FRANCE PHISHING VERDICT

Doctolib phishing SMS scam in France 2026: is the refund or reschedule text real?

If you book a doctor in France, you almost certainly use Doctolib. That is exactly why a text that says "Doctolib" with a small refund or an urgent appointment change feels so easy to trust.

SafeBrowz Threat Research · Security Research · June 28, 2026 · 9 min read

Is the Doctolib SMS real?

Verdict: a Doctolib SMS or email that offers a refund, asks you to pay to confirm an appointment, or threatens to restrict your account is a phishing scam. Doctolib does not process medical refunds (your CPAM or mutuelle does that) and never sends a refund through an SMS link. The only real website is doctolib.fr. Genuine messages show "Doctolib" as the SMS sender and come from addresses on doctolib.fr (for example [email protected]), never from a mobile number and never asking for your card or password. A lookalike such as doctolib-remboursement.com is fake. To check, open a new tab and type doctolib.fr yourself instead of tapping the link.

The headline

Since spring 2026, France has seen repeated waves of fake Doctolib SMS and emails: a "€23 refund pending", an "urgent appointment to reschedule", or an "account restriction". Each one leads to a clone site that copies Doctolib perfectly and harvests your login, card, and health details. The campaign is made worse by a January 2026 leak of French patient data that lets scammers send accurate, personalised messages. Doctolib has stated its own systems were not breached.

Why the Doctolib scam works so well in France

Doctolib is woven into daily life in France. The platform is used by more than 45 million people to book GP visits, specialists, vaccines, and lab tests, and to receive real appointment reminders by SMS and email. A message branded "Doctolib" is not unusual; it is routine. That familiarity is the scam's entire engine. The fake text does not need to be clever. It just needs to look like the dozens of legitimate reminders you have already received.

The three bait stories are all calibrated to feel ordinary, not alarming. A small refund of a few euros is too trivial to question and just plausible enough that you assume a doctor overcharged you. An "appointment to reschedule" taps the fear of losing a hard-won specialist slot, which in France can take weeks. An "account restriction" or "identity verification" notice plays on the worry of being locked out of your medical bookings. None of them screams "fraud", and that is the point.

What pushed this from background noise to a national alert in 2026 is data quality. When a scam text already knows your name, your phone number, and sometimes the name of a clinic you visited, the usual giveaways disappear. It no longer reads like a clumsy mass blast. It reads like Doctolib actually contacting you.

The 2026 patient-data leak that feeds the targeting

On 4 January 2026, a hacker posted files on a criminal forum containing the personal data of more than 150,000 French patients, including names, dates of birth, email addresses, phone numbers, and postal addresses. The data was branded as a "Doctolib base", which is why early reports linked it to the platform.

The fuller picture is more specific. According to French press coverage, the leak traced back to two healthcare providers, a private hospital in Belfort and an ophthalmology practice in Sallanches, that had exported their patients' data after ending their contract with the platform. The breach happened on those providers' own systems, not on Doctolib's. Doctolib has firmly denied that any of its own systems were compromised or that its database leaked.

For the victim, the legal blame is academic. What matters is that real contact details and medical context are now circulating, and they are exactly what a phishing crew needs to send ultra-targeted "Doctolib" messages. This is the difference between a generic spam wave and a campaign that can quote enough true detail to disarm you.

How the fake Doctolib scam actually works

The scam runs in two formats, SMS and email, and both end on the same kind of page: a clone of Doctolib built to capture whatever you type.

The refund version. A text or email arrives reading something like "Doctolib: un remboursement complémentaire de 23 euros est en attente. Confirmez vos informations: [link]". To "receive" the refund you are asked to log in and then enter your card details so the money can be "credited". There is no refund. The card form simply records your number, expiry, and CVV.

The reschedule version. A message says a recent or upcoming appointment must be moved and presses you to act fast before the slot is lost: "Votre rendez-vous doit être reprogrammé. Confirmez ici sous 24h." The link opens a fake Doctolib login. Enter your email and password and the attackers now own your account, your appointment history, and any health information attached to it.

The account version. A "security" notice claims your Doctolib account is restricted or needs identity verification, and asks for your login plus, in some variants, an ID document or card. This one is built to harvest the maximum amount of data in a single pass.

Once a card is captured, attackers typically run a small test charge within minutes, then a larger one, sometimes pushing a fake bank confirmation page that asks you to read back a real 3D Secure code your bank just sent. Once a login is captured, it is reused immediately against the real Doctolib and against email accounts that share the password.

The exact phrases the fake messages use

Once you have seen these, they stand out in any inbox. Real Doctolib reminders do not write like this.

  • "Un remboursement de 23 euros est en attente, confirmez vos coordonnées bancaires"
  • "Votre rendez-vous doit être reprogrammé sous 24h, cliquez ici"
  • "Votre compte Doctolib est restreint, vérifiez votre identité"
  • "Action requise: confirmez votre carte pour valider votre rendez-vous"

The wording feels official because the crews copy real Doctolib templates, but two things are always wrong: the money flow and the urgency. Real Doctolib never asks for a card to "confirm" or "validate" an appointment, and it never offers a medical refund. And while a real reminder may nudge you to confirm attendance, it does not run a 24-hour countdown that threatens to delete your account or your booking.

What a real Doctolib message looks like vs a fake

This is the section to memorise. Four facts separate every real Doctolib message from every fake one.

Fact 1: the SMS sender is the name "Doctolib", never a mobile number. Genuine Doctolib texts are sent from the registered sender ID "Doctolib". If a "Doctolib" message arrives from a 06 or 07 French mobile number, or from a random international number, it is fake. Doctolib does not text you from a personal phone.

Fact 2: real emails come from doctolib.fr addresses. Legitimate Doctolib email is sent from addresses on its own domain, for example [email protected] for appointment management, and addresses on doctolib.com or its email subdomains for general information. The display name "Doctolib" can be faked, so check the full address after the @, not the name. Anything ending in a different domain (doctolib-fr.com, doctolib-remboursement.com, secure-doctolib.net) is hostile.

Fact 3: the only real website is doctolib.fr. Not doctolib-rdv.com, not doctolib.fr.secure-login.net, not any hyphenated or subdomain variation. The real platform lives at doctolib.fr. If the address bar shows anything else, leave.

Fact 4: Doctolib does not handle medical refunds and never asks for your card to confirm a booking. Reimbursement for care in France is processed by your CPAM (the public health insurance, via ameli.fr) and your mutuelle, not by Doctolib. Doctolib has no mechanism to refund you a few euros by SMS. Any message that ties a refund or a card payment to a Doctolib appointment is a scam by definition.

Lookalike URLs to watch for

These are the kinds of domains that fit 2026 Doctolib phishing patterns. The list is not exhaustive (attackers register new ones constantly), but the structure repeats: take the word "doctolib", add a refund, login or security word, and hang it off a non-doctolib.fr address, or bury the real name in a subdomain.

  • doctolib-remboursement.com (real is doctolib.fr, and Doctolib does not refund)
  • doctolib-rdv.com (real appointments live only on doctolib.fr)
  • secure-doctolib.net ("secure-" prefix is a classic phishing tell)
  • doctolib-fr.com (real domain is doctolib.fr, not doctolib-fr.com)
  • doctolib.fr.verif-compte.com (subdomain trick, the real domain is verif-compte.com)
  • mon-doctolib-paiement.com (real Doctolib has no "paiement" portal for refunds)

On a phone the address bar is short and easy to ignore, which is why SMS is the attackers' favourite channel. Before you type anything, read the domain right after https:// and before the first slash. If it is not exactly doctolib.fr, stop.
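As an added example (not SafeBrowz code and not part of the original article), the Python below applies Fact 3 and the lookalike patterns above to the host of a link, and Fact 2 to the address in an email From: header. The verdict strings and the two-label approximation of the registrable domain are my own choices, and the sample links and addresses are constructed.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the article names as genuine; anything else is treated as hostile.
GENUINE_WEB_DOMAIN = "doctolib.fr"
GENUINE_MAIL_DOMAINS = ("doctolib.fr", "doctolib.com")


def extract_host(link: str) -> str:
    """Return the lowercase host: the text right after the scheme and before the
    first slash. Links copied from an SMS often lack a scheme, so add one."""
    if "://" not in link:
        link = "https://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def on_genuine_domain(host: str, genuine: str) -> bool:
    """True for the domain itself or a real subdomain (www.doctolib.fr).
    doctolib.fr.verif-compte.com fails: it starts with, but does not end in, doctolib.fr."""
    return host == genuine or host.endswith("." + genuine)


def check_link(link: str) -> tuple[bool, str]:
    """Verdict (is_genuine, reason) for a link found in a message."""
    host = extract_host(link)
    if not host:
        return False, "no host found in link"
    if on_genuine_domain(host, GENUINE_WEB_DOMAIN):
        return True, f"{host} is on {GENUINE_WEB_DOMAIN}"
    # Registrable domain approximated as the last two labels: enough for the
    # .com/.net/.fr lookalikes in the article (a public-suffix list is needed
    # for co.uk-style suffixes).
    registrable = ".".join(host.split(".")[-2:])
    if host.startswith(GENUINE_WEB_DOMAIN + "."):
        return False, f"subdomain trick: the real domain is {registrable}"
    if "doctolib" in host:
        return False, f"brand lookalike: registrable domain is {registrable}"
    return False, f"unrelated domain {registrable}"


def check_sender(from_header: str) -> tuple[bool, str]:
    """Judge an email From: header by the address after the @, never the display name."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return False, "no address found in From: header"
    if any(on_genuine_domain(domain, g) for g in GENUINE_MAIL_DOMAINS):
        return True, f"address domain {domain} is genuine (display name ignored)"
    return False, f"display name {display!r} but address domain is {domain}"


if __name__ == "__main__":
    # Constructed samples: lookalikes listed in the article plus one genuine link.
    for link in ("https://www.doctolib.fr/account", "doctolib-remboursement.com",
                 "https://doctolib.fr.verif-compte.com/login", "secure-doctolib.net/verify"):
        print(link, "->", check_link(link))
```

The last sample in the test, a link with doctolib.fr as the userinfo before an @, shows why the check must read the parsed host rather than search the raw string for the brand name.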

Red flags: how to spot it in 30 seconds

  • A refund is offered. Doctolib does not refund medical fees. Your CPAM and mutuelle do.
  • You are asked for a card to "confirm" an appointment. Booking on Doctolib is free and never needs your card to validate.
  • The SMS comes from a mobile number, not the "Doctolib" sender name.
  • The link domain is not doctolib.fr. Hyphens, "secure-", or a subdomain trick are all fakes.
  • There is a countdown. "Sous 24h" or "votre compte sera supprimé" is manufactured panic.
  • It asks for your password, ID document, or full card on one page. The real site never does this in a message link.
  • The email address after the @ is not doctolib.fr. Ignore the display name.

Any single one of these is enough to delete the message. Two or more and you are looking at a confirmed phishing attempt.

What to do (the safe routine)

If you think the message might relate to a real appointment, do not tap anything in it. Open a new browser tab. Type doctolib.fr directly into the address bar, or open the official Doctolib app you already installed. Log in there and check your appointments and messages. If there is nothing matching the text, the message was a scam.

For anything about reimbursement of care, go to your own health channels, not a Doctolib link. Public reimbursement is handled at ameli.fr (or the Ameli app), and complementary reimbursement by your mutuelle. Neither of them communicates through a Doctolib refund SMS.

If a relative forwards you a "Doctolib" text asking "is this real?", run the same 30-second check for them. The sender name, the domain, and the refund question give it away every time.

What to do if you already entered your details

Speed matters, because attackers often move within minutes.

  1. If you entered card details, call your bank immediately and block the card. Use the opposition hotline on the back of your physical card or inside your banking app.
  2. If you entered your Doctolib password, change it now on the real doctolib.fr, and change it on any other account that used the same password. Turn on two-factor authentication where offered.
  3. Dispute any unauthorised charge. Under European PSD2 rules and Article L133-18 of the French Code Monétaire et Financier, your bank must refund unauthorised card transactions unless it proves gross negligence, and you have up to 13 months to dispute.
  4. Report it to Cybermalveillance.gouv.fr. The official French cybercrime platform at cybermalveillance.gouv.fr gives you a written reference and next steps.
  5. File a complaint (plainte) at your local commissariat or gendarmerie with screenshots of the message, the fake URL, and any transaction. This is often needed to push a bank refund through.
  6. Watch your statements daily for a month. Some attackers wait before running larger fraud, hoping you have stopped checking.

How to report the scam

Reporting protects the next person. Each step takes under two minutes.

  • Fake SMS: forward the text to 33700, the free French anti-spam short code, then delete it.
  • Phishing site URLs and email: report at cybermalveillance.gouv.fr under "Signaler une cybermalveillance".
  • Tell Doctolib: forward suspicious messages to [email protected] so the platform can flag the campaign.
  • If your data may have leaked: stay alert for follow-up phishing, since leaked contact details are reused across waves.

Updated June 28, 2026.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. The Android app on Google Play and the browser extension both check a link before the clone page can load, which is exactly the moment that matters with a Doctolib SMS, because the danger is the page the link opens, not the text itself.

  • Layer 1 - Local detection: 60+ URL patterns and 550+ brand-specific signatures (including French health and government impersonation patterns like doctolib-{variant}.{tld} and secure-doctolib-{variant}) plus whitelist and blacklist, all running on-device before the page renders. doctolib.fr and ameli.fr are in the brand database, so a lookalike such as doctolib-remboursement.com triggers a block before the fake login page finishes loading.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and scam-TLD intelligence to catch known malicious Doctolib lookalike domains the moment they are reported.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis recognises a cloned Doctolib login or refund page by its structure, brand cues, and credential-harvest fields, and catches new variants the moment they go live, even before they appear on any blocklist.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. No per-user browsing history is stored.

Block the fake Doctolib page before you log in

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge (a Safari version is on the way, and an Android app is live on Google Play) that blocks fake Doctolib login and refund pages automatically. It recognises 550+ brands including Doctolib, Ameli, FranceConnect, La Poste, and impots.gouv.fr, all auto-blocked when a page tries to impersonate them. AI content analysis works in French and 100+ other languages and spots new phishing domains the moment they go live, even ones not yet on any blocklist. Free forever, no account needed. Premium is $14.99/year. Questions: [email protected].


Frequently asked questions

Is the Doctolib refund SMS real?

No. Doctolib does not process medical refunds and never sends a refund through an SMS link. Reimbursement for care in France is handled by your CPAM via ameli.fr and by your mutuelle, not by Doctolib. Any SMS or email that offers a Doctolib refund and then asks for your bank or card details is a phishing scam. To check, open a new tab and type doctolib.fr yourself, or open the official app, and look at your account directly.

Does Doctolib ever ask for my card to confirm an appointment?

No. Booking an appointment on Doctolib is free and never requires your card to validate or confirm it. Any message that says you must "confirm your card" or "pay to validate" a Doctolib appointment is fake. The clone page that follows is built to steal your card number, expiry, and CVV.

What does a real Doctolib SMS look like?

A genuine Doctolib text shows the sender name "Doctolib", not a mobile number, and is limited to appointment reminders and confirmations. It does not offer refunds, does not demand your password or card, and does not run a 24-hour countdown threatening to delete your account. If a "Doctolib" message arrives from a 06 or 07 number or asks for sensitive data, it is a scam.

What is the only real Doctolib website?

The only real website is doctolib.fr. Legitimate emails come from addresses on doctolib.fr, such as [email protected]. Anything like doctolib-remboursement.com, doctolib-rdv.com, secure-doctolib.net, or a subdomain trick such as doctolib.fr.verif-compte.com is a fake. Always read the domain right after https:// and before the first slash.

Was there a Doctolib data leak in 2026?

In January 2026 a hacker posted data on more than 150,000 French patients, branded as a "Doctolib base". French press reporting traced it to two healthcare providers that had exported patient data after leaving the platform, and the breach occurred on those providers' own systems. Doctolib has firmly denied that any of its own systems were compromised. Either way, the leaked contact details are now being used to send accurate, targeted "Doctolib" phishing messages.

Where do I report a fake Doctolib message?

Forward a fake SMS to 33700, the free French anti-spam short code, then delete it. Report phishing sites and emails at cybermalveillance.gouv.fr under "Signaler une cybermalveillance", and forward suspicious messages to [email protected] so Doctolib can flag the campaign. If you entered card or login details, block your card, change your password, and dispute any charge with your bank.
