MailGuard has intercepted a phishing email campaign that abuses the Disney+ brand to trick recipients into handing over their email credentials and payment card details.
The email claims that the recipient’s Disney+ membership has been placed “on hold” due to incomplete information and urges them to “update” their account. In reality, clicking the link takes users to a series of fake Disney+ web pages designed to harvest sensitive data.
What the Email Looks Like
The body of the email claims that the recipient’s account has been temporarily suspended because their information is “incomplete” and must be verified. It includes a prominent call-to-action button labelled “Update Account Now”, along with links to “Privacy Policy”, “Terms of Use” and “Help Center” to reinforce the illusion of legitimacy.
Example phishing content shown using Disney+ branding. Not affiliated with Disney+.
How The Scam Works
Clicking the button leads to a webpage designed to mimic the official Disney+ sign‑in portal. The page requests the user’s email address.
After entering an email address, victims are taken to a second page requesting their password. The page includes Disney+ branding and footer links to appear authentic.

The next page appears to verify the login credentials, which may be reused across other personal or business accounts.

The next page escalates the attack by requesting full credit card details, including card number, expiry date, CVV and cardholder name.

Once details are submitted, the site displays a “Verifying Payment” loading screen. In testing, the page did not progress beyond this point.
The attacker is attempting to keep victims engaged while silently capturing their data.
Why This Campaign Is Concerning
Brand‑impersonation scams remain effective because they exploit services people interact with routinely. Many users are accustomed to receiving subscription updates, account alerts, billing notices and login prompts from streaming platforms. This campaign leverages that familiarity to create urgency without appearing overtly suspicious.
The claim that the Disney+ membership has been placed “on hold” introduces time pressure, while the request to “update your account” feels like a routine maintenance step rather than a high‑risk action. That combination is dangerous.
A simple login request can be used to harvest email credentials, and a small, seemingly standard payment verification step can be used to collect full card details. The surrounding Disney+‑themed pages also gather enough personal information to support further fraud, identity theft or targeted scams.
For businesses, these campaigns also represent a workforce risk. Employees receiving personal subscription notifications during the workday may click quickly, particularly if the message appears familiar, low‑value and aligned with everyday digital habits.
Warning Signs to Watch For
There are several warning signs in this campaign:
- The email is not sent from an official Disney+ domain.
- The sender address uses disney@westberging.com, which is unrelated to Disney.
- The email asks the recipient to click a button to “update” or “verify” their membership.
- The link leads to a fake Disney+ login page hosted on a non‑Disney domain.
- The website is not hosted on the legitimate Disney+ or Disney corporate domains.
- The site requests an email address, password and full credit card details.
- The payment request is framed as part of a routine account update or verification process.
- The final “verification” screen loops indefinitely to make the process appear genuine.
Recipients should never enter personal or payment details through links in unexpected subscription or account‑related emails. Instead, they should visit the official Disney+ website or app directly and sign in using their known credentials.
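The sender-domain and link-host warning signs listed above can be checked mechanically at a mail gateway or in triage. The following is an added example, not MailGuard's code: it assumes an allow-list of brand-owned domains (`disneyplus.com`, `disney.com`) and runs over a constructed sample message in which only the sender address comes from this report and the link URLs are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the brand really sends from and hosts on.
BRAND_DOMAINS = {"disneyplus.com", "disney.com"}
BRAND_WORDS = ("disney",)
# Pressure wording quoted in the write-up.
LURE_PHRASES = ("on hold", "incomplete", "update account now")

def on_brand_domain(host):
    """True only for an allow-listed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw):
    """Return findings for a message that claims the brand."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    body = msg.get_payload()  # plain single-part message assumed
    text = " ".join([display, addr, msg.get("Subject", ""), body]).lower()
    findings = []
    if not any(w in text for w in BRAND_WORDS):
        return findings  # message does not invoke the brand at all
    if not on_brand_domain(sender_domain):
        findings.append("sender domain not brand-owned: " + sender_domain)
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname
        if not on_brand_domain(host):
            findings.append("link host not brand-owned: " + str(host))
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("pressure wording: " + ", ".join(hits))
    return findings

# Constructed sample; the link hosts are placeholders, not campaign URLs.
SAMPLE = """\
From: Disney+ <disney@westberging.com>
To: user@example.org
Subject: Your Disney+ membership is on hold

Your information is incomplete and must be verified.
Update Account Now: https://billing-portal.example.net/disneyplus/signin
Help Center: https://help.disneyplus.com/
"""
```

The suffix match requires a leading dot, so a host that merely contains or ends with the brand string (for example `disneyplus.com.login.example`) is still reported.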
This campaign is a reminder that phishing does not always rely on complex technical deception. Often, it relies on routine behaviour.
A familiar brand. A membership alert. A quick login prompt. A payment page that looks secure. Each step appears ordinary in isolation, but together they create a pathway for scammers to collect personal and financial information.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
- Aren’t addressed to you personally.
- Are unexpected and urge immediate action.
- Contain poor grammar or miss crucial identifying details.
- Direct you to a suspicious URL that isn’t associated with the genuine company.
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time, zero-day email threat detection amplifies our clients’ intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.