Avast Refund Scam: French Users Targeted for Credit Card Details

February 24, 2026 Priya Shah – Business Editor Business

A sophisticated phishing campaign impersonating Avast, a leading cybersecurity firm, is targeting French-speaking users, tricking them into divulging complete credit card details under the guise of processing a €499.99 refund. The fraudulent website employs live chat support, dynamically adjusts transaction dates to appear current, and meticulously replicates Avast’s visual branding to harvest payment information at scale, security researchers reported Tuesday.

The operation centers around a fake Avast site that initially presents a charge of €499.99, claiming it is being refunded. Victims are then prompted to provide their name, address, email, phone number, and full credit card information – including the card number, expiry date, and three-digit security code – to facilitate the purported refund. Unlike many phishing attempts, this campaign utilizes a live chat feature, staffed by individuals who actively engage with potential victims to overcome hesitation and encourage them to submit their details.

The phishing page’s design incorporates elements intended to instill trust. The Avast logo is directly sourced from Avast’s own content delivery network, ensuring a visually accurate representation. The page mimics the layout of a legitimate Avast web portal, complete with links to “Home,” “My Account,” and “Assist.” A warning message highlights a 72-hour cancellation window, immediately followed by a contradictory claim that transactions older than 48 hours cannot be cancelled – a subtle tactic designed to create a sense of urgency.

Crucially, the transaction date displayed on the page is not static. A JavaScript function dynamically updates the date to reflect the current day, making the charge appear recent regardless of when the victim accesses the site. Even as the amount remains fixed at €499.99, the dynamic date aims to enhance the illusion of a legitimate, immediate transaction. Researchers emphasize that no actual Avast account is accessed during this process; the charge is entirely fabricated.

The scam’s effectiveness lies in its ability to appeal to multiple types of visitors, according to analysis of the scheme. These include genuine Avast customers seeking a refund, individuals who may have forgotten they have an Avast account, those who believe their card details have been stolen and are attempting to resolve a fraudulent charge, and even individuals attempting to fraudulently claim a refund they are not entitled to. The form itself does not differentiate between these groups, requesting the same information from all visitors.

Once a victim submits their credit card details, the information is sent to a backend file named “send.php” as a JSON object. The page then redirects the victim to a confirmation message stating, “Your application is being processed — Thank you for your inquiry,” and includes a button labeled “Uninstalling Avast” – a final attempt to remove any security software that might detect the fraud.

The inclusion of a live chat widget, provided by Tawk.to, distinguishes this campaign from many other phishing operations. The chat feature allows the scammers to directly address visitor concerns and provide reassurance, effectively transforming a static phishing page into an interactive fraud operation. The Tawk.to account identifier associated with the phishing site is 689773de2f0f7c192611b3bf, with widget code 1j27pp82q.

Security experts advise individuals to be wary of unsolicited refund offers, particularly those requesting full credit card details. Key warning signs include unrecognized charges appearing with the current date, urgent cancellation deadlines, requests for complete credit card information, the absence of account verification requirements, and the presence of live chat support pushing for immediate action. If individuals suspect they have entered their details on a fraudulent website, they should immediately contact their bank or card issuer to cancel their card and report the incident.