The auto deduction is there in the terms of service (see link) item 14 of the EULA. McAfee not the only AV software that does that I think they want their users to always be safe and a few may forget to pay if the non deduction path was used.
I myself would prefer it up front as a question. You made a good point if the email bounces maybe they could have looked further but where as the only other contact was the credit card I assume. Maybe it should be necessary to add the personal email field as a secondary email address I have that active so a tech can look it up if my main email address doa.
Of course this all null now it has happened and you will be refunded sorry you think this was dodgy.
I will pass your worries up the line