The woman on the other end of the call sounded exhausted. Over the previous six hours she had been on the phone with "Norton" trying to cancel a $499 antivirus charge she didn't recognize. By the time she got to me, the "Norton agent" had remoted into her computer, logged her out of her bank, taken control of her browser, and instructed her to drive to a CVS to buy gift cards as a "refund." She trusted her gut, hung up, and called me instead.

The scam started with an email she opened around 9 a.m. Subject: "Your Norton 360 subscription has been renewed." Body: a fake invoice for $499.99 with a customer service number to call if she didn't recognize the charge.

That's the entire scam in one sentence. There is no malicious link. There is no virus-laden attachment. The only weapon in the whole email is a phone number — and the phone number is enough.

Why this scam is so successful

Most people have learned to be careful about clicking links in emails. So scammers stopped using links. Instead, they put a phone number in front of you and let your panic do the work.

The email is calmly designed. It looks like a real receipt. It uses a real brand name. Norton, McAfee, Geek Squad, PayPal, and Best Buy are the most common right now. There's an invoice number, an order date, even a tax line. Everything about it looks like a legitimate confirmation, except for the part where you didn't actually buy anything.

Your eyes lock onto the dollar amount. $499.99. Six hundred dollars. Twelve hundred. Whatever it is, it's the right amount of upsetting. High enough that you can't ignore it, low enough that you halfway believe it could be a real mix-up.

You scroll down. You find the support number. You call.

What happens when you call

A polite, calm-sounding person answers. They sound exactly like a customer service rep from any company you've ever called. They apologize for the confusion. They take your name. They look you up in "the system."

Then they say one of two things:

"Oh, I see the issue — this charge was actually applied to a different account that's linked to yours. Let me transfer you to our refund department."

Or: "I'd be happy to refund this for you. To verify the charge and process the reversal, I'll need to connect to your computer briefly. Could you go to a website for me (usually it's anydesk.com, or teamviewer.com), and read me the number on the screen?"

That's the trap. Once they have remote access to your computer, they're in. They open your bank in a hidden window, "accidentally" type in too many zeros on the refund — "Oh no, I refunded you $5,000 instead of $500, my manager will fire me, you have to send the difference back" — and walk you through a wire transfer or, more often, a trip to buy gift cards.

The whole act takes between thirty minutes and four hours. People who get sucked in often don't realize they were scammed until the next day, when no refund appears and the "Norton" number stops answering.

The four warning signs in the email itself

Before you ever pick up the phone, the email tells you it's fake.

The first sign: the sender's address isn't from the real company. Norton's real domain is norton.com; PayPal's is paypal.com. If the email comes from serice@norton-billing-team.net or noreply@paypal-invoice-confirm.com, it's not them.

The second sign: there's a phone number prominently displayed and the message strongly encourages you to call. Real receipts almost never tell you to call a phone number. They link you to your account dashboard.

The third sign: no link to your actual account. If the real Norton charged you, you'd be able to log in to norton.com and see the order. If the email avoids sending you to your real account — and instead pushes you to call — that's because there is no real account.

The fourth sign: amounts and brands you don't use. If you've never had Norton in your life, an email about your "Norton renewal" is almost certainly a fake. Same with Geek Squad, McAfee, or any service you never signed up for.
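
For readers who filter mail for a family or a small office, the four signs can be checked mechanically. The sketch below is an added example, not part of the original article: the function names, the sample messages, the phone number and the account URL are constructed, and it assumes a simple single-part plain-text email.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Real domains named in the article; add others only after verifying them.
BRAND_DOMAINS = {"norton": "norton.com", "paypal": "paypal.com"}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_HOST_RE = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def is_under(host, domain):
    """True only for the domain itself or a subdomain, not a lookalike."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def warning_signs(raw, brands_i_use=()):
    """Return the article's warning signs found in a plain-text email."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumes a single-part text message
    text = (msg.get("Subject", "") + " " + body).lower()
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    link_hosts = URL_HOST_RE.findall(body)
    signs = []
    for brand, domain in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        if not is_under(sender_host, domain):
            signs.append("sender_not_brand_domain")      # sign 1
        if not any(is_under(h, domain) for h in link_hosts):
            signs.append("no_link_to_real_account")      # sign 3
        if brand not in brands_i_use:
            signs.append("brand_not_used")               # sign 4
    if PHONE_RE.search(body):
        signs.append("callback_number")                  # sign 2
    return list(dict.fromkeys(signs))  # de-duplicate, keep order

# Constructed samples; the phone number, invoice text and URL are made up.
FAKE = """\
From: Norton Billing <serice@norton-billing-team.net>
Subject: Your Norton 360 subscription has been renewed

Amount charged: $499.99
If you do not recognize this charge, call (800) 555-0199.
"""
REAL = """\
From: Norton <noreply@norton.com>
Subject: Your Norton receipt

View this order in your account: https://www.norton.com/account
"""

if __name__ == "__main__":
    print(warning_signs(FAKE))
    print(warning_signs(REAL, brands_i_use=("norton",)))
```

An empty result is not proof that a message is genuine, because the From line can be forged; checking the charge in the real account still decides the question.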

The right way to check a charge

If the email rattles you, don't reply, don't call the number, don't click anything. Instead:

Open a new browser tab and go directly to the company's real website by typing the address yourself. Log in to your account and check your order history. If there's no charge there, there's no charge.

Or check your actual bank or credit card account. Did the money actually come out? Most of the time, the answer is no — because there was never a real charge in the first place.

Or call the real company using the number on the back of your credit card or from the company's official website. Not the number in the email.

What if you already called

If you called the number and gave them your name, that's recoverable. They have your name. They're going to keep calling and emailing you. Block the numbers as they come in.

If you let them connect to your computer, that's more serious. Disconnect from the internet immediately, then bring the machine to a real technician — me, or anyone you trust — to be checked. Change every password you can think of, but do it from a different device. And call your bank to flag any unusual activity.

If you bought gift cards or sent a wire, call your bank and the gift card company right away. Speed matters. Sometimes wires can be reversed within the first 24 hours, and gift cards occasionally can be frozen if the scammer hasn't drained them yet.

And don't be embarrassed. The client I mentioned at the start? She's one of the smartest people I know. These scams aren't designed to fool dumb people. They're designed to fool panicked people, which is all of us, eventually.

Tomorrow I'm covering the Reply-To trick — a sneaky email setting that makes scam replies look like they're going to the real company when they're actually going straight to a scammer's inbox.

The Fake Invoice Scam: How a $499 Email Steals Your Money Without a Single Link