Phishing campaigns spike around real renewal windows. The fakes use real logos, real deadlines, and the same urgency the real provider uses. If you don't already know your actual renewal date, sorting them apart is much harder than it should be.
Done in seconds. No sign-up required.
Real hosting renewal emails come from your provider's billing domain, link only to that domain, and match the renewal date and amount shown in your account dashboard. Phishing emails fail at least one of those checks. The fastest way to confirm is to ignore the email and log in directly through the provider's main URL.
A reminder you set yourself for the actual renewal date adds a second layer: any "renewal due now" email that doesn't match your known date is suspicious by default.
Any one of these is enough to treat the email as phishing.
"billing@hostingerr.com" or "support@host1nger.com" instead of the real domain. Always check the part after the @ symbol, not the display name. Display names are trivial to fake.
"Your hosting expires today" when your account dashboard shows a renewal date months away. Phishers use false deadlines because urgency suppresses careful reading.
Hover over the renewal button without clicking. The actual URL is shown in the corner of most email clients. If it doesn't match your provider's domain exactly, it's a phish.
"Dear Customer" or "Dear Domain Owner" instead of your name or account ID. Real providers know who you are. Phishers usually don't.
Real providers send you to a familiar dashboard. Phishing pages drop you into a card-entry form that doesn't match anything you've seen before. If the layout feels unfamiliar, leave.
Real provider emails never ask you to type a 2FA code into the email itself or hand it back. Any request for a verification code is a high-confidence phish, even if everything else looks right.
Phishers exploit one thing more than anything else: you don't remember the exact date your hosting renews. They send "renewal due now" emails year-round, knowing some fraction of recipients will believe the date is plausible.
A hosting renewal reminder set 30 days before the real expiry date breaks that. The actual date is in your own inbox, in your own calendar, in your own memory. When a "your hosting expires today" email arrives in March and your reminder is set for September, you know which one is real without having to investigate.
It's not a substitute for the other red flag checks, but it's the fastest one. Your own reminder doesn't lie about timing. The phisher does.
It happens. The fix is fast action, in this order:
Go directly to the real provider URL, not via any email. Reset your hosting password. Reset any password reused elsewhere. Enable two-factor authentication if it's not on already.
If you entered card details, call the number on the back of the card. Flag any unauthorized charge, request a card replacement, and ask for a fraud alert on the account.
Forward the original to your hosting provider's abuse address and to reportphishing@apwg.org. Don't click any link in the email again, including unsubscribe.
So the next phishing wave finds you with the actual date already known. See the hosting renewal reminder pillar for setup, or the auto-renewal page if you want to think through whether to keep auto-renew on or off.
Check the sender address against your provider's real billing domain. Hover over every link without clicking and confirm it points to the provider you actually use. Log in directly through the provider's main URL, not the email link. If your account dashboard shows the same renewal date and amount, it's real. If anything is off, treat it as phishing.
Domain registration data is partly public through WHOIS, and contact details from older registrations are widely scraped. Scammers pull addresses, fabricate "renewal" notices, and time the campaigns around known billing windows. The flood is not personal, it's automated. Anyone with a domain or hosting account gets these.
They use the real provider's logo, urgent subject lines like "your hosting expires today" or "final notice," and a button that points to a lookalike payment page. The grammar is often slightly off. The sender domain is similar but not identical to the real one. Some now also ask for two-factor codes after capturing the password.
Change your hosting account password immediately, from the real provider site. Enable two-factor authentication if you haven't already. If you entered card details, contact the card issuer to flag the charge and consider a card replacement. Forward the original email to your provider's abuse address and to reportphishing@apwg.org.
A reminder you set yourself, weeks in advance, anchors the renewal date in your own inbox. When a "your hosting expires today" email shows up out of sync with that date, you know immediately something is wrong. The phisher's urgency only works if you don't know the real timeline. The reminder removes their leverage.
Yes, briefly. Forward the email to your hosting provider's abuse address (usually abuse@providername.com) and to the Anti-Phishing Working Group at reportphishing@apwg.org. Delete the email after reporting. Don't reply, don't click, don't unsubscribe — the unsubscribe link is often part of the phish.
Set a free hosting renewal reminder so the real date lives in your own inbox. Any 'urgent renewal' email that doesn't match it is a phish.
Set My Hosting ReminderLast modified: