Fake domain renewal emails trick website owners into paying scammers
2026-6-25 10:26:48 Author: www.malwarebytes.com

You receive an email warning that your website’s domain name is about to expire. Renew now, it says, or your website and email could stop working. The link opens a professional-looking page that already knows your domain name, displays your registrar and expiry date, and starts a countdown timer.

It feels urgent and personal, so it feels real.

The site, branded Renovarix, doesn’t renew domains. Instead, it pushes visitors through a series of pages that collect personal information and eventually payment details.

Fake renewal domain

How the scam works

Domain names really do expire, and losing one can be a serious problem. For many people and businesses, a domain is more than a web address. It’s your brand, your email, your search rankings, and the name customers type in when they want to find you. If it lapses, your website and email can stop working. If someone else registers it before you get it back, recovery can be difficult or impossible. That’s a lot to lose, and scammers know it.

This scam takes advantage of that fear with a convincing fake renewal process.

The email and website are fake. The “live registry data” is only partly real. Clicking Renew Now doesn’t renew your domain. Instead, it sends you through a chain of websites that first collect your name, address, phone number, and email, then eventually ask for payment details.

If you deleted the email, there’s nothing to worry about. If you clicked the link, simply close the page. If you entered personal or payment information, follow the guidance in “What to do” below.

The email that starts it

The scam begins with an email, although the presentation varies. Some are crude: a plain “Domain Renewal Reminder” from a generic “Domain Services Inc.” with an invoice number and an amount due.

Fake renewal email

Others are much more polished, using the Renovarix brand, a reference number, and a respectable-looking London business address.

Fake renewal email

But they share the same giveaway. The “official” Renovarix renewal notice was sent from an ordinary Gmail address. A company claiming a London office and 24/7 support isn’t likely to send billing notices from Gmail. When the branding looks professional but the sender doesn’t match, that’s a major red flag.

A page that knows too much

The link opens a page that immediately performs a “lookup,” narrating its progress with messages such as “connecting to registry” and “fetching WHOIS records” before displaying your domain name, registrar, and expiry date.

Fake renewal domain

That makes it look as though the site has queried the official domain registry. Some of the information may come from genuine public records, but much of what makes the page appear authoritative is invented. For example, the displayed “Registry ID” isn’t retrieved from any registry. It’s generated locally in your browser from your domain name and exists purely to look official.

Everything is designed to push your panic button

Once that dashboard loads, the whole page becomes a funnel built to rush you.

A red banner claims your domain expires in “03 days,” regardless of its real expiry date. A second countdown says a “special price” of €2.00, reduced from €9.99, expires in fifteen minutes. Try closing the page and a pop-up appears warning, “Wait — Your Domain Is At Risk!” with a dismiss button that reads, “No thanks, I’ll risk it.”

Fake renewal urgency

Legitimate registrars don’t rely on countdown timers or guilt-inducing pop-ups. The pressure is the scam.

The “renewal” renews nothing

Here’s the clearest sign something is wrong: clicking Renew Now doesn’t contact your registrar or process a renewal. It simply redirects your browser to another website.

Some versions even display a cheerful “Renewal Complete!” confirmation with a new expiry date, confirmation number, and a message claiming a receipt has been emailed. None of it reflects a real transaction. Everything is generated in your browser.

Where your details actually go

The button sends you, through a marketing affiliate link, to a page called “Secure Checkout.”

Checkout to harvest data

The page asks for your name, address, postcode, city, phone number, and email address. Once submitted, you’re passed through additional pages where payment is eventually requested.

Checkout to harvest data

Two details suggest this is a recycled scam kit rather than a genuine domain service. It can automatically populate your details from the link you clicked, and its fake five-star reviews still refer to “HappyPrizes” and how easy it was to “win something nice”—leftover text from an earlier prize scam that used the same template.

Why people fall for it

The scam works because it exploits a genuine concern and starts with a believable premise. Domain renewals are a normal part of running a website, so an expiry notice doesn’t seem out of place. The scammers build on that with convincing branding, public domain information, and manufactured urgency.

It also feels personal. Many people wonder how scammers knew about their specific domain. The answer is that they don’t know you personally. Every registered domain appears in public WHOIS/RDAP records, which include the domain name, registrar, important dates, and sometimes a contact email address. Scammers collect this information in bulk, then generate links that display your own domain details back to you. Seeing familiar information makes the page feel legitimate, even though it came from public records.
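The same public record lets an owner check a notice's claims. The following is an added example, not code from the original article: it reads the expiry date and registrar from an RDAP domain record (RFC 9083 layout) and compares them with what a renewal notice says. The sample record, the domain `example.org`, the registrar name and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain record (RFC 9083 layout) for a placeholder domain.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "domain", "ldhName": "example.org",
 "events": [
   {"eventAction": "registration", "eventDate": "2019-03-02T10:15:00Z"},
   {"eventAction": "expiration", "eventDate": "2027-03-02T10:15:00Z"}],
 "entities": [
   {"objectClassName": "entity", "roles": ["registrar"],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                             ["fn", {}, "text", "Example Registrar LLC"]]]}]}
""")

def parse_rdap(record):
    """Return (domain, registrar name, expiry datetime) from an RDAP domain object."""
    expiry = None
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    registrar = None
    for ent in record.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # jCard: ["vcard", [[name, params, type, value], ...]]
            props = ent.get("vcardArray", ["vcard", []])[1]
            registrar = next((p[3] for p in props if p[0] == "fn"), None)
    return record.get("ldhName"), registrar, expiry

def check_claim(record, claimed_days, billing_brand, now):
    """Compare a renewal notice's claims with the public record."""
    domain, registrar, expiry = parse_rdap(record)
    if expiry is None:
        return ["no expiration event in record; check your registrar account"]
    real_days = (expiry - now).days
    findings = []
    if abs(real_days - claimed_days) > 1:
        findings.append(f"{domain}: notice says {claimed_days} days, record says {real_days}")
    if registrar and billing_brand.lower() != registrar.lower():
        findings.append(f"{domain}: billed by {billing_brand!r}, registrar is {registrar!r}")
    return findings

NOW = datetime(2026, 6, 25, tzinfo=timezone.utc)  # fixed date so the result is reproducible
for line in check_claim(SAMPLE_RDAP, 3, "Renovarix", NOW):
    print(line)
```
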

Finally, the scam creates urgency. Countdown timers, warnings that your domain is at risk, and a €2.00 “special offer” are all designed to make you act before you stop to verify the claim. The low price isn’t the objective. Your personal information and payment details are.

None of this makes a victim careless. It makes them human, targeted by people who know how a worried site owner reacts.

What to do

If you receive an email like this, simply delete it. The safest way to handle any domain renewal is simple:

  • Don’t click on the email’s link. Go to your registrar through your own bookmark or by typing the address yourself and check your real expiry date there. If you clicked the link, close the page. Looking at it doesn’t put your domain at risk.
  • Know who your registrar is. Renewal happens in the account you already have, not on a website you’ve never heard of.
  • Treat urgency as a warning sign, not a reason to hurry. Real renewals aren’t fifteen-minute emergencies.
  • Check the sender. Billing notices from a Gmail address, or a brand name that doesn’t match your actual provider, are red flags.
  • Malwarebytes Browser Guard is free and can help block scam and phishing pages while you browse.

If you already entered personal information (such as your name, address, phone number, or email address):

  • Be prepared for follow-up scams. Attackers may contact you by phone or email, claiming to be your registrar or referring to your domain, an “order,” or a “renewal.”
  • Don’t trust unsolicited calls or emails, even if they seem to know details about your domain.
  • If you need to contact your registrar or bank, use contact details from their official website, not those provided in the email or on the scam page.

If you entered payment card details:

  • Turn on transaction alerts so you’re notified as soon as your card is used.
  • Contact your bank or card issuer immediately. Tell them you entered your card details on a fraudulent website and ask whether they recommend blocking and replacing the card, even if you don’t see any unauthorized charges yet.
  • Monitor your account closely. Scammers sometimes make small “test” charges before attempting larger transactions.

Indicators of compromise

  • renovarix[.]org — fake domain renewal page
  • xe54ghj[.]com — redirector
  • paysuccessful[.]site — personal-data capture page
  • molipy8trk[.]com — redirector
  • topprogressstores[.]online — final offer landing
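The sender check described under “The email that starts it” and the indicator list above can be combined into a simple mail triage rule. This is an added example, not code from the original article: the sample message, its addresses, the `registrar.example` domain and the function names are constructed, and the urgency wording list is an assumption drawn from phrases quoted in the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator domains exactly as listed above, refanged only for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "renovarix[.]org", "xe54ghj[.]com", "paysuccessful[.]site",
    "molipy8trk[.]com", "topprogressstores[.]online")}
FREEMAIL = {"gmail.com"}  # the article names Gmail; extend for your own mail flow
URGENCY = re.compile(r"expire|renew now|at risk|special price", re.I)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Constructed sample: sender address, recipient and domain are invented.
SAMPLE = """\
From: Renovarix Billing <billing.notice.example@gmail.com>
To: owner@example.org
Subject: Domain Renewal Reminder: example.org expires in 03 days

Your domain is about to expire. Renew now to keep your website working:
https://%s/
""" % "renovarix[.]org".replace("[.]", ".")

def under(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw, registrar_domains):
    """Return the reasons a single-part text message matches this scam's pattern."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    reasons = []
    if URGENCY.search(text) and not under(sender, registrar_domains):
        reasons.append("renewal wording from a sender that is not your registrar")
    if display and sender in FREEMAIL:
        reasons.append("brand display name on a free webmail address")
    for host in sorted({h.lower().rstrip(".") for h in URL_HOST.findall(body)}):
        if under(host, IOC_DOMAINS):
            reasons.append("link to listed indicator domain " + host.replace(".", "[.]"))
        elif not under(host, registrar_domains):
            reasons.append("link host is not your registrar: " + host.replace(".", "[.]"))
    return reasons

for reason in triage(SAMPLE, {"registrar.example"}):
    print(reason)
```
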


About the author

Passionate about antivirus solutions, Stefan has been involved in malware testing and AV product QA from an early age. As part of the Malwarebytes team, Stefan is dedicated to protecting customers and ensuring their security.


Article source: https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers