change the password and review recovery email, recovery phone, sessions, connected apps, payment methods, forwarding rules, and security alerts.

If personal details, card data, bank information, identity documents, or account access were shared, see what to do when a scammer has your information for a more detailed information-exposure checklist.

If remote access was involved or the device/account now seems different, see the phone and account access page for account, browser, app, and device checks.

If a business received a vendor invoice

A fake business invoice can be simple, like a bill for supplies, ads, domains, search listings, software, tech support, or a subscription nobody ordered. It can also be more targeted, like a known vendor invoice with changed payment instructions.

Small businesses are vulnerable because paying bills is routine. Slow the process down enough to verify the invoice outside the email thread, especially when payment instructions changed or someone is pushing urgency.

  • Match the invoice to a purchase order, contract, shipment, service record, or internal approval.
  • Verify the sender domain, invoice history, dollar amount, account number, and payment instructions.
  • Use a vendor contact already in your system, not the phone number or email in the new invoice.
  • Be cautious with urgent past-due notices, new bank details, changed routing numbers, or pressure from someone claiming to be an executive.
  • If a payment was sent to new instructions, contact the financial institution immediately and consider filing with IC3.

What not to do now

Avoid the traps where a fake invoice usually becomes a money, account, device, or identity problem.

  • Do not call the number in the invoice

    Use a known phone number, official app, real website, statement, or account page instead.

  • Do not click invoice links to cancel

    Open the real account yourself and check there.

  • Do not pay to stop a charge until you verify it

    An invoice, request, or receipt is not the same as a completed charge.

  • Do not install remote-access software

    Remote access can let the caller view or control the device.

  • Do not send gift cards, crypto, wire transfers, or payment-app transfers for a refund

    A real refund should not require sending more money first.

  • Do not share one-time codes or passwords

    Codes can approve logins, resets, account changes, and payments.

  • Do not delete everything before saving evidence

    Keep enough to report, dispute, and explain what happened.

What to save

Save enough evidence to explain the invoice. Keep private details out of public posts, but save the facts that a provider, platform, employer, or agency may ask for.

  • The full email or message

    Include sender address, display name, date, subject line, headers if available, and screenshots.

  • Invoice details

    Invoice number, order number, brand or company name used, amount, due date, attachment name, and any memo text.

  • Phone and call details

    Phone number listed, number you called, callback numbers, caller names, call date and time, and what they asked you to do.

  • Links and files

    URLs, downloaded file names, attachment names, and whether anything ran or asked for permissions.

  • Payment proof

    Receipts, transaction IDs, gift card numbers and receipts, wire details, wallet addresses, PayPal activity, and bank or card case numbers.

  • Remote-access details

    Tool name, session ID if visible, what was open on screen, and any new apps, extensions, or account alerts.

Do not post full card numbers, SSNs, passwords, private account screenshots, gift card PINs, or ID images in public forums.

Where to report or get help

ScamClarity is not an official reporting destination and cannot cancel invoices, recover money, or verify accounts. Use the official destination that matches what happened.

  • Company or platform being impersonated: report through the real app, real account, official website, or official abuse channel.
  • PayPal invoice or request: log in to PayPal through the real website or app and report, decline, or cancel the suspicious invoice or request there.
  • Bank, card issuer, or payment provider: contact them quickly if money moved, card or bank details were shared, or a charge appears.
  • FTC ReportFraud: report consumer fake invoice, phishing, tech support, business impersonation, and refund scams.
  • FBI IC3: report internet-enabled fraud, especially business invoice fraud, business email compromise, wire transfers, crypto, remote access, or significant losses.
  • Work, business, or finance team: escalate internally if the invoice involved a company mailbox, vendor, employee account, purchase order, payment instructions, or managed device.
  • Local law enforcement or emergency services: use this for threats, immediate danger, local pickup demands, or someone trying to collect cash, cards, gold, or devices in person.

Sources checked

We checked official and provider sources for invoice and money request abuse, renewal and fake-order scams, small-business invoice fraud, payment exposure, account monitoring, brand impersonation, and reporting paths.

  • FTC fake Geek Squad renewal scam

    Subscription renewal invoices, fake cancellation numbers, remote access, fake refunds, gift cards, and FTC reporting.

  • FTC phishing guidance

    Unexpected invoices in phishing emails, suspicious links and attachments, reporting phishing, and what to do after responding.

  • FTC what to do if you were scammed

    Payment-provider contact, information exposure, device access, and ReportFraud guidance.

  • FTC ReportFraud

    U.S. consumer fraud reports for fake invoices, phishing, impersonation, and refund scams.

  • FTC small business fake invoices

    Unexpected business invoices, vendor checks, staff approval procedures, and small-business reporting.

  • PayPal invoice and money request scams

    PayPal invoice and money request abuse, not paying suspicious requests, avoiding invoice note phone numbers, and reporting through PayPal.

  • PayPal report a suspicious invoice

    PayPal's official in-account steps for canceling, declining, or reporting suspicious invoices and money requests.

  • FBI business email compromise

    Vendor invoice changes, business payment instruction fraud, urgent requests, financial institution contact, and IC3 reporting.

  • FBI IC3

    Internet-enabled fraud reports, including business invoice fraud and online payment losses.

  • CFPB account and card fraud guidance

    Contacting the bank or card provider quickly, watching for unauthorized transactions, and saving dispute records.

  • Microsoft fake order scams

    Fake order confirmations, cancellation phone numbers, suspicious Office files, false urgency, and independent account checks.

  • Apple social engineering guidance

    Apple impersonation, fake receipts, suspicious attachments, official support channels, and account-password steps.

  • Norton email verification

    Norton email domain checks, suspicious Norton emails, and forwarding suspicious messages to Norton.

  • McAfee customer scam awareness

    McAfee email and call checks, valid sender context, personal-detail warnings, official contact advice, and McAfee brand reporting.

  • Best Buy protect yourself

    Best Buy and Geek Squad impersonation warnings, trusted contact advice, personal-information warnings, and brand reporting.

FAQ

What should I do if I got an invoice for something I did not buy?

Do not call, click, reply, or pay from the invoice. Check the real account, card statement, PayPal Activity, or company site separately. If there is no matching transaction, save and report the message, then delete it.

Can a PayPal invoice be a scam if it appears in PayPal?

Yes. A PayPal invoice or money request can be sent through PayPal and still be unwanted or abusive. Check PayPal Activity in the real app or website, do not call numbers written in invoice notes, and do not pay unfamiliar requests.

Should I call the phone number on the invoice?

No. The phone number is often the point of the scam. Use a known number, official app, statement, or official website if you need to contact the company.

What if I already called the fake invoice number?

End contact and write down what happened. If you only talked and shared nothing sensitive, watch for follow-up pressure. If you shared information, opened financial accounts, installed software, or paid, act on those specific risks.

What if I installed remote-access software?

Disconnect the session, remove the tool, and use a trusted device for important password and payment-account changes. Review what was open on screen and contact your bank, card issuer, employer, or school if financial or managed systems were involved.

What if I paid the fake invoice?

Contact the payment provider quickly through official support. Save the invoice, receipt, transaction IDs, phone numbers, and messages. Ask what can be blocked, disputed, reversed, replaced, or monitored. Do not pay anyone promising guaranteed recovery.

What if the invoice says Norton, McAfee, Geek Squad, Microsoft, Apple, Amazon, or antivirus software?

Check the real account or card statement first. Fake renewal and order invoices often use familiar brands and a high dollar amount to make you call. If you need support, use the official site or app, not the invoice phone number.

Is a fake invoice the same as phishing?

Often, but not always. Some fake invoices are phishing messages meant to steal login, card, bank, or business data. Others are callback scams that push you to call a fake support number. Some are payment requests meant to make you pay directly.