Real Subscription Renewal Email vs Subscription-Renewal Phishing
How to tell a genuine SaaS or subscription billing notification from a phishing email designed to steal your payment details under a fake renewal alert.
Last reviewed: 1 June 2026
Genuine billing emails are boring by design. They greet you by the name on the account, mention the specific plan you pay for and the last four digits of your card, and any real problem is also visible when you log into the service yourself. They do not need you to click anything urgently. Renewal phishing works because almost everyone has several subscriptions, cannot recall exactly when each one renews, and finds a failed payment notice mildly embarrassing rather than suspicious. The template is copied from the real thing, the logo is right, and updating your card takes fifteen seconds, which is precisely the point. The distinction that matters most is where the problem appears. If the only place your account is in trouble is inside an email, and the service itself shows nothing wrong when you log in directly, the email is the problem.
Side-by-side comparison
| Genuine subscription renewal email | Subscription-renewal phishing email | |
|---|---|---|
| Sender domain | Email originates from the service's official domain — e.g. @netflix.com, @adobe.com — verifiable by inspecting the full email headers | Email comes from a domain that mimics the brand (e.g. netflix-billing.com, adobe-support.net) or a completely unrelated domain |
| Account-specific details | Genuine billing emails include your account name, the last four digits of the card on file, and the specific plan you subscribe to | Generic greeting ('Dear Customer', 'Dear Valued Member') with no account-specific details that would verify the sender knows who you are |
| Link destination | Any link in a genuine billing email goes to the service's primary official domain — verifiable by hovering over the link before clicking | Link goes to a domain that is not the service's primary domain; URL may be long, obfuscated, or use a URL shortener |
| Payment update method | Genuine billing issues are flagged inside your account when you log in — not exclusively via email with an external link | Entire call to action is to click a link and enter card details externally; logging into the official app shows no issue |
| Urgency framing | Renewal reminders are routine and do not threaten immediate service suspension for failing to click a link | Claims your service will be suspended within 24 hours, your account has been charged for an unexpected amount, or that a refund is pending |
Common red flags
- Email sender domain is not the service's official primary domain
- Generic salutation with no account-specific identifying information
- Link in the email goes to a domain different from the service's official website
- Urgent threat of immediate suspension or a large unexpected charge if you do not act now
- Logging into the official service directly shows no billing issue, failed payment, or notification
Verification steps
- Log in to the service directly by typing the URL — check the billing section of your account settings for any real issue
- Hover over any email link to preview the destination URL before clicking; verify it matches the official domain
- Check the full sender email address, not just the display name, for the exact domain
What not to do
- Do not click links in renewal or billing emails without first checking the sender domain and link destination
- Do not enter card details on any page reached from a billing email — log into the service directly instead
- Do not call a phone number in a billing email without verifying it on the service's official website
A safe response
Do not use the link, even to look. Open the service the way you normally would, by typing its address or using its app, and check the billing section of your account; a genuine failed payment will be waiting there too. If the email is the only place anything is wrong, delete it and report it as phishing. If you have already entered card details, ring your bank or card provider using the number on the back of the card, report it, and ask for the card to be replaced. If you entered a password, change it on that service and anywhere you reused it, then turn on two-factor authentication and review recent account activity.
Frequently asked questions
The email had my real name and the correct last four digits of my card, is it still fake?
It can be. Details like your name, email address and partial card numbers appear in data breaches and are bought and reused, so a convincing email is not proof of a genuine sender. Partial card digits are also shown on receipts and statements that may have been intercepted. Treat personalisation as no evidence at all and rely on the same test: log into the service directly and see whether the billing problem exists there.
How can I tell if the email is really from Netflix or Adobe?
Check the full sender address — not just the display name. The domain after the @ must exactly match the service's official domain. Also log into the service directly and check your billing settings; a genuine issue will appear there too.
I received a refund offer for a subscription I do not recognise — should I claim it?
This is a common phishing technique. Do not click any refund link. Log into your bank account directly to check whether any charge from the company exists. If you do not recognise a subscription, contact your bank to investigate the charge through official channels.