ESPN+ billing scam email: how to spot the fake subscription renewal notice in 2026

Q: I clicked the link but did not enter my card. Am I safe?

Card is safe, but if you entered an email and password, your ESPN+ and Disney bundle login is compromised. Change your ESPN+ password immediately by signing in directly at plus.espn.com. If you reused the password anywhere else, change those too. If you only landed on the page and closed it, you are almost certainly fine.

Q: What is the real ESPN+ billing email address?

Real ESPN+ billing emails come from @espnplus.com, @plus.espn.com, or @disneystreaming.com. Those three sender domains cover Disney Streaming billing for ESPN Plus. Anything outside those is impersonation.

Q: Can attackers see or replay my ESPN+ watch history?

If they have your password, yes. ESPN+ watch history is tied to the account, and a signed-in attacker can see which events you streamed, which teams you follow, and which devices you used. Sign out all devices from Account then Devices and change the password to cut the attacker off.

Q: How do I report an ESPN+ phishing email so the page gets taken down?

Forward the full email with headers to phishing@disneystreaming.com. Use Forward as attachment to preserve headers. You can also forward US-targeted streaming phishing to reportphishing@apwg.org and report monetary loss to the FTC at reportfraud.ftc.gov.

What the ESPN+ billing scam looks like

The email arrives with the red ESPN logo and a subject line built for panic: "Action required: ESPN+ subscription failed to renew" or "Your live sports access expires in 2 hours." The body text targets the wallet and the calendar at the same time:

Your ESPN+ subscription failed to renew. Reactivate before your live sports access expires. Tonight's UFC main card requires an active subscription.

The button leads to a counterfeit ESPN+ sign-in page on a domain that is not plus.espn.com. It captures email and password, then a second page captures card number, expiration, CVV, and billing zip. Within minutes the attacker has your Disney ecosystem login (the same credential covers Disney+ and Hulu) and a working credit card.

Real ESPN+ billing notices never demand you "verify" your card through an external link, and never tie the renewal to a single named event. The Disney Streaming Help Center documents the real flow: silent retries first, then an in-app banner, then an email pointing you to plus.espn.com/account after a normal sign-in.

The 5 message variants in active rotation

1. The classic billing renewal failure

"We were unable to process your ESPN+ subscription renewal. Update your payment method within 24 hours to avoid losing live sports access." "Action required" and "Subscription renewal failed" are the two most-reported subject lines for ESPN+ phishing in FTC Consumer Sentinel streaming-fraud submissions through early 2026.

2. The PPV access expired alert

"Your access to tonight's pay-per-view event has expired due to a billing issue. Reactivate before the main card to keep watching." The highest-converting version. UFC numbered events and Top Rank boxing drive bursts of these emails timed to fight week.

3. The Disney+ bundle renewal

"Your Disney+, Hulu, and ESPN+ bundle is being migrated to the new combined billing system. Verify your payment method to keep all three services active." Real bundle subscribers find this plausible because Disney has consolidated billing.

4. The annual-plan upgrade scam

"Save more than 15 percent on your ESPN+ subscription by switching to the annual plan. Confirm your payment method to lock in the lower price." Upgrade framing replaces panic with greed. The card-capture page at the end is identical.

5. The live game blackout notice

"We detected a regional restriction on your ESPN+ account that may block tonight's live game replay. Verify billing to clear the restriction." Sports fans understand blackouts as a real ESPN concept (MLB and NHL local-market rules), so the fake restriction sells.

Why ESPN+ phishing converts faster than other streaming scams

Three structural factors make ESPN+ unusually effective:

Live-event urgency is real. A Netflix subscriber can verify tomorrow. An ESPN+ subscriber who thinks they will miss tonight's UFC main event clicks first and verifies later. AARP's 2025 and 2026 fraud-watch reports specifically called out "event-timed" streaming phishing because the urgency in the message is also urgency in real life.
Disney bundle confusion. ESPN+ is bundled with Disney+ and Hulu under a single Disney Streaming charge. Subscribers do not always know which entity bills them, so a fake "ESPN+ Billing" email with a bundle reference feels structurally correct.
Card on file is usually high-limit. ESPN+ subscribers skew toward adults with active PPV purchase history. Cards on file frequently authorize $80 to $100 PPV transactions, signaling headroom and a recent legitimate streaming charge that test-charges can hide behind.

The 7 red flags that expose every ESPN+ phishing email

1. Sender domain is not @espnplus.com, @plus.espn.com, or @disneystreaming.com. Anything else (@espn-billing.com, @espnplus-renewal.net) is fake. Check the address after the @, not the display name.
2. Urgency tied to a specific event. Real ESPN never writes "main card starts in 2 hours" inside a billing email. Promotional and billing emails stay separate. Any email that combines them is a scam tell.
3. Generic greeting. "Dear ESPN+ Subscriber" or "Hello Customer" is a scam. Real Disney Streaming emails address you by the first name on the account.
4. Link destination does not contain plus.espn.com or my.espn.com. Hover without clicking. The real domain must be plus.espn.com or my.espn.com immediately before the first single slash after https://. plus.espn.com.billing-restore.xyz and espnplus-billing.com are NOT ESPN.
5. Asks for your password through the email link. ESPN+ never asks you to "confirm your password" via email. Password changes happen inside Account Settings after a normal sign-in.
6. Mentions a specific PPV without real account details. A real ESPN+ note about a PPV references the event you purchased, the date, and the device list. Scams say "tonight's PPV" with no specifics because the attacker does not know what you bought.
7. Threats to lose replay access or watch history. Real ESPN+ does not threaten replay-rights loss inside a billing email. Replay access is tied to subscription state, not a single missed payment.

Real ESPN+ communication channels

ESPN+ reaches subscribers in three legitimate places:

In-app banners on the ESPN app (iOS, Android, smart TVs, consoles). No in-app banner means no real issue.
The account page at plus.espn.com showing plan, renewal date, card on file, and any payment flags.
Email from @espnplus.com, @plus.espn.com, or @disneystreaming.com. Anything else is impersonation.

The 5-step ESPN+ verification (before you click anything)

Do not click the email button. Close the email and open the ESPN app or a new browser tab. The fight starts at the same time regardless of what the email said.
Type plus.espn.com manually or open the ESPN app on phone, tablet, smart TV, or console. Do not search "ESPN Plus login" on Google during a PPV week; sponsored placements during peak phishing waves are sometimes typosquats with paid ads.
Sign in normally and check the Subscription page. Account → Subscription shows status, renewal date, card on file, and any payment flags. No flag means no real issue.
Contact Disney Streaming support via the Help Center. Open help.disneyplus.com or plus.espn.com/help. Never call a phone number from the suspicious email.
Check your credit card statement. Real ESPN+ renewals show as "Disney Streaming Service" or "ESPN Plus" on most US issuers. If the renewal posted normally, the "billing failure" email is fake by definition. Screenshot the email for any later report.

If you already entered your card or password

Speed matters. Stolen streaming-package card data is often used within 24 to 72 hours, sometimes faster during a PPV week when test charges hide behind real streaming activity. Move in this order:

Lock the card in your bank app immediately using the one-tap lock feature in every major bank app. Order a replacement with a new number.
Change your ESPN+ and Disney bundle password by signing in directly at plus.espn.com → Account → Security → Change password. The bundle shares credentials across Disney+ and Hulu, so one change covers all three.
Sign out of all devices from Account → Devices. This kicks any attacker session off every TV, console, and phone.
Monitor bank statements daily for two weeks. Card-not-present fraud often begins with small test charges disguised as fake "ESPN+" or "Hulu" line items at $1 to $5.
If you reused the password anywhere else, change those too. Credential-stuffing tries stolen passwords against Amazon, Gmail, banks, and crypto exchanges within hours, per UK Action Fraud's 2025 advisories.
Report the phishing email by forwarding the full message with headers to phishing@disneystreaming.com. Use "Forward as attachment" to preserve headers. Also forward to reportphishing@apwg.org and report monetary loss to the FTC at reportfraud.ftc.gov.

The same template hits Disney+, Hulu, Peacock, HBO Max, Paramount+, and Apple TV+

The ESPN+ scam is part of a wider streaming impersonation template. Same urgency, same fake-billing flow, only the logo changes:

Disney+: "Your Disney+ subscription has been suspended due to payment failure."
Hulu: "Your Hulu account has been suspended due to a billing issue."
Peacock: "Your Peacock Premium subscription is on hold."
HBO Max / Max: "Unable to process your Max payment. Update billing within 48 hours."
Paramount+: "Paramount+ payment failed. Reactivate now to keep watching."
Apple TV+: "Your Apple TV+ subscription could not be renewed. Verify your payment method."

Cisco Talos's 2026 phishing-trend reports note streaming impersonation has overtaken several bank impersonations in raw email volume.

How browser-layer defense catches this earlier

Email filters miss most streaming phishing because sender domains rotate daily and PPV-week volume spikes faster than spam classifiers retrain. The defense that consistently works is at the click destination. When you land on the fake ESPN+ page, a browser-layer scanner recognizes "ESPN+ logo on a non-espn.com domain" and blocks before any input field is interactive.

SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before render. Its brand database includes ESPN+, Disney+, Hulu, Max, Peacock, Paramount+, Apple TV+, and 530+ others. Install SafeBrowz free.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches espn-billing.{tld}, myespnplus.{tld}, fake PPV access denial subdomain patterns instantly.
Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains.
Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Add to Chrome Add to Firefox Add to Edge

Frequently asked questions

Does ESPN+ really cancel my subscription in the middle of a PPV?

No. ESPN+ does not pull live access during an event you are watching. Real renewals retry the card silently across several days, surface a banner inside the app, and only then send a billing email pointing you to plus.espn.com/account. The mid-PPV cancellation framing exists only in phishing emails. The Disney Streaming Help Center documents the real retry-and-grace-period flow.

I clicked the link but did not enter my card. Am I safe?

Your card is safe, but if you entered an email and password, your ESPN+ and Disney bundle login is compromised. Change your ESPN+ password immediately by signing in directly at plus.espn.com. If you reused that password anywhere else (Hulu, Disney+, Gmail, Amazon), change those too. If you only landed on the page and closed it, you are almost certainly fine; visiting an HTML phishing page does not install anything on a modern browser.

What is the real ESPN+ billing email address?

Real ESPN+ billing emails come from @espnplus.com, @plus.espn.com, or @disneystreaming.com. Those three cover Disney Streaming's billing operations for ESPN Plus. Anything outside is impersonation. Check the address after the @, not the display name.

Why does the scam email mention my Disney bundle?

Because Disney runs ESPN+, Disney+, and Hulu as a real combined bundle with consolidated billing. Attackers use the bundle reference as a credibility cue. It only proves the attacker reads Disney's pricing page. Verify by signing in to the Disney bundle dashboard directly, never by clicking the email.

Can attackers see or replay my ESPN+ watch history?

If they have your password, yes. A signed-in attacker can see which events you streamed, which teams you follow, and which devices you used. That data is sometimes resold as part of profile bundles for targeted future phishing. Sign out all devices from Account → Devices and change the password.

How do I report an ESPN+ phishing email so the page gets taken down?

Forward the full email with headers to phishing@disneystreaming.com. Use your email client's "Forward as attachment" option so headers stay intact. You can also forward to reportphishing@apwg.org and report monetary loss to the FTC at reportfraud.ftc.gov.