Roku account locked and billing scam email: how to spot the fake suspension notice
The Roku "account locked, update your billing" email and text is a high-volume streaming phishing scam aimed at one of the largest connected-TV audiences in the world.
A Roku email or text about a locked account or failed payment with a link is almost certainly a scam. The real Roku only uses roku.com (your account lives at my.roku.com), and Roku never asks for full card details or a "reactivation fee" by email or text. Urgency plus a link to "update billing" is the signature of the scam, not of a genuine billing notice.
What the Roku account locked scam looks like
The message arrives with the purple Roku logo lifted from Roku's own marketing, an urgent subject line ("Action required: your Roku account is locked" or "Roku payment failed - update billing"), and a button labeled "Update billing", "Verify account", or "Reactivate subscription." The body is short and aimed straight at the wallet:
Your Roku account has been locked because we could not process your payment. Update your billing information within 24 hours to avoid losing access to your channels and subscriptions.
The button leads to a counterfeit Roku sign-in page that captures your email and password, then a second page asking for the full card number, expiration, CVV, and billing zip - sometimes framed as a small "reactivation fee." Within minutes the attacker has your Roku login plus a working credit card. Because Roku accounts store a payment method that can be used to buy channel subscriptions and content on the platform, a stolen Roku login has direct cash value on its own.
Real Roku billing emails exist. They never ask you to "verify" your card through an email or text link. They ask you to sign in directly at my.roku.com and update your payment method inside your account. Every fake version links to a third-party domain that is not roku.com.
How the scam actually works, step by step
- Urgency. A 24 to 48 hour countdown ("your account will be permanently closed", "channels will be removed") to stop you from pausing to check.
- A fake "verify" or "update billing" link. The link text may read "roku.com" but the real destination is a lookalike domain, a wrong top-level domain, or roku tucked in as a subdomain of a foreign site.
- A lookalike Roku page. The login form is a pixel copy of the real Roku sign-in screen. Some campaigns relay your login to the real Roku in the background so the page "works" while quietly stealing your session.
- Harvest. The page collects your Roku email and password, then your full card number, expiry, CVV, and zip. The login and card are sold or used within hours.
Roku has tens of millions of active accounts worldwide, which is exactly why it is a heavy phishing target. A template that fools even one recipient in a thousand still pays when the send list is enormous.
The tells: how to spot the fake in seconds
- 1. The link is never roku.com. The real Roku domain is roku.com and your account dashboard is my.roku.com. The scam link is something else: a random string, the wrong TLD, or roku used as a subdomain on a foreign domain. roku-billing-update[.]com, roku-account-verify[.]top, and roku.com.reactivate[.]xyz are all fake. In that last one the real domain is reactivate[.]xyz, not roku.com - read the part right before the first single slash.
- 2. It demands full card details. Roku does not email or text you to re-enter your full card number, CVV, and zip to "verify" an account. If a page wants all of that, it is harvesting, not verifying.
- 3. It charges a "reactivation fee." Roku does not charge a fee to unlock or reactivate a basic account. A "small fee to restore access" is a scam tell, not a Roku policy.
- 4. Urgency and a countdown. "Within 24 hours or your account is deleted" is pressure designed to skip your judgment. Real billing notices are calm and do not threaten permanent deletion on a timer.
- 5. Generic greeting and odd sender. "Dear Roku User" instead of your name, and a sender address that is not roku.com after the @ symbol. Display names like "Roku Support" prove nothing.
How real Roku communicates with you
Roku uses two reliable channels. First, your account dashboard at my.roku.com, where you can see your subscriptions, your payment method, and any genuine billing flag. Second, the Roku device or app itself, which surfaces real account messages on screen. Roku never asks for your password through an email or text link, and never asks you to enter full card details to "verify" or "reactivate" an account. Both behaviors are diagnostic of phishing.
The 5-step Roku verification, before you click anything
- Do not click the email or text link. Close the message and open Roku yourself instead.
- Type roku.com manually in the address bar, or open the Roku app on your phone or TV. Do not search "Roku login" on Google during a phishing wave; sponsored results occasionally include typosquats with paid placement.
- Sign in at my.roku.com and check Subscriptions and Payment method. The real status of your account, your subscriptions, and any genuine payment problem all appear here. No flag means no issue, regardless of what the message said.
- Contact Roku only through the official Support site reached from roku.com, not a phone number or email pasted in the suspicious message. Numbers in phishing messages route to call-center attackers running the next stage.
- Check your card statement for a real Roku charge. If a Roku charge posted normally, there was no payment failure and the message is fake. The statement is your source of truth, not the email. Screenshot the suspicious message before deleting it so you have a record to report.
The trap: lookalike domains and session capture
The destination is never roku.com. It is something close enough to skim past a tired reader: roku-billing-update[.]com, roku-account-verify[.]top, roku.com.reactivate[.]xyz, or a homograph that renders visually similar to roku.com in some fonts. The subdomain-chain trick (roku.com.reactivate[.]xyz) is especially effective because the brand name appears first and the real registered domain hides at the end.
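The "read the part right before the first single slash" rule from the tells above and the lookalike shapes listed in this section can be checked mechanically. The following is an added example, not SafeBrowz or Roku code; it assumes single-label public suffixes (.com, .top, .xyz), so a production checker would consult the Public Suffix List to handle suffixes such as co.uk.

```javascript
// Added example: classify a link by its registrable domain, the way a
// browser-layer check would, using the patterns this article describes.
// Assumption: registrable domain = last two hostname labels (fine for
// .com/.top/.xyz, wrong for multi-label suffixes such as co.uk).
const OFFICIAL_DOMAIN = "roku.com";
const BRAND = "roku";

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// linkText is the anchor text the recipient sees, if any.
function classifyLink(href, linkText = "") {
  let url;
  try {
    url = new URL(href); // WHATWG parser: lowercases host, punycodes IDN labels
  } catch (e) {
    return { verdict: "invalid", domain: null, reasons: ["not a parseable URL"] };
  }
  const labels = url.hostname.split(".");
  const domain = registrableDomain(url.hostname);
  if (domain === OFFICIAL_DOMAIN) {
    return { verdict: "official", domain, reasons: [] };
  }
  // Subdomain-chain trick: roku.com.reactivate.xyz puts the brand first.
  const brandAsSubdomain = labels.slice(0, -2).includes(BRAND);
  // Lookalike: roku-billing-update.com merely contains the brand name.
  const lookalike = domain.includes(BRAND);
  // Homograph: a visually similar host parses to an xn-- (punycode) label.
  const punycode = labels.some((l) => l.startsWith("xn--"));
  // Displayed text says roku.com but the destination does not.
  const textMismatch = linkText.toLowerCase().includes(OFFICIAL_DOMAIN);

  const reasons = [];
  if (brandAsSubdomain) reasons.push(`brand used as a subdomain; real domain is ${domain}`);
  if (lookalike) reasons.push(`lookalike domain ${domain} contains the brand name`);
  if (punycode) reasons.push("internationalized hostname, possible homograph");
  if (textMismatch) reasons.push(`link text shows ${OFFICIAL_DOMAIN} but goes to ${domain}`);
  const verdict = brandAsSubdomain || lookalike ? "phishing"
    : reasons.length ? "suspicious" : "unknown";
  return { verdict, domain, reasons };
}

// Constructed sample links in the shapes the article lists (not real sightings).
const SAMPLE_LINKS = [
  ["https://my.roku.com/account", "my.roku.com"],
  ["https://roku.com.reactivate.xyz/billing", "roku.com"],
  ["http://roku-billing-update.com/verify", "Update billing"],
];
function scanSamples() {
  return SAMPLE_LINKS.map(([href, text]) => [href, classifyLink(href, text).verdict]);
}
```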
The more sophisticated campaigns use an Adversary-in-the-Middle (AiTM) proxy. The fake page silently relays your sign-in to the real roku.com, captures the resulting session, and forwards the response back to you. From your side everything works. From the attacker's side they now hold a logged-in session, can change your email and password, and can alter the payment method on file.
If you already entered your card or password
Speed matters. Card data stolen through streaming phishing is often sold in batches and used within 24 to 72 hours. Move now, in this order:
- Lock the card in your bank app immediately. Use the one-tap "lock card" or "freeze" feature first, then order a replacement card with a new number.
- Change your Roku password by opening the Roku app or signing in directly at my.roku.com and going to your account security settings. Use a long, unique password you have not reused anywhere.
- Remove or replace the saved card in your Roku account so the attacker cannot make purchases against it, and review your subscriptions for anything you did not add.
- Turn on 2-step verification for the email tied to your Roku account. If the attacker has your Roku password they may try it on your email next, so protect the inbox that can reset everything.
- Monitor your bank statements daily for two weeks. Card fraud often starts as small test charges before bigger purchases.
- If you reused the Roku password anywhere else, change it there too. Credential-stuffing tries stolen passwords against Amazon, Gmail, banks, and crypto exchanges within hours.
The same template hits every major streaming brand
The Roku account locked scam is part of a wider streaming impersonation template. Same body copy, same urgency window, same fake-billing flow - only the logo and color palette change:
- Netflix: "Your Netflix account is on hold. Update your billing within 48 hours."
- Peacock: "Your Peacock subscription has been suspended due to payment failure."
- HBO Max / Max: "We were unable to process your Max payment. Update billing within 48 hours."
- Disney+: "Your Disney+ subscription has been suspended due to payment failure."
- Hulu: "Your Hulu account has been suspended due to a billing issue."
- Spotify: "Your Spotify Premium has been suspended due to a payment problem."
Recognize the Roku version and you recognize all of them. The defense is the same regardless of which logo the message is wearing.
How browser-layer defense catches this earlier
Email and SMS filters miss most streaming phishing because sender domains and short links rotate daily and attackers buy new lookalike domains faster than blocklists update. The defense that consistently works is at the click destination. When the user lands on the fake Roku billing page, a browser-layer scanner can recognize "Roku branding on a non-roku.com domain" and block the page before any input field is interactive.
SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. Its brand database includes Roku, Netflix, Peacock, Max, Disney+, Hulu, Spotify, and 550+ others. When it detects a fake streaming page, it shows a full-screen warning before any input loads. Install SafeBrowz free for browser-layer defense across every brand you log into.
How SafeBrowz blocks this threat
SafeBrowz flags any page that uses the Roku name on a non-official domain based on the URL alone, without reading page content, so a fake Roku billing page is caught on the domain before a single word is rendered. It catches the subdomain-chain trick (roku.com.reactivate[.]xyz) by parsing the real registered domain rather than the brand prefix, and it runs AI content analysis so a cloned Roku login page is caught even when it looks pixel-perfect. This is a methodology built on a brand database and URL structure, not on watching where you browse.
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including homograph variants) + community whitelist/blacklist, running directly in the extension before the page renders. Catches roku-billing-{tld}, roku-account-verify patterns, and subdomain-chain fakes instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel cloned-login variants in seconds.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.
Frequently asked questions
Is the Roku account locked email real or a scam?
It is almost certainly a scam. Roku does not lock your account and demand that you "update billing" through a link in an email or text. Real billing issues appear when you sign in to my.roku.com or open the Roku app. Any message with a countdown ("update within 24 hours or lose access") and a link to a page that is not roku.com is phishing. When in doubt, do not click the link - open Roku yourself and check your account directly.
What is the real Roku website and account page?
The real Roku domain is roku.com, and your account dashboard is my.roku.com. Any link that does not have roku.com as the actual registered domain (the part immediately before the first single slash after https://) is not Roku. A domain like roku.com.reactivate[.]xyz is NOT Roku - its real domain is reactivate[.]xyz. A domain like roku-billing-update[.]com is also not Roku; it just contains the word.
Does Roku charge a fee to unlock or reactivate an account?
No. Roku does not charge a "reactivation fee" or "unlock fee" to restore a basic account, and it does not ask for one by email or text. The only money Roku collects is for subscriptions and content you knowingly buy, managed inside your account at my.roku.com. Any message asking for a small fee to "restore access" or "reactivate" your account is a scam designed to capture your card details.
I clicked the Roku link but did not enter anything. Am I safe?
Almost certainly yes. Most Roku phishing pages are simple HTML forms, not malware, and just visiting does not install anything on a modern browser. Close the tab, do not return to the link, and do not enter any details. If the page prompted you to download a file and you did, run a virus scan with your built-in security tool or a reputable free scanner. If you entered only an email address, you revealed a fact the attacker likely already had, so the risk is low.
What should I do if I entered my Roku password or card details?
Act fast. Lock the card in your bank app immediately and order a replacement, then change your Roku password by signing in directly at my.roku.com. Remove or replace the saved card in your Roku account, review your subscriptions for anything you did not add, and turn on 2-step verification for the email tied to your Roku account. Watch your bank statements daily for two weeks, since card fraud often begins with small test charges. If you reused the Roku password elsewhere, change it there too.
How do I check my Roku account safely without clicking the email?
Never use the link in the message. Open a new browser tab and type roku.com manually, or open the Roku app on your phone or TV. Sign in at my.roku.com and look at your Subscriptions and Payment method - a genuine billing problem will show there. If nothing is flagged, the email was fake. For extra safety, a browser-layer scanner like SafeBrowz will block a fake Roku page before any login field is interactive.
Related reading
- Peacock account locked email scam: how to spot the fake suspension notice - the closest streaming variant
- "Netflix account on hold" email scam: how to spot it - same template, different brand
- HBO Max account locked email scam: how to spot the fake suspension notice - subscription phishing on premium streaming
Bottom line: The Roku account locked scam keeps working because the email looks ordinary, the panic of "I might lose my channels tonight" hits before anyone checks the sender, and the link looks close enough to roku.com to pass a quick glance. The defense has not changed. Do not click. Type roku.com manually or open the app. Sign in at my.roku.com and check Subscriptions and Payment method. Add a browser-layer scanner like SafeBrowz for every streaming brand the same template targets next.