BRAND IMPERSONATION

SiriusXM subscription renewal scam email and calls: spotting the fake "renew now" notice

The SiriusXM renewal scam is a long-running pattern aimed at car owners: an expired-subscription warning or a too-cheap renewal offer that ends at a card-harvesting page or a fake agent.

SafeBrowz Threat Research Security ResearchJune 15, 20268 min read

Verdict: Scam

A SiriusXM email, text or call about an expired subscription or a cheap renewal that pushes a link or callback number is almost certainly a scam. The real SiriusXM only uses siriusxm.com and never demands gift cards or a fee to keep your service.

What the SiriusXM renewal scam looks like

The message arrives in your inbox, as a text, or as a robocall while the brand is fresh in your mind, often weeks after you buy a used car or while a free trial winds down. The email carries the SiriusXM logo and an urgent line: "Your SiriusXM subscription has expired," "Auto-renewal failed, update your payment to keep listening," or the bait version, "Renew now for just 50 cents a day." A button or a phone number invites you to "renew," "reactivate," or "claim your discount."

The button leads to a counterfeit SiriusXM billing page that captures your email, password, and full card details. The phone variant routes you to a fake "SiriusXM agent" who reads from a script and collects the same details by voice, sometimes pushing a gift-card payment to "lock in the discount." Either path ends with your card and login in the attacker's hands within minutes.

Real SiriusXM renewal emails exist, but they never ask you to "verify" a card through an email link or a phoned-in number. They direct you to sign in at siriusxm.com and manage your plan inside your account. Every fake version sends you somewhere else.

How the scam works, step by step

The mechanics are consistent across the email, text, and call variants:

Urgency or a fake bargain. Either your subscription "expired" and service stops today, or a renewal is suddenly available at a price too good to be true. Both short-circuit careful thinking.
A lookalike page or a callback. The link goes to a domain dressed up to look like SiriusXM, or the number connects you to a scripted "agent." Neither is the official channel.
Card and login harvest. The page or the agent collects your SiriusXM login plus full card details. The cheaper the advertised renewal, the more eager people are to type their card.
Reuse and resale. The stolen card is tested with small charges and then used or sold. The login is tried against email and shopping accounts in case you reused the password.

🛡 LIVE CHECK

Test a suspicious link right now

Got a phishing email or text? Paste the suspicious link below. Our 3-layer engine (Local + APIs + AI) returns a verdict in ~3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

The tells: how to spot a fake SiriusXM message

The domain is not siriusxm.com. The real SiriusXM site and login live at siriusxm.com. A scam link is never that exact domain. It is a lookalike like siriusxm-renew[.]com, siriusxm-billing[.]top, or a subdomain trick like siriusxm.com.account[.]xyz where the real domain is account[.]xyz. Read the part right before the first single slash after https://.
The phone number is not the official one. A number pasted into an email or text is not proof of anything. The only number to trust is the one printed on siriusxm.com after you navigate there yourself.
Gift cards or wire transfers. SiriusXM never asks you to pay with gift cards, crypto, or a wire to "keep service." Any request like that is a scam, full stop.
A renewal that is suspiciously cheap. "50 cents a day" or "90 percent off to reactivate" is bait. A genuinely deep SiriusXM offer is applied inside your real account, not unlocked by typing your card into a page a stranger sent you.
Urgency and threats. "Service ends today" or "final notice" pressure exists to stop you from checking. Real renewal reminders are calm and point you to your account.
Generic greeting and odd sender. "Dear Customer" plus a sender address that is not @siriusxm.com is a strong tell. Display names like "SiriusXM Billing" can be forged; the address after the @ is what counts.

The "too cheap to be true" renewal bait

The discount version is dangerous because it does not feel like a threat. Used-car buyers in particular get a real, short SiriusXM trial and are used to low promotional rates, so "renew for 50 cents a day" reads as plausible. The fake checkout asks for a card "to lock in the rate," and the card is then drained or sold. If an offer can only be claimed through a link or number a message handed you, treat it as a scam and claim any real offer inside your own account.

What to do if you already paid or entered your card

Stolen card data is often used within 24 to 72 hours, so move quickly, in this order:

Lock the card in your bank app immediately, then order a replacement with a new number. Most banks have a one-tap lock.
Call SiriusXM directly using only the number listed on siriusxm.com, never a number from the suspicious message, and tell them your account may be compromised.
Dispute the charge. Report the transaction to your bank or card issuer as fraud and ask them to reverse it. The sooner you flag it, the easier the chargeback.
Change your SiriusXM password by signing in directly at siriusxm.com, and change it anywhere else you reused it.
Watch your statements daily for two weeks. Small test charges often appear before larger ones. Report any to your bank right away.
Report the scam. Forward phishing emails to your provider's abuse channel and report financial loss to the FTC at reportfraud.ftc.gov. Robocall numbers can be reported to the FTC as well.

How to check safely, every time

The safe pattern never changes. Do not click the link and do not call the number in the message. Open a new browser tab, type siriusxm.com by hand, and sign in. Your real subscription status, renewal date, and any genuine offer all live inside your account. If there is a real billing issue it shows there. If there is not, the message was fake regardless of how official it looked.

How SafeBrowz catches the fake SiriusXM page

Email and text filters miss most of these because the attackers register fresh lookalike domains faster than blocklists update. The defense that holds is at the click destination. When the link opens, a browser-layer scanner can recognize the SiriusXM brand sitting on a domain that is not the official one and warn you before any field is interactive.

SafeBrowz, which launched in 2026, is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. It runs a 3-layer detection architecture, Local plus APIs plus AI:

Layer 1, Local detection: the SiriusXM name on a non-official domain is flagged content-free, and the subdomain-chain trick (siriusxm.com.renew[.]xyz) is unpacked to its real registered domain, all inside the extension before the page loads.
Layer 2, API checks: known-bad domains are cross-referenced against established threat-intelligence feeds and scam-TLD lists.
Layer 3, AI deep scan: content analysis recognizes a cloned SiriusXM billing page even when the domain is brand new and not yet on any blocklist.

Detection signatures come from threat-intelligence research and brand-database analysis, not from user browsing data. SafeBrowz never collects your browsing history and per-user URL history is never stored.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Add to Chrome Add to Firefox Add to Edge

Frequently asked questions

Is the "your SiriusXM subscription expired, renew now" email real?

Almost never when it pushes you to a link or a phone number. The real SiriusXM points you to sign in at siriusxm.com and manage your plan inside your account. It does not ask you to "verify" a card through an email link, and it never demands gift cards or a fee to keep service. Open siriusxm.com yourself and check.

What is the real SiriusXM website and email domain?

The official site and account login are at siriusxm.com, and genuine emails come from that domain. A lookalike such as siriusxm-renew or siriusxm-billing on a different domain, or a subdomain chain where SiriusXM is only a prefix, is not SiriusXM. Read the actual registered domain, not the display name.

Why am I getting SiriusXM renewal messages after buying a used car?

Many used cars include a short SiriusXM trial, which makes recent buyers a known target. Scammers time "trial expired, renew now" or "50 cents a day" messages to when the brand is on your mind. Claim any genuine offer by signing in to your own account at siriusxm.com, not through a link someone sent you.

Is a "50 cents a day" SiriusXM renewal a scam?

If it can only be claimed through a link or callback number from an email, text, or call, treat it as a scam. The unusually low price is bait to make you type your card quickly. A real promotional rate is applied inside your account at siriusxm.com, so go there yourself to check.

I gave my card to a "SiriusXM agent" on the phone. What now?

Act fast. Lock the card in your bank app and order a replacement, then dispute the charge as fraud. Call SiriusXM using only the number on siriusxm.com, change your password if you gave login details, and watch your statements daily for two weeks. Report the loss to the FTC at reportfraud.ftc.gov.

How does SafeBrowz know a SiriusXM page is fake?

SafeBrowz flags the SiriusXM brand name on a domain that is not the official one, which works even before a blocklist catches it. It also unpacks subdomain-chain tricks to the real registered domain, and its AI layer analyzes page content to recognize a cloned billing page. SafeBrowz does not collect your browsing history.