cybercory

#1 Middle East & Africa Trusted Cybersecurity News & Magazine |

Thursday, February 26, 2026

Refund Scam Impersonates Avast to Steal Credit Card Data from French-Speaking Users


A new and highly convincing refund scam is targeting French-speaking internet users by impersonating Avast, tricking victims into handing over full credit card details under the false promise of reversing a €499.99 charge.

According to a recent investigation by Malwarebytes, the phishing operation uses brand impersonation, real-time chat support, and clever scripting techniques to create urgency and extract sensitive financial information at scale. As detailed in the original Malwarebytes report, the scam is designed to look and feel indistinguishable from a legitimate Avast support portal.

This campaign is not just another phishing page; it is an interactive fraud ecosystem.

A Perfectly Branded Trap

The fraudulent website loads the official Avast logo directly from Avast’s own content delivery network, ensuring the visual identity appears authentic. Navigation links such as “Home,” “My Account,” and “Help” mimic the real interface.

At the center of the deception is a bold claim:

“You were charged €499.99 today.”

The date dynamically updates using the visitor’s system clock, making the transaction appear to have occurred that very day. The amount, however, is hardcoded at €499.99: large enough to trigger panic, yet plausible enough for a premium subscription renewal.

There is no real charge. No account has been accessed. The number exists solely to provoke urgency.
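Because the page pulls the logo from the brand's own CDN, each visit to the fake portal can leave a request in that CDN's access log whose Referer names the phishing host. The following is an added example (not from the Malwarebytes report or from Avast) that counts distinct clients per off-brand referrer in combined-format logs; the domain `brand.example`, the logo path pattern and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumptions: domains the brand owns and the asset path to watch (placeholders).
OWNED_SUFFIXES = ("brand.example",)
WATCHED_ASSET = re.compile(r"/logo[^/]*\.(?:svg|png)$")

# Combined log format: ip - - [ts] "METHOD path proto" status size "referer" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_owned(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OWNED_SUFFIXES)

def foreign_referrers(lines):
    """Map each non-owned referrer host to its number of distinct client IPs."""
    clients = {}
    for line in lines:
        m = LINE.match(line)
        if not m or not WATCHED_ASSET.search(urlsplit(m["path"]).path):
            continue  # unparsable line, or not the watched asset
        host = urlsplit(m["referer"]).hostname  # None when referer is "-" or empty
        if host is None or is_owned(host):
            continue
        clients.setdefault(host, set()).add(m["ip"])
    return {host: len(ips) for host, ips in clients.items()}

# Constructed sample log lines (documentation IP ranges, example domains).
TS = "[01/Jan/2026:09:12:01 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {TS} "GET /img/logo.svg HTTP/1.1" 200 5120 "https://www.brand.example/account" "Mozilla/5.0"',
    f'203.0.113.20 - - {TS} "GET /img/logo.svg HTTP/1.1" 200 5120 "https://refund-support.example.net/fr/" "Mozilla/5.0"',
    f'203.0.113.21 - - {TS} "GET /img/logo.svg HTTP/1.1" 200 5120 "https://refund-support.example.net/fr/form" "Mozilla/5.0"',
    f'203.0.113.20 - - {TS} "GET /img/logo.svg?v=2 HTTP/1.1" 304 0 "https://refund-support.example.net/fr/" "Mozilla/5.0"',
    f'192.0.2.9 - - {TS} "GET /img/logo.svg HTTP/1.1" 200 5120 "-" "curl/8.5"',
    f'192.0.2.10 - - {TS} "GET /css/site.css HTTP/1.1" 200 900 "https://other.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in sorted(foreign_referrers(SAMPLE_LOG).items()):
        print(f"{host}\t{n} distinct clients")
```

A page that sets `Referrer-Policy: no-referrer` sends no Referer header, so an empty result does not rule out hotlinking.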

The Real Objective: Harvesting Payment Data

After prompting users to request a refund, the site collects:

  • Full name
  • Address and regional details
  • Email and phone number
  • Credit card number
  • Expiry date
  • CVV security code

To increase credibility, the page even validates card numbers using the Luhn algorithm, rejecting invalid entries to ensure only real card data is submitted.

When victims click “Confirm,” all details are sent to a backend file (send.php) as a structured JSON payload.

The final twist? A confirmation message stating:

“Your application is being processed.”

Below it sits a button labeled “Uninstalling Avast”, a subtle push to remove security software that might otherwise detect malicious behavior.

Live Chat: Phishing Goes Interactive

What sets this campaign apart is the embedded Tawk.to live chat widget, allowing operators to engage visitors in real time.

If a user hesitates or notices inconsistencies – such as contradictory cancellation timelines (“72 hours” vs. “48 hours”) – a fake support agent can step in to reassure them.

This transforms static phishing into an adaptive social engineering attack.
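The traits described so far (a brand logo hotlinked onto an off-brand host, card and CVV fields, and a Tawk.to chat script) can be checked together when triaging a reported URL. The following is an added example, not code from the Malwarebytes report; `brand.example`, the field-name hints and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_SUFFIX = "brand.example"   # assumption: domain of the impersonated brand
CHAT_SUFFIX = "tawk.to"          # live chat provider named in the article
CARD_HINTS = ("card", "cvv", "cvc", "expiry")  # assumed field-name fragments

def under(host, suffix):
    host = (host or "").lower()
    return host == suffix or host.endswith("." + suffix)

class PageTraits(HTMLParser):
    """Collects image hosts, script hosts and input field names from a page."""
    def __init__(self):
        super().__init__()
        self.img_hosts, self.script_hosts, self.fields = set(), set(), set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self.img_hosts.add(urlsplit(a.get("src", "")).hostname)
        elif tag == "script":
            self.script_hosts.add(urlsplit(a.get("src", "")).hostname)
        elif tag == "input":
            self.fields.add((a.get("name") or a.get("id", "")).lower())

def triage(page_url, html):
    """Return which of the traits described above the page shows."""
    traits = PageTraits()
    traits.feed(html)
    signals = []
    # Brand assets are only suspicious when the page itself is off-brand.
    if not under(urlsplit(page_url).hostname, BRAND_SUFFIX):
        if any(under(h, BRAND_SUFFIX) for h in traits.img_hosts):
            signals.append("brand-logo-hotlinked")
    if any(hint in f for f in traits.fields for hint in CARD_HINTS):
        signals.append("card-fields")
    if any(under(h, CHAT_SUFFIX) for h in traits.script_hosts):
        signals.append("live-chat-widget")
    return signals

# Constructed sample page, not markup from the real campaign.
SAMPLE = """<html><body>
<img src="https://static.brand.example/img/logo.svg" alt="logo">
<form><input name="fullname"><input name="cardNumber">
<input name="expiry"><input name="cvv"></form>
<script async src="https://embed.tawk.to/PROPERTY_ID/default"></script>
</body></html>"""
```

Card fields or a chat widget alone are common on legitimate sites; the combination with a hotlinked brand logo on an unrelated host is what warrants escalation.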

Who Is Being Targeted?

The scam is engineered to capture multiple psychological profiles:

  • Existing Avast customers who believe a renewal charge is legitimate
  • Forgotten subscribers unsure about old licenses
  • Non-customers convinced their card was stolen
  • Opportunists attempting to claim money that was never theirs

The page never verifies account credentials. It skips directly to financial information.

Global Impact and Industry Implications

Although the current campaign targets French-speaking users, the tactic itself is globally replicable.

Brand impersonation scams are increasing across industries, from antivirus vendors to banks and telecom providers. The growing sophistication of phishing pages signals a broader evolution in cybersecurity threats, particularly those combining automation with real-time human interaction.

Organizations worldwide must prepare for similar impersonation campaigns targeting their customers.

For businesses seeking proactive defense strategies, Saintynet Cybersecurity provides advisory services and threat response expertise tailored to evolving phishing ecosystems.

10 Recommended Security Actions

Security teams and organizations should consider the following measures:

  1. Monitor for brand impersonation domains targeting your company.
  2. Implement DMARC, SPF, and DKIM to reduce email spoofing.
  3. Educate customers that refunds never require re-entering full card details.
  4. Deploy real-time phishing detection tools.
  5. Conduct regular brand abuse monitoring and takedown operations.
  6. Strengthen web filtering and DNS protection.
  7. Promote security awareness training programs (available at saintynet.com).
  8. Alert customers immediately when impersonation campaigns are detected.
  9. Encourage use of virtual cards or transaction alerts.
  10. Integrate threat intelligence feeds to identify emerging scam patterns early.

For individuals who may have entered their card details:

  • Contact your bank immediately.
  • Cancel the card and dispute unauthorized transactions.
  • Change passwords linked to the submitted email address.
  • Run a full security scan using reputable protection tools.

MEA Perspective

While this campaign currently targets French-speaking users, similar tactics are increasingly seen across Africa and the Middle East, where digital payments and subscription services are expanding rapidly.

Financial institutions, telecom operators, and SaaS providers in the region must strengthen customer communication strategies and proactive fraud detection mechanisms.

CyberCory previously explored brand impersonation trends in our coverage of evolving phishing tactics (see related analysis on CyberCory.com).

Conclusion

This Avast refund scam demonstrates how modern phishing operations blend brand impersonation, dynamic scripting, and live human interaction to maximize success rates.

By leveraging urgency, visual authenticity, and psychological pressure, attackers are harvesting full credit card details without ever breaching a real Avast system.

The lesson is clear: verification must always occur through official channels. Legitimate companies do not request full card numbers and CVV codes to process refunds.

As phishing campaigns become more interactive and convincing, organizations and individuals must remain vigilant.

CyberCory will continue monitoring emerging fraud trends and provide updates as this campaign evolves.
