Unexpected invoice? Start before you call, click, or pay.

A fake invoice scam usually tries to make you believe you were charged for something, renewed a subscription, or now owe money. The invoice may look like a PayPal request, a receipt, an antivirus renewal, a Geek Squad or Microsoft charge, an Apple or Amazon order, or a vendor bill for a business.

The safest first move is to pause before using anything inside the invoice. Do not call the phone number in the message, do not click a cancellation link, and do not pay just to make the charge stop. Open the real account, app, card statement, or company website yourself and check whether anything actually happened.

The risk depends on what changed. Receiving the invoice is usually different from calling the number, sharing card or bank details, installing remote-access software, entering a password, or paying.

Why fake invoices work

A fake invoice creates confusion around money. It makes you wonder whether a charge already happened, whether a subscription renewed, whether a business bill is overdue, or whether you need to act before a deadline. That confusion is the opening.

Many fake invoice messages avoid a traditional phishing link and push a phone number instead. Once you call, the person can steer the conversation toward remote access, card details, bank screens, gift cards, crypto, or a fake refund.

PayPal invoices and money requests need a separate check

PayPal invoice scams are confusing because the message may involve PayPal's real invoice or money request system. That means the email or account notification can look more convincing than a simple spoofed email. It still does not mean you ordered the item, owe the money, or need to call the number written in the invoice note.

If you receive a PayPal invoice or payment request for something you did not order, open PayPal yourself through the real app or by typing paypal.com. Check Activity there. If the request is unfamiliar, do not pay it. Use PayPal's built-in decline, cancel, or report options when available, and forward suspicious PayPal-looking emails or websites to PayPal's phishing address.

• Do not call a phone number in the invoice note, seller note, memo, or PDF.
• Do not pay the invoice just to see what happens.
• Do not send money to a crypto wallet mentioned in an invoice or request.
• Do not issue a refund unless you can verify a real payment came into your account and the real platform process says a refund is needed.
• If PayPal shows no completed payment or charge, treat the invoice as an unwanted request, not proof that money left.

Antivirus, tech support, and subscription renewal invoices

Fake Norton, McAfee, Geek Squad, Microsoft, antivirus, and computer-support invoices often say you were charged hundreds of dollars for an annual renewal. The message may say to call quickly if you want to cancel, dispute, or receive a refund. This overlaps with fake tech support scams because the next step may be a call where the person asks for remote access or payment details.

If you think the renewal might be real, check the real account or the card statement. Use the company's official website or app, not the invoice number. If there is no matching transaction, the message was likely designed to make you call.

• A fake renewal may use familiar names like Norton, McAfee, Geek Squad, Microsoft, Apple, Amazon, or a generic antivirus brand.
• The amount is often high enough to create panic but ordinary enough to look like a software subscription.
• The caller may say a refund requires you to open your bank account or install Quick Assist, AnyDesk, TeamViewer, UltraViewer, ScreenConnect, LogMeIn, or a similar tool.
• A refund that requires you to buy gift cards, send crypto, wire money, use a payment app, or move money between accounts is not a real refund process.

If you called the number

End the call first. You do not need to keep talking to be polite, to finish cancellation, or to prove the charge is fake. Once the call is over, write down what happened while it is still fresh.

• What number you called and what company name they used.
• Whether you shared your name, address, phone number, email, date of birth, card number, bank details, password, one-time code, SSN, or ID information.
• Whether you installed software, allowed remote access, opened a bank page, opened email, opened a password manager, or showed files.
• Whether they asked you to buy gift cards, send crypto, wire money, use a payment app, or transfer money for a refund.
• Whether they threatened you, told you not to talk to anyone, or called back from other numbers.

If you shared nothing sensitive and did not install anything, the main risk may be follow-up contact. If you shared information, opened financial accounts, or gave remote access, treat those as separate problems and act on them directly.

If you clicked, downloaded, or opened an attachment

Close the page or file. Do not continue through forms, do not reopen the attachment, and do not use a link from the invoice to sign in. If the invoice mainly involved an email link, fake login page, or suspicious attachment, the broader phishing page may also help.

A click alone is not the same as giving away a password or payment details. The important questions are whether you entered information, approved a login, downloaded and ran a file, enabled content in an Office file, installed an app, or gave permissions.

• If you entered a password, change it from the real site or app, preferably on a trusted device.
• If you entered card or bank details, contact the card issuer or bank using a known number.
• If an attachment ran, run trusted security software and review recent downloads and installed apps.
• If you gave a one-time code, review the account that code belonged to because it may have approved a login, reset, or payment.

If you paid or shared information

Contact the provider connected to the money or exposed account. A bank, card issuer, PayPal, payment app, wire company, gift card issuer, or crypto platform is the party that can tell you what can be blocked, disputed, reversed, replaced, or documented.

• Credit or debit card: call the number on the back of the card or use the official app. Ask about dispute options, card replacement, recurring charges, and account monitoring.
• Bank details or online banking access: contact the bank, review recent and pending activity, and ask what account protections are appropriate.
• PayPal or payment app: use the official app or website, report the invoice or transaction, and save transaction IDs.
• Gift cards: keep the cards and receipts, contact the gift card issuer quickly, and do not send card photos or PINs to anyone else.
• Wire, crypto, or money transfer: contact the platform or transfer company quickly, save wallet addresses or transfer IDs, and watch for recovery offers.
• Login information: change the password and review recovery email, recovery phone, sessions, connected apps, and security alerts.

If personal details, card data, bank information, identity documents, or account access were shared, see what to do when a scammer has your information for a more detailed information-exposure checklist.

If remote access was involved or the device/account now seems different, see the phone and account access page for account, browser, app, and device checks.

If a business received a vendor invoice

A fake business invoice can be simple, like a bill for supplies, ads, domains, search listings, software, tech support, or a subscription nobody ordered. It can also be more targeted, like a known vendor invoice with changed payment instructions.

Small businesses are vulnerable because paying bills is routine. The safer move is to slow the process down enough to verify the invoice outside the email thread.

• Match the invoice to a purchase order, contract, shipment, service record, or internal approval.
• Verify the sender domain, invoice history, dollar amount, account number, and payment instructions.
• Use a vendor contact already in your system, not the phone number or email in the new invoice.
• Be cautious with urgent past-due notices, new bank details, changed routing numbers, or pressure from someone claiming to be an executive.
• If a payment was sent to new instructions, contact the financial institution immediately and consider filing with IC3.

What not to do now

What to save

Where to report or act

ScamClarity is not an official reporting destination and cannot cancel invoices, recover money, or verify accounts. Use the official destination that matches what happened.

• Company or platform being impersonated: report through the real app, real account, official website, or official abuse channel.
• PayPal invoice or request: log in to PayPal through the real website or app and report or decline the suspicious invoice or request there.
• Bank, card issuer, or payment provider: contact them quickly if money moved, card or bank details were shared, or a charge appears.
• FTC ReportFraud: report consumer fake invoice, phishing, tech support, business impersonation, and refund scams.
• FBI IC3: report internet-enabled fraud, especially business invoice fraud, business email compromise, wire transfers, crypto, remote access, or significant losses.
• Work, business, or finance team: escalate internally if the invoice involved a company mailbox, vendor, employee account, purchase order, payment instructions, or managed device.
• Local law enforcement or emergency services: use this for threats, immediate danger, local pickup demands, or someone trying to collect cash, cards, gold, or devices in person.

Official sources used

These sources support the article's action steps, reporting options, PayPal nuance, brand-specific checks, payment guidance, and small-business invoice advice.

FAQ

What should I do if I got an invoice for something I did not buy?

Do not call, click, reply, or pay from the invoice. Check the real account, card statement, or company site separately. If there is no matching transaction, save and report the message, then delete it.

Is a PayPal invoice always real?

No. A PayPal invoice or money request can be sent through PayPal and still be unwanted or abusive. Check PayPal Activity in the real app or website. Do not call phone numbers written in invoice notes and do not pay unfamiliar requests.

Should I call the phone number on the invoice?

No. The phone number is often the point of the scam. Use a known number, official app, statement, or official website if you need to contact the company.

What if I already called the fake invoice number?

End contact and write down what happened. If you only talked and shared nothing sensitive, watch for follow-up pressure. If you shared information, opened financial accounts, installed software, or paid, act on those specific risks.

What if I installed remote-access software?

Disconnect the session, remove the tool, and use a trusted device for important password and payment-account changes. Review what was open on screen and contact your bank, card issuer, employer, or school if financial or managed systems were involved.

What if I paid the fake invoice?

Contact the payment provider quickly through official support. Save the invoice, receipt, transaction IDs, phone numbers, and messages. Ask what can be blocked, disputed, reversed, replaced, or monitored. Do not pay anyone promising guaranteed recovery.

What if the invoice is for Norton, McAfee, Geek Squad, Microsoft, Apple, Amazon, or antivirus software?

Check the real account or card statement first. Fake renewal invoices often use familiar brands and a high dollar amount to make you call. If you need support, use the official site or app, not the invoice phone number.

How do I report a fake invoice scam?

Report it to the company or platform being impersonated, the payment provider if money or payment details were involved, FTC ReportFraud for consumer fraud, and IC3 for internet-enabled fraud or business invoice losses.

Is a fake invoice the same as phishing?

Often, but not always. Some fake invoices are phishing messages meant to steal login, card, bank, or business data. Others are callback scams that push you to call a fake support number. Some are payment requests meant to make you pay directly.