Fake Subscription Renewal Phishing
Fraudsters send fake renewal notices for popular services — streaming platforms, antivirus software, cloud storage — to trick you into handing over card details or making payments.
Last reviewed: 1 June 2026
What this scam is
Fake subscription renewal phishing attacks impersonate the renewal notifications sent by legitimate services you are likely to use. Because subscription renewals are genuinely routine — most people have at least one service that renews automatically — a renewal notice from a recognisable brand name triggers familiarity rather than suspicion.
The impersonated brands are typically high-recognition services: major streaming platforms, cloud storage providers, antivirus and security software, or productivity suites. The fraudster does not need to know whether you actually subscribe to the service. Because these services are so widely used, a phishing message impersonating one of them has a reasonable chance of reaching someone who does subscribe and who is therefore primed to believe it is genuine.
The goal is typically one of two things. In the credential-harvesting variant, the fake renewal notice directs you to a spoofed login page where entering your details captures both your login credentials and, on a subsequent screen, your payment card details. In the direct payment variant, the message claims your payment has failed, your subscription is about to lapse, or you are owed a refund, and directs you to a payment page that captures your card details.
Some variants are more targeted: if the attacker knows from a data breach that you subscribe to a specific service, they may craft a more convincing message tailored to your actual account. Others are mass-sent with no targeting, relying on volume to find recipients who do subscribe to the named service.
How it works
The attack begins with a message (email, SMS, or sometimes a push notification) that closely mimics a real renewal communication from a well-known service. The display name is set to the brand, which any sender can do; the sending address is either a lookalike domain or, where the brand's own domain is not protected against forgery, a spoofed copy of the real one; and the message body reuses the brand's logo, colour scheme and formatting where the attacker has copied it.
The message content takes one of several angles: your subscription is due to renew and your payment needs to be confirmed; your recent payment failed and your access will be suspended unless you update your details; you are eligible for a refund on an overcharge; or your subscription has been renewed and if you did not authorise this you should click a link to cancel and receive a refund.
Each angle is designed to create urgency and prompt action. Clicking the link takes you to a convincing but fraudulent website that asks for your login credentials, card details, or both. Details entered are harvested by the attacker.
In refund variants specifically, the fraudster may extend the fraud by asking for your bank details "to process the refund" and then using them to take money out rather than pay money in, sometimes by asking you to confirm a transfer you believe is incoming when it is actually outgoing.
Why this scam works
Subscription phishing succeeds because renewal emails are one of the most automated and expected categories of business communication. Consumers are conditioned to receive them and to act on them — confirming payment, updating details — without applying significant scrutiny. The fraudster inserts their message into this conditioned behaviour by matching the format and brand identity of messages the victim already trusts.
Common red flags
- Renewal notice arrives when your renewal is not due
- Sender email address does not match the official service domain
- Message asks you to click a link to confirm payment details
- Urgency language — 'your account will be suspended', 'act within 24 hours'
- Link in the message goes to a domain that is not the official service URL
- Message claims you are owed a refund for an overcharge you do not recall
- Grammar, spelling, or formatting inconsistencies compared to genuine communications
- Login page URL has a different domain from the real service
- Request for card details or bank account details to process a refund
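The sender-domain, link-domain and urgency red flags above can be applied mechanically to a raw message. The script below is an added illustration, not part of this page's guidance or any service's own tooling. It assumes a placeholder official domain, service.example, standing in for [Service]; the two sample messages are constructed for the example, and the domain reduction is a deliberate simplification that takes the last two labels of a hostname and so ignores multi-label suffixes such as co.uk.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the domain the real service sends from and
# links to. "service.example" stands in for "[Service]" on this page; a real
# check would use the brand's published domains.
OFFICIAL_DOMAINS = {"service.example"}
BRAND = "service"

URGENCY_PHRASES = ("within 24 hours", "within 48 hours", "will be suspended",
                   "action required", "avoid interruption")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a[^>]+href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def host_of(url: str) -> str:
    """Hostname part of an http(s) URL, or '' if there is none."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1) if m else ""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, so the lookalike
    service.example.renew-now.example reduces to renew-now.example.
    Assumption: single-label public suffixes only; use a public-suffix
    list to handle domains such as co.uk correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def addr_domain(addr: str) -> str:
    return registrable_domain(addr.rpartition("@")[2])


def check_renewal_message(raw: str) -> dict:
    """Apply the red-flag checks to one raw (RFC 5322) message and
    return the sender address and the list of flags raised."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # Check the address, not the display name the mail client shows by default.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    if addr_domain(from_addr) not in OFFICIAL_DOMAINS:
        flags.append(f"sender domain {addr_domain(from_addr)!r} is not official")
        if BRAND in display_name.lower():
            flags.append("display name uses the brand but the address does not")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and addr_domain(reply_to) not in OFFICIAL_DOMAINS:
        flags.append(f"Reply-To goes to non-official domain {addr_domain(reply_to)!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Visible link text that is itself a URL but differs from the real href.
    for href, label in ANCHOR_RE.findall(text):
        shown = host_of(label.strip())
        if shown and registrable_domain(shown) != registrable_domain(host_of(href)):
            flags.append(f"link shows {shown!r} but goes to {host_of(href)!r}")

    # Every URL in the message must land on the official domain.
    for domain in sorted({registrable_domain(host_of(u)) for u in URL_RE.findall(text)}):
        if domain not in OFFICIAL_DOMAINS:
            flags.append(f"link to non-official domain {domain!r}")

    lowered = text.lower()
    flags.extend(f"urgency language: {p!r}" for p in URGENCY_PHRASES if p in lowered)

    return {"from": from_addr, "flags": flags, "suspicious": bool(flags)}


# Constructed sample messages for this example (not real traffic).
PHISHING_SAMPLE = """\
From: "Service Billing" <billing@service-renewals-secure.example>
Reply-To: refunds@service-renewals-secure.example
Subject: Action required: your Service payment failed
Content-Type: text/html; charset="utf-8"

<p>We were unable to process your Service payment.</p>
<p>Please update your billing details at
<a href="http://service.example.renew-now.example/billing">https://service.example/billing</a>
within 24 hours to avoid interruption.</p>
"""

GENUINE_SAMPLE = """\
From: "Service" <no-reply@service.example>
Subject: Your Service annual plan renews on 14 June
Content-Type: text/plain; charset="utf-8"

Your annual plan renews on 14 June. You can review your billing details
at any time at https://service.example/account/billing
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        result = check_renewal_message(sample)
        print(name, "suspicious" if result["suspicious"] else "no flags")
        for flag in result["flags"]:
            print("  -", flag)
```

On the constructed phishing sample the script raises seven flags: a non-official sender domain, a brand name in the display name only, a non-official Reply-To, link text that shows the real domain while the href goes elsewhere, a link to the lookalike domain, and two urgency phrases. The constructed genuine sample raises none. Note that the lookalike host service.example.renew-now.example begins with the real domain, which is why the check reduces every hostname to its registrable domain before comparing rather than testing whether the real domain appears anywhere in the string.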
Sanitized example messages
Illustrative, sanitized examples. Specific details are replaced with placeholders such as [Service], [amount] and [fake link].
Your [Service] subscription renews in 48 hours. Update your payment method at [fake link] to avoid interruption.
We were unable to process your [Service] payment. Please update your billing details at [fake link] within 24 hours.
You have been charged [amount] for [Service]. If you did not authorise this, click here to cancel and receive a refund: [fake link].
Your [Service] annual plan is renewing today at [amount]. To review or cancel, visit [fake link].
Action required: your [Service] account will be suspended in 24 hours. Verify your payment at [fake link].
Common variations
- Refund phishing — claims you are owed money to capture bank or card details
- Payment failure phishing — claims your card was declined to prompt detail re-entry
- Suspension warning — threatens access loss to create urgency
- Annual renewal overpayment — claims you were charged incorrectly for an annual plan
- New device activity — fake security alert claiming a new device has accessed your account
How to verify before you act
The safest rule for any billing, payment, or renewal message is never to use a link provided in the message itself. Always navigate to the service directly by typing the URL or using a saved bookmark, then check your account. If the problem described in the message is real, it will appear in your account. If it does not appear, the message was not from the real service.
Payment methods used
- Card
- Payment apps
- Bank transfer
Who is usually targeted
- Subscribers to major streaming, software, or cloud services
- Anyone with an active digital subscription
- People who receive genuine renewal emails from the impersonated service
What to do immediately
- Do not click any link in the message
- Log in to the real service directly by typing its address in your browser and check your account status
- If you have already clicked a link and entered details, change your password on the real service immediately, and on any other account where you used the same password
- If card details were entered, contact your bank immediately to cancel the card and dispute any charges
- Report the phishing message to your email provider using the report-phishing function
- Forward the phishing email to your national cybercrime reporting body's phishing reporting address
How to prevent it
- Never click billing or renewal links in emails — always go directly to the service
- Check the sender's actual email address, not just the display name, against the official service domain
- Set up two-factor authentication on all subscription accounts
- Know your actual renewal dates so unexpected renewal messages stand out
- Use a password manager: it only offers saved credentials on the domain they were saved for, so a login page where autofill stays silent is a sign you are not on the real site
Evidence to preserve
- The original phishing email or SMS in full, including headers
- Screenshot of the fake login or payment page if accessed
- The URL of any website you were directed to
- Bank statements if any charges were made
- A note of which credentials or card details were entered (what was exposed, not the secrets themselves)
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
I clicked the link and entered my card details — what should I do now?
Contact your bank immediately to cancel the card and dispute any charges. Also change the password on the real service account, as your credentials may have been harvested at the same time. Enable two-factor authentication on the account to prevent further unauthorised access.
How do I tell if a renewal email is genuine?
Check the sending address, not just the display name, and confirm it ends in the official domain of the service. A matching address is necessary but not sufficient: where the service's domain is not protected against forgery, the From address itself can be faked. The decisive test is to log into the real service through your browser and check whether the issue described in the email appears in your account. Genuine renewals will be reflected in your account's billing history.