What the HBO Max account locked scam looks like
The service launched as HBO Max in 2020, rebranded to "Max" in 2023, then re-emphasized the "HBO Max" name in 2025 marketing while keeping the max.com domain. Scammers exploit that inconsistency by switching between "HBO Max" and "Max" inside the same email.
The email arrives with the Max logo (or the older HBO Max logo), an urgent subject line ("Action required: your Max account has been suspended"), and a button labeled "Update billing" or "Reactivate now." The body text is short and aimed at the wallet:
Your Max (HBO Max) account has been suspended due to a billing failure. Verify your payment method within 24 hours to avoid permanent loss of access to your watchlist, downloads, and HBO Originals.
The button leads to a counterfeit Max sign-in page that captures email and password, then a second page for the card number, expiration, CVV, and billing zip. In many 2026 variants the fake page is an AiTM (adversary in the middle) proxy that mirrors the real play.max.com in real time, so the victim sees their actual account name appear after entering credentials - making them feel safer right before the card-entry step. Cisco Talos's 2025 reporting on streaming phishing kits documents this AiTM pattern across multiple brand templates.
Real Max payment-failure emails do exist. They never ask you to "verify" your card through an email link; they ask you to sign in to play.max.com and update billing inside the Subscription dashboard. The fake emails always link to a third-party domain.
The 5 message variants in active rotation
1. The classic billing failure
"Your Max (HBO Max) subscription has been suspended due to a billing failure. Update your payment method within 24 hours to avoid permanent loss of access." The most common version. "Account suspended" and "Final notice: HBO Max" are two of the most-reported subject lines in FTC Consumer Sentinel streaming-phishing complaint data for 2025 and 2026.
2. The Max and Discovery+ merger transition
"As part of the ongoing Max and Discovery+ billing consolidation, we need you to re-confirm your payment method to keep your combined subscription active." Exploits the real Warner Bros Discovery merger and billing-system changes communicated throughout 2024 and 2025. Users have seen genuine emails about it, so a follow-up feels plausible.
3. The ad-free tier upgrade required
"Important: changes to your Max plan. To continue with ad-free streaming and 4K Ultra HD, confirm your payment method at the new $16.99 rate." Max has restructured tiers (Basic with Ads, Standard, Premium) multiple times since launch. Price-change emails are expected, so this variant slips past the normal "is this real?" filter.
4. The foreign-country login alert
"We detected an unusual sign-in to your Max account from [country]. If this was not you, secure your account now." The country named is whichever flag scares the recipient most. Same template as the Apple ID and Microsoft variants documented in AARP Fraud Watch Network's 2025 streaming alerts.
5. The refund offer reversal
"Your Max account has been credited a partial refund due to a recent service issue. Confirm your card details to receive the refund within 3 business days." Inverts the urgency frame from loss to gain, catching users who would never click a "suspension" email but feel comfortable claiming a refund. The card-entry page works the same way.
Why HBO Max phishing hits harder than other streaming scams
- The rebrand cycle trained users to expect confusing emails. Genuine HBO Max-to-Max transition emails landed throughout 2023 and 2024, followed by partial-revert messaging in 2025. After two years of inconsistent branding, subscribers no longer have a clear mental model of what a real email should look like.
- Premium-tier pricing complexity. Premium, Standard, and Basic with Ads each carry a different price, those prices have changed more than once since launch, and older HBO Max grandfathered rates still coexist with them. Subscribers cannot easily verify from memory whether "$16.99" is the right number for their plan.
- Family plans and shared cards. Max accounts often have a parent's higher-limit credit card on file, sometimes a corporate card via a benefit program. Capturing that card is worth more than the login, which is why every Max phishing flow ends at a card-entry page.
The 7 red flags that expose every HBO Max phishing email
- 1. Sender domain is not @max.com or @mail.max.com. Anything else (@hbomax-account.com, @max-billing.net, @warnerbros-support.com) is fake. Display names can say anything; the address after the @ is what matters.
- 2. 24 to 48 hour urgency. "Within 24 hours" or "your account will be permanently suspended" is the single most reliable scam indicator. Max retries failed cards silently before sending any email.
- 3. Generic greeting. "Dear Max Subscriber" or "Hello Valued Customer" is a scam. Real Max billing emails address you by the name on the account and typically reference the last four digits of the card on file. The reverse is not proof: a scam can still use your real name if it came from a breached mailing list, so a personal greeting on its own clears nothing.
- 4. Link destination is not max.com or play.max.com. Hover over the button. The destination must have max.com as the actual domain, meaning the part immediately after https:// and before the first single slash, and anything before an @ in that part is ignored by the browser. https://max.com.update-billing.xyz is NOT Max (the domain is update-billing.xyz). max-account.com is also not Max.
- 5. Stale or inconsistent branding. Real emails carry the current logo and wordmark and use one name consistently. Scam templates often copy-paste 2022-era "HBO Max" copy and logos, or switch between "Max" and "HBO Max" inside one message because the attacker is guessing which name you know.
- 6. Asks for the password through an email link. Max never asks you to "confirm your password" by clicking an email link. Password changes happen inside Account → Security after a normal sign-in on play.max.com.
- 7. Fake "Warner Bros Discovery" branding without proper attribution. Real footers include the legal entity (Warner Bros. Discovery, Inc.), a physical mailing address in New York or Atlanta, and CAN-SPAM compliance links. Scam emails either omit the legal block or attach random "Warner Bros Discovery" wordmarks. A wordmark image with no legal text behind it is a flag.
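A worked check for red flags 1 and 4, added here as an editorial example and not code from Max, Warner Bros. Discovery, or SafeBrowz: it pulls the host out of a link the way a browser does (dropping any user@ prefix and port), accepts only max.com and its subdomains, and flags the lookalike tricks listed above plus an IDN homograph. The allowlist, the brand-token list, the mixed-script heuristic, and the sample links are assumptions constructed for this example.

```python
"""Decide whether an email link really points at Max. Added example; the
allowlist, brand tokens, and sample links below are assumptions, not Max's own."""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Assumption taken from the article: the genuine service lives on max.com and its subdomains.
LEGIT_DOMAINS = ("max.com",)
# Brand strings a lookalike host tends to contain (heuristic list, assumed).
BRAND_TOKENS = ("hbomax", "max", "hbo", "warnerbros")


def extract_host(url: str) -> str:
    """Lowercase host: the part after '://' up to the first '/', with any
    user:pass@ prefix and :port dropped. 'https://max.com@evil.example/' -> 'evil.example'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not a web link: {url!r}")
    host = parts.hostname  # urlsplit already lowercases and strips userinfo/port
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def is_legit_host(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one (play.max.com, help.max.com)."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def script_of(ch: str) -> str:
    """First word of the Unicode character name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def is_homograph(host: str) -> bool:
    """Flag Punycode labels (xn--) and labels mixing scripts, e.g. Latin m/x with Cyrillic a."""
    for label in host.split("."):
        if label.startswith("xn--"):
            return True
        if len({script_of(c) for c in label if c.isalpha()}) > 1:
            return True
    return False


def brand_lookalike(host: str) -> bool:
    """'max-billing.net' -> 'maxbillingnet' contains 'max'. Heuristic: expect some false positives."""
    squashed = "".join(c for c in host if c.isalnum())
    return any(tok in squashed for tok in BRAND_TOKENS)


def classify(url: str) -> dict:
    host = extract_host(url)
    verdict = {"host": host, "legit": is_legit_host(host), "reasons": []}
    if verdict["legit"]:
        return verdict
    if is_ip_literal(host):
        verdict["reasons"].append("ip-literal host")
    if is_homograph(host):
        verdict["reasons"].append("homograph/punycode label")
    if brand_lookalike(host):
        verdict["reasons"].append("brand name in a non-max.com host")
    if not verdict["reasons"]:
        verdict["reasons"].append("third-party domain")
    return verdict


# Constructed sample links modelled on the patterns the red-flag list describes.
SAMPLE_LINKS = [
    "https://play.max.com/account",
    "https://max.com.update-billing.xyz/verify",
    "https://max-account.com/login",
    "https://max.com@hbomax-account.com/reactivate",   # userinfo trick: real host is after the @
    "http://203.0.113.10/max/billing",                 # documentation-range IP, constructed
    "https://m\u0430x.com/login",                      # Cyrillic U+0430 in place of Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        v = classify(link)
        print("OK  " if v["legit"] else "FAKE", v["host"], "; ".join(v["reasons"]))
```

The suffix match is deliberately strict: "endswith('max.com')" without the leading dot would accept a registrable domain such as notmax.com, and a substring match would accept max.com.update-billing.xyz, which is exactly the trick red flag 4 warns about.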
How real Max communication works
Genuine account notices appear as in-app banners (TV, phone, tablet, or browser) the moment you launch Max. Account → Subscription on play.max.com is the source of truth for plan, next billing date, payment method, and any failed-payment flags. Real billing emails come only from @max.com or @mail.max.com. Support is reached through the help center at help.max.com after sign-in, not from a link in a suspicious email.
The 5-step Max verification (before you click anything)
- Do not click the email button. Close the email and open the Max app or a new browser tab.
- Open the Max app or type play.max.com manually in the address bar. Do not search for "Max" or "HBO Max" on Google; sponsored results during phishing waves can be typosquats with paid placement.
- Sign in normally. If there is a real billing issue, Max shows it as a banner at the top of the home screen or in the Account section. No banner means there is no issue.
- Go to Account → Subscription and Billing. Verify the card on file is yours, the renewal date looks right, and there are no failed-payment flags. Compare any amount the email mentioned to what your subscription page actually shows.
- Check your credit card statement. If the email claims a payment failed, your card statement will either show the genuine failed charge or not. Screenshot the suspicious email for reporting before deleting.
If you already entered your card or password
Speed matters. Stolen streaming-bundle card data is often sold in batches and used within 24 to 72 hours. Move now, in this order:
- Lock the card in your bank app immediately. Every major bank in the US, UK, EU, and most Gulf countries has a one-tap "lock card" or "freeze card" feature. Use it first, then order a replacement card with a new number.
- Change your Max password by opening the Max app or signing in directly at play.max.com and going to Account → Security → Change password. Use a long unique password you have not reused.
- Sign out of all devices from Account → Devices. This kicks any attacker session out before they can change recovery email or add a new payment method.
- Monitor your bank statements daily for two weeks. Card-not-present fraud usually shows up as small test charges first ($1.05, $2.50) before bigger purchases follow.
- Change any reused passwords. If you used the same password on Amazon, Gmail, PayPal, Hulu, Disney+, or any bank, change those too. Credential-stuffing attacks try stolen passwords on dozens of services within hours, per UK Action Fraud's 2025 streaming-credential reuse report.
- Report the phishing email to Max by forwarding the full message with headers to phishing@max.com. Use "Forward as attachment" to preserve headers. You can also forward US-targeted streaming phishing to reportphishing@apwg.org and file with the FTC at reportfraud.ftc.gov.
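What "Forward as attachment" actually preserves, shown as an added example rather than anything from Max or the original page: the raw headers let whoever triages the report check the From domain against the official senders named above, compare it with Return-Path, and read the Authentication-Results line. The .eml below is constructed for this example, and its SPF and DKIM "pass" results are the point: they only prove the mail genuinely came from the scammer's own max-billing.net, not from max.com. Domain names, header values, and the flag wording are assumptions.

```python
"""Triage the headers of a reported phishing email. Added example with a
constructed .eml; not Max's tooling and not code from the original page."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Official sender domains named in the article; exact match, no other subdomains.
LEGIT_SENDER_DOMAINS = ("max.com", "mail.max.com")

# Constructed sample modelled on the billing-failure variant. Every value is made up.
SAMPLE_EML = """\
Return-Path: <bounce-9182@max-billing.net>
Received: from mx1.max-billing.net (mx1.max-billing.net [198.51.100.23])
  by inbound.example.net with ESMTPS; Tue, 03 Mar 2026 09:14:02 +0000
Authentication-Results: inbound.example.net; spf=pass smtp.mailfrom=max-billing.net;
  dkim=pass header.d=max-billing.net; dmarc=none header.from=max-billing.net
From: "Max Customer Service" <billing@max-billing.net>
To: subscriber@example.net
Subject: Final notice: HBO Max account suspended
Content-Type: text/html; charset=utf-8

<p>Your Max (HBO Max) account has been suspended due to a billing failure.</p>
<p><a href="https://max.com.update-billing.xyz/verify">Update billing</a></p>
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts and the DKIM signing domain out of Authentication-Results."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr)  # policy.default has already unfolded the header
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text):
            found[m.group(1)] = m.group(2).lower()
        d = re.search(r"header\.d=([\w.-]+)", text)
        if d:
            found["dkim_domain"] = d.group(1).lower()
    return found


def link_hosts(msg) -> list:
    """Hosts of every href in the HTML (or plain-text) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    return [urlsplit(u).hostname or "" for u in re.findall(r'href="([^"]+)"', content)]


def triage(raw_eml: str) -> dict:
    msg = email.message_from_string(raw_eml, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, bounce_addr = parseaddr(str(msg.get("Return-Path", "")))
    from_dom, bounce_dom = domain_of(from_addr), domain_of(bounce_addr)
    auth = parse_auth_results(msg)
    hosts = link_hosts(msg)
    flags = []
    if from_dom not in LEGIT_SENDER_DOMAINS:
        flags.append(f"From domain {from_dom} is not an official Max sender")
    if "max" in display.lower() and from_dom not in LEGIT_SENDER_DOMAINS:
        flags.append(f"display name {display!r} claims Max but the address does not")
    if bounce_dom and bounce_dom != from_dom:
        flags.append(f"Return-Path domain {bounce_dom} differs from From domain")
    # SPF/DKIM 'pass' only proves the mail came from the domain in the header. When that
    # domain belongs to the attacker, a pass is evidence of nothing, so check WHICH domain passed.
    if auth.get("dkim") == "pass" and auth.get("dkim_domain") not in LEGIT_SENDER_DOMAINS:
        flags.append(f"DKIM passes for {auth.get('dkim_domain')}, not for max.com")
    if auth.get("dmarc") != "pass":
        flags.append(f"no DMARC pass (result: {auth.get('dmarc', 'absent')})")
    bad_hosts = [h for h in hosts if not (h == "max.com" or h.endswith(".max.com"))]
    if bad_hosts:
        flags.append("links point outside max.com: " + ", ".join(bad_hosts))
    return {"from_domain": from_dom, "display_name": display, "auth": auth,
            "link_hosts": hosts, "flags": flags,
            "verdict": "suspicious" if flags else "passes header checks"}


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print(result["verdict"])
    for flag in result["flags"]:
        print(" -", flag)
```

Ordinary "Forward" rebuilds the message under your own From and Received headers, so everything this script reads from the Return-Path, Received, and Authentication-Results lines is lost; forwarding as an attachment keeps the original message intact inside the new one.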
The same template hits Netflix, Disney+, Hulu, Spotify, Peacock, Paramount+, and Apple TV+
The HBO Max scam is part of a wider streaming-impersonation template. Same body copy, same urgency window, same fake-billing flow - only the logo and color palette change:
- Netflix: "Your Netflix account is on hold. Update your payment method to avoid cancellation."
- Disney+: "Your Disney+ subscription has been suspended due to a payment failure."
- Hulu: "Your Hulu account has been suspended due to a billing issue."
- Spotify: "Your Spotify Premium subscription has been suspended."
- Peacock: "Your Peacock Premium subscription is on hold."
- Paramount+: "Paramount+ payment failed. Reactivate now to keep watching."
- Apple TV+: "Your Apple TV+ subscription could not be renewed. Verify your payment method."
Recognize the HBO Max version and you recognize all of them. The defense pattern is identical: never click the email link, verify in the app or by typing the real domain manually.
How browser-layer defense catches this earlier
Email filters miss most streaming phishing because sender domains rotate daily. The defense that consistently works is at the click destination - when the user lands on the fake Max billing page, a browser-layer scanner can recognize "Max logo on a non-max.com domain" and block the page before any input field becomes interactive. SafeBrowz is a free Chrome, Firefox, and Edge extension whose brand database includes Max, HBO, Netflix, Disney+, Hulu, Spotify, Peacock, Paramount+, Apple TV+, and 530+ others. Install SafeBrowz free for browser-layer defense across every brand you sign in to.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches max-billing.{tld}, hbomax-account.{tld}, fake Warner Bros Discovery subdomain patterns instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.
Frequently asked questions
Is it Max or HBO Max in 2026?
Both. Warner Bros Discovery rebranded HBO Max to "Max" in 2023, then re-emphasized "HBO Max" in 2025 marketing while keeping the max.com domain. The company itself uses both names depending on market. The streaming app is at play.max.com and official emails come from @max.com or @mail.max.com regardless of which brand name the message body uses. Scammers exploit the inconsistency by switching between "HBO Max" and "Max" inside the same email.
I clicked the link but did not enter info. Am I safe?
Almost certainly, provided your browser and operating system are up to date. Most HBO Max phishing pages are plain HTML forms or AiTM proxies that capture only what you type; landing on the page and closing it gives the attacker nothing. If the page pushed a download, do not open it: delete it and run a scan with Windows Defender, Malwarebytes free, or your system's built-in protection. If you are not sure whether you typed anything, follow the "If you already entered your card or password" steps above anyway; they cost you a password change and nothing else.
What is the real Max billing email address?
Genuine Max billing notifications come from @max.com or @mail.max.com. The display name might read "Max", "HBO Max", or "Max Customer Service", but the actual sender address after the @ symbol is always one of those two domains. Anything else - including plausible variants like @hbomax.com, @max-mail.com, or @account-max.com - is fake.
Why does the email reference Warner Bros Discovery?
Warner Bros. Discovery, Inc. is the real parent company that owns Max, so legitimate billing emails do include a corporate footer mentioning it. Real footers include a full mailing address (typically New York or Atlanta), CAN-SPAM compliance links, and a clean legal block. Scam emails either skip the footer entirely or paste a fake "Warner Bros Discovery" wordmark with no real corporate detail.
Can attackers see my watch history if they get into my Max account?
Yes. Once signed in, an attacker sees your watch history, watchlist, profiles, payment method last-4, billing address, and the email on the account. They cannot see the full card number on file but they can change the payment method, add new profiles, or change the account email to lock you out. This is why "sign out of all devices" and "change password" need to happen within minutes of realizing you were phished.
How do I report phishing to Max so the page gets taken down?
Forward the full email with headers to phishing@max.com. Use "Forward as attachment" to preserve original headers - ordinary forwarding strips them and slows takedown. You can also report US-targeted streaming phishing to the Anti-Phishing Working Group at reportphishing@apwg.org and file with the FTC at reportfraud.ftc.gov if you entered card or personal details.
Related reading
- "Disney+ account locked" email scam: how to spot it - same template, family-tier targeting
- "Netflix account on hold" email scam: how to spot it - the original streaming account-locked phishing pattern
- "Spotify account suspended" email scam - same urgency frame, different subscription brand
- The six emotions phishing emails exploit - why urgency and brand-confusion both bypass careful thinking
Bottom line: The HBO Max account locked scam keeps working because the email looks plausible, the rebrand cycle is genuinely confusing, and the threat of "you cannot watch tonight" hits subscribers before they verify the sender. Do not click. Type play.max.com manually or open the app. Check Subscription. Add a browser-layer scanner like SafeBrowz.