A new phishing campaign is impersonating SiriusXM in an attempt to steal credit card information. The scam begins with an email claiming your SiriusXM subscription payment has failed and that your account will be removed today. The message uses fake account IDs, false urgency, and a fabricated cancellation warning to pressure victims into clicking a link that leads to a fraudulent website.
This campaign is not associated with SiriusXM. Scammers use these emails to direct victims to credential harvesting pages that request full billing details, including name, address, card number, expiration date, and CVV.
The Scam Email
The phishing message typically includes the following claims:
- Your SiriusXM payment failed
- Your subscription has been canceled
The email comes from an address such as z2sceag30q@3wqxl75905.uod which is routed through a suspicious domain. Scammers label these emails as “Trusted Sender” to bypass weaker filters, but none of the sender information belongs to SiriusXM. The unsubscribe addresses listed in the message are also fake.
The Phishing Websites
Clicking the link in the email redirects victims to two connected phishing pages. These sites mimic service renewal pages and subscription checkout portals but are designed only to collect personal and financial information.
Fake Checkout Page
The first page displays a clean checkout form that requests:
- First and last name
The page lists a fake charge of $9.99 and presents it as a renewal fee. The design is intentionally simple to reduce suspicion.
Fake Promotional Subscription Page
The second page impersonates a music subscription service and displays a countdown timer, celebrity images, and a “Subscribe Now” button for a one year subscription costing $9.95. This layout is commonly used in reward style fraud campaigns and has no connection to SiriusXM.
The Domain Behind the Scam
The phishing pages are hosted on ultimate-search-low-space.autos, a recently registered domain with no affiliation to SiriusXM. WHOIS data indicates that the domain is registered through NameSilo and uses Cloudflare name servers. Domains like this are frequently deployed in short lived phishing campaigns because they can be replaced quickly when taken down.
This domain was created in October 2025 which aligns with the timing of the email campaign. The scammers rely on new domains to avoid blocklists and to maximize the number of victims before the site is reported.
Why This Scam Works
Scammers use well known brands because victims are more likely to respond. The SiriusXM scam uses several tactics to increase effectiveness:
These techniques create the illusion of legitimacy while directing victims into entering their credit card information.
Red Flags in This Scam
What To Do If You Receive This Email
- Do not click any links
- Delete the message
- Block the sender
- If you provided any card information, contact your bank immediately
Payment failure phishing scams remain one of the most common methods used to steal credit card details. Always verify suspicious messages by visiting the official SiriusXM website directly rather than clicking links in unsolicited emails. For more scam alerts, visit the Botcrawl Scams section.
