Fake Zoom and Teams meeting use stolen certificates to deliver malware
Attackers are abusing compromised code signing certificates and fake software updates to install remote access tools inside corporate networks.
Farah Amod
June 21, 2026
A long-running impersonation campaign targeting antivirus users shows no signs of slowing, with researchers warning that the real danger is no longer the fake email, but the fraudulent IT support call that follows.
A fresh wave of fake McAfee subscription renewal emails and browser pop-ups is circulating, using urgent expiration warnings to panic recipients into calling fraudulent IT support numbers or purchasing fake software. According to Cybernews, the campaign revives a tactic that has run for several years, with the most recent wave prompted by a Guardian report documenting recipients receiving expiration warnings for software they had never installed. In one documented case, a Mac user who had never used McAfee clicked on an old bookmarked site and was shown a pop-up claiming that five viruses had been detected and that their McAfee subscription had expired. The user purchased a genuine McAfee plan before realizing the original warning was fraudulent. The pop-ups and emails direct recipients to phone numbers connected to fake IT support centers, where callers are pressured into purchasing non-existent services or handing over payment details.
The mechanics of these campaigns have changed beyond simple credential phishing. Researchers documented a variant in which fake security alerts serve as the first stage of a callback phishing chain. The pop-up or email creates urgency, the recipient calls the number provided, and a live operator then runs a social engineering script to extract payment information, remote access to the device, or both. McAfee confirmed on its website that cybercriminals are increasingly impersonating its brand through fake emails, text messages, pop-ups, and phone calls, and stated it will never ask users to call a phone number included in an email or text. The campaign exploits a specific cognitive pattern: recipients who receive what appears to be a legitimate software warning from a brand they recognize, even one they do not use, experience enough uncertainty to treat the warning as potentially real.
Researchers told Cybernews that "callback phishing is thriving," noting that "these scams often create urgency through fake payment confirmations or unauthorized charge alerts designed to alarm recipients and prompt them to call. People are more likely to trust a convincing individual during a live conversation." Researchers added that while AI is helping attackers make scams "more convincing and easier to scale," the real focus of social engineering remains "exploiting human trust." McAfee stated on its official website that signs of a fake email include spelling and grammar mistakes, suspicious links, and requests for personal or financial information, and advised users to verify subscription status directly through official channels rather than contact details in unsolicited messages.
Callback phishing has been documented across multiple healthcare-specific campaigns in 2026. The ATHR voicemail phishing (vishing) platform, documented in April 2026, automated the same callback structure at scale: fake billing and account alerts sent by email, followed by AI-driven voice agents that guided victims through credential disclosure over the phone. According to BleepingComputer, the FBI issued a warning in May 2026 about the Kali365 phishing-as-a-service platform, which combined fake Microsoft 365 alerts with device code phishing flows that bypassed multi-factor authentication entirely. The underlying structure in all three campaigns is identical to the McAfee scam: creating alarm through a fake security notice, prompting an action, and using that action to extract access or payment.
Healthcare organizations are not the primary target of consumer-facing scareware campaigns, but their staff are. A billing administrator who receives a fake McAfee expiration warning on a work device and calls the number provided is one step away from giving a fraudulent IT operator remote access to a machine that may be connected to patient records, billing systems, or clinical applications. The same urgency and authority cues that make these scams effective against consumers (a familiar brand name, an expiring security product, a phone number that appears to offer help) work equally well in healthcare environments where staff process dozens of vendor communications daily. According to Paubox's Top 3 Healthcare Email Attacks report, only 5% of known phishing attacks are reported by employees to security teams, meaning callback phishing campaigns that target staff can run through their full chain without any internal detection signal.
Standard phishing delivers a malicious link or attachment in an email. Callback phishing delivers a phone number instead, directing the recipient to initiate contact with the attacker. The dangerous interaction happens over the phone rather than through a browser, bypassing email security tools that scan for malicious links and keeping the credential theft or payment fraud step off the organization's monitored network perimeter.
Unfamiliarity with a product creates uncertainty rather than immunity. A recipient who does not know whether they have McAfee installed may assume the product was bundled with their device or installed by IT, making the expiration notice plausible enough to prompt action before they think to verify.
AI-generated lures produce grammatically correct, personalized emails at volume, removing the spelling errors and awkward phrasing that awareness training teaches people to spot. AI voice agents can handle live calls without human operators, allowing campaigns to run at scale without requiring a staffed call center. The result is a higher-quality scam delivered to more targets at a lower cost per attempt.
Training should specifically cover callback phishing as a category distinct from link-based phishing, with clear guidance that any unsolicited email or pop-up containing a phone number for IT support or billing should be verified through an independently sourced contact before calling. Staff should be told that legitimate software vendors, including Microsoft, McAfee, and Google, will never instruct users to call a number embedded in an alert message.
Close the browser tab or email, navigate directly to the vendor's official website by typing the address manually, and check account status from there. If the alert appeared in a browser, clearing the browser cache and running a scan with installed security software addresses any potential adware that may have triggered it. The phone number in the alert should never be called.