Fake Disney+ Order Confirmation and Account Upgrade Scam
Scammers send fake Disney+ order confirmations for a bundle upgrade the recipient did not authorise, using the surprise charge as a pretext to direct victims to a phishing page for cancellation.
Part of: Fake Order Confirmation Phishing Scams
Last reviewed: 7 June 2026
Disney+ regularly promotes bundle offers combining Disney+, Hulu, and ESPN+. Fake order confirmation emails that reference a bundle upgrade or add-on purchase exploit both the plausibility of these real offers and the recipient's instinct to investigate an unexpected charge on their account.
The approach is the reverse of a standard threat phish: rather than threatening the victim, the scam presents as an accidental transaction that the recipient will want to cancel and reverse. This creates a motivated recipient who is looking for a way to stop the imaginary charge.
The resulting traffic to the fake cancellation page is composed of engaged, concerned users who are actively seeking to take action — exactly the state of mind most likely to complete a credential-entry flow.
How this scam works on the Disney+ brand
Disney+ sends genuine order confirmations and plan change notifications from @email.disneyplus.com. These emails arrive only when an account holder actually changes their subscription plan through the disneyplus.com account settings. Disney+ does not charge for unsolicited plan upgrades.
Fake order confirmation emails reference a specific plan name — such as the Disney Bundle Ultimate or a fictional 'Premium Family Plan' — and a realistic-looking charge amount. A 'Manage Subscription' or 'Cancel Order' button links to a phishing domain. After the victim enters their credentials to 'cancel', the page presents a payment verification form requesting card details to 'process the refund'.
This double-harvest — credentials first, then card details under the refund pretext — maximises the data collected from a single interaction.
Common red flags
- Order confirmation email is not from @email.disneyplus.com or @disneyplus.com
- The Disney+ account shows no corresponding order or charge when checked directly
- The 'Cancel Order' button links to a non-disneyplus.com domain
- After entering credentials, the page asks for card details to 'process a refund'
- The plan name or bundle referenced does not match any real Disney+ product
- The email was not preceded by any account action you took
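The sender-domain and link-domain red flags above can be checked mechanically by a mail filter or a triage script. The following Python check is an added example, not code from this page or from Disney+; the function names, the sample message and its .example hosts are constructed for illustration, and the allowed domains are the ones this page lists.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sender domains this page names as genuine; links must stay on disneyplus.com.
SENDER_DOMAINS = {"email.disneyplus.com", "disneyplus.com"}
LINK_DOMAIN = "disneyplus.com"

class _Hrefs(HTMLParser):
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def on_domain(host, domain):
    # Exact match or a true subdomain; "disneyplus.com.cancel-order.example" fails.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw_email):
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []
    sender = parseaddr(str(msg["From"] or ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain not in SENDER_DOMAINS:
        flags.append(f"sender domain: {sender_domain or '(none)'}")
    body = msg.get_body(preferencelist=("html",))
    parser = _Hrefs()
    parser.hrefs = []
    if body is not None:
        parser.feed(body.get_content())
    for href in parser.hrefs:
        host = urlsplit(href).hostname  # hostname excludes any "user@" prefix
        if not on_domain(host, LINK_DOMAIN):
            flags.append(f"off-domain link: {host}")
    return flags

# Constructed sample; the .example hosts are placeholders, not real indicators.
SAMPLE = """\
From: Disney+ <orders@disneyplus-billing.example>
Subject: Your order is confirmed
Content-Type: text/html; charset="utf-8"

<a href="https://disneyplus.com.cancel-order.example/login">Cancel Order</a>
<a href="https://www.disneyplus.com/account">Account</a>
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

An empty result does not prove a message is genuine, because the From header can be forged; checking the account directly remains the deciding step.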
How to protect yourself
- Check your Disney+ account at disneyplus.com/account to verify any orders or plan changes — genuine ones will appear there
- Contact Disney+ support through help.disneyplus.com if you see an unrecognised charge on your bank statement
- Never cancel or refund a Disney+ order through a link in an email — use your account settings directly
- Use a unique email address alias for streaming service accounts to detect targeted phishing
- Set a strong unique password for Disney+ separate from your email and banking passwords
How to report it
- Report phishing to Disney+ at help.disneyplus.com
- Forward the email to [email protected]
- Report to the FTC at reportfraud.ftc.gov (US) or to Action Fraud at actionfraud.police.uk (UK)
- If card details were submitted, contact your bank or card issuer immediately
Frequently asked questions
Does Disney+ ever charge for plan upgrades without my consent?
No. Any change to your Disney+ subscription plan requires your action within the account settings at disneyplus.com. Disney+ does not initiate unsolicited upgrades. If you see an unexpected charge, verify it in your account and contact Disney+ support at help.disneyplus.com.
How do I check for unexpected orders on my Disney+ account?
Log in to disneyplus.com and navigate to your account settings. Look at your subscription details and billing history. Any plan changes or charges you authorised will appear there. If you see a charge you cannot explain, contact Disney+ support and your bank.
Why do scammers use fake order confirmations rather than threats?
Fake order confirmations create motivated, non-suspicious victims who want to correct what seems like an error. Unlike threat-based phishing, the 'order error' framing feels less like an attack and more like a genuine mistake — one the recipient wants to resolve, leading to higher engagement rates.