Fake Subscription Renewal Phishing on X (Twitter)
Phishing DMs and emails impersonating X Premium billing warn users that their verified status or subscription will be revoked, directing them to fraudulent pages that steal login credentials or payment details.
Last reviewed: 1 June 2026
X Premium's blue checkmark carries social signalling value for many users, and the threat of losing it — or the associated features — creates genuine urgency. Scammers exploit this by sending phishing messages that mimic X's billing and account communication style with near-perfect branding.
X's history of repeated subscription model changes means users are accustomed to receiving policy and billing notices, making fake renewal alerts easier to believe. A convincing fake email or DM can prompt even careful users to click through before verifying.
How this scam works on X (Twitter)
Users receive a DM from an account impersonating X Support, or a phishing email using X branding, warning that their Premium subscription payment has failed. The message threatens account demotion or feature removal within 24–48 hours and provides a link to update billing information. The link leads to a credential-harvesting site.
Some variants use X's own advertising platform to display promoted posts warning of 'account verification issues', routing users to external phishing pages. Because promoted posts can appear in users' timelines from unfamiliar accounts, they carry a degree of platform legitimacy.
Common red flags
- DM from an account claiming to be 'X Support' with a payment failure warning
- Email claiming your X Premium subscription failed — from a domain that is not x.com or twitter.com
- Promoted post in your timeline warning of an 'account verification problem' with a link
- Urgent 24-hour deadline to update your payment information
- Link in the message leading to a domain other than x.com
- Request for your X password as part of the payment update process
How to protect yourself
- Navigate to x.com/settings/subscription directly to check your subscription and billing status
- Never click links in DMs claiming to be from X Support — X handles billing through account settings only
- Enable two-factor authentication on your X account
- Check that any X-branded email comes from an @x.com or @twitter.com address
- Report and block any account sending unsolicited billing-related DMs
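The domain checks in the red flags and protection lists above can be automated when triaging reported messages. The Python sketch below is an added example, not part of the original page or any X tooling; the function names, flag labels and sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the page names as legitimate for X; all other hosts count as external.
TRUSTED = ("x.com", "twitter.com")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def is_trusted_host(host):
    """True only for a trusted domain or a genuine subdomain of one."""
    host = (host or "").rstrip(".").lower()
    try:
        # IDNA-encode so look-alike Unicode hosts become xn-- labels and fail.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def link_host(url):
    """Host a browser would contact; userinfo such as x.com@ is ignored."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""

def triage(body, sender=""):
    """Return red-flag labels (hypothetical names) for one email or DM."""
    flags = []
    if sender:
        # A passing From domain is not proof: the header can be spoofed.
        addr = parseaddr(sender)[1]
        if not is_trusted_host(addr.rpartition("@")[2]):
            flags.append("sender-domain:" + addr)
    for url in URL_RE.findall(body):
        if not is_trusted_host(link_host(url)):
            flags.append("external-link:" + link_host(url))
    if re.search(r"\bpassword\b", body, re.IGNORECASE):
        flags.append("asks-for-password")
    if re.search(r"\b(24|48)[ -]?hours?\b", body, re.IGNORECASE):
        flags.append("urgent-deadline")
    return flags

# Constructed sample messages, not real traffic.
PHISH = ("Your X Premium payment failed. Update billing within 24 hours: "
         "https://x.com.billing-update.example/login and confirm your password.")
LEGIT = "Manage your plan at https://x.com/settings/subscription"

if __name__ == "__main__":
    print(triage(PHISH, "X Support <billing@x-premium-billing.example>"))
    print(triage(LEGIT, "X <info@x.com>"))
```

The suffix match requires a leading dot, so hosts such as `notx.com` or `x.com.billing-update.example` are not mistaken for x.com.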
How to report it
- Report the DM or account in X using the three-dot menu and selecting 'Report'
- Forward phishing emails impersonating X to your email provider's spam/phishing reporting tool
- File a complaint with the Anti-Phishing Working Group at [email protected]
Frequently asked questions
Does X ever send billing notices through DMs?
No — X manages subscriptions and billing through your account settings, not through Direct Messages. Any DM claiming to be from X about billing or payment is a phishing attempt.