Account Phishing
Critical
Impersonates banks, PayPal, Apple, or Google claiming your account is suspended. Demands a click to "restore" access and harvests your credentials.
Scam detection engine
From phishing and business email compromise to Medicare fraud and utility impersonation — our scoring engine uses 1,751+ signals to catch threats that spam filters miss.
$10.3B lost to email scams in 2023 (Source: FBI IC3)
1,751+ detection signal patterns across 583 scam categories
Updated weekly: new scam variants added as attacks evolve
Classic Nigerian-prince style scams promising large sums in exchange for a small upfront "processing fee." Multilingual coverage across 5+ languages.
Claims your personal info is publicly exposed on data-broker sites, then offers to "remove" it for a fee or harvests your personal details.
Forges or compromises a business email to trick employees into wiring money. The FBI reports BEC as the costliest cybercrime at $3B+ per year.
Tells victims their lottery winnings or prize funds are "held pending release," then demands processing, clearance, or customs fees before the windfall can be disbursed.
Poses as SBA or government agencies claiming "pre-approved" grants, then charges upfront processing fees. Real government grants never charge fees.
Targets people who lost cryptocurrency, offering a "recovery service" that demands an upfront fee. Re-victimizes existing fraud victims.
Phishing targeting crypto holders to steal seed phrases or wallet credentials. Legitimate exchanges never ask for seed phrases or recovery words.
Impersonates OneDrive, SharePoint, Google Drive, or Dropbox notifications. Wraps a credential-harvest link as a "view document" button.
Uses celebrity names (Musk, Buffett, Gates, Oprah) as fake endorsers for investment platforms or crypto schemes. The FTC reported $1.3B lost to celebrity impersonation investment fraud in 2024.
Promises to add hundreds of points to your credit score or remove negative items for an upfront enrollment fee. Legitimate credit repair takes time and never guarantees specific point gains.
Impersonates real charities or creates fake disaster-relief campaigns, routing donations through non-traceable channels like gift cards or crypto.
Poses as attorneys or collection agencies using illegal pressure tactics: arrest threats, gift-card payment demands, criminal charges for civil debt.
Fake PayPal/Norton/McAfee "invoices" with a phone number to dispute. Victims who call reach social engineers who steal bank credentials.
Spoofs the CEO or boss and asks the victim to buy gift cards and send the codes. No legitimate email ever combines "buy gift cards" with "send me the codes."
Impersonates a family member claiming to be in jail or an accident, demands money while asking the victim not to tell other family members.
Impersonates ACA marketplace or insurance carriers urging victims to "re-enroll now" and provide personal details. Peaks during open enrollment periods.
Sends fake support-ticket notifications then requires "identity verification" to view the ticket, directing victims to credential-harvesting pages.
Promises inflated guaranteed returns (30%/month, double your money) via crypto or forex trading bots. Multilingual coverage across 8 languages.
Claims back taxes and threatens arrest unless the victim pays immediately via gift cards or Bitcoin. The real IRS only contacts by mail first.
Offers inflated easy-money jobs then requires upfront payment or personal information. Legitimate employers never ask applicants to pay anything.
Claims you won a lottery or prize, then demands fees, bank details, or contact with a "claims department" to collect your winnings.
Sends fake "your mailbox is 99% full" emails threatening account suspension unless you click to "verify" or "upgrade." Real providers never do this.
Fake password-expiry notices impersonating Microsoft or Office 365. Multilingual coverage across 5 languages.
Recruits victims to receive and forward funds through personal bank accounts, making them unwitting money launderers for criminal organizations.
Sends unsolicited "free NFT / token airdrop" emails directing victims to malicious sites that drain wallets via fake mint transactions.
Part of a man-in-the-middle 2FA attack. Emails victims asking them to forward or share a verification code. Legitimate services never ask for codes via email.
Impersonates Medicare or an insurance carrier claiming a supplement plan is expiring and harvests the Medicare Beneficiary Identifier, SSN, or date of birth. CMS reports $60B+ in annual Medicare fraud.
Impersonates USPS, FedEx, DHL, or PostNord claiming a failed delivery with a small fee to release it. Real carriers never charge redelivery fees via email.
Impersonates ADP, Workday, Gusto, or Paychex and asks employees to "re-enter" their direct deposit banking details before payroll runs — redirecting paychecks to attacker accounts.
Advertises adorable AKC-registered puppies or kittens available due to owner relocation, then demands escalating shipping, crate, or customs fees with no animal ever delivered.
Offers controlled prescription drugs without a prescription, associated exclusively with counterfeit or substandard medications.
Emerging 2024-2025 attack: emails with QR codes for "MFA enrollment" or "account verification" that bypass desktop URL scanners. Volume up 400%+ in 2024.
Fake below-market rental listings where the "landlord" is abroad and will mail keys after deposit via Western Union or Bitcoin. No property exists.
Builds a fake online relationship, then requests money, crypto, or gift cards. Detected by combining romantic-connection language with money requests.
Threatens to release webcam recordings or expose passwords, demands Bitcoin or gift card payment. Uses a stronger 3-pillar detection system.
Impersonates Instagram, Facebook, TikTok, or YouTube with copyright-strike notices and fake appeal links. Real platforms never resolve violations via email.
Claims Social Security benefits are suspended and demands callback, payment, or SSN. The real SSA contacts by mail only, never by email.
Promises to legally cancel or transfer a timeshare contract for an upfront fee, then disappears. FTC calls this a top-10 fraud targeting timeshare owners desperate to exit long-term contracts.
Impersonates the Department of Education claiming loan forgiveness eligibility, then charges fees or harvests FSA credentials. Legitimate programs are always free.
Impersonates trusted brands inviting you to a "2-minute survey" with a large gift card reward, then requires credit card info to "claim" it.
Impersonates IRS, HMRC, or Skatteverket with fake refund claims or identity verification links. Real tax authorities never email refund links.
Fake "your computer is infected" alerts demanding you call a phone number. Legitimate security vendors never ask you to call via email.
Massive 2024-2026 scam wave impersonating E-ZPass, FasTrak, or SunPass with fake unpaid toll notices. FBI IC3 has issued multiple public alerts.
Impersonates an electric, gas, water, or internet provider threatening immediate service disconnection unless the victim pays within hours via gift cards, Zelle, or wire transfer.
Impersonates USCIS, embassies, or DV lottery services claiming visa approval, then demands processing fees. Also covers DV lottery win scams.
Promises impossible rapid weight loss with fraudulent supplement offers. High-volume spam detected by combining miracle claims with commercial CTAs.
Promises to settle credit card, IRS, or unsecured debt for "pennies on the dollar" but charges an upfront enrollment, monthly, or one-time fee before delivering any service. FTC: debt settlement advance fees cost Americans $1.6B/yr.
Offers a "free" iPhone, smartwatch, vacation, or gift card where the victim only pays a small shipping fee — entering billing details silently enrolls them in a recurring subscription or triggers large unauthorized charges.
Claims the recipient is pre-approved for a personal loan or cash advance but requires an upfront processing fee, loan insurance, or security deposit before releasing funds. The loan never materialises; the fee is the entire fraud.
Recruits recipients into multi-level marketing or pyramid schemes by promising passive/residual income and unlimited earnings from a "downline" of recruits. FTC data shows 99%+ of MLM participants lose money.
Impersonates a friend or relative who claims to be stranded abroad, mugged, arrested, or hospitalised and urgently needs a wire transfer — often with a "don't tell anyone" instruction. The FTC's #2 impostor fraud pattern.
Impersonates Netflix, Amazon Prime, Apple, Spotify, or Disney+ claiming a payment failed and asking the victim to click a link and update billing details — a credential- and card-harvest phishing page. Streaming phishing surged 180% in 2024.
Impersonates PayPal, Venmo, Cash App, or Zelle claiming the recipient's account has been "limited," "suspended," or "flagged" and directing them to click a link to verify identity or restore access. APWG 2024: PayPal is the most impersonated brand in phishing globally.
Promotes a fake "official" cryptocurrency giveaway promising to double any Bitcoin, Ethereum, or USDT sent to a wallet address — often impersonating Elon Musk, Binance, or Coinbase. FBI IC3: crypto giveaway/doubling scams caused $300M+ in losses in 2024.
Recruits the victim as a "mystery shopper" who receives a counterfeit check, is told to keep a small commission, then wire or gift-card the remainder back — the check bounces and the victim is left liable. FTC 2024: average victim loss $1,500–$2,000.
Cold-email pitch pushing gold/silver bullion, gold IRA rollovers, or precious metals as a hedge against inflation or dollar collapse — targeting retirees with urgency tactics and advance fee demands. CFTC 2024: precious metals fraud costs seniors $600M+ annually.
Impersonates a debt collector and threatens arrest warrants, criminal charges, wage garnishment, or bank account freezes for debts that are often fabricated, phantom, or time-barred — designed to panic victims into paying immediately. FTC 2024: fake debt collectors are the #3 consumer complaint category.
Targets Medicare beneficiaries with unsolicited "free" medical equipment offers — knee braces, CPAP supplies, diabetes test strips — harvesting Medicare ID and date of birth to bill Medicare fraudulently. CMS OIG: DME fraud costs Medicare $3B+ annually.
Impersonates the IRS and demands immediate payment of back taxes or tax debt via gift cards (Google Play, iTunes, Amazon), prepaid debit cards, or Bitcoin — combined with arrest threats to create panic. The IRS never requests gift card payment. FTC 2024: #1 government-impostor fraud type, $5.5B lost.
Impersonates Microsoft (Outlook, Office 365) or Google (Gmail, Drive) claiming suspicious sign-in activity or account suspension — directing victims to click a link and enter credentials on a phishing page. APWG Q1 2025: Microsoft is the #1 impersonated brand globally (31% of all phishing).
Impersonates Amazon with a fake order confirmation, unauthorized charge, or account suspension — directing victims to enter Amazon credentials or payment info on a phishing page. APWG Q1 2025: Amazon is the #2 most impersonated brand globally; Amazon phishing increased 47% in 2024.
Impersonates Apple claiming the victim's Apple ID is locked, disabled, or compromised — or their iCloud account is suspended — directing them to a fake Apple sign-in page to harvest credentials. APWG 2025: Apple is a consistent top-5 most-impersonated brand; Apple ID phishing grew 38% in 2024.
Impersonates USPS, FedEx, UPS, DHL, or other carriers claiming a package could not be delivered, is on hold, or requires a customs or redelivery fee — directing victims to a phishing page to harvest payment details or home addresses. FTC 2024: package delivery scams are the #1 impersonation category by volume.
Impersonates Facebook, Instagram, or Meta claiming the victim's account or page has been disabled, suspended, or flagged for a policy or copyright violation — directing them to a fake appeals page to harvest Meta credentials. Meta Transparency Report 2025: account-suspension phishing grew 52% YoY.
Impersonates LinkedIn claiming the victim's account or profile has been restricted, suspended, locked, or flagged — directing them to click a link and verify LinkedIn credentials on a phishing page. LinkedIn-branded phishing spikes during job-market cycles and layoff waves, targeting professionals at their most vulnerable.
Impersonates an executive, vendor, or finance contact to demand an urgent wire transfer — often with social engineering cues (confidentiality, can't be reached by phone, changed bank account details). Classic Business Email Compromise. FBI IC3 2024: BEC/wire fraud caused $2.9B in reported losses — the #1 cybercrime category by dollar impact.
Impersonates PayPal or Venmo claiming the victim received a payment, has an unauthorized charge to cancel, or needs to verify their account — directing them to a phishing page to harvest credentials. FTC 2024: payment-app impersonation caused $210M in losses; PayPal is the #1 impersonated payment brand.
Impersonates HR or payroll to request the victim update their direct deposit bank account before the next pay period — a BEC variant that redirects salary to attacker-controlled accounts. FBI IC3 2024: payroll redirect BEC caused $2.7B in losses with an average incident cost of $130,000.
Claims a Norton, McAfee, Geek Squad, or antivirus subscription was auto-renewed for a large amount — urging the victim to call a toll-free number to cancel. The "support" agent then gains remote access or steals payment info. FTC 2024: tech support scams caused $924M in losses; subscription renewal is the #1 sub-type.
Email from a fabricated online romantic partner requesting money via wire transfer, gift cards, or payment app for a crisis — stuck overseas, medical emergency, customs fee, military deployment. Also used in pig-butchering crypto schemes. FTC 2024: romance scams caused $1.14B in losses — the highest of any impersonation category.
Claims the recipient won a lottery, sweepstakes, raffle, or lucky draw — then demands a "processing," "release," or "administrative" fee, or asks for personal details to claim. No legitimate lottery requires advance fees to claim winnings. FTC 2024: prize/lottery scams caused $168M in reported losses.
Solicits donations for a disaster, orphans, refugees, or sick children — but requests payment via wire transfer, cryptocurrency, or gift cards. No legitimate charity uses these payment methods. Charity scams spike after every major disaster. FTC 2024: charity fraud caused $100M+ in reported losses in peak disaster years.
Offers a job (remote, data entry, nanny, caregiver) requiring payment of a registration, training, background check, or equipment fee to get hired. Legitimate employers never charge workers upfront. FTC 2024: job/employment scams caused $501M in losses; advance-fee variant is the #1 sub-type by volume.
Offers a rental property at a suspiciously low price, with a landlord "overseas" who cannot show the property — requiring deposit via wire, Western Union, MoneyGram, or gift card before handing over keys. No legitimate landlord accepts these payment methods. FTC 2024: rental scams caused $145M in losses.
Proposes a secret fund transfer, unclaimed inheritance, or stranded royal funds — asking for bank account details or an advance fee in exchange for a cut of the money. Classic advance-fee / 419 fraud. IC3 2024: advance-fee fraud caused $55M in reported losses; near-100% scam rate for this pattern.
Impersonates a tax authority (IRS, HMRC, Skatteverket, etc.) claiming the recipient qualifies for a tax refund — directing them to provide bank details or click a link before the refund "expires." Multilingual: supports English and Swedish. NCSC 2024: HMRC refund phishing is the #1 UK government-branded phishing threat.
Promotes a fraudulent cryptocurrency scheme — guaranteed returns, celebrity-endorsed Bitcoin giveaways ("send BTC, get double back"), cloud mining daily passive income, or pig-butchering platforms introduced by a new online contact. IC3 2024: crypto fraud caused $5.6 billion in losses, the #1 fraud category by dollar amount.
Impersonates a bank (Barclays, Chase, Wells Fargo, Nordea, Swedbank, etc.) claiming the account is suspended or locked due to suspicious activity — then directing the recipient to click a link and enter banking credentials. Supports English and Swedish. APWG Q1 2025: banking is the #1 phished industry category at 24% of all attacks.
Email impersonating a grandchild (or their lawyer) claiming to be in jail, hospital, or stranded abroad — urgently requesting bail or wire transfer funds while demanding secrecy from other family members. A form of elder-targeted impersonation fraud. IC3 2024: elder fraud impersonation caused $1.76 billion in losses.
Email impersonating a Microsoft, Windows, or Apple security alert claiming the recipient's PC or Mac is infected — directing them to call a toll-free number to reach "certified technicians." Harvests payment card details or installs remote-access tools. FTC 2024: tech support scams cost US consumers $924 million in losses.
Email impersonating an IRS agent, debt collector, court, or federal agency threatening a lawsuit, arrest warrant, wage garnishment, or criminal charges — then directing the recipient to call a dispute hotline or click a link immediately. FTC 2024: impostor scams caused $2.7 billion in losses, the #1 fraud category.
Email claiming the recipient won a Facebook, Instagram, TikTok, or YouTube giveaway — then asking for personal details, account credentials, or payment info to claim the prize. A credential-theft and personal-data harvesting scheme. FTC 2024: social media fraud cost US consumers $1.4 billion.
Email impersonating Amazon, Walmart, Best Buy, Target, or another major retailer claiming an unauthorized order was placed — then directing the recipient to call a phone number to dispute or cancel it. A callback fraud scheme where scammers pose as customer service to harvest payment card details. FTC 2024: imposter scams were the #1 fraud category with $2.7 billion in consumer losses.
Email claiming the recipient was selected for a survey and will receive a gift card or cash reward — but requires a credit card to cover a small "shipping" or "processing" fee to claim the prize. A subscription trap that bills the card repeatedly after the free trial. FTC 2024: prize and lottery scams cost US consumers $175 million in reported losses.
Email impersonating Netflix, Spotify, Disney+, Amazon Prime, HBO Max, or another major streaming service claiming a payment failed — directing the recipient to click and re-enter credit card details on a phishing page. Exploits 4+ billion global streaming subscribers. Distinct from tech-support antivirus renewal scams which use phone callbacks.
Email claiming to deliver a voicemail or missed-call recording, directing the recipient to click a link or download an attachment to "play" it. Used to harvest Microsoft, Google, or corporate credentials via fake sign-in pages, or deliver malware. Often spoofs Microsoft Teams, Google Voice, or RingCentral voicemail systems.
Email promoting a penny stock or microcap as an urgent "hot tip" with 200%–1000% gain predictions and pressure to "buy now before the move." A pump-and-dump scheme where spammers inflate the stock price before selling. Common signals: ticker symbols, "insider" framing, "under Wall Street's radar," countdown urgency. SEC 2024: microcap fraud remains a top securities fraud category.
Email impersonating Visa, Mastercard, American Express, Chase, Discover, or Capital One claiming unclaimed cashback rewards or expiring loyalty points — directing the recipient to click and verify card details. A payment card credential harvest. APWG 2024: financial services phishing = 24% of all attacks, the #1 industry category.
Email offering an implausibly cheap vacation package, free rental car, timeshare presentation gift, or luxury resort stay at 90%+ off — requiring a credit card deposit or booking fee to "lock in" the deal. A classic advance-fee / bait-and-switch: the deal evaporates or card details are harvested. FTC 2024: travel and vacation scams cost US consumers $68M annually.
Email soliciting urgent disaster-relief donations (earthquake, flood, hurricane, war, refugee crisis) using emotional appeals and requesting payment via wire transfer, gift cards, or cryptocurrency. Fake charities spike after every major disaster. FTC 2024: disaster fraud is consistently a top consumer fraud category following each major event.
Email impersonating USPS, FedEx, UPS, DHL, or Royal Mail claiming a package could not be delivered and demanding a small fee ($0.99–$5) to release the shipment. The payment page harvests credit card credentials. APWG 2024: shipping brand impersonation accounts for ~12% of all consumer phishing lures, surging during peak shipping seasons.
Email impersonating an electricity, gas, or water company threatening same-day service disconnection for an overdue balance — demanding payment via gift card, wire transfer, or a phone call with card details. FTC/AARP 2024: utility impersonation is a top-3 impersonation fraud category with $200M+ in annual US consumer losses.
Email claiming your vehicle's factory or manufacturer warranty has expired — urging you to call immediately to extend coverage or "lock in a rate." The #1 FTC consumer spam complaint for multiple consecutive years; billions of messages sent annually. These are fake third-party warranty sellers with no affiliation to any vehicle manufacturer.
Email requesting your crypto wallet seed phrase, recovery phrase, or private key — framed as wallet recovery, security verification, or an airdrop claim. No legitimate wallet or exchange ever requests this. Sharing it results in instant, irreversible loss of all funds. FBI IC3 2024: crypto fraud cost Americans $5.6B, with wallet phishing the top vector.
Email claiming you've been approved for a government grant (federal, SBA, stimulus, COVID relief) but must pay a small processing or administrative fee to release the funds. Legitimate grants never require an upfront fee — that demand is the fraud signal. FTC 2024: government impersonation scams cost Americans $618M.
Email claiming someone ran a background check on you or that your personal information (address, phone, criminal records) is publicly visible on people-search sites — directing you to a paid data broker subscription or credential-harvesting page. Exploits privacy anxiety to generate sign-ups.
Email impersonating the IRS claiming you owe back taxes with an active tax lien or lawsuit — threatening immediate arrest, property seizure, or law enforcement dispatch unless you pay via gift cards, wire transfer, or cryptocurrency. The real IRS always contacts by postal mail first and never demands gift-card payment. Treasury OIG: 2M+ IRS impersonation contacts per year.
Email claiming your home warranty, appliance coverage, or vehicle service contract is expiring — using "final notice" language and scare tactics about costly repairs to push an immediate paid renewal. Senders have no knowledge of your actual coverage. FTC 2024: warranty scams generate 300,000+ complaints/year.
Email soliciting disaster-relief donations (earthquake, hurricane, war refugees, sick children) while directing payment via Zelle, Western Union, gift cards, or Bitcoin — the defining marker of charity fraud. Real charities never request gift cards or Bitcoin. FTC 2024: charity impostor scams = $530M+ in losses; spikes during disasters and crises.
Email from a self-described lawyer, banker, or widow claiming access to millions in unclaimed/deceased funds, offering you a 30–40% share, and requesting an upfront fee or banking details to "initiate the transfer." Classic Nigerian-prince / 419 fraud (30+ years running). FBI IC3 2024: advance fee fraud = $55M+ in reported losses; average victim loss exceeds $15,000.
Email claiming your email address won a lottery/sweepstakes — then requiring payment of "processing fees," "clearance taxes," or "release charges" before the prize can be transferred. There are no winnings; you cannot win a lottery you did not enter. FTC 2024: prize/lottery scams = $301M in losses; average victim loses $907.
Email selling concert/sports/festival tickets with payment-first mechanics (Zelle, Venmo, Cash App) and an inability to meet in person. Scammers post fake tickets to sold-out events, collect payment, then disappear. Venmo/Zelle payments can't be recovered. FTC 2024: online ticket fraud = $900M; buy only from official sources with buyer-protection guarantees.
Email impersonating a grandchild/family member in crisis (arrested, in an accident, stranded abroad) — a lawyer or doctor calls on their behalf demanding bail/medical money and insisting you keep it secret from the rest of the family. FBI IC3 2024: grandparent scams = $220M in reported losses; seniors over 60 are the primary target. Always call the family member directly on a known number first.
Email impersonating an electricity, gas, water, or internet company threatening immediate service shutoff unless you pay via gift cards or call a fake hotline. Real utilities never accept gift cards. FTC 2024: utility impersonator scams = $55M in losses; spikes in winter when heating shutoff creates maximum urgency.
Unsolicited disaster relief appeal requesting donations via gift cards, wire transfer, Zelle, or Venmo to a personal account — hallmarks of fake "emergency charities" exploiting earthquakes, hurricanes, wars, and crises. Real charities never solicit gift card donations. FTC 2024: $400M+ lost annually to fraudulent charity solicitations; complaints spike 300% after major disasters.
Unsolicited email promoting a forex trading system, binary options signal group, or crypto trading bot promising guaranteed monthly returns of 15–100%+ with no experience needed. Requires a minimum deposit to join a VIP program. CFTC/SEC: forex and binary options scams cause $600M+ annual losses; these 'brokers' make withdrawals impossible after deposit.
Unsolicited email claiming the recipient won a foreign lottery — Spanish El Gordo, EuroMillions, UK Football Pools, Canadian Mega Draw — despite never entering. Demands upfront processing fees, release taxes, or customs duties (£100–£800) via Western Union or wire transfer to collect the prize. FTC 2024: foreign lottery scams extracted $117M from US victims. No real lottery charges fees to release winnings.
Email offering "guaranteed" loan modification, principal reduction, or foreclosure rescue for an upfront fee of $500–$2,500 — falsely invoking HARP/HAMP programs. Instructs homeowners to stop paying their mortgage (accelerating foreclosure) or transfer the deed to a third party. FTC/CFPB 2024: mortgage relief scams cause $150M+ annually. HUD-approved counselors and real bank programs are always free.
Email impersonating the IRS claiming outstanding tax liability with an arrest warrant — demanding immediate payment via iTunes/Google Play gift cards, wire transfer, or prepaid debit cards to avoid prosecution or asset seizure. The IRS only contacts taxpayers by US mail and never accepts gift cards. FBI IC3 2024: IRS impersonation scams caused $96M in reported losses. Never pay taxes via gift cards.
Email impersonating an electric, gas, or water utility threatening same-day service disconnection unless you immediately pay via Green Dot card, Walmart MoneyCard, Vanilla gift card, or MoneyGram. Real utilities never accept prepaid cards or give 2-hour ultimatums by email. FTC/AARP 2024: utility impersonation scams caused $186M in losses, peaking in winter and summer.
Email impersonating the SSA claiming your Social Security number has been suspended due to criminal activity — threatening arrest by federal marshals unless you call an "SSA officer" or buy gift cards to protect your assets. The real SSA never suspends SSNs or threatens arrest by email. FTC 2024: government impersonation scams (led by SSA) caused $1.1B in losses — the single largest reported fraud category.
Email claiming you've been approved for a federal grant, unclaimed COVID relief, stimulus check, or SNAP refund — but requiring a processing or administrative fee ($75–$250) before funds can be released. No legitimate government benefit requires an upfront fee. FTC 2024: fake grant and unclaimed benefit scams caused $492M in losses. The fee is the scam — no funds exist.
Email impersonating a customs agency claiming your package is held at the border — demanding customs duty, import duty, or a clearance fee with a threat that the package will be destroyed or confiscated if unpaid. Real customs notices arrive by mail and are tied to actual orders. FTC 2024: delivery and customs impersonation scams caused $330M in losses. Scammers also harvest passport numbers and SSNs as 'customs verification.'
Email impersonating a court clerk claiming you missed jury duty and have an active arrest warrant — demanding payment of an $800–$1,500 fine via prepaid card, gift card, or Western Union to avoid arrest. Real courts never email payment demands for jury duty warrants. FTC/FBI 2024: fake arrest warrant scams are a top senior fraud category — combining authority, urgency, and untraceable payment is the classic social engineering triad.
Unsolicited 'FINAL NOTICE' email claiming your vehicle warranty is about to expire — pressuring you to call immediately to extend your service contract before a limited-time offer expires. These are high-pressure third-party warranty resellers with no manufacturer affiliation. FTC 2023: extended vehicle warranty robocalls/emails are a top-5 reported spam category; the FTC banned 12 major robocalling operations for these calls.
Work-from-home 'job offer' as a payment processor, reshipping coordinator, or financial agent — where the job is receiving fraud proceeds into your personal bank account, then wiring them abroad or reshipping packages internationally, keeping a % commission. This is money laundering recruitment. FBI 2024: money mule networks move $1B+ annually; the 'coordinator' faces federal criminal charges even if unaware of the fraud source.
Email claiming to be from a title company or escrow agent providing 'updated' wire instructions with new routing/account numbers — timed to intercept a real estate closing. BEC attackers spoof title companies to redirect down payments and closing funds. FBI IC3 2024: real estate wire fraud caused $446M in losses; funds are typically irretrievable within hours. Always verify wire instructions by phone before wiring.
Email recruiting into a multi-level marketing or pyramid scheme — framed as a 'ground floor' home business opportunity where you buy a starter kit ($99–$299) and earn passive income from your 'downline' of recruits (and their recruits). FTC 2021: 99.6% of MLM participants lose money; median annual MLM income is $0. Real sales jobs don't require purchasing products to start.
Email claiming an 'accidental overpayment' via cashier's check, then asking you to deposit the check and wire back the 'excess' or send gift card codes. The check is counterfeit; when it bounces days later, you're liable for what you already sent. FTC 2024: fake check scams caused $456M in losses; median loss $1,900. If anyone sends a check and asks for money back, it's always fraud.
Sextortion email falsely claiming the sender hacked your device, installed spyware, and recorded you visiting adult websites — threatening to send the footage to all your contacts unless you pay Bitcoin within 24–72 hours. Often includes a real breached password to seem credible. The footage doesn't exist. FBI IC3 2024: sextortion scams caused $80M+ in losses. Never pay — passwords come from public data breaches, not your device.
Email from a self-described 'barrister,' 'solicitor,' or estate banker claiming a deceased person with your surname left millions and you are the 'next of kin' — requiring bank details and advance fees to claim the estate. Also known as 419 / Nigerian prince scam in estate form. FBI IC3 2024: advance fee fraud caused $134M in losses. Real probate is initiated by official court notices, never unsolicited emails.
Fake cryptocurrency trading platform promising guaranteed daily returns — deposit USDT/Bitcoin to activate your account, watch fake profits grow on a dashboard, then get asked to pay a 'withdrawal fee' or 'tax clearance fee' to release your money. The platform is fraudulent; all deposits are stolen. Also used in pig butchering scams (romance → investment). FBI IC3 2024: crypto investment fraud caused $5.8B in losses; average pig butchering victim loses $35,000.
Email impersonating the IRS, HMRC, or a 'tax authority' claiming you have an unclaimed tax refund or stimulus payment — directing you to click a link and enter bank account details, SSN, or card numbers to receive it. Real tax authorities contact you by postal mail, never by email requesting financial details. IRS: phishing surges 400%+ during January–April tax season. The tell: external domain, urgency window, bank details via click.
Fake job offer requiring upfront payment — framed as a 'background check fee,' 'screening fee,' 'training materials fee,' or 'equipment purchase' the company promises to reimburse. No job exists. FTC 2024: job scams are the #2 fraud category for people under 30; median loss is $2,000. Red flags: immediate approval with no real interview, payment via gift cards/Zelle/money orders.
Fake pet listing offering a puppy or kitten 'free to a good home' — you only pay a 'shipping fee,' 'health certificate,' or 'airline crate fee' ($100–$350). After you pay, more fees appear: insurance, customs, quarantine. The pet doesn't exist. FTC 2024: online pet scams are the #1 animal-related consumer fraud; 80% of online puppy listings in studies are fake. Never pay before seeing the animal in person.
Fake bank/PayPal/Venmo notice claiming your account is frozen due to suspicious activity — requiring an 'unlock fee,' 'reinstatement fee,' or 'reactivation fee' ($15–$50) via gift cards or wire transfer. Real financial platforms never charge fees to restore account access. Payment via gift cards is the definitive scam indicator.
Fake domain expiration notice from a non-registrar warning your domain will expire imminently and be 'snapped up by squatters' unless you pay an inflated renewal fee ($75–$150+) now. The sender is NOT your actual registrar. ICANN regulations prohibit domain transfer without explicit authorization; the scam preys on business owners who panic about losing their website. Real renewal notices come from the registrar on record at normal pricing.
Fake insurance settlement, class action payout, or data breach compensation notice claiming you have an approved payout — but must pay a 'processing fee,' 'release fee,' or 'tax clearance fee' ($75–$500) upfront to receive it. Real settlements never require upfront payment. These scams exploit real class action settlements (Equifax, data breaches) to appear credible. FBI IC3 2024: advance fee fraud via fake settlements caused $134M in losses.
Email impersonating Medicare or a 'Medicare-approved supplier' offering free back braces, CPAP machines, knee braces, glucose monitors, or diabetic supplies — requiring your Medicare beneficiary number, SSN, or date of birth to 'verify eligibility.' The collected data is used for identity theft and fraudulent Medicare billing. Real Medicare never cold-contacts beneficiaries offering free equipment. OIG estimates Medicare DME fraud costs $1–2 billion annually.
Cold email claiming you've been selected for lower energy rates, a government energy saving scheme, or are owed an energy bill refund — then requesting your bank direct debit details (sort code and account number) to 'complete the switch' or 'process the refund.' Real energy switches never require providing bank details by email. Ofgem 2024: energy tariff scams spiked 340% following the energy price cap crisis, with victims losing an average of £450.
Targets people who already lost money to crypto scams. Scammers pose as 'blockchain forensics specialists' or 'crypto recovery firms' claiming they can trace and recover stolen funds for an upfront engagement fee or 10–20% of recovered funds. No recovery occurs — the fee is the scam. FBI IC3 2024: double-dip scams targeting prior fraud victims caused $67M in losses, with crypto recovery scams the fastest-growing subcategory.
Victims are recruited to rate Amazon products or like TikTok videos for pay. After completing trial tasks, the platform shows an accumulated balance but requires a crypto deposit (USDT/USDC) to 'unlock earnings,' 'unfreeze the account,' or 'complete a task set.' Each deposit generates a new demand — the balance never materializes. FBI IC3 2024: task scams targeting social media platforms are the fastest-growing fraud type among 18–35 year-olds.
Targets timeshare owners with promises to 'cancel your contract permanently' or 'free you from maintenance fees' for a large upfront fee ($1,500–$5,000+). Red flags: guaranteed results, instructions not to contact the resort, and advance payment required. Real timeshare exits go through the resort's official deed-back program. FTC 2024: timeshare exit scams generated over $100M in consumer losses, with the average victim losing $4,000.
Email claiming you've been approved for a personal loan ($5K–$50K) regardless of credit — requiring an upfront 'insurance fee,' 'processing fee,' or 'origination fee' ($99–$500+) before funds are released. No loan exists; the fee is the scam. Legitimate lenders never require upfront payment before disbursement. FTC 2024: advance fee loan fraud caused $62M in reported losses, disproportionately targeting people with poor credit.
Mass-mailed cold email claiming a psychic/clairvoyant/medium has had an urgent vision about you, has a message from a deceased relative, or sees a dark cloud requiring a protection ritual — all demanding a fee ($20–$150) to receive the reading or talisman. These are industrialized fraud operations using mail-merge. FTC 2024: psychic/spiritual fraud caused $92M in consumer losses, with elderly women most frequently targeted.
Private companies send official-looking notices claiming your LLC/corporation annual filing or registered agent service is due — demanding a 'compliance fee' that goes to them, not the state. Real annual filings go directly through the Secretary of State website. The FTC has sued multiple companies for sending deceptive compliance solicitations. NFIB estimates small businesses lose $100M+/year to fake compliance notices.
Phishing email impersonating Google Drive, Dropbox, OneDrive, or iCloud claiming your storage is full and your account/files will be permanently deleted — directing you to click a link and enter payment card credentials. Real cloud providers don't delete files immediately on storage limit or send threats from external domains. These campaigns harvest payment card numbers and cloud account credentials.
Scammers contact auction bidders claiming the winning buyer backed out — then request payment OUTSIDE the auction platform via wire transfer, gift cards, or Bitcoin. The item doesn't exist or the seller is fraudulent; payment outside the platform eliminates buyer protection. FBI IC3 2024: online marketplace payment fraud caused $392M in reported losses. The defining red flag: any instruction to bypass the platform's payment system.
Cold email claiming your email, SSN, or credit card was 'found on the dark web' in a breach — directing you to click a link to see the 'breach report' and pay for an 'identity protection plan' or 'dark web monitoring' subscription. Legitimate breach alerts come from existing relationships (bank, credit bureau), not cold-contact with paid upsells. FTC 2024: dark web removal services are specifically called out as largely fraudulent.
Private companies cold-email business owners impersonating Google, claiming their Google Business Profile is 'suspended' or 'at risk of removal' — demanding a 'verification fee' or 'reinstatement fee' ($79–$299) to a fake 'Google-certified support team.' Google never charges fees to maintain, verify, or reinstate listings — all verification is free through the Google Business app.
Private companies posing as 'VA-accredited claim specialists' or 'claim coaches' cold-email veterans offering to file VA disability, pension, or Camp Lejeune claims for a fee (often 20–40% of the first year's benefits). They frequently 'guarantee' VA approval — illegal and impossible. Legitimate VSO assistance (DAV, VFW, American Legion) is 100% free. Congress prohibits charging veterans for claims assistance before a final determination.
Unsolicited mass emails claiming 'were you in a recent accident? you may be entitled to compensation' or 'our records show you were in a road traffic accident' — pushing no-win-no-fee personal injury hotlines or claiming the recipient qualifies for thousands in whiplash/slip-and-fall compensation. These are bulk lead-generation spam violating solicitation rules. The UK ICO fines claims management companies millions annually for this spam.
"Pig butchering" romance fraud — scammer builds a fake romantic connection online, introduces a crypto trading "mentor," and invites the victim to deposit funds on an exclusive platform with guaranteed returns. When the victim tries to withdraw profits, their account is frozen and they must pay a "tax" or "withdrawal fee" to unlock it — which vanishes. FBI 2023: $3.96B in losses from this scam type alone.
Phishing emails impersonating Amazon claiming your account is suspended, payment declined, Prime cancelled, or Seller Central account flagged — linking to a fake domain to steal your Amazon credentials and payment card. Real Amazon never sends credential-entry links from external domains. Amazon is the most-impersonated brand in phishing campaigns globally.
Emails impersonating Microsoft, Apple, Windows Defender, Norton, or McAfee claiming your PC is infected or account compromised — urging you to call a toll-free number and install AnyDesk/TeamViewer so 'technicians' can remotely steal banking credentials or sell fake virus removal plans ($99–$499). FTC 2024: tech support scams cost Americans $924M, making this the #2 fraud category by loss.
Nigerian 419 / advance-fee fraud — a 'barrister' or 'bank official' claims you are next of kin to a deceased stranger with millions in a dormant account, or that you won a lottery/UN compensation award. To release funds, you must pay escalating 'legal fees,' 'transfer taxes,' or 'documentation fees.' The money is never released. FBI IC3 2024: advance-fee fraud caused $107M in US losses.
Victims are recruited as 'package inspectors' or 'quality control specialists' to receive stolen goods at their home address and reship them overseas — unknowingly acting as money mules. Participants face federal criminal liability for receiving and transporting stolen property. FBI: reshipping scams result in federal mail fraud charges for unwitting participants.
Private companies charge $99–$999 upfront to 'apply' for federal student loan forgiveness, income-driven repayment, or PSLF — services that are 100% free at studentaid.gov. Some scammers request your FSA ID credentials to make unauthorized changes. The US Department of Education states: 'You never have to pay for help with your federal student aid.'
Two variants: (1) 'You won a $500 Amazon gift card — pay $4.99 shipping to claim' — harvests credit card details; (2) CEO/boss impersonation: buy Google Play/iTunes/Amazon gift cards urgently and email the codes — boss promises reimbursement. FTC 2024: gift cards are the #1 payment method across all fraud types combined, totalling $217M in losses.
Fake 'relief funds' surface after real disasters (earthquakes, floods, wars) soliciting donations via PayPal personal accounts, wire transfer, Western Union, or crypto instead of registered charity platforms. FBI: fake charity domains increase 300% within 72 hours of major disasters. Real charities (Red Cross, UNICEF) never cold-email donation requests to personal payment accounts.
Fraudulent apartment/house/room/villa listings at below-market prices. The 'landlord' claims to be overseas (missionary, military) and asks for a deposit or first month's rent via Western Union/wire before any viewing. Once paid, the scammer vanishes. FBI IC3 2024: rental fraud cost Americans $350M. Rule: never pay before viewing in person, never pay outside official platforms.
Scammers impersonate electricity, gas, water, or broadband providers claiming your account is overdue and service will be disconnected in 2–4 hours — demanding immediate payment via gift cards, prepaid debit cards, or wire transfer. Real utilities send weeks of written notice before any disconnection, never accept gift cards, and never demand payment via a number they called you from.
Fake 'immigration processing centers' claim your visa, H-1B, Green Card, or diversity visa lottery has been approved — demanding $150–$600 in 'processing fees' via wire transfer or Western Union, plus passport and SSN scans. Legitimate visa approvals come from official government portals (USCIS, gov.uk); fees are paid on government websites only. The US State Department: the DV Lottery is free — any email demanding payment to 'claim' a lottery visa is a scam.
Fake debt collectors threaten immediate arrest or criminal prosecution for alleged unpaid payday loans or IRS tax debts — demanding same-day payment via gift cards or wire transfer. Key fact: civil loan debt cannot result in criminal arrest in the US or UK. The IRS never calls threatening arrest and never accepts gift card payment. FTC 2024: fake debt collection scams caused $1.1B in losses.
Illegal online pharmacies selling Viagra, Cialis, Ozempic, opioids, Xanax, and Adderall without a prescription — shipped 'discreetly' from overseas with no doctor needed. 50% of medications sold online are counterfeit (WHO). Purchasing controlled substances online without a prescription is a federal crime. Legitimate telehealth services require a physician consultation.
Classic advance-fee fraud: your email 'won' a Microsoft/Google/EuroMillions/UN lottery you never entered — pay a 'prize release fee' or 'lottery tax' ($150–$1,000) to receive millions. No legitimate prize requires payment to claim. You cannot win a lottery you didn't enter. Prize winnings are never 'confidential.'
Seniors 62+: access $200K in home equity tax-free, no monthly payments, guaranteed approval — just pay a $495 application fee. Legitimate reverse mortgages (HECM) never require upfront fees. CFPB reports this fraud disproportionately targets older adults, often costing victims their entire housing wealth. Verify with a free HUD-approved counselor (1-800-569-4287).
Police Benevolent Fund / Firefighter Association / Fallen Officers Memorial Fund donation emails — 85–95% of all donations go to the telemarketing firm running the solicitation. Four sham first-responder charities were sued for raising $187M with almost nothing reaching beneficiaries. Verify any charity at charitynavigator.org before donating.
You've won a $50,000 sweepstakes you never entered — just pay a $49 entry fee / processing fee / tax clearance fee to release your prize. The prize does not exist. FTC law: legitimate sweepstakes are free to enter and free to claim. US losses exceed $100M annually from prize/sweepstakes scams. Real sweepstakes (PCH, Coca-Cola, McDonald's) never demand fees.
Craigslist / Facebook Marketplace buyer sends a cashier's check for more than the asking price — just wire back the $2,000 difference to their 'shipping agent.' The check bounces days later. Seller loses the item AND the wired money. FDIC warning: checks can appear cleared but still be counterfeit. No legitimate buyer ever overpays and asks you to wire back the difference.
Beautiful below-market apartment — landlord is overseas / deployed and can't show it in person. Wire first + last month rent + $850 security deposit to hold it, keys mailed after payment. The property belongs to someone else or doesn't exist. FBI IC3: rental fraud causes millions in annual losses. Rule: never wire a deposit before viewing a property in person.
Hired as a mystery shopper to evaluate Western Union — a $350 check is mailed, deposit it, keep $75 as your fee, then wire the remaining $275 to complete the 'evaluation.' The check bounces days later. FTC Consumer Alert: no legitimate mystery shopping company mails advance checks and asks you to wire money. MSPA: real mystery shoppers pay expenses upfront and get reimbursed after submission.
A message from a friend's hacked Facebook/Instagram/WhatsApp account claims they're stranded in Paris after being mugged, wallet and passport stolen, and just need $400 via Zelle, adding 'keep it between us.' FBI: social media account takeover fraud is a growing crime vector. The real friend is unaware their account was hacked. Defense: call them directly — don't send money before verbal confirmation.
$1,500 payday loan guaranteed approved regardless of bad credit — no credit check — just pay a $99 activation/insurance fee upfront to release the funds. Loan never arrives. FTC law: legitimate lenders never charge upfront fees before disbursing a loan — any fees are deducted from loan proceeds. FTC 2024: advance-fee loan fraud causes hundreds of millions in annual losses.
Impostor posing as the IRS, SSA, a utility, or tech support demands payment via Bitcoin ATM — go to the nearest Bitcoin ATM, deposit $3,200 cash, send Bitcoin to this wallet address. FTC 2024: Bitcoin ATMs are now the #1 payment method for government impostor scams — $114M+ in losses annually. No government agency, court, or utility company accepts Bitcoin. Transactions are irreversible within minutes.
Bank/Microsoft/PayPal email with a QR code — scan to verify your account and avoid suspension. QR leads to a phishing page that harvests your credentials and payment details. This is called 'quishing' — QR codes bypass email URL scanners. CISA/FBI 2024 alert: surge in quishing campaigns. Rule: never scan a QR code from an unsolicited email to log into any account.
Marketplace buyer insists you use their specific escrow service for 'buyer and seller protection' — ship the item first, escrow will release payment once delivery is confirmed. Escrow is controlled by the scammer — payment never released. FBI IC3: marketplace escrow fraud causes $300M+ annually. Rule: only use payment systems built into the platform you're selling on (eBay payments, Facebook Marketplace checkout).
Unsolicited invoice for a Yellow Pages/Google Business/national directory listing you never ordered — $350/year — your listing will be removed in 7 days if unpaid. Google Business Profiles are FREE. FTC/BBB: business directory invoice fraud targets small business accounts-payable staff who don't scrutinize all invoices. Verify every invoice against a purchase order before paying.
Email claiming your website/blog/social media uses a copyrighted image/music/content without a license — demands $350-$1,200 'discounted settlement' to avoid statutory damages up to $150,000. May impersonate Getty Images, Shutterstock, or independent photographers using lookalike domains. Real DMCA enforcement goes through hosting providers (content disabled, no fee demanded). Never pay copyright demands by email — verify through official channels and consult an IP attorney.
Official-looking invoice from 'National Trademark Registry' or 'International Patent Protection Services' demanding an annual $300-$600 maintenance fee or your trademark/patent will lapse. These are not government agencies — real USPTO fees are paid at USPTO.gov, EUIPO fees at EUIPO.europa.eu. The USPTO, EUIPO, and WIPO all maintain specific warning pages about these fraudulent invoices targeting businesses. No authorized private middleman exists.
Scammer responds to your nanny/babysitter/caregiver/personal assistant job listing, 'hires' you remotely, then sends a cheque for more than agreed and asks you to deposit it and wire/Zelle back the difference. The cheque bounces days later. Banks make funds available within 1-2 days (Reg CC) but cheques take 5-10 days to actually clear — funds showing in your account do NOT mean the cheque is real. FTC: fake cheque scams cause $28M+/year. Rule: no legitimate employer overpays and asks for money back.
Email impersonating WhatsApp Business or Telegram claiming your account requires verification to avoid suspension — click link to confirm phone number / government ID. Sender is never @whatsapp.com or @telegram.org. Real WhatsApp/Telegram security actions happen inside the app, never via cold email. The 'green tick' verification for WhatsApp Business is free and applied by Meta — no fee, no email. Warning signs: non-official sender domain, government ID request, verification fee.
Fake celebrity endorsements (Elon Musk, Jeff Bezos, Warren Buffett, Richard Branson, Dragon's Den) promoting a crypto/Bitcoin investment platform with 'guaranteed' 200-500% returns. The celebrity never endorsed anything. FCA: £250M+/year in UK celebrity investment fraud losses. No investment can legally guarantee returns — any platform that does is committing securities fraud. Warning signs: celebrity quote, guaranteed percentage, limited spots, sub-$500 minimum.
Unsolicited email claiming you're eligible for a class action settlement (data breach, overcharging) of $500-$3,500 but must first pay a $25-$75 "processing/administration/claim fee" to receive the payout. Real settlements never charge claimants — attorneys work on contingency, court-supervised disbursers handle payouts at no cost. FTC: advance-fee settlement fraud is a growing impersonation scam variant. Verify any settlement at the official court-approved administrator site.
Cold email claiming to unlock your pension before retirement age for a processing/administration/liberation fee. The pension cannot be accessed early without triggering HMRC unauthorised payments charges of 40-55%. Legitimate advisers charge for advice — never for 'unlocking.' FCA and The Pensions Regulator warn: pension liberation fraud costs the UK over £1 billion per year. Never pay upfront fees to access your pension.
Unsolicited job offer for a high-paying role abroad (Dubai, Canada, Germany, oil rig) — accommodation and flights included — but you must first pay a visa processing fee / work permit fee / sponsorship fee. The job does not exist. Under UK, EU, US, and Gulf employment law, employers cover all visa costs — workers never pay. The ILO campaigns against recruitment fees. Warning signs: salary above market rate, fee via wire/MoneyGram, generic description, Gmail sender.
Credential phishing disguised as free in-game currency from Fortnite (V-Bucks), Roblox (Robux), Xbox (Game Pass), or Steam (wallet credit) — recipient has been 'selected' for a giveaway and must log in to claim. The link leads to a fake lookalike login page harvesting gaming account credentials. Targets young gamers who may be less security-aware. After theft, attackers drain in-game balances, sell rare items, or pivot to linked payment accounts. Real platforms never grant free currency via unsolicited email.
Targets seniors with offers of free medical devices — PERS life alert buttons, fall detection, diabetic supplies, orthopedic braces — 'fully covered' by Medicare/Medicaid at zero cost. To 'verify eligibility,' the victim must provide their Medicare beneficiary ID, Medicaid insurance number, or date of birth — used for Medicare fraud and identity theft. HHS OIG lists this among the most common scams targeting beneficiaries. Legitimate DME suppliers require a physician prescription, not an ID number submitted by email. Medicare never contacts beneficiaries unsolicited to offer free equipment.
Host or scammer posing as an Airbnb/VRBO host asks you to pay outside the platform — via Zelle, bank wire, or crypto — to 'save on fees' or due to a 'payment system issue.' This voids all buyer protections: Airbnb AirCover, VRBO Book with Confidence guarantee, and credit card chargebacks require on-platform payment. FBI IC3: vacation rental fraud causes tens of millions in losses annually. Scammers use real property photos scraped from listings. Warning signs: non-official email domain, offer of discount for direct payment, irreversible payment method (Zelle/crypto).
Fake recruiter sends a 'technical assessment' requiring you to clone a GitHub repo and run setup scripts, install npm/pip packages, or execute downloaded scripts — all of which deliver malware (RATs, crypto stealers, keyloggers). Attributed to North Korean APT groups (Lazarus/Contagious Interview) targeting software engineers and crypto professionals. FBI/CISA have published multiple advisories. Legitimate assessments run in-browser on HackerRank/LeetCode — no local installation ever required. Red flags: unsolicited outreach, unusually high salary, GitHub clone + run script.
Email impersonating DocuSign, Adobe Sign, or HelloSign claiming a document awaits your electronic signature — click the link and you're taken to a fake login page harvesting Microsoft 365, Google Workspace, or corporate SSO credentials. Proofpoint: tens of millions of DocuSign phishing emails per month. Real DocuSign always uses @docusign.net — never docusign-secure.net or similar lookalikes. May explicitly request 'corporate email and password.' After compromise: BEC fraud, further phishing, or ransomware. Warning signs: non-official domain, 48-hour expiry, Microsoft/Google credential request.
Phishing email claiming you have a Cash App or Zelle payment pending — 'log in to claim your $350' — or your account is on hold pending verification, or an overpayment requires you to refund the excess via Zelle. All variants harvest credentials or extract real money. FTC: P2P payment app fraud totals hundreds of millions annually; Zelle fraud alone exceeded $440M. Neither Cash App nor Zelle sends unsolicited 'payment pending — claim now' emails. Real Zelle notifications come from your own bank. Warning signs: non-official domain (cashapp-notifications.net), urgency, overpayment + refund framing.
Email impersonating Instagram, Facebook, or Meta claiming a copyright / DMCA infringement strike will permanently delete your account within 12-48 hours unless you log in to 'appeal.' The link leads to a fake Meta login page. Check Point Research: Meta is the most impersonated brand globally. Real copyright appeals happen inside the app — Meta never emails an external login link for appeals. Official emails only come from @instagram.com and @facebookmail.com. Warning signs: non-official domain, deletion threat with countdown, external login link for appeal.
Impersonates Binance, Coinbase, Kraken, Bybit, or Crypto.com demanding mandatory KYC / AML compliance — upload government ID, passport, and proof of address within 24-72 hours or your account will be suspended and withdrawals frozen. Legitimate KYC requests happen inside the exchange app after login — never via cold email with external upload links. Uploaded IDs are used for identity theft or sold on dark markets. Warning signs: non-official sender domain (binance-kyc-center.com), tight deadline, external document upload portal, regulatory language as urgency.
Scammer poses as a Facebook Marketplace buyer and claims to have accidentally sent too much via Zelle, Venmo, Cash App, or PayPal — asks the seller to refund the difference before pickup. The original payment is fake or will be reversed; the 'refund' is real money lost with no recourse. Warning signs: overpayment from unknown buyer, refund request via peer-to-peer app, urgency to refund before seeing money clear.
Scammer claims to have intimate/nude/explicit photos or a compromising video and threatens to send them to the victim's contacts, employer, and family unless paid in Bitcoin, cryptocurrency, or gift cards within 24-72 hours. In most cases no real material exists — the threat is pure bluff designed to cause panic. Warning signs: claims of compromising content, Bitcoin/gift card demand, tight deadline, threat to contact employer or family. Never pay — contact the FBI's IC3 at ic3.gov instead.
Impersonates OpenAI/ChatGPT, Anthropic/Claude, Microsoft Copilot, or Google Gemini with a fake subscription charge ($179-$299) and a phone number to call or link to click to cancel within 24-48 hours. The charge is fabricated; calling connects you to a scammer who steals payment info or installs remote access software. Real AI billing emails come from official domains (@openai.com, @anthropic.com) and never include callback phone numbers. Warning signs: unexpected charge, unknown sender domain, call-to-cancel phone number, 24-48 hour urgency.
Impersonates LinkedIn job alerts or InMail to either harvest LinkedIn credentials via a fake login page, or collect PII (Social Security Number, bank account, government ID) under the pretext of job application/payroll onboarding. Sent from lookalike domains (linkedin-careers-portal.net), not @linkedin.com. Real LinkedIn never requests SSN or bank account in email. Warning signs: non-LinkedIn sender domain, SSN/bank request, unrealistic pay offer ($3,500/week, no experience), 24-hour expiration link.
Scammer asks a dating app match to complete a 'safe dating certification' or 'age verification' at a third-party site — credit card required 'just for verification, no charge.' The site secretly enrolls the victim in recurring adult-content subscriptions ($39-$99/month). Legitimate dating apps never redirect to external verification sites or ask for a credit card for safety checks. Warning signs: external verification link, credit card 'for verification only,' promise of no charges.
Fake Apple receipt showing a large fabricated purchase (iCloud+ $299, App Store $189, Apple One $149) with a toll-free phone number to 'dispute within 24-48 hours.' Calling connects to a scammer who requests remote desktop access or credit card details to 'process the refund.' Real Apple receipts come from @email.apple.com and never include a callback phone number. Apple is the #1 most impersonated tech brand in support scams. Warning signs: non-Apple sender domain, callback phone number, abnormally large charge, 24-48h urgency.
Phishing emails impersonating AT&T, Verizon, or T-Mobile falsely claiming a SIM swap or port-out request was initiated on your account. Creates urgency — 'cancel within 24 hours or your number will be permanently transferred' — and directs victims to verify their account PIN or Social Security Number digits. Goal: harvest credentials to complete the real SIM swap and seize 2FA-protected accounts (email, bank, crypto). FCC: SIM swap fraud surged 400% from 2021–2024. Real carriers NEVER request PINs or SSNs via email links. Warning signs: non-carrier sender domain, PIN/SSN request, urgency window, click-to-cancel link.
Fraudulent brand deal emails targeting creators with offers requiring upfront payment. Variants: (1) 'free products' but pay $35 shipping fee that disappears; (2) overpayment check scam — receive a $1,500 check, wire $700 to a 'supplier' before check bounces; (3) buy a $99 'starter kit' with promised reimbursement that never comes; (4) mystery gift box requiring a $49 'shipping contribution.' FTC 2024: creator advance-fee fraud is the fastest-growing creator-targeted scam. Legitimate brands NEVER ask creators to pay anything upfront — all shipping, product, and production costs are absorbed by the brand.
Fake renewal invoices impersonating Norton 360, McAfee Total Protection, Geek Squad / Best Buy Total Tech, or generic 'Advanced PC Protection' with a fabricated auto-renewal charge ($249–$399) and a toll-free callback number. Calling connects to a scammer who requests remote desktop access (AnyDesk/TeamViewer) to 'process the refund' — then empties bank accounts or installs ransomware. FTC 2024: tech support impersonation caused $1.3B in losses; Norton, McAfee, and Geek Squad are the top three impersonated brands. Real antivirus companies NEVER include callback phone numbers in renewal emails. Warning signs: non-official domain, callback number, large unexpected charge, urgency window.
Phishing emails impersonating TSA, CBP, or the Trusted Traveler Program claiming PreCheck or Global Entry has expired or been suspended — requiring a $78–$100 renewal fee and PII (passport number, date of birth) on a fraudulent portal. FTC advisory (Feb 2024): fake PreCheck renewal phishing surged 300%. Real TSA PreCheck/Global Entry renewal is ONLY done through ttp.cbp.dhs.gov — the government never collects fees via email links. Warning signs: non-.gov sender domain, fee payment link, passport or DOB request.
Phishing emails impersonating travel booking platforms with fake payout-on-hold, payment-declined, or unusual-login alerts. Host variant: 'Your Booking.com payout is on hold — verify your bank account.' Guest variant: 'Your Hotels.com payment was declined — update your card within 24 hours.' Both harvest credentials or payment card data. FTC 2024: travel platform phishing surged 200%, Booking.com is the most impersonated OTA. Real Booking.com never sends unsolicited 'verify banking details' emails. Warning signs: non-OTA domain, no booking reference number, payout/payment urgency.
A scammer posing as a buyer, renter, or recruiter asks you to share a 6-digit verification code they 'sent to your phone.' The code is actually a Google Voice setup code — sharing it hands them control of your phone number. They then use your number to scam other people or bypass two-factor authentication on your accounts. FTC 2024: #1 account takeover technique on Craigslist/Facebook Marketplace — 1 in 3 classified ad scam reports involve a 'code verification' request. Real buyers/employers NEVER need you to share a verification code. Warning signs: any request to share an SMS code 'for verification.'
Fraudulent emails promoting cloud mining contracts, DeFi staking pools, liquidity yield farming, or hash-rate rentals with implausibly high guaranteed returns — '2% daily', '180% APY', '15% weekly'. These are Ponzi schemes or exit scams with no real mining hardware or smart-contract yield. The SEC and FTC have prosecuted BitConnect, OneCoin, Hashflare, and dozens more, costing victims over $5 billion combined. Real Ethereum staking yields ~3–4% APY, fluctuating with network conditions — never guaranteed. Warning signs: guaranteed fixed returns, daily payout promises, minimum deposit requirement, urgency framing.
Fraudulent 'sugar daddy' or 'sugar mommy' emails offering a weekly or monthly allowance but demanding an upfront payment first: buy gift cards and send codes, receive an overpayment check and wire part back (the check bounces, leaving you liable), or provide bank account / Venmo / Zelle credentials. No genuine financial arrangement requires advance gift cards, a commitment deposit, or account details to send you money. FTC 2023: 70,000+ reports, $1.3B total losses, median loss $2,400. Warning signs: unsolicited offer, any gift-card or wire-back request before you receive a single payment.
Phishing emails impersonating E-ZPass, SunPass, FasTrak, Illinois Tollway, and other toll operators claiming a small unpaid toll ($3–$15) will trigger late fees, vehicle registration holds, or license plate flags unless paid immediately via a fraudulent portal. The FTC and FBI documented a 300% spike in toll phishing in 2024. Real toll operators send monthly statements — they never threaten DMV action within 24–48 hours of a first notice. Warning signs: unexpected toll payment demand, threat of registration suspension, 'pay before midnight' urgency, link to a non-official domain.
Business Email Compromise (BEC) variant where an attacker impersonates a CEO, CFO, or HR employee and asks a payroll processor to redirect the next paycheck to a fraudster-controlled bank account. The email includes new routing and account numbers with urgency framing ('before end of day', 'before Friday payroll run'). FBI IC3 2023: $446M in payroll diversion BEC losses, average $175,000 per incident. Legitimate HR systems never accept direct deposit changes by email. Warning signs: routing/account numbers in the email body, urgency before next payroll, external or lookalike sender domain.
Phishing emails impersonating Delta, United, Southwest, Ryanair, or EU261 flight compensation services, claiming an approved refund or delay compensation that requires you to submit bank account or credit card details within a short deadline. Real airlines credit refunds back to the original payment method automatically — they never ask for financial credentials by email. FTC and UK CAA have issued multiple warnings about these sites. Warning signs: email from non-airline domain, 'unclaimed compensation will be forfeited' urgency, request for routing/account numbers.
Phishing emails impersonating Instagram, Facebook, TikTok, or X (Twitter) claiming your account has been approved for a verified blue badge, then demanding your account password and payment method to 'complete the verification.' Surged in 2023–2025 after paid verification became mainstream. Real platforms verify identity through in-app flows only — they never ask for your password by email. Giving credentials to these portals grants the attacker full account access. Warning signs: any email asking you to confirm your password to receive a badge, non-official sender domain, '24-hour expiry' urgency.
Phishing emails impersonating municipal parking authorities claiming your vehicle has an unpaid parking citation that will incur late fees, vehicle boot/impound, or license plate suspension unless paid immediately via a fraudulent portal. FTC and FBI issued a joint 2024 advisory about this surge (42,000+ reports in 2023). Real parking agencies mail physical citations — unsolicited email-only parking notices are almost always fraudulent. Warning signs: email from non-.gov domain, 'pay within 24/48 hours' urgency, late fee or tow threats, external payment link.
Fraudulent emails claiming you qualify for lower car insurance rates, then requesting your Social Security number, driver's license number, and date of birth to 'verify eligibility.' This SSN + DOB + driver's license combination is sufficient for full identity theft. The FTC reported a 58% increase in insurance-related data harvesting between 2021 and 2024. Legitimate insurers never request SSNs by email for quote generation. Warning signs: unsolicited 'lower rates' email, request for SSN and driver's license, 'complete your quote' without prior relationship.
Fraudulent emails impersonating medical billing departments or debt collectors claiming an overdue hospital, doctor, or patient balance will be sent to a collection agency — damaging your credit score — unless paid immediately via a fraudulent portal. Real hospital billing systems use authenticated patient portals with list-unsubscribe headers and never send cold 'final notice' emails with external payment links. CFPB 2024: medical debt is the #1 category of contested collections in the US. Warning signs: 'final notice' or 'last chance' framing in a cold email, 'sent to collections' credit threat, external payment link not on the hospital's official domain.
Phishing emails impersonating Microsoft claiming your Microsoft 365 or Office 365 subscription has expired and that access to email, OneDrive, Teams, Word, or Excel will be lost unless payment details are updated immediately. Microsoft 365 has 345M+ paid seats — making it the most-impersonated SaaS product in B2B phishing. Real Microsoft renewal emails come only from microsoft.com or office.com, always reference an existing payment method, and link to account.microsoft.com — never to external billing portals. Warning signs: email from any non-Microsoft domain, urgency about immediate access loss, request to 'enter' credit card details.
Phishing emails claiming your wallet has been whitelisted or allowlisted for an exclusive NFT mint, presale drop, or free NFT claim — directing you to connect MetaMask, Trust Wallet, or Phantom within a tight deadline. The 'connect wallet' flow triggers a malicious smart contract that drains all crypto and NFTs via a blanket approval (setApprovalForAll). More aggressive variants request your seed phrase directly. Chainalysis 2023: NFT wallet-drain attacks caused $100M+ in annual losses. Legitimate NFT platforms never announce whitelist spots by email and never ask for wallet connections or seed phrases via email. Warning signs: MetaMask connection request, 'whitelist confirmed' from an unknown project, 24-hour deadline.
Phishing emails impersonating Uber, Lyft, DoorDash, Instacart, Grubhub, or Shipt threatening permanent deactivation of your driver or shopper account unless identity documents are verified through a fraudulent portal within 24–72 hours. Gig workers depend on these platforms for income — making deactivation threats extremely high-compliance lures. 73M+ Americans participate in the gig economy, creating a vast target pool. Real gig platform account issues are handled through official apps and domains with proper authentication — never via unsolicited emails with external verification links. Warning signs: email from a non-official domain, 'permanently deactivated' urgency, link to an external portal.
Phishing emails impersonating USPS, FedEx, UPS, DHL, or Amazon claiming a package is on hold or pending customs clearance and requiring payment of a small fee ($1–$5) to release delivery. The payment portal harvests full credit card details for large unauthorized charges. The tiny fee is deliberate — it lowers the psychological barrier to entering card details. USPS Inspection Service 2024: 1.3M+ package delivery scam reports, a 70% year-over-year increase. Real carriers never request customs fees via email. Warning signs: non-carrier domain, 'pay fee to release package' urgency, link to an external payment portal.
Phishing emails impersonating the Department of Education, Federal Student Aid, or servicers (MOHELA, Navient) claiming student loans have been approved for forgiveness or cancellation — then harvesting FSA credentials, Social Security numbers, or charging enrollment fees. FTC 2023: student loan relief scams cost borrowers $95M, average loss $2,000. The real forgiveness process runs only through studentaid.gov — the DoE never emails requesting FSA credentials or fees. Enrollment fees for federal loan forgiveness are illegal under the Higher Education Act. Warning signs: unsolicited 'forgiveness approved' email, FSA credential or SSN request, any processing fee.
Emails claiming you won a large cash prize in a lottery, sweepstakes, or prize draw you never entered — requiring upfront processing, administration, legal, or withholding-tax fees before the prize can be 'released.' Fees escalate indefinitely. FTC 2023: $301M+ in lottery/prize advance-fee losses, median individual loss $850. It is a federal crime (18 U.S.C. § 1302) to require any fee as a condition of prize delivery — any 'prize' with an upfront fee is fraudulent by definition. Key tell: the 'keep this confidential' instruction. Warning signs: prize for a contest you never entered, any upfront fee, Western Union/gift card payment request.
Emails from purported attorneys, barristers, or solicitors claiming you are the next of kin of a deceased stranger with a large unclaimed estate — requiring legal or transfer fees to release the funds. Also the 'foreign partner' variant seeking your bank details to help move frozen millions. FBI IC3 2023: 21,751+ reports, $83M+ in losses, median victim loss $3,000+ — the highest median loss of any email fraud category. Real estate attorneys contact next of kin by certified mail, not cold emails. Warning signs: inheritance from a deceased stranger you've never heard of, any upfront fee, 'strictly confidential' framing.
Fraudulent job offer emails targeting active job seekers, claiming they've been hired for a remote position and instructing them to buy equipment or training materials with personal funds (gift card codes or a check overpayment scheme), with a reimbursement promise that is never fulfilled. FTC 2023: job scams caused $367M in losses, median loss $2,000 — fastest-growing fraud category for adults under 35. No legitimate employer asks new hires to buy equipment with gift cards. Warning signs: equipment purchase with gift cards, reimbursement-after-purchase promise, a check for more than expected, buy-before-you-start urgency.
Fraudulent emails claiming the recipient has been approved or selected for a government grant or stimulus payment that 'never needs to be repaid,' then requiring an upfront processing fee or requesting bank account details to 'disburse' funds that never arrive. FTC 2023: government impostor fraud caused $462M+ in losses. No US government agency notifies individuals of unsolicited grant approvals by email — all legitimate grants require a formal application through grants.gov. Warning signs: unsolicited 'grant approved' email from a non-.gov domain, any fee to release grant funds, bank account/routing number request.
Emails impersonating Microsoft, Apple, Norton, McAfee, or Windows Defender falsely claiming a virus, malware, or unauthorized access was detected on your computer — urging you to call a toll-free number, avoid restarting, or install TeamViewer/AnyDesk so a 'technician' can take remote control. FTC 2023: tech support scams caused $924M in losses — the #1 fraud category by dollar loss for adults 60+, median loss $500. Microsoft and Apple explicitly state they never send unsolicited security alerts urging phone calls or remote access. Warning signs: toll-free call-to-action, 'do not restart your computer,' TeamViewer/AnyDesk download request, non-official sender domain.
Phishing emails impersonating Coinbase, Binance, Kraken, or Gemini claiming the recipient's account has been locked, suspended, or flagged for suspicious activity — harvesting login credentials or government ID through a phishing portal. Crypto theft is irreversible by nature. FBI IC3 2023: $3.94B in total cryptocurrency fraud; exchange impersonation is a top initial access vector. Real exchanges never request government ID uploads by email — KYC is done through official apps. Warning signs: email from any non-official domain, 'account suspended' or '24 hours to verify,' government ID upload request by email.
Phishing emails impersonating Chase, Wells Fargo, Bank of America, Citibank, or Capital One falsely claiming your account has been suspended, locked, or frozen due to suspicious activity — directing you to click a link and verify credentials through a harvesting portal. Chase, BofA, and Wells Fargo are consistently the top-3 most impersonated bank brands (APWG/Verizon DBIR 2024). Legitimate banks never ask you to re-enter credentials via email links. Warning signs: non-bank domain sender, click-to-verify link, request for full account credentials, urgency about being locked out.
Phishing emails impersonating the Department of Labor, EDD, or state unemployment agencies falsely claiming your benefits have been approved or are pending — directing you to provide SSN and bank routing details or update direct deposit through a fraudulent portal. COVID-19 unemployment fraud exceeded $135B (DOL OIG 2023). Legitimate agencies never request banking details via email or impose 48-hour benefit expiry deadlines. Warning signs: unsolicited benefit email, SSN + bank details request, non-.gov portal link, expiry deadline threat.
Phishing emails impersonating Meta Business or Facebook Ads Manager claiming your ad account has been suspended or restricted for a policy violation — directing you to click to appeal, verify identity, or provide business and payment details. Small businesses lose thousands per day when ads are suspended, creating panic that bypasses scrutiny. Compromised accounts are used to run malicious ad campaigns charged to your payment method. Meta only communicates account actions through business.facebook.com — never via external email links. Warning signs: non-facebook.com/meta.com domain, ad suspended with external appeal link.
Social engineering attacks requesting your WhatsApp 6-digit verification code, OTP, or registration code to 'complete a transfer' or 'verify a new device' — then using that code to hijack your WhatsApp account. WhatsApp hijacking is prevalent globally; Europol has issued specific warnings. Once hijacked, attackers impersonate you to request urgent money from family and friends — a very high-success fraud variant. WhatsApp will never ask you to share your verification code with anyone. Warning signs: any request to share a WhatsApp code with a person or link.
Fraudulent emails from scammers posing as romantic interests met on dating apps — claiming to be military contractors, oil rig workers, or overseas professionals — fabricating emergencies (medical crises, arrests, stranded abroad, visa problems) to solicit wire transfers, gift cards, or bitcoin. The FTC reported $1.3B in romance scam losses in 2022 with a median individual loss of $4,400 — the highest median of any FTC fraud category. The scam uses prolonged grooming (weeks of relationship-building) before the first money request, making victims emotionally invested. Cryptocurrency and gift cards are preferred because they're irreversible — no chargeback possible. Warning signs: romantic interest requesting money, emergency requiring wire transfer or gift cards, no video calls possible, requests for secrecy.
Fraudulent emails impersonating Microsoft, Apple, Norton, McAfee, or Geek Squad — claiming your computer has been compromised, infected with malware, or your license expired — directing you to call a fake number, grant remote access via TeamViewer/AnyDesk, or pay by gift card. The FTC logged $800M in tech support scam losses in 2022; victims skew 60+. Remote access is the most dangerous variant: once granted, scammers steal banking credentials, install keyloggers, or transfer money directly. Microsoft and Apple explicitly state they never make unsolicited security contact by email or request gift card payment for any service. Warning signs: unsolicited security alert, phone number to call, remote access request, gift card payment for license or cleanup.
Spam emails falsely claiming your car warranty expired or is expiring — offering extended coverage via a link or call that harvests your payment card or routes to a high-pressure sales call. FTC: vehicle warranty solicitations rank as the #1 consumer complaint for 2022–2024; the FCC fined warranty robocallers $300M+. Legitimate warranty reminders from dealers or manufacturers include your exact VIN, make, model, and mileage — unsolicited emails use generic 'your vehicle' language. Warning signs: no VIN or vehicle details, urgent expiry deadline, link or toll-free renewal, sender not from your dealer or manufacturer.
Employment advance-fee fraud: you're hired as a virtual assistant or remote payroll processor, mailed a fake cashier's check far exceeding your salary, and asked to deposit it, keep your pay, buy equipment from a third party, and wire the remainder back. The check bounces; you owe the bank the full amount. FTC 2023: $440M in fake-check employment losses, average $2,000+ per victim. Legitimate employers never mail checks before your start date or ask new hires to forward funds. Warning signs: check exceeds agreed salary, equipment purchase instruction, wire/Zelle request on day one.
Extortion emails claiming the sender was paid to kill or harm you, but offering to 'call off' the contract for $2,000–$5,000 in Bitcoin. Completely fabricated — no real hitman communicates by email or offers to betray their client for a few thousand dollars. FBI IC3 2022: 84,000+ extortion/blackmail complaints totalling $107M; this hitman variant is consistently top-3 in FBI email extortion by volume. The FBI advises ignoring and reporting at IC3.gov — engaging or paying marks you as a viable target and escalates demands. Warning signs: no real personal details, generic 'I've been watching you' language, Bitcoin demand, 'do not contact police.'
Phishing emails impersonating Walmart, Costco, Target, or Sam's Club, claiming you were 'exclusively selected' for a short survey and will receive a $500–$1,000 gift card — driving to a credential-harvest page, subscription trap, or malware site. FTC 2024: retailer brand impersonation is a top-5 phishing lure; Walmart is the #2 most impersonated retail brand; millions are sent weekly. Legitimate retail surveys offer $5–$25 rewards, never $500+, and never require payment card details to 'ship' the reward. Warning signs: reward implausibly large, link to non-retailer domain, card details required for 'shipping fee.'
Phishing emails claiming you have unclaimed funds held by a state treasury, dormant bank account, or lapsed insurance policy — then demanding a 'processing fee,' 'release fee,' or SSN to claim the money. NAUPA: 10M+ fraudulent unclaimed-property contacts annually. The genuine search at MissingMoney.com or any state treasurer website is always free — no fee is ever required to claim real unclaimed property. Scammers exploit the fact that unclaimed property is real; most Americans have some. Warning signs: fee required to claim, SSN request in unsolicited email, sender not a .gov domain, urgency about a claim deadline.
Phishing emails impersonating Amazon Prime annual renewal notices at $139–179, claiming the charge occurred or a payment failed, urging you to 'verify payment,' 'cancel,' or 'dispute the charge' via a link that harvests Amazon credentials or card details. APWG Q4 2024: Amazon is the #1 most impersonated brand globally, accounting for 14%+ of all brand-phishing emails; FTC 2024: Amazon brand impersonation caused $660M in reported losses. Legitimate Amazon renewal emails arrive from @amazon.com, include the last 4 digits of your payment method, and never link to non-Amazon domains. Warning signs: sender not amazon.com, no payment method last-4, link to unfamiliar domain, missing List-Unsubscribe header.
Phishing emails impersonating Netflix, Hulu, Disney+, Spotify, Apple TV+, HBO Max, Peacock, or Paramount+ with fake billing-failure notices — urging you to update payment details via a link that harvests your card number or streaming credentials. APWG Q4 2024: Netflix is the #3 most impersonated consumer brand globally; FTC 2024: subscription service impersonation is a top-10 phishing lure. Legitimate streaming billing emails arrive from official company domains with a List-Unsubscribe header and link to the account portal — never to an unfamiliar domain. Warning signs: sender not the streaming service's official domain, threat of immediate account suspension, link to non-company domain.
Phishing emails impersonating Apple security notices, claiming your Apple ID was locked or suspended due to unusual sign-in activity — driving to a credential-harvest page mimicking Apple's sign-in portal. Apple is a top-5 most impersonated brand (APWG); FBI IC3 2023: Apple impersonation scams caused $300M+ in losses. Compromised Apple ID credentials unlock iCloud backups, Apple Pay, App Store purchases, and Keychain passwords — making them exceptionally high-value targets. Real Apple security emails come from apple.com, never threaten permanent deactivation via a link, and always reference the specific device or location of the suspicious activity. Warning signs: sender not apple.com, permanent deactivation threat, link to non-Apple domain.
Phishing emails impersonating Microsoft security notices claiming your Microsoft 365, Office 365, Teams, or Outlook account has been suspended, locked, or has an expired password — driving to a credential-harvest page mimicking Microsoft's sign-in portal. APWG 2024: Microsoft is the #1 most impersonated brand in business email phishing, appearing in 20%+ of all brand-phishing emails; FBI IC3 2023: Microsoft-impersonation BEC caused $2.9B in losses. Microsoft 365 credentials unlock email, SharePoint, Teams, Azure AD, and all integrated business apps — enabling rapid BEC wire fraud. Real Microsoft security alerts come from microsoft.com, deep-link to account.microsoft.com, and never threaten permanent deactivation via a standalone link. Warning signs: sender not microsoft.com, link to non-Microsoft domain, no device/location details about the suspicious sign-in.
Phishing emails impersonating Chase Ultimate Rewards, Amex Membership Rewards, Citi ThankYou, Capital One Miles, Delta SkyMiles, or other loyalty programs with fake expiration notices — claiming your points will be forfeited unless you 'redeem now' via a link harvesting card credentials. Loss aversion makes this highly effective: victims fear losing 'their' 50,000 points more than gaining an equivalent value. Most major card reward programs don't actually expire points while the account is open — the premise is largely false. Warning signs: sender not the official card issuer or airline domain, no account-specific points balance, link to unfamiliar domain, no List-Unsubscribe header.
Phishing emails impersonating Google claiming your Google Ads or Google Merchant Center account has been suspended due to payment failure or a policy violation — driving to a credential or card-harvest page. SMBs lose thousands per day when Google Ads access is cut, prompting immediate action. APWG Q4 2024: business platform impersonation phishing surged 38%. Warning signs: sender not a google.com domain, no Google Ads account ID, link to non-google.com domain, urgency about permanent closure within hours.
Phishing emails impersonating QuickBooks Online (Intuit), FreshBooks, Xero, or Wave claiming the subscription payment failed and threatening to permanently delete your financial data within 24–48 hours unless payment is updated. Proofpoint 2024: QuickBooks is the most impersonated accounting software brand. The 'data deletion' threat bypasses rational verification — years of invoices, payroll, and tax records feel irreplaceable. Warning signs: sender not intuit.com/xero.com, no payment method details, data deletion countdown, link to non-official portal.
Phishing emails impersonating Linear or Basecamp claiming the project management subscription has failed and the workspace is suspended, issues and projects are inaccessible, or team messaging and to-do lists are no longer active. Linear: 150K+ users ($8-16/user/month), used by Vercel, Notion, Loom, and most Y Combinator startups; Basecamp: 100K+ teams ($99/month flat). Distinct from Monday/Asana/ClickUp billing phishing — targets developer-centric and remote-first teams. Linear workspace suspension blocks issue tracking, sprint cycles, and engineering roadmap visibility for all team members simultaneously. Basecamp's flat per-company pricing means suspension affects every employee and client simultaneously — including all client-facing project visibility. Credentials expose the full engineering roadmap, customer bug reports, and internal team communications. Warning signs: sender not linear.app/basecamp.com.
Phishing emails impersonating Zoom claiming the Pro or Business subscription payment has failed and meetings are limited to 40 minutes, cloud recording is suspended, webinars are disabled, or Zoom Rooms are at risk. Zoom: 220K+ paying customers ($15-20/user/month), 150M+ daily participants. Distinct from fake Zoom meeting-invitation credential phishing — targets Zoom billing suspension specifically. The '40-minute meeting limit' hook is uniquely recognizable to every Pro subscriber who remembers the free tier cap. Cloud recording suspension threatens all recorded meeting archives (customer calls, all-hands, sales demos). Zoom Webinar suspension ($149-400/month add-on) threatens scheduled large-scale events. Credentials expose all cloud recordings, webinar registrant lists (customer contact databases), and Zoom Rooms admin access. Warning signs: sender not zoom.us or zoom.com.
Phishing emails impersonating Clari or Revenue Grid claiming the revenue forecasting subscription payment has failed, deal inspection is suspended, forecast submissions are disabled, or pipeline intelligence is no longer active. Clari: 1,500+ enterprise customers ($50K-300K+/year). Revenue Grid: 500+ enterprise customers. Suspension blinds VP Sales and CRO to deal risk at quarter-end when commit forecasts are due to the board. The 'forecast submissions disabled' hook breaks the weekly forecast rollup cycle — individual reps cannot submit their commit numbers and managers cannot roll up the organizational forecast. Clari deal inspection exposes which deals have gone dark and which champions are disengaged — losing this mid-quarter means forecasting reverts to gut feel. Credentials expose the complete pipeline with deal values, AI-generated risk scores, historical forecast accuracy, and private conversation analytics. Warning signs: sender not clari.com or revenuegrid.com.
Phishing emails impersonating Gainsight or ChurnZero claiming the customer success platform subscription payment has failed, customer health scores are suspended, renewal playbooks are disabled, churn risk alerts are no longer active, or NPS surveys are paused. Gainsight: 1,000+ enterprise customers ($50K-500K+/year). ChurnZero: 1,000+ SaaS companies. Suspension blinds CS teams to at-risk accounts and breaks renewal workflows at the moment quarterly business reviews and renewals are due. The 'churn risk alerts disabled' hook means accounts that cross into high-risk status do not generate the alert that prompts CSM intervention before the renewal decision. A company managing 1,000 enterprise accounts at $100K ARR each loses visibility across the entire portfolio simultaneously. Credentials expose customer health trends, NPS history, churn probability scores, and internal save play histories. Warning signs: sender not gainsight.com or churnzero.com.
Phishing emails impersonating dbt Labs (dbt Cloud) or Hightouch claiming the data transformation or reverse ETL subscription payment has failed, dbt models are suspended, dbt runs are no longer active, or audience syncs are disabled. dbt Labs: 30,000+ deployments ($100-500+/month teams). Hightouch: 500+ enterprise customers. dbt suspension stops all nightly transformation jobs — every downstream BI dashboard and ML feature table goes stale. The 'dbt runs suspended' hook is acutely urgent: finance teams' P&L dashboards require overnight model runs to complete by 7am for morning standups. Hightouch suspension stops all audience syncs — Salesforce enrichment freezes, Facebook lookalike audiences stop refreshing, Braze personalization segments go stale. Credentials expose the complete data transformation architecture: every model SQL revealing company metric definitions and business logic. Warning signs: sender not getdbt.com or hightouch.com.
Phishing emails impersonating Looker or Metabase claiming the BI platform subscription payment has failed, Looks and dashboards are suspended, LookML models are inaccessible, dashboards and questions are no longer active, or scheduled reports have been disabled. Looker: 1,500+ enterprise customers ($50K-500K+/year, Google Cloud). Metabase: 50,000+ active deployments. Suspension makes every business dashboard and scheduled report unavailable for every non-technical stakeholder simultaneously. The 'scheduled reports disabled' hook cuts off operations managers who depend on daily Metabase/Looker digest emails for their only visibility into operational metrics. Embedded Looker analytics in customer-facing products go dark for paying customers. Credentials expose the full LookML semantic layer defining how the company calculates revenue and churn, plus database connection credentials. Warning signs: sender not looker.com or metabase.com.
Phishing emails impersonating Datadog or New Relic claiming the observability platform subscription payment has failed, licenses are suspended, or monitoring and dashboards are disabled. Datadog: 28,000+ customers ($30K-3M+/year), 26 of the Fortune 100 — infrastructure monitoring, APM distributed tracing, log management, security monitoring, synthetic testing; 'licenses no longer active' takes all real-time dashboards, APM traces, log indexing, and on-call alerting offline simultaneously. New Relic: 14,000+ customers ($25K-1.5M+/year) — APM, Browser monitoring, Infrastructure, New Relic AI anomaly detection. Both deeply integrated into incident response: alerts push to PagerDuty/Opsgenie/Slack; a suspension email arriving during an active incident exploits incident-response mode where engineers are less likely to inspect sender domain carefully. Credentials expose complete production topology, all APM trace data, alert threshold configurations (showing exactly what triggers pages), and API keys integrated with CI/CD pipelines. Warning signs: sender not datadoghq.com or newrelic.com.
Phishing emails impersonating YouTube or Google claiming the YouTube Premium subscription payment has failed, ad-free access is revoked, or YouTube Music is no longer active. YouTube Premium has 100M+ subscribers ($13.99/mo) — credentials are Google Account credentials, giving attackers full Gmail, Drive, Photos, and Google Pay access. The "background play disabled" hook is uniquely specific to YouTube Premium. Distinct from the creator account suspension signal.
Phishing emails impersonating Twitch or Amazon claiming the Twitch Turbo or Prime Gaming subscription payment has failed, ad-free viewing is suspended, or Prime Gaming benefits are revoked. Twitch Turbo: $8.99/mo ad-free; Prime Gaming: included with Amazon Prime ($14.99/mo, 200M+ members). Prime Gaming credentials are full Amazon account credentials — exposing purchase history, stored payment methods, and the entire Amazon ecosystem.
Phishing emails impersonating Character.ai claiming the Plus subscription payment has failed, character chats and character memory are no longer active, or roleplay access is revoked. Character.ai has 20M+ DAU ($9.99/mo Plus). Distinct vocabulary: character chats, character memory, roleplay access — completely unlike ChatGPT/Claude/Gemini. Young demographic (55%+ ages 18-24) with strong emotional attachment to AI characters.
Phishing emails impersonating Perplexity AI claiming the Pro subscription payment has failed, Pro searches and unlimited search capacity are no longer active, or Perplexity Spaces access is revoked. Perplexity Pro has 15M+ users ($20/mo). NOT covered by ChatGPT/OpenAI signal. Distinct vocabulary: Pro searches, search capacity, Perplexity Spaces, Pages. Pro credentials include API access with pre-funded credits that attackers can drain.
Phishing emails impersonating Pika Labs or Kling AI claiming the Pro or Standard plan payment has failed, AI video generation credits are revoked, or video creation access is no longer active. Pika: 5M+ users ($8-$28/mo); Kling: 3M+ users ($8-$38/mo). Targets consumer social media creators — distinct from Runway (professional cinematic) and HeyGen/Synthesia (B2B avatar). Credit-based generation model makes billing failure lure highly credible.
Phishing emails impersonating DAZN or ESPN+ claiming the subscription payment has failed, live sports access has been revoked, or sports streaming content is no longer available. DAZN: 200M+ subscribers in 200+ countries ($19.99-$99.99/mo); ESPN+: 25M+ subscribers ($10.99/mo). Sports urgency is uniquely powerful: a missed championship fight or UFC event cannot be rewatched. ESPN+ credentials may also expose Disney Bundle (Disney+, Hulu) access.
Phishing emails impersonating HeyGen or Synthesia claiming the Creator or Business plan payment has failed, AI avatar video generation credits are revoked, or talking avatar access is no longer active. HeyGen has 50K+ paying customers ($29-$89/mo); Synthesia 50K+ enterprise users. Stolen credentials expose custom digital avatar libraries that can be misused to create deepfake corporate communications. Distinct from Midjourney/Runway — covers AI talking-head business video.
Phishing emails impersonating Calm or Headspace claiming the Premium or Plus plan payment has failed, sleep stories are no longer accessible, or guided meditations are blocked. Calm has 100M+ downloads and 4M+ subscribers ($69.99/year); Headspace 70M+ downloads and 2M+ subscribers. Psychologically distinct: targets high-anxiety users who depend on the app for stress relief — a meta-anxiety attack using their own wellness tool as the lure.
Phishing emails impersonating ElevenLabs claiming the Creator, Pro, or Scale plan payment has failed, character quota has been revoked, or voice cloning and text-to-speech API access are no longer active. ElevenLabs has 10M+ users. Uniquely dangerous: stolen credentials directly enable deepfake voice attacks — attackers gain access to custom cloned voice libraries ready for immediate misuse in vishing and CEO fraud.
Phishing emails impersonating Suno or Udio claiming the Pro, Premier, or Standard plan payment has failed, song generation credits are revoked, or AI music creation access is no longer active. Suno has 12M+ users. Music-specific vocabulary (song generation credits, track downloads, commercial use rights, AI music access) is distinct from all other subscription billing phish categories.
Phishing emails impersonating Proton Mail, Proton Drive, or Proton VPN claiming the subscription has been suspended, encrypted email access is blocked, or VPN connections are no longer protected due to a billing failure. Proton has 100M+ accounts — privacy-conscious users are paradoxically high-value targets because they have sensitive accounts worth protecting. The "encrypted email access suspended" hook implies sensitive correspondence is now exposed, creating unique urgency no other billing phish produces.
Phishing emails impersonating Apple One claiming the subscription has expired or payment failed, suspending Apple Music, Apple TV+, Apple Arcade, iCloud+ storage, and Apple Fitness+ simultaneously. Apple One has 40M+ subscribers ($19.95-$37.95/mo for Individual/Family/Premier). The multi-service suspension hook is uniquely alarming — one email claims simultaneous loss of music, TV, games, storage, and fitness content. Family plan variant adds urgency by threatening access for all family members.
Phishing emails impersonating Grok or xAI claiming the subscription is suspended, xAI API access has been revoked, API keys are no longer active, or Grok AI features are disabled due to billing failure. Grok is NOT covered by the existing ChatGPT/Claude/Gemini AI signal — a genuine detection gap. xAI has 80M+ X Premium subscribers; xAI API is a separate billing product ($5-$15/M tokens) targeting developers who integrate Grok into applications.
Phishing emails impersonating Google One claiming the subscription has expired, the AI Premium payment failed, 2TB storage is full and Google Photos backup has stopped, or Gemini Advanced features are suspended. Google One has 200M+ subscribers ($1.99-$19.99/mo); the AI Premium tier bundles Gemini Advanced + 2TB storage. The multi-service suspension hook (Drive + Gmail + Photos + Gemini all simultaneously claimed at risk) creates compounded urgency distinct from generic Google account phishing.
Phishing emails impersonating DistroKid, TuneCore, or CD Baby claiming the music distribution subscription has expired, the annual fee payment failed, and music has been removed from Spotify, Apple Music, Amazon Music, and all streaming platforms with royalty payments stopped. DistroKid serves 2M+ artists ($22.99-$39.99/yr); TuneCore 1M+ artists. The "your music has been removed from 150+ platforms" hook is catastrophic for independent musicians who depend on streaming royalties as income.
Phishing emails impersonating Unity Technologies, Unreal Engine, or Epic Games claiming the Unity Pro/Plus license has been revoked, game builds and exports are disabled, or the Epic Games developer account is suspended due to a billing failure. Unity serves 3.6M+ monthly developers (Pro $185/seat/mo, Plus $35/mo) — "you cannot build or export your game" is devastating for studios near launch. The 2023 Unity runtime fee controversy left developers acutely alert to billing communications.
Phishing emails impersonating Docker Hub or Docker Desktop claiming the subscription has been suspended, image pull rate exceeded, private repositories inaccessible, or CI/CD pipelines disabled due to a billing failure. Docker Hub serves 11M+ developers; Docker Desktop is required by all container workflows, with the Business plan enforced since Jan 2022. The "pull rate exceeded" hook is uniquely credible because Docker genuinely rate-limits free accounts and developers have hit this during live pipeline runs.
Phishing emails impersonating WordPress.com or Jetpack claiming the site plan is suspended, the website is offline, or the domain has expired due to a billing failure. WordPress.com hosts 20M+ paid sites (Personal $4/mo → Business $25/mo); Automattic sends legitimate renewal reminders, making the phish template familiar. Jetpack Premium/Complete users face "security features no longer active" urgency for sites that have had previous incidents.
Phishing emails impersonating Midjourney or Runway ML claiming the AI image or video generation subscription has been suspended, fast GPU hours depleted, or Gen-3 video credits expired due to a billing failure. Midjourney serves 16M+ users ($10–$120/mo); Runway ML powers professional video studios ($15–$95/mo). Credential compromise exposes Google OAuth tokens — the attack often harvests full Google account access.
Phishing emails impersonating Adobe Firefly, Leonardo.ai, or Ideogram claiming the AI creative subscription is suspended or generative credits are depleted. Adobe Firefly is embedded in Creative Cloud (33M+ subscribers); credentials unlock the entire CC ecosystem including Adobe Stock, Creative Cloud files, and Adobe Sign. Leonardo.ai serves 19M+ users whose image generation tokens are a primary value hook.
Phishing emails impersonating Salesforce claiming the CRM org is suspended and all users are locked out — every sales rep loses access to every prospect, opportunity, and account simultaneously. Salesforce serves 150K+ customers; a credential compromise exposes the complete revenue intelligence including every deal, close probability, and executive contact, enabling precision BEC attacks with perfect context.
Phishing emails impersonating Mailchimp claiming the email marketing account is suspended or the audience list is disabled. Mailchimp serves 13M+ users; years-long subscriber lists feel worth protecting, making the "audience will be disabled" hook particularly effective. Credentials expose the entire subscriber database, campaign templates, automation workflows, and API keys for website sign-up form integrations.
Phishing emails impersonating Twilio or SendGrid claiming the communications API is suspended — SMS 2FA stops, voice calls fail, transactional emails are blocked. Twilio serves 300K+ businesses including 10 of the top 10 US banks; phone number release is irreversible urgency. Credentials enable sending fraudulent SMS from verified business numbers and intercepting incoming authentication codes.
Phishing emails impersonating Intercom or Drift claiming the customer messaging workspace is suspended — live chat widget disappears, support inbox is inaccessible, and chatbot-qualified leads stop flowing. Intercom serves 25K+ businesses; credentials expose every customer conversation, onboarding strategy, and segment configuration plus OAuth tokens for Salesforce and GitHub Issues.
Phishing emails impersonating Stripe claiming the payment processing account is suspended or payouts disabled — the business literally cannot receive revenue. Stripe serves 3M+ businesses with $1T+ annual payment volume; credentials expose all customer payment records, API keys embedded in production code, and full billing management access across every integrated service.
Phishing emails impersonating HubSpot claiming the CRM portal is suspended or contact database disabled — all email campaigns stop, sales sequences freeze, and the pipeline dashboard goes dark. HubSpot serves 200K+ customers; credentials expose the complete go-to-market strategy: every lead, every deal, every campaign template, and OAuth tokens for Google Ads, Facebook Ads, and Salesforce.
Phishing emails impersonating Shopify or BigCommerce claiming the store subscription payment failed and the storefront is suspended offline — directing merchants to a credential-harvesting portal. Store suspension means immediate revenue loss and customer-facing brand damage; 4M+ Shopify merchants receive genuine billing alerts, making this hook maximally plausible. Credentials expose complete customer PII, order history, and API keys for fulfillment integrations.
Phishing emails impersonating Zendesk or Freshdesk claiming the customer support subscription payment failed and the account is suspended — directing victims to a credential-harvesting portal. Support platform suspension means agents cannot respond to customer tickets, SLA clocks continue ticking, and frustrated customers escalate publicly. Credentials expose complete customer relationship history including all ticket content, agent notes, and CRM integrations.
Phishing emails impersonating Snowflake claiming Data Cloud compute credits are suspended or virtual warehouses paused due to billing failure — directing victims to a credential-harvesting portal. Snowflake's consumption-based billing makes "credits suspended" phishing uniquely plausible; credentials expose the entire organizational data estate including customer PII, ML datasets, and Delta Lake tables.
Phishing emails impersonating Databricks claiming the Lakehouse Platform workspace is suspended, clusters paused, or Unity Catalog access disabled due to billing failure — directing victims to a credential-harvesting portal. Affects data engineering, ML, and analytics teams simultaneously; credentials expose complete AI/ML intellectual property including MLflow models, Delta Lake training datasets, and proprietary notebooks.
Phishing emails impersonating Miro or Figma claiming the design and collaboration tool subscription payment has failed, workspace licenses are no longer active, or team access is suspended. Miro: 60M+ users, 250,000+ paying organizations ($8-16/user/month) — workspace suspension makes every whiteboard and sprint planning session inaccessible. Figma: 4M+ paying users ($12-45/user/month) — 'team access suspended' is uniquely credible because Figma genuinely bills per editor seat; file access affects engineers, marketing, and product simultaneously as Figma is the design spec source of truth. Credentials expose all unreleased product designs, design system tokens, and component libraries. Warning signs: sender not miro.com or figma.com.
Phishing emails impersonating Vercel or Netlify claiming the hosting platform subscription payment has failed, deployments are suspended, or sites are disabled. Vercel: 100,000+ paying teams ($20-50+/user/month) — deployment suspension takes the entire web application offline for all users globally, creating an immediate production outage; cannot deploy hotfixes. Netlify: 3M+ developers ($19-99/user/month) — 'sites disabled' affects client websites, creating urgency beyond the developer's own business. Both auto-deploy from GitHub; suspension breaks every PR deploy preview. Credentials expose environment variables containing all production secrets: database strings, Stripe, SendGrid, OpenAI, and auth provider keys. Warning signs: sender not vercel.com or netlify.com.
Phishing emails impersonating Atlassian, Jira Software, or Confluence claiming the project management subscription payment has failed, licenses are no longer active, or team wiki access is suspended. Atlassian: 300,000+ paying customers with Jira Software ($8.15-16/user/month) and Confluence ($5.75-11/user/month) — 'licenses no longer active' is uniquely plausible because Atlassian genuinely sends license renewal reminders for Data Center; Jira suspension makes all active sprints and open tickets inaccessible simultaneously. Credentials expose sprint histories, architecture decision records, Confluence runbooks, and OAuth tokens for Slack, GitHub, PagerDuty, and Bitbucket integrations. Warning signs: sender not atlassian.com or jira.com.
Phishing emails impersonating Linear or Notion claiming the productivity workspace subscription payment has failed, workspace members are suspended, or team pages are disabled. Linear: 25,000+ companies ($8-16/user/month) — dominant issue tracker for engineering-led companies; 'members will be suspended' hook affects every team member simultaneously. Notion: 35M+ users, 4M+ paying teams ($10-18/user/month) — company wiki containing salary bands, equity structures, board materials, and all product roadmaps with unannounced features. Credentials expose Linear API keys embedded in GitHub Actions and Slack workflows; Notion exposes the complete internal knowledge base. Warning signs: sender not linear.app or notion.so.
Phishing emails impersonating HashiCorp or Terraform Cloud claiming the infrastructure and secrets management subscription payment has failed, licenses are no longer active, or workspace access is suspended. HashiCorp: 3,500+ enterprise customers with Terraform Cloud ($20-70/user/month) and Vault Enterprise ($30K-1M+/year) — workspace suspension halts all infrastructure provisioning pipelines and makes Terraform state files inaccessible; Vault suspension creates a Tier 0 incident as every service dynamically fetching secrets loses access immediately. Terraform state files expose the complete cloud infrastructure topology: every AWS account, VPC, database, IAM role, Kubernetes cluster — a blueprint for lateral movement. Warning signs: sender not hashicorp.com or terraform.io.
Phishing emails impersonating PagerDuty or Opsgenie claiming the incident management subscription payment has failed, licenses are no longer active, or on-call schedules are disabled. PagerDuty: 19,000+ customers ($19-59/user/month), 65% of the Fortune 500 — 'licenses no longer active' implies no one gets paged when the next production incident fires, a critical operational gap engineers recognize immediately. Opsgenie: 10,000+ teams, Atlassian-native, deeply integrated with Jira Service Management — exploits the Atlassian trust relationship. Both platforms expose the complete incident response architecture: escalation policies, all monitoring integration keys (Datadog, Splunk, CloudWatch), runbook URLs, and historical incident data. Warning signs: sender not pagerduty.com or opsgenie.com.
Phishing emails impersonating GitHub or GitLab claiming the repository hosting subscription payment has failed, organization repositories are suspended or archived, or enterprise licenses are disabled. GitHub: 90M+ developer accounts, 16,000+ Enterprise organizations ($21-31/user/month); repository archiving stops all members from pushing code, opening pull requests, and running CI/CD simultaneously — the entire development pipeline halts. GitLab: 30M+ users, 2,500+ enterprise customers ($19-99/user/month); 'licenses no longer active' hook is uniquely plausible because GitLab genuinely sends instance license renewal reminders. Both platforms are OAuth providers for dozens of third-party services (Vercel, Netlify, Linear, Jira, Slack) — a credential compromise grants access to every 'Sign in with GitHub/GitLab' authorized service. Credentials expose all private source code, CI/CD pipeline configs with embedded cloud credentials and API keys, GitHub Actions secrets and GitLab CI variables, and webhook configs. Warning signs: sender not github.com or gitlab.com.
Phishing emails impersonating Splunk or Elastic claiming the SIEM platform subscription payment has failed, enterprise licenses are suspended, or security analytics access is disabled. Splunk: 15,000+ enterprise customers ($50K-3M+/year), 92 of the Fortune 100 — PCI DSS, HIPAA, and SOX compliance SIEM of record; suspension stops all real-time security event correlation and compliance dashboards simultaneously. Elastic: 18,000+ commercial customers ($15K-1M+/year) — cloud-native SIEM integrated with Kubernetes, AWS, Azure; suspension stops all log ingestion from every monitored cloud service. Compliance gap: both platforms retain security event logs required by PCI DSS (12 months), HIPAA (6 years), SOX — a suspension creating a log retention gap must be reported to auditors. Credentials expose all detection correlation rules (complete blueprint of what attack patterns are monitored), every Splunk forwarder data source, and service account credentials collecting logs from servers and firewalls. Warning signs: sender not splunk.com or elastic.co.
Phishing emails impersonating Cloudflare or Fastly claiming the CDN subscription payment has failed, domain protection is suspended, or SSL and DDoS protection access is no longer active. Cloudflare: 5M+ paying customers protecting 20%+ of the internet ($20/yr Pro → $200K+/yr Enterprise) — domain suspension implies entire website goes offline AND browser SSL warning fires for all visitors (immediate e-commerce revenue = zero). Fastly: 2,500+ enterprise customers ($50K-5M+/year) — CDN for The New York Times, GitHub, Spotify, Stripe; suspension takes site offline globally with no cached fallback. Cloudflare Workers/Pages suspension takes down entire edge-hosted applications with no origin server fallback. Credentials expose every domain's origin server IP (normally hidden behind Cloudflare proxy), all WAF firewall rules, Workers source code with embedded API keys, and complete DDoS protection configuration. Warning signs: sender not cloudflare.com or fastly.com.
Phishing emails impersonating Paylocity or Paycom claiming the mid-market payroll platform subscription payment has failed, payroll licenses are suspended, payroll processing is disabled, or HCM access is no longer active. Paylocity: 5,500+ clients ($50-200/employee/year) — healthcare, retail, professional services; differentiator is On Demand Pay (earned wage access), making suspension hooks acute because employees lose access to earned wages before payday. Paycom: 35,000+ clients ($20-80/employee/year), 12,000+ new clients/year — rapid onboarding means many customers are still learning platform communication patterns, making 'account suspension' phishing more credible. Both platforms file payroll taxes on behalf of clients, so suspension creates dual liability: missed direct deposits + IRS payroll tax deposit penalties starting at 2%. Credentials expose all employee bank routing/account numbers, year-to-date earnings, tax elections, and the employer EIN with state tax account numbers. Warning signs: sender not paylocity.com or paycom.com.
Phishing emails impersonating Rapid7 or Wiz claiming the cloud security platform subscription payment has failed, licenses are suspended, InsightVM vulnerability scanning is disabled, or cloud security posture management is no longer active. Rapid7: 10,000+ customers ($20K-500K+/year) — InsightVM (vulnerability management), InsightIDR (SIEM/UBA), InsightAppSec (DAST); a single suspension takes down vulnerability scanning, SIEM, and application security simultaneously, creating a compound PCI/SOC2/ISO compliance gap. Wiz: 4,000+ customers including 40% of the Fortune 100 ($50K-5M+/year) — agentless CSPM that continuously monitors every cloud resource without agent deployment; suspension stops real-time cloud security monitoring and takes down the Wiz Security Graph that maps complete attack paths from internet-exposed entry points to crown jewel data. Rapid7 credentials expose InsightVM service account credentials used to authenticate against every server. Warning signs: sender not rapid7.com or wiz.io.
Phishing emails impersonating Palo Alto Networks or Fortinet claiming the network security platform subscription payment has failed, licenses are suspended, firewall protection is disabled, or FortiCare support is no longer active. Palo Alto Networks: 80,000+ customers ($50K-5M+/year), 85 of the Fortune 100 — NGFW, GlobalProtect VPN, Prisma Cloud. Fortinet: 750,000+ customers, 20% of all enterprise firewall deployments — FortiGate, FortiManager, FortiCare. 'Firewall subscriptions no longer active' implies all cloud-delivered threat prevention (WildFire, DNS Security, Advanced Threat Prevention) are offline simultaneously. GlobalProtect suspension locks out the entire remote workforce from internal resources. FortiCare is a recurring renewal task for every Fortinet admin — 'support suspended' is immediately credible. Prisma Cloud suspension creates a compliance monitoring gap across the entire cloud estate. Credentials expose every firewall policy rule, network segmentation design, VPN configurations, and complete IT asset inventory. Warning signs: sender not paloaltonetworks.com or fortinet.com.
Phishing emails impersonating Tenable or Qualys claiming the vulnerability management platform subscription payment has failed, licenses are suspended, vulnerability scanning is disabled, or Nessus and asset management access is no longer active. Tenable: 44,000+ customers ($10K-500K+/year), 60% of the Fortune 500 — Tenable.io, Tenable.sc, Nessus Professional. Qualys: 10,000+ customers ($20K-1M+/year) — VMDR, TotalCloud. 'Nessus licenses no longer active' is immediately recognizable to every Tenable admin. PCI DSS Requirement 11.3 mandates quarterly scans — a suspension disrupting the quarterly cycle creates a formal QSA audit finding. Qualys VMDR suspension takes down both vulnerability scanning AND cloud security monitoring simultaneously. Credentialed scan configs contain service account credentials used to authenticate against every server and database. Credentials expose complete IT asset inventory, every unpatched CVE ranked by exploitability, and API tokens integrated with ServiceNow, Jira, SIEM platforms, and patch management tools. Warning signs: sender not tenable.com or qualys.com.
Phishing emails impersonating ADP claiming the Workforce Now or Run payroll subscription payment has failed, payroll licenses are suspended, or payroll processing is disabled. ADP: 800,000+ clients, processes payroll for 1 in 6 U.S. workers — the most universally recognized payroll brand, making suspension hooks credible even to non-direct customers (accountants and PEOs who process on behalf of clients). Wednesday suspension notice with Friday pay date = 48-hour crisis window. ADP also files payroll taxes on clients' behalf — 'suspended account' implies missed 941 tax deposits, triggering IRS penalties starting at 2% plus simultaneous employment liability. Credentials expose every employee's bank routing/account numbers for direct deposit, garnishment orders, year-to-date earnings, and employer EIN with state tax account numbers. Warning signs: sender not adp.com; ADP never sends payment failure emails requiring immediate action via link.
Phishing emails impersonating CrowdStrike or SentinelOne claiming the endpoint security platform subscription payment has failed, licenses are suspended, endpoint protection and detection are disabled, or agents are no longer active. CrowdStrike: 29,000+ customers ($50K-2M+/year), 298 of the Fortune 500. SentinelOne: 10,000+ customers ($30K-1M+/year). This is uniquely catastrophic: compromised EDR credentials give attackers direct intelligence about the organization's security posture — every monitored endpoint, all detection policy configurations showing which attack behaviors are currently blocked, every active incident and investigation in progress, and the complete IT asset inventory. Security teams who click the phishing link to 'resolve billing' provide attackers the blueprint to design a successful intrusion that evades every active detection. Credentials also expose API tokens integrated with SIEM, SOAR, and ticketing systems. Warning signs: sender not crowdstrike.com or sentinelone.com.
Phishing emails impersonating SAP SuccessFactors claiming the enterprise HCM subscription payment has failed, licenses are suspended, talent management and workflows are disabled, or instance access is no longer active. SAP SuccessFactors: 6,000+ customers, 200M+ users — de facto HR system for SAP ERP customers, covering Employee Central, Recruiting, Onboarding, Performance, Learning, Succession, and Compensation in one suite. License suspension language matches legitimate SAP licensing compliance notices, immediately credible to SAP Basis teams. Q4 performance calibration suspension freezes every in-progress review and merit increase workflow at year-end. Cascade: Employee Central master data feeds SAP S/4HANA Finance, Concur, and Ariba — suspension breaks data integrity across the entire SAP landscape. Credentials expose full succession plans, all merit increase recommendations by department, offer pipeline data, and integration credentials to SAP S/4HANA. Warning signs: sender not successfactors.com or sap.com.
Phishing emails impersonating Ceridian or Dayforce claiming the payroll and HCM platform subscription payment has failed, payroll licenses are suspended, workforce management is disabled, or Dayforce access is no longer active. Ceridian: 6,000+ customers ($50K-1M+/year) in retail, healthcare, manufacturing. Dayforce's real-time continuous payroll calculation differentiator creates a unique suspension risk: hours worked during the suspension period cannot be retroactively recovered without manual re-entry, creating payroll data integrity gaps. Benefits administration suspension during open enrollment prevents employees from making elections and may create health insurance coverage gaps if carrier deadlines are missed. Credentials expose bank account numbers for direct deposit, year-to-date earnings, tax elections, garnishment orders, and carrier EDI integration credentials for health/401k/dental providers. Warning signs: sender not ceridian.com or dayforce.com.
Phishing emails impersonating Workday claiming the HCM and enterprise payroll platform subscription payment has failed, tenant licenses are suspended, payroll and workflows are disabled, or Workday tenant access is no longer active. Workday: 10,000+ enterprise customers ($300K-5M+/year) including Bank of America, Netflix, and Amazon — runs payroll, HR, financial management, and workforce planning in a single tenant. Tenant suspension on Thursday before Friday payroll = missed payroll for all employees across all jurisdictions, creating immediate legal employment liability. HR ops cannot process any employee lifecycle events (hires, terminations, promotions). Credentials expose every employee SSN, bank account for direct deposit, salary and compensation history, performance ratings, succession plans, and compensation bands by level. Warning signs: sender not workday.com or myworkday.com.
Phishing emails impersonating UKG or Kronos claiming the workforce management and time and attendance platform subscription payment has failed, licenses are suspended, timekeeping and scheduling are disabled, or workforce management access is no longer active. UKG: 80,000+ customers ($15K-500K+/year) including Target, BMW, and Marriott — dominant platform for hourly shift-based workforces. Suspension during a shift means timeclocks stop accepting punches, managers lose real-time staffing visibility, and the payroll integration export fails — requiring manual hour reconstruction for every employee. Healthcare organizations face patient safety implications from staffing visibility loss. Credentials expose every employee time punch record used for labor law compliance, all shift schedules, labor cost analytics, and integration credentials to ADP/Ceridian/Workday. Warning signs: sender not ukg.com or kronos.com.
Phishing emails impersonating ServiceNow claiming the ITSM and workflow automation platform subscription payment has failed, instance licenses are suspended, workflows and automations are disabled, or Now Platform access is no longer active. ServiceNow: 7,700+ enterprise customers ($100K-10M+/year), 85% of the Fortune 500 — not just ITSM but the workflow operating system running IT, HR, customer service, security operations, and field service in a single instance. Instance suspension creates IT operational paralysis: every incident ticket, change request, approval chain, and HR onboarding workflow stops simultaneously. Downstream cascade: ServiceNow workflows trigger Active Directory provisioning, deployment pipeline approvals, and SIEM alert routing — all break. Credentials expose the CMDB (the complete IT asset map), every open security vulnerability ticket, and integration credentials to AD, CI/CD, and HRIS. Warning signs: sender not servicenow.com.
Phishing emails impersonating Automation Anywhere claiming the RPA platform subscription payment has failed, bot licenses are suspended, control room access is disabled, or automation workflows are no longer active. Automation Anywhere: 3,500+ customers ($20K-500K+/year) including Deloitte, EY, and Wells Fargo. Control Room suspension stops every attended and unattended bot simultaneously — financial services organizations running overnight batch automation (reconciliation, regulatory reporting, accounts payable) face silent batch failures with no manual fallback because headcount was eliminated post-automation. The Friday afternoon suspension email is a targeted attack vector: it implies the weekend batch window will be missed, creating Monday morning regulatory reporting failures. Credentials expose the Credential Vault with encrypted passwords for core banking systems, trading platforms, and regulatory portals. Warning signs: sender not automationanywhere.com.
Phishing emails impersonating Celonis or UiPath claiming the process mining or RPA subscription payment has failed, licenses are suspended, or robots and automation workflows are disabled. Celonis: 1,000+ enterprise customers ($200K-2M+/year) including Siemens and Vodafone — process mining on top of SAP/Oracle/Salesforce, suspension disables ERP conformance dashboards and Action Engine automations simultaneously. UiPath: 10,500+ customers ($15K-500K+/year) — Orchestrator suspension stops every unattended robot with no manual fallback because headcount was eliminated post-automation. Credentials expose the Orchestrator asset vault with encrypted login credentials for every system the bots access (banking portals, vendor portals, HRIS, ERP), plus process mining models revealing where operational controls are weakest. Warning signs: sender not celonis.com or uipath.com.
Phishing emails impersonating Verint or NICE CXone claiming the workforce engagement management subscription payment has failed, licenses are suspended, quality management and recording are disabled, or workforce optimization access is no longer active. Verint: 10,000+ customers ($50K-500K+/year) — suspension stops the scheduling engine, all call/screen recording, quality evaluations, and speech analytics simultaneously. NICE CXone: 25,000+ customers — recording suspension creates an immediate regulatory compliance emergency for finance, healthcare, and utilities contact centers with mandatory 100% call recording requirements under FINRA, MiFID II, and HIPAA. Credentials expose call recordings containing customer PII and financial data, agent performance rankings, and workforce management schedules. Warning signs: sender not verint.com or niceincontact.com.
Phishing emails impersonating Medallia or Qualtrics claiming the experience management platform subscription payment has failed, platform licenses are suspended, surveys and feedback programs are disabled, or experience management access is no longer active. Medallia: 1,000+ enterprise customers ($200K-2M+/year) including Delta and Marriott. Qualtrics: 18,500+ customers ($1.5K-500K+/year) including BMW and the U.S. federal government — XM platform covers CX, EX, product research, and brand research. Suspension halts all active survey distributions mid-fieldwork, creating permanent sample loss for time-windowed studies. Credentials expose the entire enterprise feedback architecture: active survey instruments, all employee respondent PII from HR surveys, current NPS/CSAT scores, text analytics models, and integration tokens to Salesforce, SAP, and Slack. Warning signs: sender not medallia.com or qualtrics.com.
Phishing emails impersonating Talkdesk or Genesys Cloud claiming the CCaaS subscription payment has failed, agent licenses are suspended, or cloud contact center operations are no longer active. Talkdesk: 1,800+ enterprise customers ($75-125+/agent/month) including IBM and Accenture. Genesys: 11,000+ customers ($75-150+/agent/month) including Toyota and FedEx — market leader by seat count. Suspension takes every agent desktop offline simultaneously: inbound queues stop, IVR flows break, outbound dialers halt, and supervisor dashboards go blank. No alternative path for agents to handle contacts. Credentials expose IVR routing logic, outbound call lists with customer PII, call recording archives containing financial information, and workforce management configurations. Warning signs: sender not talkdesk.com or genesys.com.
Phishing emails impersonating Contentsquare or Heap claiming the digital experience analytics subscription payment has failed, session recordings and heatmaps are suspended, data capture tracking is disabled, or product analytics access is no longer active. Contentsquare: 800+ enterprise customers ($50K-300K+/year) including Walmart and LVMH. Heap: 8,000+ customers ($15K-150K+/year) including Microsoft and Eventbrite. Suspension halts all behavioral data capture simultaneously — ongoing UX investigations and A/B test analyses lose both current capture and the historical replay library. Heap's unique autocapture retroactive analysis capability creates distinct urgency: analysts fear losing historical event data. Credentials expose real user session recordings including authentication and payment flows, funnel definitions, high-value cohort segment logic, and integration tokens to Salesforce, Segment, and advertising platforms. Warning signs: sender not contentsquare.com or heap.io.
Phishing emails impersonating Sprinklr or Brandwatch claiming the enterprise social media management or social listening subscription payment has failed, platform licenses are suspended, social listening queries are disabled, or mentions monitoring is no longer active. Sprinklr: 1,000+ enterprise customers ($100K-1M+/year) including McDonald's, Microsoft, and Nike — unified platform means publishing, engagement, customer care, and paid social all go offline simultaneously. Brandwatch: 2,000+ enterprise customers ($1K-10K+/month) — Boolean queries tracking brand sentiment, share of voice, and competitive intelligence all stop with no retroactive gap recovery. Credentials expose OAuth tokens for every branded social account, the query library revealing crisis monitoring and competitive intelligence strategies, and integration tokens for advertising and CRM platforms. Warning signs: sender not sprinklr.com or brandwatch.com.
Phishing emails impersonating Tableau or Power BI claiming the BI platform subscription payment has failed, licenses are suspended, or dashboards and reports are no longer active. Tableau: 100,000+ organizations ($15-75/user/month). Power BI: 250,000+ organizations. Together they account for over 60% of enterprise BI deployments. License suspension hits all users simultaneously. Power BI workspace suspension takes entire business unit analytics offline — Finance, Sales, Operations dashboards all go dark at once. The 'licenses are no longer active' hook is plausible because IT admins receive legitimate license renewal reminders. Credentials expose every workbook, report, data source connection, proprietary DAX/calculated-field business logic, and row-level security configuration. Warning signs: sender not tableau.com, powerbi.com, or microsoft.com.
Phishing emails impersonating WorkRamp or Docebo claiming the LMS subscription payment has failed, training licenses are suspended, or e-learning courses are disabled. WorkRamp: 1,000+ enterprise customers ($20K-200K+/year), built for sales onboarding and enablement. Docebo: 3,000+ enterprise customers ($25K-500K+/year), supports external training audiences including customers and partners. Suspension hits mid-cycle training programs and compliance-mandated courses with deadlines — GDPR awareness, anti-harassment, and security training SLAs create HR and legal urgency beyond IT disruption. Companies using Docebo for customer education lose new customer onboarding capability. Credentials expose all course content, learner progress, assessment scores, and certification status. Warning signs: sender not workramp.com or docebo.com.
Phishing emails impersonating Fivetran or Airbyte claiming the data pipeline and ETL subscription payment has failed, data connectors are suspended, sync jobs are no longer active, or warehouse sync has been disabled. Fivetran: 5,000+ customers ($15K-200K+/year). Airbyte: 40,000+ deployments. Suspension stops all data flowing into the warehouse simultaneously — every downstream dashboard, ML model, and reporting pipeline runs on stale data. Teams with explicit freshness SLAs (finance reporting by 6am, real-time inventory, daily attribution) immediately breach SLAs. The warehouse begins accumulating data gaps that require hours or days of re-sync to recover after restoration. Credentials expose the complete data architecture: every connected operational system, sync frequency, schema mappings, and destination warehouse credentials. Warning signs: sender not fivetran.com or airbyte.com.
Phishing emails impersonating Tealium or mParticle claiming the customer data platform subscription payment has failed, data collection tags are suspended, event streams are disabled, or audience segments are no longer active. Tealium: 1,000+ enterprise customers ($100K-$1M+/year). mParticle: 300+ enterprise brands ($50K-500K+/year). Suspension disables all managed tags simultaneously — Google Analytics stops collecting, Facebook Pixel stops firing, Adobe Analytics stops tracking, and every martech platform that depends on tag delivery goes blind at once. Facebook retargeting audiences stop updating; Google Ads remarketing lists freeze — ad spend waste resumes immediately for existing customer audiences. mParticle is the central event routing hub: suspension stops all forwarding to Braze, Amplitude, Snowflake, and AppsFlyer simultaneously. Credentials expose the full data layer spec, routing rules, audience segment logic, and advertising platform activation mappings. Warning signs: sender not tealium.com or mparticle.com.
Phishing emails impersonating Seismic or Highspot claiming the sales enablement platform subscription payment has failed, the sales content library is suspended, sales playbooks are disabled, or content engagement analytics are no longer active. Seismic: 2,000+ enterprise customers ($50K-300K+/year). Highspot: 1,000+ enterprise customers. Suspension makes every piece of approved sales content inaccessible for every rep simultaneously — reps in active deals cannot pull competitive battlecards, ROI calculators, or approved case studies at the moment of need. Highspot content engagement analytics (which slides buyers viewed, how long, whether they shared internally) drive deal follow-up strategy — suspension cuts both content delivery and buyer engagement intelligence. Credentials expose complete competitive intelligence: every battlecard, pricing strategy per industry segment, and buyer engagement analytics. Warning signs: sender not seismic.com or highspot.com.
Phishing emails impersonating LaunchDarkly or Split.io claiming the feature flag management subscription payment has failed, feature flags are suspended, kill switches are disabled, feature rollouts are no longer active, or A/B tests have been temporarily suspended. LaunchDarkly: 5,000+ enterprise customers ($20K-200K+/year). Split: 1,000+ teams. Suspension disables the ability to turn off broken features, roll back bad deployments, or safely control feature exposure in production — the engineering team loses its primary incident response tool. The 'kill switches suspended' hook is the highest-urgency vector: a production incident causing 500+ errors/minute that would normally be resolved in 30 seconds via a flag toggle instead requires a full code deployment. Split suspension also stops A/B experiment measurement, losing accumulated statistical data. Credentials expose every active feature flag, rollout percentage rules, and user targeting configuration. Warning signs: sender not launchdarkly.com or split.io.
Phishing emails impersonating Outreach.io or SalesLoft claiming the sales engagement subscription payment has failed, sales sequences are suspended, cadences are paused, or meeting booking is disabled. Outreach.io: 6K+ enterprise customers ($100-150+/user/month). SalesLoft: 5K+ customers. A suspended Outreach workspace stops every active sequence for every rep simultaneously — a 50-rep SDR team with 200 prospects each loses 10,000 active prospect touches at once. The 'meeting booking disabled' hook breaks the conversion step in every rep's active email at the same time. Very urgent at end-of-quarter when pipeline targets depend on booked meetings. Credentials expose the complete sales outreach architecture including sequence templates, tested pricing, and full prospect engagement data. Warning signs: sender not outreach.io or salesloft.com.
Phishing emails impersonating PandaDoc or Proposify claiming the proposal and contract management subscription payment has failed, pending proposals and contracts are suspended, document templates are inaccessible, or electronic signatures are at risk. PandaDoc: 50K+ customers. Proposify: 10K+ customers. Suspension blocks deals from closing — contracts awaiting signature show 'document not available' errors for prospects. At end-of-quarter when $500K in open contracts need signatures, suspension risks losing deals entirely if prospects lose interest. Credentials expose complete sales and pricing strategy: every proposal reveals pricing tiers, discount levels, and contract terms offered to different customer segments. Warning signs: sender not pandadoc.com or proposify.com.
Phishing emails impersonating Klaviyo or Attentive claiming the subscription payment has failed, email flows are suspended, abandoned cart emails are no longer sending, post-purchase flows are paused, or SMS campaigns are disabled. Klaviyo: 150K+ paying customers, dominant email/SMS for Shopify/BigCommerce merchants. Attentive: 8K+ enterprise brands. The 'abandoned cart flows suspended' hook is uniquely concrete: merchants know exactly what it costs — a $500K/month store with 15% cart recovery rate loses ~$25K/month when flows stop. Attentive SMS suspension kills text marketing programs driving 10-25% of e-commerce revenue. Credentials expose complete customer email/SMS lists with purchase history and full LTV data. Warning signs: sender not klaviyo.com or attentive.com.
Phishing emails impersonating Weights & Biases (W&B) or Comet ML claiming the MLOps subscription payment has failed, experiment runs are suspended, model training logs are no longer being captured, or hyperparameter sweeps are disabled. W&B: 50K+ ML practitioners, 1K+ enterprise teams, used by OpenAI and 90% of top AI labs. Comet ML: 100K+ ML practitioners. The 'model training logs no longer captured' hook carries extreme urgency: a hyperparameter sweep costing $10K-50K in compute still runs but produces zero usable data — every GPU-hour during the suspension is wasted. W&B is embedded in training scripts via a 2-line SDK integration, making suspension invisible until the team checks the dashboard. Credentials expose the complete ML research portfolio: every architecture tried, hyperparameter config tested, and trained model weights. Warning signs: sender not wandb.ai or comet.ml.
Phishing emails impersonating Auth0 (Okta Developer) or Firebase Authentication claiming the subscription payment has failed, the Auth0 tenant is suspended, authentication flows are no longer active, or users cannot log in to the application. Auth0: 100,000+ organizations, 70M+ daily authentications. Firebase Auth: 5M+ apps, 45% of all mobile apps. A suspended Auth0 tenant means every user of the developer's application immediately cannot log in — the login page fails for all users simultaneously, causing support surges and visible product downtime from the customer's perspective. The 'users cannot log in to your application' hook is the most catastrophic possible authentication failure for any live SaaS product. Credentials expose the complete user identity database: every registered user's email, login history, MFA enrollment, and OAuth tokens. Warning signs: sender not auth0.com or firebase.google.com.
Phishing emails impersonating Apollo.io or ZoomInfo claiming the B2B sales intelligence subscription payment has failed, contact credits are suspended, email sequences have been paused, or prospecting credits are at risk. Apollo.io: 500K+ users, 275M B2B contacts, $49-119/month. ZoomInfo: 35K+ enterprise customers at $15K-50K+/year. The 'email sequences have been paused' hook is especially urgent mid-campaign — SDRs lose every in-flight outbound sequence targeting warm prospects simultaneously. ZoomInfo suspension removes access to the contact database that entire sales and marketing teams depend on for ICP targeting and ABM. Credentials expose the complete B2B prospecting strategy: target account list, sequence content, and which decision-makers are being pursued. Warning signs: sender not apollo.io or zoominfo.com.
Phishing emails impersonating OpenAI or Anthropic claiming the API subscription payment has failed, API keys have been suspended or revoked, GPT-4 or Claude API access is no longer active, AI features are disabled for production apps, or AI models are inaccessible. OpenAI: 3M+ developers and 2M+ API customers. Anthropic: 50,000+ API customers. A single suspended API key instantly disables every AI-powered feature in production software — chatbots, summarization, code completion, recommendations — creating immediate customer-visible impact. The 'API keys are no longer valid and AI features are no longer active' hook carries extraordinary urgency. Credentials expose the complete AI integration architecture including proprietary prompts and system instructions. Warning signs: sender not openai.com or anthropic.com.
Phishing emails impersonating Heap or PostHog claiming the product analytics subscription payment has failed, event tracking is suspended, session replay is disabled, product analytics are no longer active, feature flags are deactivated, or A/B tests have been disabled. Heap: 8,000+ companies (enterprise pricing). PostHog: 50,000+ teams with product analytics + feature flags + A/B testing in one platform. A suspended PostHog account simultaneously disables the event pipeline, feature flag API, and all running A/B experiments — teams lose the ability to roll back features or gradually release to users. The 'A/B tests and feature flags will be disabled' hook is especially urgent during live rollouts. Credentials expose complete user behavioral data and experimentation roadmap. Warning signs: sender not heap.io or posthog.com.
Phishing emails impersonating Chargebee, Recurly, or Paddle claiming the subscription billing platform payment has failed, customer subscriptions cannot be renewed, recurring billing is disabled, or invoice generation has stopped. Chargebee: 6,500+ SaaS companies ($249-599+/month). Recurly: 2,000+ companies. Paddle: 4,000+ software companies. A uniquely meta attack: impersonates the tool the target uses to collect revenue from its own customers. 'Customer subscriptions cannot be renewed' is existential — the company's primary revenue engine stops. Credentials expose the complete recurring revenue architecture: every customer subscription, MRR/ARR data, churn rates, dunning configuration, and the full customer financial relationship. Warning signs: sender not chargebee.com/recurly.com/paddle.com.
Phishing emails impersonating Jasper, Copy.ai, or Writesonic claiming the AI writing tool subscription payment has failed, AI content generation is suspended, brand voice templates are inaccessible, or AI copywriting workflows are disabled. Jasper: 100,000+ users ($39-125/month). Copy.ai: 100,000+ users. Writesonic: 1M+ users. A distinct category targeting AI content creation platforms embedded in marketing workflows. The 'brand voice templates suspended' hook targets high-effort assets representing weeks of brand strategy work. Credentials expose complete content strategy: every messaging document reveals positioning, brand voice templates expose marketing guidelines, and AI output history shows which messages are being tested. Warning signs: sender not jasper.ai/copy.ai/writesonic.com.
Phishing emails impersonating Expensify, Ramp, or Navan claiming expense report submission is blocked, reimbursements are on hold, corporate cards are suspended, or spend management is no longer active. Expensify: 12M+ users. Ramp: 25K+ companies. Navan: 8K+ companies. A distinct attack category targeting expense and spend management platforms. Uniquely cross-organizational: expense platform suspensions are felt by every employee simultaneously, creating distributed pressure that reaches the finance admin from all directions at once. Ramp suspension disables corporate card categorization and accounting automation across every card. Navan suspension blocks both new travel bookings AND expense submissions simultaneously. Credentials expose complete corporate spend history. Warning signs: sender not expensify.com/ramp.com/navan.com.
Phishing emails impersonating Workato or Tray.io claiming the enterprise iPaaS subscription payment has failed, automation workflows have stopped, enterprise integrations are suspended, or business workflow automation is no longer running. Workato: 17,000+ customers ($10K-100K+/year). Tray.io: 1,000+ enterprise customers. A distinct category targeting enterprise integration platforms that automate mission-critical workflows across Salesforce, NetSuite, Workday, and hundreds of enterprise apps. A single Workato recipe may process 100K+ records/day — a recipe outage is a business operations emergency. Credentials expose every API key and OAuth token stored across all connected enterprise systems. Warning signs: sender not workato.com/tray.io.
Phishing emails impersonating Pendo, WalkMe, or Appcues claiming the product adoption subscription payment has failed, in-app guidance is suspended, digital adoption platform is offline, or user onboarding flows are disabled. Pendo: 8,000+ companies ($7K-200K+/year). WalkMe: 2,000+ enterprises. Appcues: 1,500+ SaaS companies. A distinct category targeting product adoption platforms embedded live in production products — suspension takes all in-app tooltips, walkthroughs, and onboarding flows offline for every live user simultaneously. User-visible disruption: new users get no onboarding, power users see missing tooltips, and product analytics go dark. Credentials expose complete behavioral data for every user of the product. Warning signs: sender not pendo.io/walkme.com/appcues.com.
Phishing emails impersonating Braze, Iterable, or Customer.io claiming the marketing automation subscription payment has failed, customer engagement campaigns are suspended, push notifications are no longer being delivered, or lifecycle and triggered messages have stopped. Braze: 1,900+ enterprise customers ($50K-1M+/year). Iterable: 1,000+ companies. Customer.io: 4,500+ companies. Distinct from list-based email marketing (Mailchimp/Klaviyo) — targets event-triggered, cross-channel lifecycle platforms. Suspended push notifications are customer-visible: users stop receiving order updates and appointment reminders, generating app store negative reviews within hours. Credentials expose all behavioral data, campaign content library, A/B test results, and push notification token registries. Warning signs: sender not braze.com/iterable.com/customer.io.
Phishing emails impersonating Aircall, Dialpad, or OpenPhone claiming the VoIP business phone subscription payment has failed, the business phone system is offline, customer calls are not being received, or call routing and phone numbers are suspended. Aircall: 15,000+ customers ($30-50/user/month). Dialpad: 30,000+ customers. OpenPhone: 50,000+ businesses. The 'customer calls are not being received' hook is the highest-urgency hook possible for a phone system — customers calling the support number hear a disconnection tone, creating immediate revenue and reputation impact. Aircall integrates with HubSpot, Salesforce, and Zendesk, meaning credentials expose linked CRM call logs and contact records in addition to call recordings and voicemails. Warning signs: sender not aircall.io/dialpad.com/openphone.com.
Phishing emails impersonating Productboard or Aha! claiming the product roadmap subscription payment has failed, the product roadmap is suspended, the customer feedback portal is inaccessible, strategic initiatives are at risk, or release planning is halted. Productboard: 6,000+ companies ($25-100/maker/month). Aha!: 700,000+ users ($59-149/user/month). The 'feedback portal suspended' hook is customer-visible — many companies link publicly to their Productboard portal, so a portal outage damages credibility externally. Product roadmap data is highly sensitive competitive intelligence: unreleased feature plans, strategic objectives, and 18-month roadmaps. Credentials also expose all raw customer feedback aggregated from Intercom, Zendesk, and Salesforce. Warning signs: sender not productboard.com/aha.io.
Phishing emails impersonating Drata or Vanta claiming the compliance automation subscription payment has failed, SOC 2 audit evidence collection is suspended, compliance monitoring is disabled, or security controls are no longer tracked. Drata: 3,500+ companies ($25K-100K+/year). Vanta: 6,000+ companies ($13K+/year). A distinct attack category targeting security compliance automation platforms. The 'SOC 2 audit evidence suspended' hook is uniquely high-stakes for companies with active audits — evidence gaps during a SOC 2 Type II observation period must be explained to the auditor and can invalidate the audit. Compliance credentials expose the complete security posture including every failing control and at-risk vendor — a roadmap for exploiting security gaps. Warning signs: sender not drata.com/vanta.com.
Phishing emails impersonating Lattice or Culture Amp claiming the performance management subscription payment has failed, performance reviews are suspended, OKRs are inaccessible, employee surveys are disabled, or the performance review cycle has been halted. Lattice: 5,000+ companies ($11-19/person/month). Culture Amp: 6,500+ companies. A distinct attack category targeting HR performance management platforms. The 'employees cannot complete their performance reviews' hook targets HR teams during annual review season when the entire people management process depends on the platform. Credentials expose performance ratings, compensation review decisions, PIP details, and Culture Amp engagement scores including flight risk assessments. Warning signs: sender not latticehq.com/cultureamp.com.
Phishing emails impersonating Carta or Pulley claiming the cap table subscription payment has failed, the cap table is inaccessible, option exercises are suspended, equity data is at risk, or stockholder records are unavailable. Carta: 40,000+ companies, 800,000+ employee shareholders. Pulley: 4,000+ startups. A distinct attack category targeting equity and cap table management tools used by VC-backed startups. The 'option exercises suspended' hook is uniquely high-stakes — stock option exercise windows are time-limited (typically 90 days post-employment), creating extreme urgency when exercises appear blocked. Cap table data is exceptionally sensitive: attacker access reveals every shareholder's equity stake, option grant exercise prices, 409A valuations, and active liquidity events. Warning signs: sender not carta.com/pulley.com.
Phishing emails impersonating Gong or Chorus claiming the revenue intelligence subscription payment has failed, sales call recordings are suspended, deal intelligence is inaccessible, conversation intelligence is disabled, or pipeline analytics are no longer active. Gong: 4,000+ enterprise customers ($1,200-1,751/user/year). Chorus.ai (ZoomInfo): 2,000+ revenue teams. A distinct attack category targeting revenue intelligence platforms that record every sales call. The 'deal intelligence suspended' hook is time-critical during active sales quarters. Call recordings expose every customer objection, pricing discussion, and competitor mention in active deals. Revenue intelligence credentials also expose private pipeline health data and revenue forecasts. Warning signs: sender not gong.io/chorus.ai.
Phishing emails impersonating Hotjar or FullStory claiming the session recording subscription payment has failed, session recordings and heatmaps are suspended, user recordings are no longer collecting, or replays and UX analytics are inaccessible. Hotjar: 170K+ paying customers ($32-171/month Business/Scale). FullStory: 3K+ enterprise customers. A distinct attack category targeting UX analytics and session recording tools — completely different from workspace-share or video-conferencing phishing. The 'session recordings suspended' hook is effective because UX data is time-critical: recordings missed during a product launch or A/B test are permanently lost and cannot be retroactively captured. 'Heatmaps no longer collecting' threatens behavioral data streams that feed product decisions. LogRocket session replay suspension blocks engineering teams from reproducing reported bugs. Credentials expose all session recordings (which may contain sensitive user data entry), heatmaps revealing product interaction patterns, and feedback survey responses. Warning signs: sender not hotjar.com/fullstory.com/logrocket.com.
Phishing emails impersonating Greenhouse or Lever claiming the recruiting subscription payment has failed, job postings are suspended, the applicant pipeline is inaccessible, the hiring pipeline is halted, or candidates will not be able to apply for open positions. Greenhouse: 7,500+ customers (enterprise pricing). Lever: 5,000+ customers. A distinct attack category targeting applicant tracking systems (ATS) that power the entire recruitment pipeline — no existing ATS-billing signal covers this. The 'candidates will not be able to apply' hook is uniquely high-stakes during active hiring campaigns — every inbound application from job postings is lost during suspension. Companies spending $5K-30K/month on LinkedIn Recruiter driving candidates to these postings face immediate financial loss from a fake billing failure. Lever Nurture suspension locks the entire passive-candidate relationship database. ATS credentials expose every candidate resume, interview feedback from hiring managers, salary negotiation details, and internal compensation bands. Warning signs: sender not greenhouse.io/lever.co.
Phishing emails impersonating Airtable or Smartsheet claiming the subscription payment has failed, team bases and automations are inaccessible, sheets and workspace are suspended, or team data is at risk. Airtable: 450K+ paying organizations ($10-20/user/month); Smartsheet: 90K+ customers ($9-32/seat/month). Distinct from workspace-share phishing — targets BILLING suspension. Airtable Pro suspension locks all bases, automations, and form submissions; Smartsheet suspension locks all sheets, dashboards, and automated workflows including Salesforce/Microsoft 365 integrations. Credentials expose complete operational databases with customer records, financial projections, and product roadmaps. Warning signs: sender not airtable.com/smartsheet.com.
Phishing emails impersonating Lucidchart or Lucidspark claiming the subscription payment has failed, team diagrams are inaccessible, shared boards are suspended, or diagramming content will be locked. Lucidchart: 25M+ paying users ($7.95-9/month Individual/Team); Lucidspark: whiteboard product. Distinct from Miro/Mural billing phishing — targets technical diagramming (architecture, network topology, UML, ER diagrams). Lucidchart/Confluence integration means suspension breaks embedded diagrams in documentation wikis. Credentials expose infrastructure topology, org charts, and unreleased architecture plans. Warning signs: sender not lucidchart.com/lucidspark.com.
Phishing emails impersonating Zendesk claiming the customer support subscription payment has failed, support tickets are inaccessible, agents can no longer respond, live chat is suspended, or the helpdesk is offline. Zendesk: 100K+ paying businesses ($55-215/agent/month). Distinct from Freshdesk/Intercom billing phishing — targets Zendesk, the world's largest customer support platform. Support suspension creates immediate customer-visible SLA failures — all tickets, live chat, phone integration, and social DM routing go offline simultaneously. Credentials expose full customer support history and contact data for potentially millions of end users. Warning signs: sender not zendesk.com.
Phishing emails impersonating Dropbox Business or Box Enterprise claiming the cloud storage subscription payment has failed, team folders and shared files are inaccessible, or organization content is suspended. Dropbox Business: 700K+ paying teams ($15-25/user/month); Box Enterprise: 97K+ organizations ($15-35/user/month) dominant in financial services, healthcare, and legal sectors. Distinct from file-sharing/WeTransfer phishing — targets BILLING suspension with team content access loss. Team folder suspension halts document-dependent workflows across marketing, legal, design, and operations simultaneously. Box suspension in regulated industries creates compliance-risk urgency. Credentials expose full company document libraries including financial models, legal agreements, and customer contracts. Warning signs: sender not dropbox.com/box.com.
Phishing emails impersonating Notion or Coda claiming the workspace subscription payment has failed, the workspace and team pages are inaccessible, team wikis and databases are suspended, or workspace access will be locked. Notion: 30M+ users ($8-16/user/month Plus/Business), the central knowledge base for startups; Coda: 25K+ paying teams ($10-30/user/month). Distinct from fake Notion workspace-share credential phishing — targets BILLING suspension with company-wide knowledge base loss. Workspace suspension locks the team wiki, company handbook, project databases, product roadmaps, and OKRs simultaneously. Credentials expose full company knowledge base including unreleased product plans and customer research. Warning signs: sender not notion.so/coda.io.
Phishing emails impersonating 1Password Teams/Business, Bitwarden, or Keeper Business claiming the team password manager subscription payment has failed, the team vault is inaccessible, employees are locked out of stored work accounts, or the organization vault and shared password collections are suspended. 1Password Teams: 100K+ teams ($3-8/user/month); Bitwarden: millions of users including 30K+ organizations ($3-5/user/month Teams/Enterprise). Distinct from vault breach/security alert phishing — targets BILLING suspension with cascading organizational impact. Team vault suspension is binary: employees immediately lose access to every shared credential — CRMs, cloud platforms, SaaS logins, SSH keys, API keys simultaneously. Password manager credentials give attackers access to the vault management interface from which all stored credentials can be exported. Warning signs: sender not 1password.com/bitwarden.com/keepersecurity.com.
Phishing emails impersonating Descript, Riverside, or Buzzsprout claiming the subscription payment has failed, video projects and transcript editing are suspended, podcast recordings are no longer active, or podcast episodes will be removed from Apple Podcasts and Spotify. Descript: 80K+ creators ($12-24/month); Riverside: 100K+ creators ($15-24/month); Buzzsprout: 100K+ podcast shows ($12-49/month). Distinct from Vimeo/Loom video HOSTING phishing — targets podcast/video CREATION, editing, and distribution tools. The 'episodes removed from Apple Podcasts and Spotify' hook is existentially high-urgency for podcasters depending on the podcast for income. Credentials expose unreleased interview recordings, episode production schedules, and subscriber analytics. Warning signs: sender not descript.com/riverside.fm/buzzsprout.com.
Phishing emails impersonating CircleCI, Buildkite, or Travis CI claiming the CI/CD pipeline subscription payment has failed and pipelines are suspended, builds are halted, or deployments are blocked. CircleCI: 30K+ organizations, 500K+ developers ($30-2,000+/month), used by Spotify, Segment, Twilio; Buildkite: 2,000+ enterprise customers including GitHub, Shopify, Stripe. Distinct from GitHub/GitLab DevOps billing phishing — targets dedicated CI/CD tooling. Pipeline suspension halts all production deployments simultaneously — feature releases, hotfix deployments, and automated test runs all fail for every developer's code push. Teams mid-incident who need to deploy a hotfix are maximally susceptible. Credentials expose deployment secrets (SSH keys, cloud API keys, database migration credentials) and the pipeline configuration revealing the entire production infrastructure. Warning signs: sender not circleci.com/buildkite.com/travis-ci.com.
Phishing emails impersonating Toggl Track, Harvest, or Clockify claiming the time tracking subscription payment has failed and time entries are inaccessible, client invoicing is suspended, or the workspace will be shut down. Toggl Track: 80K+ paying teams ($10-20/seat/month); Harvest: 70K+ customers ($12-14/seat/month) with integrated invoicing; Clockify: 5M+ users with paid plans. Targets freelancers, agencies, and consultants using time tracking for billable client hours. Harvest suspension blocks invoice generation for all tracked time — agencies billing on net-30 terms can face delays on thousands of dollars in monthly invoicing. The 'cannot invoice clients' hook is especially effective at month-end. Credentials expose all client names and billable hour data, rate cards, project budgets, and (in Harvest) integrated invoice payment history. Warning signs: sender not toggl.com/getharvest.com/clockify.me.
Phishing emails impersonating Heroku, Railway, Render, or Fly.io claiming the app deployment subscription payment has failed and dynos are suspended, deployments are no longer active, or web services and apps are offline. Heroku: 13M+ registered developers ($5-500+/month); Railway: 500K+ users ($5-20/month); Render: 500K+ users. Distinct from Vercel/Netlify frontend platform phishing — targets backend/full-stack deployment. Heroku dyno suspension immediately returns 503 errors to live users, halts API endpoints, webhook processors, and background workers simultaneously. Railway suspension takes down the web service, databases, and every background worker on the account. Render account suspension kills web services, cron jobs, and managed PostgreSQL simultaneously. Credentials expose all environment variables (API keys, DB URLs, OAuth secrets), deployment logs, and custom domain DNS settings. Warning signs: sender not heroku.com/railway.app/render.com/fly.io.
Phishing emails impersonating Gusto, BambooHR, or Paychex claiming the US HR and payroll subscription payment has failed and payroll will not be processed, direct deposit is suspended, employee records are inaccessible, or tax filings will not be filed. Gusto: 300K+ small businesses ($6-80/month + $4-12/employee); BambooHR: 30K+ companies; Paychex: millions of SMB customers. Distinct from Deel/Rippling global payroll phishing — targets US domestic SMB payroll. Payroll suspension is the highest-urgency billing failure hook: employees don't receive paychecks, triggering immediate labor law violations in most US states. Paychex suspension also threatens tax filing deadlines — missed quarterly 941 deposits trigger IRS penalties starting at 2-15%. Credentials expose every employee's SSN, date of birth, home address, and bank routing numbers. Warning signs: sender not gusto.com/bamboohr.com/paychex.com.
Phishing emails impersonating Buffer, Hootsuite, or Sprout Social claiming the social media management subscription payment has failed and scheduled posts are cancelled, connected accounts are disconnected, or social media publishing is suspended. Buffer: 75K+ paying customers ($6-120/month); Hootsuite: 800K+ ($99-249/month); Sprout Social: 34K+ ($249-499+/month). Targets social media managers and marketing teams. Hootsuite suspension cancels all queued posts across every connected channel (Twitter/X, LinkedIn, Instagram, Facebook, TikTok) simultaneously — a team with 3 weeks of content loses it all. Buffer Agency plans affect every client's social queue at once. OAuth account disconnection after suspension requires fresh authentication from every platform, taking hours. Sprout Social credentials expose every connected social account's OAuth token, content calendar, competitive analysis data, and customer inbox. Warning signs: sender not buffer.com/hootsuite.com/sproutsocial.com.
Phishing emails impersonating beehiiv, ConvertKit, or Ghost claiming the newsletter platform subscription payment has failed and newsletters, email sends, paid subscriber access, or membership subscriptions are suspended. beehiiv: 50K+ creators ($49-99/month); ConvertKit/Kit: 100K+ creators ($29-79/month); Ghost: 150K+ sites ($9-25/month). Targets newsletter and email creators as businesses, distinct from course platform phishing. Newsletter suspension halts all email sends, locks paid subscribers out of gated content, and freezes all automation sequences simultaneously — creators mid-launch lose their entire conversion sequence. Credentials expose the full subscriber list, all draft content, revenue data, and Stripe integration settings — enabling follow-on phishing campaigns targeting the creator's entire audience. Warning signs: sender not beehiiv.com/convertkit.com/kit.com/ghost.org.
Phishing emails impersonating Figma claiming the organization or Professional subscription payment has failed and design files, team workspace, component libraries, and FigJam boards are suspended. Figma: 4M+ paying users ($15-75/editor/month), used by Google, Microsoft, Airbnb, and 90%+ of design teams globally. Distinct from fake Figma file-share phishing — targets billing suspension with company-wide design workflow consequences. Organization plan suspension locks every editor out of all shared design files, component libraries, and prototypes simultaneously. FigJam boards used for sprint planning and design critiques go dark. Engineering handoffs break as designers cannot export specs or update component tokens. Credentials expose all proprietary design files, unreleased product mockups, and design system source files. Warning signs: sender not figma.com; billing managed at figma.com/settings.
Phishing emails impersonating Kajabi, Teachable, Thinkific, or Podia claiming the course platform subscription payment has failed and online courses, student access, course revenue, and digital products are suspended. Kajabi: 75K+ creators ($149-399/month); Teachable: 100K+ creators ($59-499/month); Thinkific: 50K+ creators ($49-499/month). Targets course creators as businesses, not consumer learners — distinct from Duolingo/MasterClass phishing. Platform suspension cuts off all students simultaneously, triggering refund requests and chargebacks. Creators with monthly subscription courses face ongoing revenue loss. Credentials expose the full student database, all course content and video, payment integration settings, and affiliate program data — enabling follow-on phishing campaigns targeting the creator's student email list. Warning signs: sender not kajabi.com/teachable.com/thinkific.com/podia.com.
Phishing emails impersonating WP Engine, Kinsta, or Cloudways claiming the managed WordPress hosting subscription payment has failed and WordPress sites, hosting environments, and CDN are suspended. WP Engine: 200K+ customers ($25-290+/month); Kinsta: 35K+ customers ($30-1,500+/month). Distinct from generic web hosting (GoDaddy/Bluehost) — targets professional developers and agencies. Agency plans are a high-leverage target: one billing contact is responsible for 5-50+ client WordPress sites; a single phishing success takes all client sites offline simultaneously. Cloudways server suspension also cuts SSH/SFTP access, blocking emergency recovery. Credentials give attackers SFTP access to all WordPress site files, all hosted database credentials, and admin control panel access across every site on the account. Warning signs: sender not wpengine.com/kinsta.com/cloudways.com.
Phishing emails impersonating Webflow or Framer claiming the professional website builder subscription payment has failed and sites, CMS collections, and custom domains are suspended. Webflow: 3.5M+ users, 300K+ paying ($14-212+/month); Framer: 1M+ users ($15-45/month). Distinct from Wix/Squarespace consumer phishing — targets design professionals and agencies. Webflow suspension simultaneously breaks the CMS editor for content teams and the published website for visitors. CMS-driven sites lose all dynamic content pages and editorial workflows. Webflow Workspace agency plans take every client site offline at once. Framer's rapid growth creates a novel lure developers haven't been trained to verify. Credentials allow domain redirection, content injection, and e-commerce data access. Warning signs: sender not webflow.com/framer.com.
Phishing emails impersonating Cursor, Replit, or Windsurf claiming the AI code editor subscription payment has failed and the coding environment, workspace, and AI features are suspended. Cursor: 1M+ paying users ($20/month Pro, $40/month Business); Replit: 4M+ users ($20/month Core); Windsurf: 1M+ rapid adoption. Distinct from GitHub Copilot phishing. Cursor suspension disables AI completions, AI chat, and the entire developer workflow simultaneously for all Business team members. Replit suspension takes deployed applications offline immediately — indie developers and students lose live production apps. Windsurf is a novel phishing lure that developers haven't been conditioned to verify skeptically. Credentials expose repository OAuth tokens and codebase indexing data across all connected GitHub/GitLab repos. Warning signs: sender not cursor.com/replit.com/codeium.com.
Phishing emails impersonating Miro, Mural, or Lucidchart claiming the visual collaboration subscription payment has failed and boards, whiteboards, and team workspace are suspended. Miro: 60M+ users, 200K+ paying ($10-20/member/month); Mural: 35M+ users, enterprise ($17.99-24.99/member/month); Lucidchart: 30M+ users ($7.95-20/user/month). Visual workspace suspension locks all team members out of shared boards simultaneously — in-progress design sprints, product roadmaps, architecture diagrams, and retrospective boards all go dark at once. Mural suspension immediately before a scheduled workshop forces cancellation of cross-team sessions with 20+ participants. Miro boards function as shared institutional memory with no offline backup — product strategy, customer research, and competitive intelligence become inaccessible. Warning signs: sender not miro.com/mural.co/lucidchart.com.
Phishing emails impersonating Intercom, Freshdesk, or Help Scout claiming the customer support platform subscription payment has failed and customer messaging, support inbox, live chat, and helpdesk tickets are suspended. Intercom: 25K+ paying customers ($74-374/month); Freshdesk: 50K+ customers ($18-95/agent/month); Help Scout: 12K+ businesses ($22-65/user/month). Support platform suspension means every inbound customer request goes unanswered immediately — the live chat widget stops loading on the website, the support inbox stops receiving conversations, and SLA timers continue running on inaccessible open tickets. Freshdesk suspension creates immediate contractual SLA breach risk across every open ticket. Intercom's Messenger widget fails publicly on the subscriber's website, creating visible service failure for all site visitors. Credentials contain all customer conversation history, contact data, and helpdesk API tokens. Warning signs: sender not intercom.com/freshdesk.com/helpscout.com.
Phishing emails impersonating Typeform, SurveyMonkey, or Jotform claiming the form platform subscription payment has failed and forms, surveys, and response collection are suspended. Typeform: 2M+ paying users ($29-99/month); SurveyMonkey: 300K+ paying ($25-75/month/user); Jotform: 25M+ users ($39-129/month). Form suspension simultaneously stops all active forms — lead-gen forms stop capturing prospects, NPS surveys stop mid-campaign, job application forms stop receiving applications, and payment forms stop processing transactions. Payment-integrated forms (Stripe/PayPal via Typeform/Jotform) lose all form-based revenue channels at once. SurveyMonkey enterprise suspension during an active survey risks losing weeks of collected respondent data. Jotform covers HR, medical, legal, and e-commerce forms simultaneously. Submission data contains raw respondent PII across every published form. Warning signs: sender not typeform.com/surveymonkey.com/jotform.com.
Phishing emails impersonating Contentful, Sanity, or Storyblok claiming the headless CMS subscription payment has failed and content delivery, CMS spaces, and entries are no longer accessible. Contentful: 30%+ of Fortune 500, 7K+ enterprise customers ($300-2,000+/month); Sanity: 1,000+ enterprise customers; Storyblok serves marketing teams with a visual editor. Headless CMS suspension takes down every website and app that reads content from the CMS simultaneously — the entire content layer across all digital channels goes dark at once. Product pages, articles, app screens all show blank content. Storyblok's visual editor creates a non-technical target pool: marketing users have no basis to verify sender domains. Credentials include management API tokens that allow content modification and delivery API keys read by all production systems. Warning signs: sender not contentful.com/sanity.io/storyblok.com.
Phishing emails impersonating Postman or RapidAPI claiming the API platform subscription payment has failed and API collections, team workspaces, monitors, and mock servers are suspended. Postman: 30M+ users, 500K+ paying ($19-49/user/month); RapidAPI: 4M+ developers. Postman workspace suspension locks the entire engineering team out of shared API collections, test suites, and environment variables simultaneously. Monitor suspension creates production visibility loss — API regressions go undetected until users report errors. RapidAPI suspension stops all subscribed API keys, breaking every app that depends on marketplace APIs. Postman environment variables store API keys, OAuth tokens, JWT secrets, and database credentials for every service the team integrates with — one phishing success harvests all stored credentials. Warning signs: sender not postman.com/rapidapi.com.
Phishing emails impersonating Zapier, Make (formerly Integromat), or n8n Cloud claiming the workflow automation subscription payment has failed and all automated zaps, scenarios, and integrations are no longer running. Zapier: 2.2M+ paying users ($19.99-799+/month); Make: 500K+ active users ($9-99+/month); n8n Cloud: 40K+ technical teams. Automation suspension simultaneously breaks every connected workflow — order processing, lead routing, CRM syncs, support ticket creation, and notification pipelines all fail at once. The compound cascade failure across every integrated tool makes the urgency real: one billing lapse breaks Salesforce→HubSpot routing, Stripe→Notion records, form→email sequences, and Slack alerts simultaneously. Automation credentials store OAuth tokens for every connected app — Slack, Gmail, Salesforce, Stripe, GitHub — enabling cross-platform credential theft. Warning signs: sender not zapier.com/make.com/n8n.io, genuine billing always managed in-platform.
Phishing emails impersonating Deel, Rippling, or Gusto claiming the global payroll or HR platform subscription payment has failed and payroll, contractor payments, and employee management are suspended. Deel: 35K+ companies; Rippling: 17K+ companies; Gusto: 300K+ small businesses. Payroll platform suspension means employees cannot be paid — the single most catastrophic SaaS-linked business emergency with immediate legal, contractual, and reputational consequences. Deel suspension blocks international contractor payments across 150+ jurisdictions simultaneously, triggering labor law violations in every country. Rippling's unified HR + payroll + IT architecture means suspension breaks payroll, benefits enrollment, and IT provisioning simultaneously. Payroll credentials are the highest-value business data: SSNs, bank routing numbers, salary data, and I-9 documents for every employee. Warning signs: sender not deel.com/rippling.com/gusto.com, payroll billing always managed in-platform.
Phishing emails impersonating Cloudinary, Bunny.net CDN, Fastly, imgix, ImageKit, or Mux claiming the media delivery subscription payment has failed and all image delivery, video streaming, and CDN services are suspended. Cloudinary: 1M+ developers, 50K+ paying customers ($89–450/month); Bunny.net: 300K+ users; Fastly: 3K+ enterprise customers. CDN suspension breaks every image and video simultaneously — every product image on an ecommerce site, every video on a platform, every media asset in an app fails to load within minutes. Unlike single-service outages, CDN failure cascades visibly to all users in real time, creating immediate revenue pressure. Media transformation suspension breaks dynamically-resized images and auto-generated video thumbnails, breaking responsive layouts across all devices. Cloudinary's DAM (digital asset management) storage lockout threatens access to years of creative assets. Fastly CDN suspension disables edge caching, causing origin servers to absorb all traffic and potentially crash under load — a forced DDoS-like scenario. Attackers clone Cloudinary's console UI precisely, as developers interact with dashboards daily. Warning signs: sender not cloudinary.com/bunny.net/fastly.com, genuine Cloudinary alerts come from cloudinary.com domain only.
Phishing emails impersonating Calendly, Acuity Scheduling (Squarespace), SavvyCal, Cal.com, or Setmore claiming the scheduling subscription payment has failed and all booking links, scheduled meetings, and calendar integrations are suspended. Calendly: 10M+ users, 50K+ paying customers ($10–20/month); Acuity: 100K+ users ($20–61/month). All booking links go dark simultaneously — a business consultant, coach, therapist, or SaaS demo team loses the ability to accept any new client booking. Calendly suspension freezes the entire top-of-funnel: no discovery calls, no demos, no consultations, no onboarding sessions. Unlike email outages, scheduling link failure is immediately visible to prospects who hit dead booking pages in real time. Acuity Scheduling (used by service businesses: salons, therapists, personal trainers) suspension blocks all appointment booking and automated reminder sequences — client relationships break down without warning. Team scheduling plans suspend routing logic that distributes meetings across sales teams, leaving enterprise customers with no meeting intake mechanism. Calendly OAuth integrations with Google Calendar and Outlook break all calendar sync — past scheduled meetings disappear from calendars. Attacker goal: Calendly SSO credentials and connected Google/Microsoft OAuth tokens grant access to full calendars with meeting details, client names, and business context. Warning signs: sender not calendly.com/acuityscheduling.com, genuine Calendly notices from calendly.com domain only.
Phishing emails impersonating Google Play Console claiming the Android developer account has been suspended for a policy violation, apps have been removed from the Play Store, or in-app purchases are no longer processing. Google Play: 3.5M+ Android apps, 2.5M+ active developers. Distinct from Apple Developer Program phishing (already covered). App removal cuts off all revenue channels simultaneously: in-app purchase processing, subscription renewals, and paid downloads all fail at once — complete business shutdown for indie developers with a single revenue app. The real 7-day appeal window is exploited to create hard-deadline urgency ('you have 7 days before permanent termination') that encourages immediate action without verification. Play Console policy violations are genuinely common and vaguely worded (misleading metadata, inappropriate content), making phishing emails indistinguishable from authentic enforcement notices. Compromised Play Console credentials let attackers push malicious app updates to all existing users, harvest reviewer email addresses, and redirect developer payment credentials. Warning signs: sender not google.com, all genuine notices from play-developer-feedback@google.com.
Phishing emails impersonating Stripe or Square claiming the merchant account has been suspended for suspicious activity, payment processing is disabled, or payouts and bank deposits are on hold pending identity verification. Stripe: 4M+ active businesses; Square: 4M+ sellers. Distinct from PayPal/Venmo personal payment pending phishing — this targets business merchant payment processing. Merchant account suspension means zero revenue from any card transaction immediately — every checkout fails. Stripe Connect payout holds freeze already-earned revenue held in Stripe balance, creating operating capital pressure for cash-flow-dependent businesses. Stripe's identity verification process is a real legitimate flow that attackers clone precisely — fraudulent document upload forms harvest government IDs and payment credentials simultaneously. Square suspension prevents in-person card payment during peak hours, causing immediate customer-facing service failure in restaurants and retail. Stripe dashboard credentials enable payout redirection to attacker bank accounts — the highest-value merchant credential. Warning signs: sender not stripe.com/squareup.com, Stripe never requests verification via email.
Phishing emails impersonating DigitalOcean, Linode (Akamai Cloud), or Vultr claiming the cloud hosting account is suspended, droplets and servers are offline, or managed databases and Kubernetes clusters are at risk. DigitalOcean: 600K+ paid customers ($12-960+/month); Linode: 900K+ users; Vultr: 1.5M+ users. Distinct from hyperscaler (AWS/Azure) and PaaS (Vercel/Netlify) phishing — this targets self-managed VPS infrastructure with no managed failover. VPS suspension kills all hosted infrastructure simultaneously: every Droplet goes offline at once, taking down all hosted websites, APIs, and databases with no automatic failover or enterprise support to fall back on. Developer-first community creates billing-inattentive targets: solo developers and early-stage startups focus on deployment tasks and often miss billing notifications until the urgency notice arrives. Linode's per-hour billing creates 'unexpected charge' credibility for developers with runaway test instances. Managed database suspension is most urgent: databases become inaccessible simultaneously with app servers, causing immediate connection errors. Warning signs: sender not digitalocean.com/linode.com/vultr.com, account suspension always originates from official domain.
Phishing emails impersonating Brex, Mercury, or Ramp claiming suspicious activity was detected, the corporate banking account is suspended, or corporate cards and business payments are frozen. Brex: 20K+ companies; Mercury: 100K+ startups; Ramp: corporate card + AI expense management. Distinct from Wise/Revolut (personal fintech) phishing — this targets startup corporate banking. Mercury account suspension is existential: company cannot initiate ACH transfers, wire payments, or payroll — 'your payroll transfer has been frozen' threatens employees not receiving paychecks, the most urgent business scenario possible. Brex suspension freezes all corporate cards company-wide simultaneously — every employee's card declines, triggering immediate calls to finance. Ramp suspension disrupts both corporate cards and automated bill payment workflows managing recurring vendor subscriptions. Corporate banking credentials are BEC precursors: compromised Mercury/Brex gives attackers direct access to wire transfer controls — the gateway to the largest email fraud category ($3.08B IC3 2024). Startup founders who personally manage banking without treasury controls are prime targets when traveling. Warning signs: sender not brex.com/mercury.com/ramp.com, banking platforms never request credentials via email.
Phishing emails impersonating Snowflake, Databricks, or Fivetran claiming the data platform subscription has failed, queries and pipelines are suspended, or BI dashboards are offline. Snowflake: 9K+ customers; Databricks: 10K+ customers; Fivetran: 5K+ customers. Data warehouse suspension blinds every analytics and BI consumer simultaneously: executive dashboards, engineering reports, and ML model inputs all go dark at once. Snowflake's consumption-based pricing creates genuine billing anxiety — organizations fear cloud cost overruns, making 'unexpected charge' lures particularly credible. Databricks suspension halts ML model training jobs, feature store updates, and MLflow experiment tracking simultaneously — data science teams lose their working environment mid-sprint. Fivetran lapse causes cascading downstream failures: all connectors stop syncing, making data in Snowflake/BigQuery silently stale with no visible indication. Data platform credentials expose all analytical data, ML training datasets, and customer behavioral datasets. Warning signs: sender not snowflake.com/databricks.com/fivetran.com, billing managed in console only.
Phishing emails impersonating HCP Terraform (Terraform Cloud) or HashiCorp Vault claiming the infrastructure subscription payment has failed, workspace runs and remote state are suspended, or Vault dynamic secrets and application credentials are offline. HCP Terraform Plus: $20/user/month; HCP Vault: $0.03-0.07/hr. Terraform Cloud suspension blocks all infrastructure changes organization-wide: CI/CD pipelines that trigger Terraform applies fail, blocking software releases; remote state becomes inaccessible, making local Terraform commands fail with state-lock errors. HashiCorp's IBM acquisition and BSL license change created heightened billing anxiety — 'subscription terms changed, payment verification required' is unusually credible to the Terraform community. HCP Vault suspension is catastrophically disruptive: applications that retrieve database credentials dynamically fail to authenticate; TLS certificates cannot be renewed; Vault transit encryption calls fail — a single Vault suspension cascades into authentication and encryption failures across every service using it. Terraform state files expose complete infrastructure topology, resource IDs, and sometimes plain-text sensitive values. Warning signs: sender not hashicorp.com/app.terraform.io, billing managed in HCP portal only.
Phishing emails impersonating Algolia, Elastic Cloud, or Elasticsearch claiming the search subscription payment has failed, search indexes and query analytics are suspended, or Kibana dashboards and log ingestion are offline. Algolia: 11K+ paying customers ($0-1,000+/month); Elastic Cloud: 3K+ enterprise customers; Typesense, Meilisearch. Search suspension makes product catalogs completely unsearchable — e-commerce product search goes dark, autocomplete disappears, and every search-dependent feature stops functioning immediately, with direct lost-sales impact. Algolia Recommend suspension disables AI-driven product recommendations simultaneously, affecting every product page. Elastic Cloud suspension disables the full ELK stack: log ingestion, Kibana dashboards, security event monitoring, and APM simultaneously — engineering, security, and operations teams all lose observability at once. Elasticsearch data-deletion urgency: 'your cluster will be deleted if payment is not received within 30 days' threatens irreplaceable indexed document data. Warning signs: sender not algolia.com/elastic.co, search billing managed in account dashboard only.
Phishing emails impersonating Retool, Bubble, or Webflow claiming the no-code or internal tool builder subscription payment has failed, internal tools and admin panels are offline, or the no-code app and workflows are no longer accessible. Retool: 7K+ companies ($10-50/user/month); Bubble.io: 3M+ users ($32-249/month); Webflow: $14-212/month. Retool subscription lapse takes down the entire operations team's custom tooling simultaneously — customer service panels, operations dashboards, data management apps all become inaccessible with no immediate alternative; the tools are organization-specific, making suspension uniquely disruptive. Retool billing admins are often CTOs or engineering leads who personally built the tooling, making the notification feel personally urgent. Bubble.io suspension takes live production apps offline, affecting end users who receive errors and cannot access their accounts. Webflow billing failure takes down both the CMS editor and the live public-facing website simultaneously. No-code credentials expose all application data, API integrations, OAuth tokens, and sensitive business operations data. Warning signs: sender not retool.com/bubble.io/webflow.com, billing managed in workspace admin panel only.
Phishing emails impersonating GitHub Enterprise, GitLab, or Bitbucket claiming the DevOps subscription payment has failed, repositories are going offline, or CI/CD pipelines are suspended. GitHub Enterprise: 100K+ organizations ($21/seat/month); GitLab: 30M+ users, Premium $29/seat/month; Bitbucket: $3-6/user/month. Distinct from GitHub Copilot developer tool phishing — this targets source code hosting billing affecting the entire development organization. Repository suspension shuts down the entire dev team: all members simultaneously lose code access, PR review workflows, and automated build pipelines. GitHub Actions CI/CD suspension halts deployment pipelines, preventing security patches and feature releases from reaching customers. GitLab Premium lapse downgrades to Free tier, removing merge approval rules, security scanning, and compliance frameworks. Bitbucket suspension breaks automated Jira integration and Smart Commits. DevOps credentials give attackers access to all source code, deployment secrets, environment variables, and API tokens stored as repository secrets. Warning signs: sender not github.com/gitlab.com/bitbucket.org, billing managed in organization admin settings only.
Phishing emails impersonating Ghost Pro, Beehiiv, or ConvertKit claiming the newsletter subscription payment has failed, subscriber access and paid memberships are suspended, or scheduled publications are no longer sending. Ghost Pro: 300K+ paid blogs ($9-199/month); Beehiiv: 50K+ newsletters ($42-84/month); ConvertKit/Kit: 600K+ creators ($29-79/month). Newsletter creator platform suspension severs the audience relationship: when Ghost Pro lapses, new posts cannot be published, subscriber email delivery stops, paid membership payments are suspended, and the newsletter's custom domain may stop resolving — the creator loses the entire communication channel to subscribers simultaneously. Beehiiv suspension halts newsletters, ad network revenue, and paid subscriber billing across all monetization channels at once. ConvertKit suspension disables automated sequences and product delivery emails — creators selling digital products face support emergencies when purchase confirmation emails stop. Creator platform accounts contain subscriber email lists (tens of thousands of opted-in addresses), paid subscriber financial data, and years of intellectual property. Warning signs: sender not ghost.org/beehiiv.com/convertkit.com, billing managed in account settings only.
Phishing emails impersonating Shopify, BigCommerce, or WooCommerce claiming the subscription payment has failed, the online store and checkout are offline, or the merchant account is suspended. Shopify: 2M+ merchants ($29-299/month); BigCommerce: 60K+ merchants; WooCommerce: 28% of all online stores. Distinct from seller-account-suspended phishing — this targets billing payment failure with store-offline urgency. A store going offline is the most direct revenue-loss phishing hook: when a Shopify subscription lapses, product pages 404, checkout stops accepting orders, and merchants lose all sales revenue in real time — every minute offline is quantifiable lost revenue. Shopify ecosystem lock-in (custom themes, Klaviyo/ReCharge integrations, Shopify Payments, Shopify Capital) makes keeping the account active critically important. BigCommerce suspension takes down headless commerce frontends via product catalog API failure. WooCommerce phishing targets Subscriptions renewal billing and WooPayments. E-commerce credentials expose customer order databases, payment tokenization records, and banking information. Warning signs: sender not shopify.com/bigcommerce.com/woocommerce.com, store status never changed via email.
Phishing emails impersonating HubSpot, Salesforce, or Zendesk claiming the CRM subscription payment has failed, the sales pipeline and opportunity records are suspended, or marketing automation and helpdesk workflows are no longer available. HubSpot: 216K+ customers ($45-3,200/month); Salesforce: 150K+ customers ($25-500/user/month); Zendesk: 100K+ customers ($49-215/agent/month). Distinct from the existing CRM account-suspended/data-export signal. CRM suspension during quarter-close creates maximum organizational pressure: losing Salesforce during Q4 close means every sales rep simultaneously loses pipeline visibility, deal records, and activity tracking — consequences measurable in millions of dollars of revenue impact. HubSpot subscription lapse disables mid-campaign marketing automation — nurture sequences freeze, scheduled campaigns fail, lead scoring stops — breaking demand generation infrastructure with defined revenue targets. Zendesk suspension causes SLA-breach risk: all incoming support tickets stop routing, customer service teams lose ticket history. CRM credentials expose every prospect and customer contact record, deal values, and sales communications — premium BEC follow-on intelligence. Warning signs: sender not hubspot.com/salesforce.com/zendesk.com, billing managed in admin portal only.
Phishing emails impersonating Twilio, SendGrid, Postmark, or Mailgun claiming the communication API subscription payment has failed, the SMS/voice API is offline, or email delivery is suspended. Twilio: 300K+ active accounts ($15-150+/month); SendGrid: 80K+ customers ($15-100/month); Postmark: $15-1,265/month; Mailgun: 150K+ businesses. A suspended Twilio account kills all customer-facing communications: OTP codes fail, order notifications stop, delivery alerts go dark, and any application using Twilio for authentication becomes unusable — the most application-wide urgency of any billing phish. SendGrid suspension breaks transactional email at scale: account activation emails, password reset messages, and order receipts all bounce; new users can't activate accounts. Postmark's deliverability-critical focus makes suspension particularly alarming for developers who chose it specifically for reliability. Segment (Twilio-owned) suspension breaks the entire data stack at once. Communication API credentials give attackers access to phone number pools and messaging credits for spam campaigns at the victim's expense. Warning signs: sender not twilio.com/sendgrid.com/postmarkapp.com/mailgun.com, API billing managed in console only.
Phishing emails impersonating Mixpanel, Amplitude, or Segment claiming the product analytics subscription payment has failed, event tracking and funnel analytics are suspended, or the customer data platform pipeline has stopped routing events. Mixpanel: 30K+ paying customers ($20-833/month); Amplitude: 2,000+ enterprise customers ($61-2,000+/month); Segment (Twilio-owned): $120/month Team. Analytics suspension blinds product teams during active feature releases — when a Mixpanel subscription lapses during a feature launch, teams lose real-time insight into whether the release is succeeding; missing a single day of funnel data during a growth experiment can invalidate weeks of A/B test data. Segment is the highest-leverage single point of failure: one billing lapse stops event routing to Mixpanel, Amplitude, Braze, Salesforce, and data warehouses simultaneously, collapsing the entire analytics infrastructure in one event. Heap's retroactive analytics model creates unique data-loss anxiety — historical behavioral data captured automatically cannot be recreated. Analytics accounts contain server-side API keys, OAuth credentials for data warehouse integrations, and years of behavioral PII. Warning signs: sender not mixpanel.com/amplitude.com/segment.com, analytics billing managed in organization admin portal only.
Phishing emails impersonating Vercel, Netlify, or Railway claiming the subscription payment has failed, deployments and custom domains are going offline, or services and databases are at risk. Vercel: 700K+ teams ($20-400/month); Netlify: 3M+ developers ($19/month Pro); Railway/Render/Supabase: 100K+ teams each. Production deployment suspension is a P0 incident framing — production websites, APIs, and databases going offline affects customers and generates immediate revenue impact. Engineers and technical leads respond to production outage warnings without pausing to verify email authenticity. Railway/Supabase suspension takes down databases (more catastrophic than static sites). Supabase accounts host auth, database, and storage simultaneously — a single billing lapse collapses an entire app stack. Accounts contain API keys, deployment secrets, and database connection strings. Warning signs: sender not vercel.com/netlify.com/railway.app, billing managed in official admin portal only.
Phishing emails impersonating Sentry, Datadog, or PagerDuty claiming the subscription payment has failed, error monitoring and alerts are disabled, or on-call incident routing is suspended. Sentry: 90K+ organizations ($26-80/month); Datadog: 25K+ customers ($15-23/host/month); PagerDuty: 25K+ customers ($21-29/user/month). Disabled error monitoring creates 'flying blind' urgency — Sentry suspension means exceptions go unnoticed and performance regressions are invisible while production traffic continues. Datadog suspension removes infrastructure visibility, disabling SLA-critical dashboards and alert channels simultaneously. PagerDuty suspension is safety-critical: on-call alerting stops firing, meaning production outages at 3 AM produce no engineer notifications. Observability accounts contain API keys for cloud infrastructure, service authentication tokens, and full infrastructure topology — premium attacker intelligence. Warning signs: sender not sentry.io/datadoghq.com/pagerduty.com, monitoring never restored via email link.
Phishing emails impersonating Monday.com, Asana, or ClickUp claiming the subscription payment has failed, team workspace is suspended, or boards and projects are inaccessible. Monday.com: 225K+ customers ($9-19/seat/month); Asana: 126K+ paying organizations ($13.49/seat/month); ClickUp: 800K+ teams. Distinct from workspace-share phishing — this targets billing failure urgency. Workspace suspension affects every team member simultaneously, creating organizational escalation: the billing admin faces pressure from their entire team to restore access immediately, bypassing normal verification behavior. Monday.com boards contain CRM data, HR workflows, marketing calendars, and executive dashboards — a comprehensive business operations hub. Asana timeline suspension during active sprint planning has client delivery consequences. ClickUp's 'everything app' scope means suspension disrupts docs, goals, whiteboards, time tracking, and chat simultaneously. Warning signs: sender not monday.com/asana.com/clickup.com, billing managed in official admin panel only.
Phishing emails impersonating Vimeo, Loom, or Wistia claiming the subscription payment has failed, hosted videos and embedded portfolio are suspended, or shared recordings are inaccessible. Vimeo: 260M+ users, 1.5M+ paid subscribers ($12-65/month Pro/Business); Loom: 25M+ users ($12.50/seat/month, Atlassian-owned); Wistia: $99-399/month, 375K+ businesses. Embedded video suspension is uniquely public-facing — Vimeo Business videos embedded on sales pages, client proposals, and marketing funnels go dark across the entire web presence simultaneously, threatening revenue-generating workflows visible to external audiences. Loom workspace suspension kills async communication infrastructure: all shared recording links break across the organization, collapsing team communication built on screen recordings. Wistia subscription loss means both hosted video content and viewer analytics/heatmaps used for marketing reporting disappear together. Vimeo accounts contain commercially valuable unreleased creative work. Warning signs: sender not vimeo.com/loom.com/wistia.com, video status never changed via email link.
Phishing emails impersonating Plex or Emby claiming the recipient's Plex Pass subscription has failed, their media server remote access is disabled, or shared libraries are suspended. Plex: 25M+ users, 5M+ Plex Pass subscribers ($6.99/month or $149.99 lifetime); Emby Premiere: 1M+ users. Plex's shared library model creates family-disruption urgency — a lapsed Plex Pass means the subscriber's family and friends also lose access to shared movie libraries they use daily, turning an individual billing issue into a social responsibility. Lifetime subscription holders feel confusion when billing notices arrive ('is my lifetime pass expiring?'), making the lure unusually credible. Years of personal media — home videos, legally purchased movies, personal archives — are threatened, not just a streaming subscription. Emby's live TV and DVR features create cord-cutter-critical urgency. Warning signs: sender not plex.tv/emby.media, media server access is never changed via email.
Phishing emails impersonating YNAB, Monarch Money, or Copilot Money claiming the recipient's budgeting subscription payment has failed, their budget data and transaction history are inaccessible, or bank connections are at risk. YNAB: 6M+ users ($14.99/month or $99/year); Monarch Money: growing fast at $14.99/month; Copilot Money: $14.99/month. Personal finance apps link directly to bank accounts via Plaid — compromising credentials gives attackers bank account access beyond the subscription itself. YNAB users have a uniquely deep emotional investment in budget data: years of categorized transactions, zero-based budget rules, and financial history represent a personal financial management system. Monarch Money absorbed millions of Mint refugees (Mint closed 2023) who are acutely sensitive to data loss. Budget apps contain a complete financial dossier: linked accounts, balances, spending patterns, income, loans, investments. Warning signs: sender not ynab.com/monarchmoney.com/copilot.money, sign in directly to check account status.
Phishing emails impersonating Atlassian, Jira, or Confluence claiming the recipient's subscription payment has failed, their Jira projects and sprint boards will be locked, or their Confluence wiki and team documentation are inaccessible. Atlassian: 200K+ enterprise customers; Jira: 10M+ users; Confluence: 60M+ users. Jira suspension creates team-wide business disruption — 'your Jira projects will be locked in 48 hours' threatens active sprints, release blockers, and deployment tickets for an entire engineering team. The billing admin whose individual action prevents team-level catastrophe feels maximum urgency. Distinct from workspace-share phishing — this specifically targets subscription billing failure. Atlassian accounts contain OAuth access to GitHub, Slack, PagerDuty, and 1,000+ marketplace apps. Confluence wiki loss during a product launch means losing architecture specs and runbooks. Warning signs: sender not atlassian.com/jira.com, verify directly at admin.atlassian.com.
Phishing emails impersonating Tidal, Deezer, or Qobuz claiming the recipient's HiFi subscription payment has failed, their lossless audio streaming is suspended, their Dolby Atmos tracks are unavailable, or their hi-res FLAC access has been revoked. Tidal: 3-4M+ subscribers ($19.99/month HiFi Plus); Deezer: 16M+ paid subscribers ($10.99/month Premium); Qobuz: 250K+ audiophile subscribers ($14.99/month Studio). Audiophile identity investment creates a uniquely personal attack — 'your lossless streaming is downgraded to 320kbps' is a quality-of-life disruption immediately felt in every listening session. Qobuz subscribers also buy individual hi-res album downloads ($25 each), making payment cards especially valuable. SoundCloud Go+ (artists' distribution accounts) targets music creators. Warning signs: sender not tidal.com/deezer.com/qobuz.com, streaming quality is never changed via email link.
Phishing emails impersonating WHOOP, Oura Ring, Garmin, or Fitbit claiming the recipient's fitness wearable membership payment has failed, their device has been disabled, or their recovery scores and health data are suspended. WHOOP: 4M+ members ($30/month mandatory); Oura Ring: 1M+ members; Fitbit Premium: 5M+ paid subscribers. WHOOP's hardware-requires-subscription model creates uniquely catastrophic urgency — the physical wearable device stops working without an active membership; no other subscription category can threaten to brick your hardware. 'Your WHOOP device has been disabled' isn't an access problem, it's a $239+ hardware problem. Oura Ring 'readiness score suspended' targets daily wellness routines built around biometric data. Fitbit Premium 'Daily Readiness Score unavailable' hits the data-rich features paid subscribers depend on. Accounts contain health data, payment cards, and linked health app permissions. Warning signs: sender not whoop.com/ouraring.com/fitbit.com/garmin.com, device states are never managed via email link.
Phishing emails impersonating Strava, Zwift, or AllTrails claiming the recipient's training subscription payment has failed, their segment leaderboard access is suspended, or their performance data and training history are at risk. Strava: 80M+ users, 10M+ paid subscribers ($11.99/month); Zwift: 1M+ subscribers ($14.99/month); AllTrails+: 4M+ paid subscribers ($35.99/year). Strava athlete identity investment is a powerful attack vector — years of segment KOM/QOM records, course PRs, and achievement streaks represent real athletic accomplishment; 'your segment history and performance data are at risk' exploits this to bypass skepticism. Zwift uniquely involves real hardware — a $500-3,000 smart trainer ready to ride makes 'your Zwift training access is suspended' a training-disruption event with connected equipment idle. AllTrails 'offline maps suspended' creates wilderness-safety anxiety for hikers who rely on downloaded maps. Warning signs: sender not strava.com/zwift.com/alltrails.com, billing managed in app only.
Phishing emails impersonating GitHub or JetBrains claiming the recipient's GitHub Copilot Business subscription payment has failed, their JetBrains All Products Pack license has expired and their IDEs will switch to read-only mode, or an unauthorized charge was detected. GitHub Copilot: 1.3M+ paid subscribers ($10-19/month; Business $19/seat); JetBrains: millions of subscribers ($249/year All Products Pack for IntelliJ IDEA, PyCharm, WebStorm, DataGrip, CLion). JetBrains license expiry creates a nearly unique urgency: unlike most subscriptions, expired JetBrains licenses cause IDEs to switch to read-only mode — 'your IntelliJ IDEA and PyCharm will switch to read-only mode tonight' threatens active development work and sprint commitments. GitHub Copilot Business suspension disables AI coding assistance for an entire engineering team. Developer accounts contain SSH keys, personal access tokens, private source code, CI/CD secrets, and infrastructure-as-code files. Warning signs: sender not github.com or jetbrains.com, legitimate billing appears in account.jetbrains.com and github.com settings, never via urgent unsolicited email.
Phishing emails impersonating Calm or Headspace claiming the recipient's mindfulness subscription payment has failed, their sleep sounds and Daily Calm sessions are no longer available, or their guided meditation access has been suspended. Calm: 4M+ paid subscribers ($69.99/year); Headspace: 2M+ paid subscribers ($12.99/month Plus). Sleep content urgency creates evening-time vulnerability: 'your Calm sleep sounds and Sleep Stories are unavailable tonight' is most effective when read at bedtime, when users are most actively planning to use the service and least likely to perform careful phishing verification. Daily practice disruption anxiety extends beyond content — meditation streak breaks and coach disconnection feel like personal wellness setbacks. Headspace for Work corporate contracts expose enterprise HR credentials. Meditation app accounts contain personal wellness data including mood logs, anxiety tracking, sleep history, and journal entries — meaningful to users and emotionally motivating to protect. Warning signs: sender not calm.com or headspace.com, subscription issues should be managed via app settings only.
Phishing emails impersonating Grammarly, SEMrush, Ahrefs, or Moz claiming the recipient's professional tool subscription payment has failed, their account has been suspended, or their keyword research data and writing access are at risk. Grammarly 30M+ daily active users / 1M+ Premium-Business subscribers ($12-15/month); SEMrush 1M+ paying subscribers ($119-449/month); Ahrefs 500K+ subscribers ($99-999/month). Grammarly's browser extension presence creates an intimate attack surface — users see the Grammarly icon constantly in every writing session and trust its billing emails implicitly. SEMrush and Ahrefs store active marketing campaign data, client SEO strategies, and competitor intelligence — 'your keyword research and campaigns are no longer accessible' threatens active client deliverables mid-campaign. Professional tool accounts contain OAuth-linked credentials (Google Analytics, Search Console, Google Ads) and confidential business strategy data. Warning signs: sender not grammarly.com/semrush.com/ahrefs.com/moz.com, legitimate billing includes your plan type.
Phishing emails impersonating Noom, WW (Weight Watchers), Jenny Craig, or Optavia claiming the recipient's health coaching subscription payment has failed, their personalized program is suspended, their coach access is revoked, or their tracked progress may be lost. Noom 4M+ subscribers ($60-199/program); WW 4.5M+ subscribers ($25-55/month); Jenny Craig, Optavia, Found. Health-journey-interruption urgency is distinctly powerful: users 3 months into a 16-week program fear losing months of meal logs, weight tracking data, their assigned health coach relationship, and personalized curriculum — the emotional investment in personal health transformation overrides normal phishing skepticism. 'Your Noom coaching access has been revoked' threatens a human relationship, not just software. Health coaching accounts contain sensitive biometric data: weight history, food logs, medical conditions, medications, and coaching records. Warning signs: sender not noom.com/weightwatchers.com/ww.com, legitimate programs include your current progress milestone.
Phishing emails impersonating the New York Times, Wall Street Journal, Washington Post, The Athletic, or The Economist claiming the recipient's digital subscription payment has failed, article access has been suspended, or an unauthorized charge was detected. NYT 10M+ digital subscribers ($17-25/month All Access); WSJ 3.6M+ subscribers ($38.99/month); Washington Post 3M+; The Athletic 3M+; The Economist 1.5M+. Professional news dependency creates distinctive urgency: lawyers, financial professionals, and executives who lose WSJ access during earnings season face professional consequences that override normal phishing skepticism — losing access feels like an urgent work problem, not a leisure inconvenience. The 'article access suspended' lure is uniquely believable because news paywalls genuinely cut off access when subscriptions lapse — users have experienced this naturally. News subscription accounts contain billing information, reading history, and OAuth credentials. Warning signs: sender not nytimes.com/wsj.com/washingtonpost.com/theathletic.com, legitimate publications include your account email and subscription tier.
Phishing emails impersonating Lemonade, Trupanion, ASPCA Pet Insurance, Healthy Paws, or Nationwide Pet claiming the recipient's pet insurance or renters insurance payment has failed, their policy has lapsed, coverage is suspended, or a claim is on hold. Lemonade 2M+ policyholders ($9-67/month); Trupanion 1M+ enrolled pets ($65-100/month); ASPCA Pet Insurance 700K+; Nationwide Pet 1M+. Pet insurance phishing creates medical-urgency-for-pets: 'your Trupanion coverage has lapsed and your upcoming vet appointment will not be reimbursed' threatens pet health costs the owner expects to be covered — especially powerful for owners managing chronic conditions (cancer, diabetes, orthopedic) with regular treatment schedules where average claim reimbursements are $1,200-2,500. Renters insurance variant: 'your Lemonade coverage has lapsed — your belongings and liability are unprotected' creates housing-vulnerability anxiety. Accounts contain SSN, pet medical history, vet contact, bank routing number for claim reimbursements. Warning signs: sender not lemonade.com/trupanion.com, legitimate policies include your policy number and pet's name.
Phishing emails impersonating Klarna, Afterpay, Affirm, or Sezzle claiming the recipient's BNPL account has been suspended due to an overdue payment, their pay-in-4 plan is on hold with orders at risk of cancellation, or an unauthorized purchase was detected. Klarna 85M+ active consumers ($20B+ annual transactions); Afterpay 20M+ customers; Affirm 18M+ consumers. BNPL creates a uniquely powerful urgency vector: a suspended account can mean in-progress purchase orders are cancelled — a shopper who just purchased electronics or goods on Klarna Pay in 4 and receives 'your installment plan is on hold and your order is at risk' faces immediate, concrete loss pressure beyond simple account access. BNPL accounts hold bank account routing numbers (ACH-linked), credit/debit cards, SSN from credit check, and purchase history — premium identity theft targets enabling fraudulent purchases at any of 500,000+ merchant partners. Warning signs: sender not klarna.com/afterpay.com/affirm.com/sezzle.com, legitimate emails include your specific order number.
Phishing emails impersonating TurboTax, H&R Block, TaxAct, or FreeTaxUSA claiming the recipient's tax software account has been locked for suspicious activity, their in-progress tax return is inaccessible, their prior-year documents are at risk, or their filing fee payment failed. TurboTax 40M+ users; H&R Block 23M+ online users; TaxAct 7M+. Tax software phishing peaks January 15–April 15 when users have actively in-progress returns and face the April 15 deadline — 'your TurboTax account is locked and your in-progress tax return may be lost' creates maximum urgency. Distinct from the tax refund advance scam: this attack targets account credentials to steal the actual IRS refund by changing the bank account routing number, or to file a fraudulent return before the victim does. Accounts contain SSN, W-2/1099 data, AGI, and bank routing number for refund deposit. Warning signs: sender not turbotax.com/hrblock.com/taxact.com/intuit.com, legitimate notices include partial SSN confirmation.
Phishing emails impersonating Starbucks, Dunkin, Chipotle, or McDonald's claiming the recipient's restaurant loyalty rewards account has been suspended, their Stars or points are at risk of expiring, a free reward is about to be forfeited, or an unauthorized redemption was detected. Starbucks Rewards 34M+ active members (largest US restaurant loyalty program); Dunkin Rewards 12M+; Chipotle Rewards 30M+; McDonald's MyMcDonald's 15M+. The daily habit element makes this distinctly effective: Starbucks and Dunkin users check their apps every morning before purchase — a 'your account is suspended' alert at 7:00 AM creates maximum urgency with minimum time for sender verification. Starbucks Stars and Gold Status represent real monetary value from real purchases, making 'your Stars are at risk' emotionally weighted beyond mere access loss. Chipotle's gamified free entrée offers create anticipation-based urgency — 'your earned free entrée is at risk of forfeiture' hits differently than abstract streaming access. Restaurant loyalty accounts store home address, payment methods, and purchase history. Warning signs: sender not starbucks.com/dunkin.com/chipotle.com/mcdonalds.com, legitimate communications include your current Star or point balance.
Phishing emails impersonating Sephora Beauty Insider or Ulta Beauty Rewards claiming the recipient's beauty loyalty account has been suspended, their points are at risk of forfeiture, their Rouge or Platinum tier status is at risk, a payment has failed, or an unauthorized purchase was detected. Sephora Beauty Insider 35M+ members (Rouge tier at $1,000+ annual spend creates extreme tier-protection anxiety; losing Rouge access threatens exclusive early product access and events earned through hundreds of dollars of purchases); Ulta Beauty Rewards 42M+ active members (largest beauty loyalty program in the US; Diamond tier at $1,200+ annual spend; points accumulate to $100+ per year in value for top-tier members). Both programs are checked frequently — Beauty Insider members average 9-12 purchases per year and regularly monitor point balances, birthday rewards, and tier progress, making 'account suspended' lures credible at any time. Bath & Body Works (37M+ Rewards members), Nordstrom Nordy Club (12M+), and Macy's Star Rewards (30M+) are secondary targets in this category. Accounts contain payment methods, home address, purchase history, and skin/shade profile data. Warning signs: sender not sephora.com or ulta.com, legitimate communications include your current point balance and tier status.
Phishing emails impersonating Duolingo, MasterClass, Udemy, or Skillshare claiming the recipient's learning subscription payment has failed, their course access has been suspended, or their Duolingo streak is at risk. Duolingo 74M+ MAU with 20M+ Super subscribers ($6.99/month); MasterClass 10M+ subscribers ($180/year); Udemy 62M+ learners; Skillshare 12M+ members. Duolingo's streak mechanic creates a uniquely powerful lure — users with 500+ day streaks act immediately when streak protection is threatened, a level of emotional urgency absent from standard access-loss threats. MasterClass creates financial urgency through annual pricing: losing a $180/year subscription feels like losing a concrete investment. Udemy certificate anxiety: course completion certificates are submitted with job applications, making 'your certificates are no longer accessible' a career threat. Warning signs: sender not duolingo.com/masterclass.com/udemy.com/skillshare.com, resolve billing only via the official app.
Phishing emails impersonating Rover, TaskRabbit, or Handy claiming the recipient's account has been suspended, their Tasker payment is on hold, or an upcoming pet sitting or home cleaning booking has been cancelled. Rover 5M+ pet owners with 2M+ pet care providers; TaskRabbit 2M+ Taskers; Handy 3M+ customers. Rover's pet sitting lure is uniquely emotional: a traveler who receives 'your pet sitting booking has been cancelled' days before departure faces an acute, time-sensitive problem that bypasses all phishing skepticism. TaskRabbit payment-hold targets gig workers' financial urgency. Handy's cleaning subscriptions auto-charge, and some customers share home lock codes through the platform — account compromise risks physical home security. These accounts contain home address, service schedule (revealing unoccupied periods), payment methods, and sometimes physical access codes. Warning signs: sender not rover.com/taskrabbit.com/handy.com/angi.com, legitimate notices include your specific booking and pet details.
Phishing emails impersonating Crunchyroll, Paramount+, Peacock, or Discovery+ claiming the recipient's streaming subscription payment has failed, their streaming access has been suspended, or an unauthorized charge was detected. Crunchyroll 13M+ premium subscribers (world's largest anime streaming platform); Paramount+ 71M+ subscribers (home to NFL, UEFA Champions League, and CBS); Peacock 34M+ paid subscribers (home to NFL, Premier League, and NBC content); Discovery+ 24M+. Second-tier streaming platforms are more vulnerable than Netflix/Disney+ because users have lower security awareness toward them and genuinely lose track of billing dates across multiple subscriptions. Paramount+ and Peacock users face sports-urgency: a billing failure email before a big game creates acute access anxiety. Crunchyroll anime fans face weekly simulcast urgency. APWG 2024: streaming impersonation up 280% YoY, second-tier platforms now 40% of all streaming phishing. Warning signs: sender not crunchyroll.com/paramountplus.com/peacocktv.com/discoveryplus.com.
Phishing emails impersonating Audible, Kindle Unlimited, or Scribd claiming the recipient's audiobook membership payment has failed, their pre-paid Audible credits are at risk, their ebook access has been suspended, or an unauthorized charge was detected. Audible 40M+ subscribers ($14.95/month, one credit per month each worth $14.95-30+ redeemable for any audiobook); Kindle Unlimited 10M+ subscribers ($11.99/month); Scribd 1M+. Audible credits are a uniquely tangible loss vector: users who know they have 2-3 unused credits feel immediate monetary loss ($30-45 in concrete value) — unlike vague 'streaming access' threats. The Audible/Amazon brand overlap causes users to mistakenly enter Amazon credentials on a fake page. Kindle Unlimited users lose simultaneous access to multiple in-progress ebooks, creating multi-book anxiety. Warning signs: sender not audible.com or amazon.com, Audible billing emails always state your exact credit balance.
Phishing emails impersonating Peloton, Planet Fitness, ClassPass, or OrangeTheory claiming the recipient's fitness membership payment has failed, their gym access has been suspended, or their Peloton equipment is no longer functional without an active membership. Peloton 3M+ All-Access Membership subscribers ($44.99/month); Planet Fitness 18M+ members (largest US gym chain); ClassPass 30M+ registered users. Peloton creates a uniquely powerful urgency: a $1,495-3,495 Bike/Tread/Row becomes non-functional without the membership, making 'equipment access suspended' an extreme sunk-cost threat that drives immediate action. Planet Fitness members pay $10-25/month — so low that a billing failure feels like an administrative error requiring immediate correction. ClassPass users fear losing the ability to book already-planned workout sessions. Payment card theft is the primary objective; accounts also store biometric and fitness health data. Warning signs: sender not onepeloton.com/planetfitness.com/classpass.com, Peloton emails come from onepeloton.com not peloton.com.
Phishing emails impersonating Chewy, BarkBox, The Farmer's Dog, or Nom Nom claiming the recipient's pet food autoship payment has failed, their upcoming delivery has been paused or cancelled, or an unauthorized order was placed. Chewy 20M+ active customers ($10.3B annual revenue; Autoship is 75% of revenue and designed to be automatic — billing notifications are expected and trusted); BarkBox 1M+ subscribers ($35/month); The Farmer's Dog 500K+ subscribers ($100-300/month premium fresh food). Pet owners treat their pet's nutrition as a high-priority responsibility — 'your pet's food delivery has been paused' creates emotional urgency that overrides normal phishing skepticism. Premium fresh pet food subscribers (Farmer's Dog, Nom Nom) can't easily substitute with grocery store alternatives, heightening urgency. Payment card theft is the primary goal; accounts also store home address and pet health/prescription information. Warning signs: sender not chewy.com/barkbox.com/thefarmersdog.com, legitimate Chewy emails include your pet's name and order details.
Phishing emails impersonating Ancestry, 23andMe, or MyHeritage claiming the recipient's DNA account has been suspended, their genetic data and family tree are inaccessible, or a data breach has exposed their DNA results. Ancestry 3M+ paid subscribers; 23andMe 14M+ customers (filed for bankruptcy 2024 after 2023 breach exposed 6.9M profiles); MyHeritage 4M+. Genetic data is uniquely irreplaceable — unlike passwords or SSNs, DNA cannot be changed; it also identifies biological relatives who never opted in. The 23andMe bankruptcy raised real questions about genetic database ownership during acquisition, making security alerts feel both credible and urgent. Ancestry users receive legitimate 'new DNA match' emails constantly, conditioning them to click without sender verification. Compromised accounts expose raw DNA files, health predisposition reports (BRCA, Alzheimer's risk), and family matching data. Warning signs: sender not ancestry.com/23andme.com/myheritage.com, access security alerts only via the official app.
Phishing emails impersonating HelloFresh, Blue Apron, Green Chef, or Factor claiming the recipient's meal kit subscription payment has failed, their upcoming delivery has been paused, or their subscription has been cancelled. HelloFresh 7M+ active customers (world's largest meal kit company); Factor 1M+; EveryPlate 1M+. Meal kit subscriptions bill weekly — legitimate billing communications arrive constantly, conditioning users to act on billing failure emails without sender scrutiny. The 'delivery paused' lure creates immediate household urgency: no dinner ingredients for the week. Subscription management (pause/resume/skip) is legitimately complex and billing re-authorization is a real, common event — making fake billing failure emails highly plausible. Payment card theft is the primary goal; the fake 'billing update' page collects full card details. Warning signs: sender not hellofresh.com/blueapron.com/greenchef.com/factor75.com, legitimate emails include plan details and last-four card digits.
Phishing emails impersonating Indeed, Glassdoor, or ZipRecruiter claiming the recipient's job board account has been suspended for suspicious activity, their resume and profile are no longer visible to employers, or unauthorized access was detected. Indeed 350M+ registered users; Glassdoor 60M+ monthly users; ZipRecruiter 12M+ active job seekers. Job board accounts contain resumes with SSN, home address, employment history, and salary information — a complete identity package. Employment anxiety makes users act immediately: when actively job hunting, any account suspension feels like a career emergency that can't wait for verification. The 'identity verification required to continue applying' variant succeeds because major job boards do legitimately require identity verification for certain applications. Warning signs: sender not indeed.com/glassdoor.com/ziprecruiter.com, resolve any account issue only via direct navigation to the official site.
Phishing emails impersonating BetterHelp, Talkspace, Teladoc, or Cerebral claiming the recipient's therapy subscription payment has failed, their therapy sessions are suspended, or unauthorized access was detected on their mental health account. BetterHelp 4M+ active subscribers ($95-425/month); Talkspace 2M+ users; Teladoc Health 60M+ members. Telehealth accounts contain HIPAA-protected health information including therapy session histories, diagnoses, medication information, and mental health intake questionnaires — PHI sells for $250-500 per record on dark web markets (10x the value of financial records). The therapy billing failure lure is psychologically targeted: therapy is appointment-based, and patients' fear of interrupting treatment creates both urgency and heightened emotional vulnerability. Warning signs: sender not betterhelp.com/talkspace.com/teladoc.com/cerebral.com, any billing issue should be resolved only via the official app.
Phishing emails impersonating Chime, SoFi Bank, Ally Bank, or Marcus by Goldman Sachs claiming the recipient's online banking account has been suspended or locked for suspicious activity, or an unauthorized transaction was detected. Chime 22M+ account holders; SoFi 9M+ members; Ally Bank 11M+ customers; Marcus 10M+ customers. Online-only banks rely exclusively on digital communication — no branch to walk into means all customer service happens by email, so users are pre-conditioned to act on account security alerts without suspicion. Chime users often depend on direct deposits as their primary banking source, making a 'suspended account' notification highly urgent. Ally/Marcus users typically hold higher savings balances, making them high-value credential theft targets. Compromising one login gives access to checking, savings, debit card, and connected accounts. Warning signs: sender not chime.com/sofi.com/ally.com/marcus.com, instead of following a login link in a security email, navigate directly via typed URL or official app.
Phishing emails impersonating Walmart+, Sam's Club, or Costco claiming the recipient's warehouse club membership payment has failed, been cancelled, or an unauthorized charge was detected. Walmart+ 23M+ subscribers ($12.95/month); Sam's Club 50M+ members ($50-110/year); Costco 73M+ cardholders ($65-130/year) — one of the largest combined subscription pools in the US. Membership billing failure emails are normal customer lifecycle communications for all three platforms, conditioning users to act on them without scrutinizing the sender. 'Membership cancelled' creates practical urgency: Costco members can't shop without an active card, Sam's Club loses bulk-discount access, Walmart+ loses free delivery. Payment card harvest is the primary objective — attackers redirect to a near-perfect fake renewal page. Warning signs: sender not walmart.com/samsclub.com/costco.com, legitimate renewal emails include your member ID and last-four card digits.
Phishing emails impersonating DraftKings, FanDuel, BetMGM, or Caesars Sportsbook claiming the recipient's sports betting account has been suspended, funds withheld pending identity verification, or unauthorized access detected. DraftKings 6.6M+ MAU; FanDuel 8M+ MAU; BetMGM 5M+. Sportsbook accounts hold real cash balances plus SSN and full bank details required for KYC/AML compliance — a complete financial identity profile. The 'identity verification required' lure is highly credible because sportsbooks genuinely do require periodic KYC re-verification and hold withdrawals during account reviews. The 'funds withheld' variant exploits the fact that sportsbooks can legally hold winnings during an investigation, making the lure financially acute. Sports betting is now legal in 35+ US states with explosive growth. Warning signs: sender not draftkings.com/fanduel.com/betmgm.com, identity verification is always completed in-app, any email claiming to hold funds pending verification is a red flag.
Phishing emails impersonating USAA, Navy Federal Credit Union, or PenFed (Pentagon Federal) claiming the recipient's military banking account has been suspended, locked, or flagged for unauthorized activity — directing them to sign in and verify identity. USAA 13M+ members; Navy Federal 13M+; PenFed 2.7M+. Military banking accounts are uniquely valuable — USAA provides banking, insurance, investments, and auto/home loans under one credential, so one compromised login exposes all. Military members are specifically targeted: frequent PCS moves delay detection of suspicious activity; deployed members can't immediately respond to security alerts; young enlisted (18-22) have guaranteed income and may be less fraud-savvy. Security clearance holders are extra-vulnerable — a compromised identity can jeopardize clearance renewal. Warning signs: sender not usaa.com/navyfederal.org/penfed.org, military banks never email from external alert domains, always access banking via typed URL or official app.
Phishing emails impersonating Xbox, PlayStation, or Nintendo claiming a gaming subscription payment has failed, online multiplayer access has been suspended, or an unauthorized charge was detected. Xbox Game Pass Ultimate: ~34M subscribers ($15-20/month); PS Plus: 47M+ subscribers; Nintendo Switch Online: 38M+ subscribers. The 'payment failed → access suspended' hook causes immediate disruption — losing online multiplayer mid-session or access to 100+ game library titles creates acute urgency. Different attack from account-ban phishing — specifically exploits billing failure workflows. Unauthorized charge variant succeeds because gaming subscription line items on bank statements are often unrecognized. Warning signs: sender not xbox.com/microsoft.com/playstation.com/nintendo.com, legitimate billing issues appear in-app, any email directing to a login page to restore gaming access is suspicious.
Phishing emails impersonating Marriott Bonvoy, Hilton Honors, IHG One Rewards, or World of Hyatt claiming an unauthorized hotel reservation was made, the loyalty account was suspended, or points were redeemed without authorization. Marriott Bonvoy: 200M+ members; Hilton Honors: 180M+; IHG One Rewards: 110M+; World of Hyatt: 42M+. Hotel loyalty accounts store payment cards, passport numbers, and corporate billing codes — a full identity theft package. The unauthorized booking pretext creates compressed urgency (cancel before checkout deadline) that suppresses verification. The 2018 Marriott breach (500M records) and 2022 IHG breach give attackers plausible cover. Hotel points ($500-5,000 value) are actively traded on dark web markets for $3-15 per account. Warning signs: sender not marriott.com/hilton.com/ihg.com/hyatt.com, always navigate to loyalty apps directly, never via email link.
Phishing emails impersonating Hertz, Enterprise Rent-A-Car, Avis, National, or Budget claiming an unauthorized charge was detected on the rental loyalty account, their account has been suspended, or a damage charge requires dispute. Hertz Gold Plus Rewards 32M+ members; Enterprise Emerald Club 17M+. The 2025 Cleo breach exposed 9.5M+ Hertz customers — attackers immediately launched breach-notification phishing lures. The 'rental damage charge' variant ($300-$2,000) is especially effective because damage disputes are genuinely common and customers can't verify without logging in. Car rental accounts contain payment cards, driver's license numbers, and corporate billing codes. Warning signs: sender not hertz.com/enterprise.com/avis.com, no rental confirmation number, round-number damage charge.
Phishing emails impersonating X, Snapchat, or Telegram claiming the premium subscription payment failed or the blue checkmark has been removed. X: 250M+ DAU, 8M+ Premium subscribers ($8-11/month); Snapchat+ 7M+ subscribers; Telegram Premium 6M+. The 'your blue checkmark has been removed' hook uniquely triggers both vanity urgency and business continuity concern — checkmarks represent months of qualification effort and protect against impersonation. Attacks coincide with X's volatile subscription price changes when users are already anxious. Warning signs: sender not x.com/twitter.com/snapchat.com/telegram.org, X billing issues appear in-app not via cold email, checkmark removal via email link is always phishing.
Phishing emails impersonating Fiverr or Upwork claiming the recipient's seller account has been suspended for a policy violation, earnings are withheld, or active gigs/contracts have been paused. Fiverr: 4M+ active sellers; Upwork: 18M+ registered freelancers. The 'earnings withheld pending verification' variant is highest-yield — combines financial loss urgency with KYC pretext, directing victims to provide SSN or bank routing numbers. Pro/Top-Rated sellers targeted most aggressively (more to lose, more in pipeline). 59M+ Americans did freelance work in 2023 — massive victim pool. Warning signs: sender not fiverr.com/upwork.com, no specific contract ID or gig title, request for SSN or bank details via link.
Phishing emails impersonating NordVPN, ExpressVPN, Surfshark, or ProtonVPN claiming the recipient's VPN subscription has expired or payment failed — warning their IP address is now exposed and internet activity is unencrypted. NordVPN 14M+ users; ExpressVPN 4M+; Surfshark 2M+. Uniquely combines financial urgency (subscription lapsed) with privacy/security anxiety ('your IP is visible to hackers and ISP') — a dual emotional trigger creating high-urgency, low-deliberation clicks. Targets privacy-conscious users who specifically fear surveillance. Phishing page typically harvests payment card details under 'renewal' guise. Warning signs: sender not nordvpn.com/expressvpn.com/surfshark.com, VPN billing issues appear in-app not via cold email, 'your IP is exposed' is panic language not information.
Phishing emails impersonating Poshmark, Mercari, Depop, or Vinted claiming the recipient's seller account has been suspended for unusual activity, their payout or earnings have been withheld pending identity verification, or their listings have been removed. Poshmark 80M+ users; Mercari 20M+ US users; Depop 35M+ (Gen Z-dominant); Vinted 50M+ EU users. The 'payout withheld — verify bank account' variant is highest-yield: combines financial urgency (real earnings held) with a plausible KYC pretext, harvesting banking credentials and SSN. Sellers who've built reputation scores, ratings, and follower bases panic at suspension notices. Lower security sophistication than large marketplace sellers. Warning signs: sender not poshmark.com/mercari.com/depop.com/vinted.com, no specific listing ID or transaction reference, payout amounts differ from actual earnings.
Phishing emails impersonating Tinder, Bumble, Hinge, or Match.com claiming the recipient's premium subscription payment has failed, their Tinder Gold, Bumble Premium, or Hinge Preferred features have been suspended. Distinct from romance scam phishing (fake relationships) — this impersonates the PLATFORM itself using billing urgency. Tinder 75M+ MAU; Bumble 42M+; Hinge 23M+; Match.com 9M+ paid subscribers. Premium billing failure + 'you might miss a match' social urgency = powerful dual motivator that drives clicks without domain scrutiny. Targets the 18-35 demographic. Warning signs: sender not tinder.com/bumble.com/hinge.co/match.com, no renewal date or last 4 card digits, unsolicited billing failure without recent actual missed payment.
Phishing emails impersonating LastPass, 1Password, Bitwarden, Dashlane, or Keeper claiming the recipient's password vault was compromised, their account was suspended for unusual activity, vault encryption is compromised, or stored passwords are at risk. Master password capture unlocks EVERY login the victim has ever saved — banking, email, work systems, healthcare, investments — from a single phish. LastPass 33M+ users; 1Password 8M+; Bitwarden 8M+; Dashlane 15M+. The 2022 LastPass breach still drives impersonation campaigns ('you may have been affected — verify your vault now'). Business impact is catastrophic: captured employee vault master passwords expose all shared team credentials, admin portals, and cloud infrastructure. Warning signs: sender not lastpass.com/1password.com/bitwarden.com, any email asking to 'export your vault' or 'enter your master password via a link' is always phishing — real alerts appear inside the app.
Phishing emails impersonating LinkedIn claiming the recipient's LinkedIn Premium Career, Sales Navigator, Recruiter Lite, or LinkedIn Learning subscription payment has failed or their account has been suspended — directing them to update billing to restore Premium benefits. LinkedIn has 900M+ users with 39M+ Premium subscribers at $39.99–$119.99/month. Distinct from LinkedIn account compromise phishing — this specifically targets PAYING subscribers with financial urgency: 'your InMail credits are now unavailable,' 'you can no longer see who viewed your profile.' Captured LinkedIn credentials expose full work history, direct messages, business contacts, salary conversations, and allow BEC-style attacks on all professional connections. Spikes in January (job-seeking season) and Q3 (annual reviews). Warning signs: sender not linkedin.com, no subscription type or renewal date, unsolicited billing failure without recent missed payment.
Phishing emails impersonating Xero, FreshBooks, or Wave Accounting claiming a subscription has been suspended, account payment failed, invoices are inaccessible, or payroll has been suspended. Distinct from the QuickBooks/Intuit signal. Xero has 3.5M+ subscribers (dominant in UK, AU, NZ, Canada); FreshBooks 30M+ users; Wave 5M+ small businesses. When accounting access is cut, client invoicing fails, payroll stops, and tax deadlines loom — extreme urgency for small business owners. Compromised accountant accounts expose all their clients' financial data simultaneously. The 'payroll suspended' variant forces immediate action to avoid employees missing pay. Warning signs: sender not xero.com/freshbooks.com/waveapps.com, no subscription name or billing date, urgency about data loss or payroll failure.
Phishing emails impersonating Uber Eats, DoorDash, Grubhub, or Instacart claiming an unauthorized charge was detected, the account is suspended due to a payment issue, a refund is pending requiring verification, or an order cannot be delivered. Uber Eats 90M+ consumers; DoorDash 37M+; Grubhub 33M+. The 'unauthorized charge' variant ($60–$120 realistic order amount) combines financial urgency with account security fear — recipients act before checking sender domain. The 'refund pending — verify account' variant uses reward psychology instead of threat. Distinct from the Uber/Lyft driver signal (gig workers); this targets consumers. Warning signs: sender not uber.com/doordash.com/grubhub.com, no order ID or restaurant name, round-number charge amounts.
Phishing emails impersonating Microsoft 365, Office 365, Exchange Online, or Microsoft Defender for Office 365 claiming the recipient has N quarantined messages requiring release, email delivery is on hold, or messages will be permanently deleted unless they sign in. Cofense 2024: quarantine-release phishing is a top-3 enterprise credential harvest vector. M365 has 300M+ monthly active users who receive genuine quarantine digests daily — attackers exploit this conditioned 'click to release' behavior perfectly. Replicates the exact Microsoft quarantine email format; distinguishable only by sender domain. Harvested M365 credentials unlock email, SharePoint, Teams, OneDrive, and Azure AD simultaneously. Warning signs: sender not microsoft.com/protection.outlook.com, no employee name, round quarantine numbers, urgency about deletion within 24 hours (real quarantine holds 30 days).
Phishing emails impersonating HubSpot, Salesforce, Zoho CRM, or Pipedrive claiming the CRM account is suspended, Salesforce license is expiring with data at risk, a data export is ready for download, or unusual access was detected. HubSpot: 216,000+ customers; Salesforce: 150,000+ enterprise customers; Zoho CRM: 100M+ users. CRM credentials expose ALL customer contact data, deal pipelines, and sales communications — the company's most sensitive business asset. Attackers use CRM access for follow-on BEC attacks (impersonating sales reps to redirect invoice payments) and sell the contact database. The 'data export ready — sign in to download' variant is unusually low-suspicion. Warning signs: sender not hubspot.com/salesforce.com, no portal ID or org name, urgency about data deletion.
Phishing emails impersonating Okta, Azure Active Directory, Microsoft Entra ID, or OneLogin claiming the recipient's SSO account has been suspended, session expired requiring re-authentication, or MFA authenticator needs re-enrollment. Okta serves 18,000+ enterprise customers; Azure AD has 600M+ users; APWG 2024: IdP phishing grew 340% YoY. A single Okta or Entra ID credential is the 'master key' giving simultaneous access to email, Slack, GitHub, Salesforce, Jira, and every SSO-connected enterprise app at once. The Twilio, Caesars Entertainment, and MGM Resorts breaches all started with Okta credential phishing. Warning signs: sender not okta.com/microsoft.com, generic 'company portal' link, no organization name or app names referenced.
Phishing emails impersonating Apple claiming the recipient's Apple Developer account has been suspended for a policy violation, development certificates have been revoked, App Store Connect access is disabled, or Developer Program membership payment failed. Apple Developer Program has 34M+ registered developers and 5M+ active publishers. When certificates are revoked, ALL apps immediately stop working on every iOS/macOS device worldwide — catastrophic revenue loss for app businesses. Account access lets attackers delete published apps, reject pending submissions, access enterprise distribution certificates, and compromise corporate iOS deployments. Warning signs: sender not apple.com, no Team ID or bundle identifier referenced, urgency about certificates expiring within hours.
Phishing emails impersonating Cloudflare claiming the recipient's account has been suspended, flagged, or their DDoS protection has expired or been disabled — directing them to sign in or update billing to restore website security. Distinct from ClickFix CAPTCHA scams which use Cloudflare branding as a fake verification step. Cloudflare has 33M+ registered users and powers 20%+ of the global web. 'DDoS protection disabled' triggers catastrophic urgency for any website owner. Account compromise gives attackers control over all DNS records — enabling domain hijacking, SSL certificate issuance, and redirection to phishing or scam pages. Warning signs: sender not cloudflare.com, no account ID or domain names referenced, urgency about website going offline immediately.
Phishing emails impersonating Ring, Google Nest, SimpliSafe, or ADT claiming a home security subscription payment has failed, the Ring Protect Plan or Nest Aware subscription has expired, or professional monitoring will be disabled. Ring has 10M+ Protect subscribers; Nest Aware 5M+; SimpliSafe 4M+ customers; FTC 2025: smart home subscription impersonation grew 210% YoY. The threat of home cameras going dark or alarm monitoring being cut triggers intense personal fear that overrides rational verification. Attackers gain account credentials (live camera access, door lock control, motion history) AND the payment card, plus the home address and daily movement patterns. Warning signs: sender not ring.com/nest.com/simplisafe.com, no camera model or plan name, urgency about home being unprotected.
Phishing emails impersonating Wix, Squarespace, or Weebly claiming a Premium plan payment failed, the website plan expired, or the website is now offline. Wix has 220M+ registered users; Squarespace 4M+ paid subscribers. For a small business, e-commerce store, or service provider, a website going offline triggers extreme urgency — lost orders, no appointment bookings, and reputation damage. Attackers harvest account credentials AND the payment card on file, then may redirect the domain to a phishing or scam page. Warning signs: sender not wix.com/squarespace.com, no specific website URL or plan name, link to non-official login, urgency about site going offline immediately.
Phishing emails impersonating Mailchimp, ConvertKit, Klaviyo, or Constant Contact claiming the account is suspended for spam complaints or a policy violation, sending is paused, or a plan payment failed. Mailchimp has 14M+ active users. For e-commerce brands, a sending suspension kills promotional campaigns, cart abandonment flows, and welcome series — directly costing revenue. 'Suspended for spam complaints' is unusually believable because email platforms DO suspend accounts for high complaint rates. Account compromise exposes the entire subscriber list (the business's most valuable asset), enabling mass fraud emails to all customers. Warning signs: sender not mailchimp.com/klaviyo.com, no specific complaint rate or campaign details, link to non-official portal.
Phishing emails impersonating Patreon, Substack, Ko-fi, or Gumroad claiming a creator's payout has been placed on hold, earnings withheld, or account suspended — directing them to verify banking details or sign in to release earnings. Patreon has 250K+ active creators; Substack 35M+ paid subscriptions; APWG 2024: creator platform impersonation grew 195% YoY. Payout holds are a real platform event (identity verification, tax forms, first-payment holds), so recipients are pre-primed to accept fake versions. Account compromise lets attackers redirect future payouts to their own bank account and send scam messages to the creator's entire follower/subscriber base. Warning signs: sender not patreon.com/substack.com/ko-fi.com, no payout date or amount, link to non-official portal.
Phishing emails impersonating Canva claiming a Canva Pro or Canva Teams subscription payment failed, the account is suspended, or designs and Brand Kit will be permanently deleted unless billing is updated. Distinct from the design-file-share lure — this is a subscription billing/account crisis lure. Canva has 135M+ registered users and 15M+ Pro/Teams subscribers. Small businesses and marketing teams lose access to Brand Kits, logo libraries, and team templates mid-campaign, creating extreme urgency. Warning signs: sender not canva.com, no plan/team name or billing date referenced, link to non-Canva domain, urgency about permanent design deletion.
Phishing emails impersonating Adobe claiming a Creative Cloud subscription payment failed, the Adobe account is suspended for unusual activity, or the subscription is expiring — directing victims to sign in or update billing to restore access to Photoshop, Illustrator, Premiere Pro, After Effects, or Acrobat. Adobe has 35M+ paid Creative Cloud subscribers. Creative professionals face high urgency: losing tool access mid-project means missed client deadlines and lost revenue. Adobe is consistently a top-20 most impersonated brand (APWG 2024). The credential capture also exposes licensed fonts, stock assets, cloud documents, and the payment card on file. Warning signs: sender not adobe.com, no subscription plan or billing date in the email, link to non-Adobe domain, urgency about losing all Creative Cloud app access.
Phishing emails impersonating Google AdSense claiming publisher earnings have been placed on hold, the account is suspended for invalid click activity, or identity/tax verification is required to release pending payments. For high-traffic website publishers, AdSense payments can represent $500–$10,000+/month of passive income — making a payment hold extremely urgent. Legitimate AdSense holds are genuinely common (identity verification, tax forms, first-payment thresholds), making fake versions highly believable. Account compromise lets attackers redirect AdSense payments to their own bank account. Warning signs: sender not google.com, no publisher ID or payment amount in the email, link to non-Google domain, generic 'verify identity' rather than a Google-authenticated flow.
Phishing emails impersonating Apple Pay, Google Pay, Samsung Pay, or Apple Wallet claiming a transaction was declined, the wallet account is suspended for unusual activity, or a payment method has expired. Zimperium 2024: digital wallet phishing grew 340% YoY as contactless payments went mainstream. Apple Pay has 500M+ users globally. The credential impact extends far beyond the wallet: a spoofed 'Apple Pay — verify your Apple ID' page captures full Apple ID credentials, giving access to iCloud, iMessage, Keychain, and App Store. A fake 'Google Pay' page grants access to Gmail, Drive, and all Google Workspace. Warning signs: sender not apple.com/google.com/samsung.com, no last-four-digits of card in the email, link to non-official domain, urgency about permanent wallet suspension.
Phishing emails impersonating OpenAI, ChatGPT Plus, Google Gemini Advanced, Anthropic Claude, or Microsoft Copilot claiming a subscription payment failed, the account is suspended for a usage policy violation, or the subscription is expiring. Kaspersky 2025: AI brand impersonation grew 1,200% YoY; APWG Q1 2026: OpenAI is a top-10 most impersonated brand. Account takeover is high-value: attackers access confidential ChatGPT conversation history (strategy, code, customer data), exploit remaining API tokens for LLM jailbreaking services, and steal API keys for use in the victim's own AI applications. The Gemini variant captures Google account credentials — equivalent to full enterprise compromise for Google Workspace users. Warning signs: sender not openai.com/anthropic.com/google.com, no subscription tier or last payment date, link to non-official portal.
Phishing emails impersonating Bluehost, GoDaddy, HostGator, Namecheap, SiteGround, or Hostinger claiming a hosting account is suspended for malware, policy violation, or overdue payment. WordPress powers 40%+ of all websites globally — site owners panic about losing their online presence and click without verifying the sender domain. FTC + CISA 2024: web hosting impersonation grew 78% YoY. cPanel credential theft is high-value: attackers host phishing pages on the victim's domain, exfiltrate databases, send spam from the domain, and access all email accounts. Warning signs: sender not bluehost.com/godaddy.com/namecheap.com, link to non-official cPanel/billing portal, no reference to specific domain or hosting plan.
Phishing emails impersonating LinkedIn from a non-LinkedIn domain with fake connection request, pending connections, or account restricted notifications. Check Point 2024: LinkedIn is the most impersonated brand globally — 52% of all brand phishing. Vade Secure 2024: LinkedIn impersonation grew 232% YoY. Sales and networking professionals are conditioned to click connection notifications instantly. Captured credentials give attackers access to the victim's LinkedIn session, which they use to message all connections with investment or BEC scams using the victim's established credibility. Warning signs: sender not linkedin.com/mail.linkedin.com, notification asks you to sign in to your LinkedIn account rather than linking directly to the connection's profile.
Phishing emails impersonating Robinhood, Charles Schwab, E*TRADE, Webull, or Fidelity claiming suspicious trading activity, unauthorized access, or account restriction. IC3 2024: investment account takeover fraud grew 64%, average loss $73,000 — the highest average loss of any account-takeover fraud category. The attacker liquidates all positions and withdraws the proceeds, leaving victims with losses of $50K–$200K and potentially margin debt. Retail investors fear unauthorized trades and click before verifying the sender domain. Warning signs: sender not robinhood.com/schwab.com/etrade.com, urgency about account deactivation, link to non-official domain, no reference to specific holdings.
Phishing emails impersonating Notion, Airtable, Monday.com, or Asana with a fake 'someone shared a page/base/board with you' notification requiring Google or Microsoft sign-in on a non-official domain. Cofense 2024: productivity-tool impersonation is a top-5 credential-phishing vector in SaaS-heavy organizations. Workspace takeover gives attackers the company's internal wiki, product roadmap, customer data, stored API keys, and connected integrations for deep BEC follow-on attacks. Warning signs: sender not notion.so/airtable.com/monday.com, workspace access requires Google/Microsoft login on non-official domain.
Phishing emails impersonating Figma, Canva, Adobe XD, or Sketch with a fake 'someone shared a design with you' notification requiring Google or Microsoft sign-in on a non-official domain. Designers receive legitimate file-share invitations constantly and have been conditioned to click without verifying the sender. Proofpoint 2024: Figma impersonation phishing up 300%; Cofense 2024: design-tool lures are the fastest-growing phishing category in tech. The credential goal goes beyond the design account — Figma/Canva login via 'Sign in with Google' gives attackers full Google Workspace access. Warning signs: sender not figma.com/canva.com/adobe.com, view link requires Google/Microsoft login on non-official domain.
Phishing emails impersonating Wise (TransferWise), Revolut, N26, or Monzo claiming account restriction, suspension, or a pending transfer requiring confirmation. Wise has 16M+ users, Revolut 40M+ — rapid fintech adoption created a large, under-cautious victim pool. FTC 2024: fintech impersonation phishing up 180%; APWG 2024: Wise and Revolut in the top-10 most impersonated financial services brands. The 'transfer pending confirmation' hook exploits urgency around time-sensitive international payments. Warning signs: sender not wise.com/revolut.com/n26.com/monzo.com, confirmation requires sign-in on non-official domain, no specific transfer amount or recipient name shown.
Phishing emails impersonating GitHub, GitLab, Bitbucket, or npm claiming unauthorized access or account suspension — driving to a credential-harvest page. Developer accounts are uniquely high-value: one GitHub login controls SSH keys, API tokens, private repos, CI/CD pipeline secrets, and npm publish access for supply-chain attacks. Proofpoint 2024: GitHub is the most impersonated developer platform brand; phishing surged 250% after 2023 credential-stuffing campaigns. Warning signs: sender not github.com/gitlab.com/bitbucket.org, link to non-official domain, no reference to specific recent security events or SSH key fingerprints.
Phishing emails impersonating Slack, Microsoft Teams, or Discord with fake workspace invitations or account deactivation warnings requiring sign-in on non-official domains. Cofense 2024: Slack phishing is the #1 workplace collaboration tool phishing vector — employees are conditioned to click workspace invitations automatically. Workspace account takeover gives attackers full message history, file archive, webhook tokens, and the ability to send trusted messages to all teammates from the victim's account. Warning signs: sender not slack.com/microsoft.com/discord.com, invitation requires password entry via non-official domain, deactivation threat with deadline.
Phishing emails impersonating WeTransfer, Smash, Hightail, FileMail, or Transfernow claiming someone sent you a file — with a download button that redirects to a fake Microsoft 365 or Google credential-harvest page. Vade Secure 2023–2024: WeTransfer impersonation phishing surged 400%; Cofense 2024: file-sharing lures used in 23% of enterprise phishing attacks. The key red flag: legitimate WeTransfer and Hightail transfers almost never require sign-in to download. Warning signs: sender not wetransfer.com/hightail.com/smash.com, download requires Microsoft/Google login, no specific file name mentioned, expiry countdown urgency.
Phishing emails impersonating Calendly, Cal.com, Doodle, or scheduling platforms with a 'confirm your meeting' link that leads to a Microsoft 365 or Google credential-harvest page. Cofense 2024: scheduling-tool phishing emerged as a top-10 business email threat as remote work normalized calendar link flows — employees click 'confirm meeting' automatically without verifying the sender. Goal: business email account takeover via calendar access enabling deep BEC attacks. Warning signs: sender not calendly.com/cal.com/doodle.com, confirmation requires Microsoft/Google sign-in, no inviter name or meeting time shown.
Phishing emails impersonating Ticketmaster, StubHub, SeatGeek, Eventbrite, AXS, or Live Nation claiming your account has been suspended, compromised, or accessed without authorization — driving to a credential-harvest page. These lures spiked 280% in H2 2024 following the ShinyHunters Ticketmaster breach affecting 560M customers. Victims lose both credentials and access to upcoming events they paid for. Post-breach phishing exploits the fact that victims know a real breach occurred. Warning signs: sender not the official ticket platform domain, urgency about deactivation, link to non-official domain, no reference to specific events or order numbers in your account.
Fraudulent fundraising emails impersonating ActBlue, WinRed, candidates, or PACs with artificial '3×/5×/10× match expiring at midnight' urgency — routing victims to fake donation pages harvesting card details, or requesting payment via gift cards or wire transfer. FTC 2024: political donation scams surged 340% during election season; FEC issued formal warnings about fake match-donation campaigns. Exploits political identity and urgency rather than financial fear. Warning signs: sender not actblue.com or winred.com, absurd match multiplier above 2×, gift card or wire transfer payment options, no FEC disclosure, midnight deadline.
Impersonation scam where a fake invoice claims your Geek Squad, Norton LifeLock, or McAfee annual plan auto-renewed at $299–499, with a toll-free number to 'cancel.' Calling connects to a scammer who takes remote desktop access and drains your bank account. FTC 2022–2024: $800M+ in tech-support refund losses; FBI IC3 2023: $924M in tech-support fraud — second-highest dollar loss category; AARP: 60%+ of victims are over 60 with average losses of $10,000–$20,000. Real Best Buy and Norton notices link to your account portal — they never provide a phone number as the only cancellation option. Warning signs: invoice from non-official domain, toll-free number as sole cancellation method, no link to account management portal.
Phishing emails impersonating AT&T, Verizon, T-Mobile, or Sprint, claiming your wireless account is suspended or has a payment failure — driving to a lookalike carrier login page that harvests your credentials and payment card. FTC 2024: telecom impersonation scams cost $330M, up 45% over 2022; AT&T and Verizon are top-5 most impersonated brands. Stolen credentials enable SIM-swapping attacks that bypass SMS MFA on bank accounts. Warning signs: sender domain not the official carrier domain, urgency about termination within hours, link to unfamiliar domain, no reference to last 4 digits of your payment method.
Fraudulent emails impersonating county recorder offices or 'Home Title Lock' services, claiming your property deed was illegally transferred or filed without your knowledge — driving to a PII harvest form (SSN, address) or a fake 'deed restoration' payment page. FBI IC3 2023: real estate fraud cost Americans $446M; deed fraud fastest-growing subcategory, up 40% YoY; AARP: 70% of victims are seniors. County recorders never send unsolicited email alerts — their notifications arrive by certified mail with document numbers. Warning signs: no government domain, urgency about 'illegal transfer,' SSN request, link to a non-governmental deed protection service.
Spam emails falsely claiming your refrigerator, washer, dryer, dishwasher, TV, or other appliance warranty has expired — pushing extended protection plans via a link or toll-free number. FTC: appliance warranty solicitations rank second-highest in warranty robocall/spam volume after vehicle warranties, with tens of millions of unsolicited contacts per year. Legitimate appliance warranty extensions are offered by manufacturers or authorized sellers at point of sale — not via cold email years later. Warning signs: generic 'your appliance' language with no make/model/serial, urgent expiry deadline, link or toll-free renewal number, sender not the manufacturer.
Phishing emails that instruct you to scan a QR code with your phone camera to 'verify identity' or 'access a document' — bypassing email security scanners because the malicious URL is encoded in an image. APWG H2 2023: QR phishing volumes surged 587%; Cofense 2024: 17% of credential-phishing emails now use QR codes. No legitimate service sends unsolicited QR codes to satisfy authentication — genuine MFA uses apps already on your device. Warning signs: QR code in an unsolicited email, phone-camera instruction, account-expiry urgency, no link alternative.
Advance-fee fraud: you're 'selected as a mystery shopper,' mailed a fake cashier's check, and instructed to buy gift cards (Google Play, iTunes, Amazon) and share the codes to 'wire back the overpayment' while keeping a commission. The check bounces; you owe the full amount. FTC 2024: $337M in mystery shopper losses, average $1,200+ per victim. Gift-card purchase is the definitive red flag — no legitimate mystery shopping company ever instructs evaluators to buy gift cards or share PINs. Warning signs: unsolicited selection, cashier's check mailed, gift-card task, wire-back instruction.
Phishing emails impersonating the Red Cross, UNICEF, Salvation Army, Doctors Without Borders, or disaster-specific funds — soliciting urgent donations after earthquakes, hurricanes, wildfires, or conflicts. Funds go to the attacker. FTC 2024: $24M+ in charity scam losses; FEMA documents a surge within 24 hours of every major disaster declaration. The only reliable check is the sender domain: real appeals come from redcross.org, unicef.org, etc. — any deviation is definitive. Warning signs: non-brand sender domain, wire / Zelle / gift-card payment requested, no EIN in the email.
Phishing emails impersonating Norton, McAfee, Kaspersky, AVG, Avast, Bitdefender, or Windows Defender — claiming your subscription expired and your device is now unprotected or infected. Drives either a card-harvest renewal link or a 'call support now' gift-card extraction. FTC 2024 top-10 impersonation category; FBI IC3 2024: $800M+ combined with tech-support variants. Real AV renewal emails come from the vendor's official domain with a list-unsubscribe header and never use infection-scare language. Warning signs: non-brand domain, 'device is infected' threat, call-support instruction, renewal link to an unofficial site.
Phishing emails impersonating PG&E, ConEdison, Xcel Energy, National Grid, Dominion Energy, or a generic 'electric company' — threatening same-day power or gas disconnection unless you pay immediately via a link. The payment page harvests your card or banking details; there is no real overdue balance. FBI IC3 2024 logged $158M+ in utility impersonation losses, surging during summer and winter billing peaks. Real utilities send physical disconnection notices before any shutoff and never demand payment via an email link. Warning signs: sender not from the utility's official domain, 24-hour shutoff threat, urgent 'pay now' button, no prior physical mail.
Business Email Compromise in which an attacker impersonates an employee to email HR or payroll requesting a direct-deposit account change — routing the next paycheck to the attacker's mule account. Victims typically discover the theft on payday. FBI IC3 2024: payroll diversion BEC caused $55M in losses with an average of $8,000+ per incident. Unlike wire-transfer BEC (targeting finance), this targets HR generalists with a routine-sounding request. Warning signs: email from a non-company domain, urgency about the next pay period, routing and account numbers in the message body, no in-person or phone verification requested.
Fraudulent emails masquerading as Google Docs shares, Microsoft 365 app consent prompts, DocuSign viewer requests, or Dropbox access requests — directing the recipient to authorize a third-party OAuth app that silently grants the attacker persistent read and send permissions on the mailbox. Once granted, the attacker's app IS the account — password and MFA are bypassed entirely. The Microsoft Digital Defense Report 2025 identified illicit consent grant as the fastest-growing enterprise phishing vector, driving a substantial share of modern BEC losses. Warning signs: a shared-document or app-consent email from a non-brand domain, a link that opens an OAuth consent screen for an app you don't recognize, a request for mailbox-scope (read, send) permissions.
Phishing emails impersonating Zoom, Microsoft Teams, Google Meet, Webex, or BlueJeans meeting invites — directing the recipient to download an installer, updated client, or helper extension from a typosquat domain that drops AsyncRAT, QuasarRAT, Remcos, or DarkGate remote access malware. Heavy uptick through 2025-2026 as remote work normalized the click chain. Real Zoom and Teams invites integrate with the user's already-installed client via a calendar event — they never require downloading a fresh installer for a single scheduled meeting. Warning signs: meeting-invite email from a non-brand domain, a prominent download or install link, language urging a client or extension install to join.
Phishing emails that arrive alongside a flood of MFA push notifications — asking you to "approve the pending Microsoft Authenticator / Duo / Okta prompt to stop the codes." The attacker already has your password; the email supplies the pretext for you to tap Approve and hand over the account. Used in the Uber 2022 breach and scaled across Microsoft 365 / Okta / Duo campaigns through 2024-2026. Real identity providers describe the sign-in attempt (device, location, IP) and never pressure you to clear a queue — a push you didn't initiate is, by construction, someone else trying to log in as you. Warning signs: unsolicited MFA prompts, an email urging you to approve them to stop the flood, time-pressure language (within 5 minutes or your account will be locked).
Phishing emails disguised as Cloudflare, Google, reCAPTCHA, or Turnstile verification challenges that instruct you to press Win+R (or open PowerShell / terminal) and paste a "verification code" the site claims to have copied to your clipboard. The clipboard actually contains an mshta.exe or PowerShell one-liner that installs stealer malware like Lumma, Vidar, DanaBot, or AsyncRAT. CISA flagged ClickFix as a top-5 initial-access technique in late 2025; detected volumes tripled into Q1 2026. No legitimate captcha on the web ever asks you to run a command in a terminal — by construction, that instruction is always a compromise attempt. Warning signs: captcha instructions that mention Win+R, PowerShell, terminal, Run dialog, or pasting a command; any email directing you to "verify" by executing code on your own computer.
Phishing emails (mr.d0x-style FileFix, the Windows File Explorer cousin of ClickFix) that direct you to press Ctrl+L in File Explorer — which focuses the address bar — then paste a "file path" and press Enter. The pasted string is actually a disguised PowerShell, mshta, or rundll32 command: hundreds of whitespace characters are prefixed so only a harmless-looking path appears in the UI, while Enter silently executes the command. Disclosed by mr.d0x in June 2025 and in-wild within two weeks (Check Point, Kaspersky, Intel 471, BleepingComputer). Expel Labs disclosed a cache-smuggling variant with a JPG-hidden PowerShell payload dropping StealC v2 in December 2025; FileFix 2.0 with Mark-of-the-Web bypass arrived by March 2026. Distinct from the Win+R ClickFix family because the UI affordance is different. No legitimate workflow ever requires pasting anything into File Explorer's address bar to "open" an email attachment. Warning signs: instructions to press Ctrl+L, "open File Explorer," "focus the address bar," or "paste the path and press Enter" — especially paired with a long copy-paste string.
Phishing emails that piggyback on a real SaaS platform's notification infrastructure. Attackers inject scam text into a user-controlled field — a GitHub commit description, a Jira "Invite Customers" welcome message, an Amazon Business invite's display name, a Google Calendar event description, a Trello/Notion/Slack/Asana notification — so the email is actually sent by the trusted platform. It passes SPF, DKIM, DMARC, and ARC because the platform IS the sender. Cisco Talos (April 2026) tracked ~2.89% of all GitHub notification email on a single day as malicious; one campaign hit 20,049 organizations. The content pattern is stable: a toll-free callback number (1-800 / 888 / 877), a fake "you've been charged $NNN" claim or unauthorized-subscription dispute CTA, often padded with whitespace or dots to evade eyeballs. Legitimate GitHub/Jira/Amazon-Business messages do not ask you to call a 1-800 number to dispute a charge — that instruction belongs to the scammer, not the platform. Warning signs: notification from a trusted SaaS sender (github.com, atlassian.net, amazon.com) that contains a toll-free callback + a large dollar amount + "fraud hotline" / "refund department" / "to cancel call" language.
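The content fingerprint described above, written as a detector (an added example, not the scoring engine's own code). Because these messages pass SPF, DKIM, DMARC, and ARC, the check runs on the sender domain and the body only; the function names, the $100 "large amount" threshold, the zero-width character set, and both sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from email.utils import parseaddr

# Sender domains named in the entry above; a real list would be longer.
TRUSTED_SAAS_SENDERS = ("github.com", "atlassian.net", "amazon.com")
LARGE_AMOUNT_USD = 100  # assumption: what counts as a "large dollar amount"

# Toll-free prefixes named in the entry: 800 / 888 / 877, with optional +1 and separators.
TOLL_FREE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]*)?\(?8(?:00|88|77)\)?[\s.\-]*\d{3}[\s.\-]*\d{4}(?!\d)"
)
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")
CALLBACK_RE = re.compile(r"fraud hotline|refund department|to cancel,? call", re.I)
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))


def normalize(body):
    """Undo padding: fold lookalike characters, drop zero-width ones, collapse dots and spaces."""
    text = unicodedata.normalize("NFKC", body).translate(ZERO_WIDTH)
    text = re.sub(r"\.{2,}", " ", text)   # runs of dots used as filler
    return re.sub(r"\s+", " ", text).strip()


def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def is_trusted_platform(domain):
    # Exact match or a true subdomain; "github.com.evil.example" does not qualify.
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_SAAS_SENDERS)


def largest_amount(text):
    amounts = [int(m.replace(",", "")) for m in AMOUNT_RE.findall(text)]
    return max(amounts, default=0)


def assess_notification(from_header, body):
    """Return each signal plus 'flagged', which is True only when all of them fire together."""
    text = normalize(body)
    signals = {
        "trusted_platform_sender": is_trusted_platform(sender_domain(from_header)),
        "toll_free_callback": bool(TOLL_FREE_RE.search(text)),
        "large_dollar_amount": largest_amount(text) >= LARGE_AMOUNT_USD,
        "callback_language": bool(CALLBACK_RE.search(text)),
    }
    signals["flagged"] = all(signals.values())
    return signals


# Constructed samples: scam text injected into a commit notification, and an ordinary one.
ABUSED = (
    "GitHub <notifications@github.com>",
    "[acme/repo] New commit\n\nYour   PayPal   account has been charged $499.99 "
    "..........\n\n\nIf you did not authorize this,  to cancel call  the refund "
    "department at +1 (888) 555\u200b-0100 ....",
)
BENIGN = (
    "GitHub <notifications@github.com>",
    "[acme/repo] Merged #877 into main. 3 checks passed. Sponsorship of $5 recorded.",
)

if __name__ == "__main__":
    for label, (sender, body) in (("abused", ABUSED), ("benign", BENIGN)):
        print(label, assess_notification(sender, body))
```
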
Multi-stage phishing attack that begins with a compromised partner's SharePoint tenant. The attacker uses the compromised account to share a document with you, which triggers a genuine Microsoft notification email — SPF, DKIM, DMARC, and ARC all pass cleanly because the email is really sent by Microsoft. Opening the document requires a one-time passcode that Microsoft emails to you automatically. Once you enter the code and the document loads, it is a second-stage adversary-in-the-middle (AiTM) phishing page that steals your Microsoft 365 session cookie and lets the attacker bypass MFA. Microsoft's Threat Intelligence team published this chain on January 21 2026; The Register, NCSC Switzerland, and Paubox covered follow-on campaigns targeting energy-sector organizations. The distinguishing fingerprint: a real SharePoint/Microsoft sender + a TOTP / one-time access code gate + an "[External]" / "outside your organization" banner in the body. Legitimate internal SharePoint shares never carry the external banner, and shares from known vendors usually live inside an existing mail thread (a reply or a re: subject). Warning signs: Microsoft SharePoint share notification from outside your organization that requires a verification code to open the document — especially when you weren't expecting it.
Phishing emails weaponizing the real Microsoft SMTP AUTH / Basic Authentication sunset on April 30 2026 (documented in Microsoft Tech Community and Microsoft Learn). The attacker cites the genuine deadline to create urgency — "basic authentication is being deprecated," "SMTP AUTH deadline April 30," "your app password will stop working," "legacy SharePoint authentication IDCRL is retiring May 1," "mailbox will be suspended" — and pushes a panic CTA like "migrate now," "re-authenticate now to avoid service disruption," or "sign in below to enable modern auth." The link points at a non-Microsoft URL styled like a Microsoft 365 sign-in page; when you enter credentials, the attacker captures them. Microsoft's 2022 first-wave basic-auth deprecation spawned dozens of phishing campaigns (per Sophos and Microsoft's threat reports); the April 2026 deadline is expected to replay that exact pattern — tens of millions of users and every IT admin in the world will be receiving legitimate migration advisories, which primes them to click urgency emails without scrutiny. Real Microsoft compliance advisories link exclusively to microsoft.com, learn.microsoft.com, microsoftonline.com, or office.com — they never ask you to sign in via a third-party "migration portal." Warning signs: urgency + basic-auth / SMTP-AUTH / app-password language + a sign-in link whose host is NOT a Microsoft domain. If in doubt, navigate directly to admin.microsoft.com or your company's internal IT-doc site rather than clicking.
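The warning sign above (urgency plus basic-auth language plus a sign-in link whose host is not a Microsoft domain) as a small check, added here as an example and not taken from the scoring engine. It compares the parsed link host against the domains the entry lists, so hosts that merely contain a Microsoft name (as a prefix label or in the userinfo part of the URL) are still reported; the phrase lists, function names, and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains the entry names as the only hosts real Microsoft advisories link to.
# learn.microsoft.com and admin.microsoft.com are covered as subdomains of microsoft.com.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com")

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
THEME_RE = re.compile(r"basic[\s-]?auth|smtp[\s-]?auth|app password|idcrl|modern auth", re.I)
URGENCY_RE = re.compile(
    r"migrate now|re-?authenticate now|service disruption|will be suspended"
    r"|will stop working|deadline",
    re.I,
)


def link_host(url):
    """Host the browser would actually contact: userinfo and port removed, lowercased."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed authority, e.g. broken IPv6 brackets
        return ""
    return host.rstrip(".")     # "office.com." and "office.com" are the same host


def is_microsoft_host(host):
    # Match on a label boundary: "notmicrosoft.com" and "microsoft.com.evil.example" fail.
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def off_domain_hosts(body):
    """Every distinct link host in the body that is not on the Microsoft list."""
    hosts = []
    for match in URL_RE.findall(body):
        host = link_host(match.rstrip(".,;:!?")) or "<unparseable>"
        if not is_microsoft_host(host) and host not in hosts:
            hosts.append(host)
    return hosts


def assess(body):
    hosts = off_domain_hosts(body)
    theme = bool(THEME_RE.search(body))
    urgency = bool(URGENCY_RE.search(body))
    return {
        "theme": theme,
        "urgency": urgency,
        "off_domain_hosts": hosts,
        "flagged": theme and urgency and bool(hosts),
    }


# Constructed samples. The lure uses a Microsoft name as a leading label and as URL userinfo.
LURE = (
    "Basic authentication is being deprecated. SMTP AUTH deadline April 30. "
    "Re-authenticate now to avoid service disruption: "
    "https://login.microsoftonline.com.m365-migrate.example/signin "
    "or https://office.com@portal.example/auth."
)
ADVISORY = (
    "Reminder: SMTP AUTH Basic Authentication retires April 30. Your app password "
    "will stop working. Review the guidance at https://learn.microsoft.com/ "
    "or sign in at https://admin.microsoft.com/."
)

if __name__ == "__main__":
    print(assess(LURE))
    print(assess(ADVISORY))
```

The advisory sample carries the same theme and urgency wording as the lure, which is why the link host is the deciding signal.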
Phishing emails that ask you to REVEAL your 2FA backup codes — the one-time recovery codes you saved when setting up 2-factor authentication on Google, Microsoft, Apple, Coinbase, Binance, GitHub, Dropbox, 1Password, Bitwarden, etc. The codes are intended specifically for emergency use when you lose access to your authenticator app. Harvested backup codes let the attacker bypass 2FA INDEFINITELY, even after you change your password, because backup codes remain valid until you explicitly rotate them. The attack narrative: "To maintain access to your account, please enter your 8 backup codes at the verification page below" / "Reply with your 10 recovery codes to re-verify your account" / "Your backup codes have been invalidated — submit your current codes to re-generate." The distinguishing fingerprint is the solicitation verb. NO legitimate service EVER asks you to submit / enter / reply with your backup codes. Real backup-code emails DISPLAY the codes to you for saving; they don't ask you to type codes back into anything. Any email asking for your backup codes is, by construction, a phish. Real precedents: the Coinbase 2020 breach (attackers used harvested recovery codes to bypass 2FA on compromised accounts), Google 2023 phishing waves, and ongoing Microsoft / Apple / Coinbase / Binance impersonation tracked by KnowBe4 and SANS security-awareness programs. Defense: save your backup codes offline in a secure location (printed in a safe, stored in a separate password manager with a different master password); never enter them anywhere except directly on the real service's real 2FA-setup page; rotate them immediately if you ever suspect compromise.
Phishing emails targeting the CREATORS of crowdfunding campaigns (not the donors) on GoFundMe, Kickstarter, Indiegogo, Fundly, YouCaring, DonorsChoose, Seedrs, Crowdcube, Fundable, StartEngine, or Wefunder. Message shape: "your campaign is under review," "creator verification required," "campaign payout on hold pending identity verification," "verify your Stripe Connect account to release funds," "funds will be returned to donors within 48 hours if you don't verify." The link drives to a typosquat host that presents a pixel-perfect fake organizer / creator dashboard sign-in and harvests credentials. Blast radius is severe: payout redirection (medical GoFundMe campaigns can be tens of thousands per fundraiser; successful Kickstarter tech projects hundreds of thousands to millions at payout time), campaign page defacement for follow-up solicitation to a different endpoint (Venmo, crypto address, off-platform payment link), donor PII exposure (backer emails + addresses from the creator dashboard), and on Kickstarter specifically, Stripe Connect account takeover through the connected payment flow. Real precedents: GoFundMe Trust & Safety published phishing advisories after the COVID-19 medical-fundraiser wave of 2020, the Turkey-Syria earthquake wave of 2023, and the Hawaii wildfire wave of 2023 — disaster-adjacent high-volume fundraising attracts phishing campaigns targeting newly-minted organizers. Kickstarter has published 2022-2024 creator-targeted phishing advisories, particularly around the highest-profile $1M+ tech campaigns. BBB + FTC have issued advisories on crowdfunding creator-account takeover as a persistent attack class. Legitimate communications come exclusively from the platform's own domain: `gofundme.com`, `kickstarter.com`, `indiegogo.com`, `fundly.com`, `youcaring.com`, `donorschoose.org`, `seedrs.com`, `crowdcube.com`, `fundable.com`, `startengine.com`, `wefunder.com`, plus `stripe.com` / `connect.stripe.com` for Kickstarter payout verification.
Warning signs: any campaign-payout-review email whose sign-in link is hosted elsewhere. Defense: always open the organizer / creator dashboard directly from the platform's bookmarked URL. Enable hardware-backed 2FA on campaign accounts over $10K. If running a disaster-adjacent time-sensitive campaign, verify every "your campaign has been flagged / needs verification" email by calling the platform's published customer support number directly — elevated phishing risk applies because attackers specifically target newly-minted organizers who are unfamiliar with the platform's real processes.
Phishing emails targeting Twitch streamers with fake Partner/Affiliate monetization-review narratives: "Your Twitch Partner application is under review — verify identity within 48 hours," "Affiliate payout on hold pending tax re-verification," "Creator dashboard re-authentication required." The link drives to a typosquat host (twitch-partner-review.example, twitch-creator-verify.example) presenting a pixel-perfect fake Twitch creator-dashboard sign-in. Once credentials are harvested, blast radius: (1) payout redirection — attacker changes the linked bank / PayPal to redirect monthly subscription payout (thousands for mid-tier streamers), (2) channel takeover — fake endorsements or crypto scams posted to the streamer's existing subscriber base using the legitimate account (documented case: multiple Partners in 2021-2024 had their channels used to broadcast crypto-scam streams), (3) subscriber PII exposure via the creator dashboard, (4) brand-deal hijack via the Twitch inbox. The 2021 Twitch 125GB breach leaked partial creator-payout data, creating a pre-verified streamer email list that has been phished continuously since. Targets roughly 9 million active streamers in the Affiliate + Partner programs globally. Legitimate Twitch monetization communications come exclusively from `twitch.tv`, `email.twitch.tv`, `twitch.com`, `amazon.com`, `primegaming.amazon.com`. Warning signs: any monetization-review email whose sign-in link is hosted elsewhere. Twitch itself publishes multiple phishing advisories annually specifically warning creators about these lures. Defense: always open your creator dashboard directly from the Twitch app or a bookmarked `dashboard.twitch.tv` URL — never via an email link. If you're a Partner, enable hardware-backed 2FA (FIDO2 security key) on your Twitch account and enable any payout-change-delay with Twitch support to require second-channel approval for any payout-bank changes. 
If you did click and entered credentials, change your Twitch password immediately, review the Active Sessions page, and contact Twitch Creator Support to freeze pending payouts while you investigate.
Phishing emails that weaponize the 2024-2026 2FA-app migration wave. Attackers impersonate Twilio Authy (riding the August 19 2024 desktop-app sunset), Google Authenticator (cloud-sync rollout from 2023 onward), Microsoft Authenticator (cross-device sync), 1Password Authenticator, Okta Verify, or Duo Mobile with narratives like "Authy Desktop is shutting down — migrate your TOTP codes within 48 hours," "Enable Google Authenticator cloud sync to preserve your codes," "Verify Microsoft Authenticator cross-device sync to keep your 2FA access." The link drives to either a credential-harvesting fake migration portal (which captures TOTP seeds + backup codes) or a malicious "Authenticator Importer" binary that exfiltrates the seed store from the victim's existing app. TOTP seeds are the master key behind EVERY 2FA-protected account the victim has — bank, email, broker, crypto exchange, work SSO, GitHub, domain registrar. Harvested seeds let the attacker generate valid 6-digit codes indefinitely for every linked account until the victim manually rotates each. Why victims fall for it: 2FA migrations involve users EXPECTING exactly this kind of email, so skepticism is unusually low, and the victim pool was pre-primed by the Twilio Authy 33M-record breach disclosed in July 2024 just before the desktop-app sunset. Real precedents: the Twilio Authy breach (33M phone numbers exposed July 2024); Proofpoint + BleepingComputer + ITPro 2024-2026 coverage of post-sunset migration-phishing waves; parallel Google Authenticator cloud-sync migration-phish waves through 2024-2025; 1Password + Microsoft Authenticator cross-device-sync launches triggered similar impersonation campaigns. Legitimate authenticator migration emails come exclusively from: `authy.com`, `twilio.com`, `google.com`, `accounts.google.com`, `support.google.com`, `microsoft.com`, `microsoftonline.com`, `apple.com`, `okta.com`, `duosecurity.com`, `duo.com`, `1password.com`, `agilebits.com`. 
Warning signs: any authenticator-migration email whose sign-in / import link is hosted elsewhere. Defense: NEVER migrate TOTP seeds via an email link. Real migrations happen inside the authenticator app itself — typically via a QR code shown in the app you're leaving, scanned by the app you're entering — never email-driven. If you receive a "migrate your codes" email, open your authenticator app directly and check its in-app migration flow. If your provider has truly sunset, they will publish official guidance on their own `.com` domain reachable via bookmark. If you did click and entered TOTP seeds, rotate 2FA on every account linked to that authenticator IMMEDIATELY — don't wait for a pattern to emerge.
Phishing emails impersonating Zoom, Microsoft Teams, or Google Meet with a "your cloud recording is ready to view" / "meeting transcript available" / "recording from yesterday's call is ready to download" / "recording expires in 24 hours — view now" message. The link points to a typosquat host (zoom-recording-view.example, teams-transcript-portal.example, meet-record-google.example) that serves either (a) a pixel-perfect fake Zoom / Microsoft / Google SSO sign-in page that harvests enterprise credentials, or (b) a malicious "video player plugin" binary that installs infostealer malware on open. Volume exploded during the WFH era and has NOT declined in 2026 — remote-meeting recording emails are a normalized, expected, barely-scrutinized part of every knowledge worker's inbox, which is exactly why this impersonation works. Blast radius depends on the payload: credential-harvest gets the attacker the victim's M365 / Google Workspace SSO token and downstream access to email, SharePoint / Drive files, Teams chats, and any federated service; malware installs infostealers that exfiltrate saved browser credentials, session cookies (bypassing 2FA), and any crypto-wallet browser-extension state. Real precedents: Abnormal Security's 2024 "Top Phishing Brands" report placed Zoom at #3, with recording-ready lures the dominant subtype; KnowBe4's 2024 + 2025 threat reports consistently ranked Zoom in the top 6 phishing brands worldwide; Microsoft MSRC published a 2024 advisory specifically on Teams impersonation phish after a campaign spike against M365-federated enterprises; Bleeping Computer and The Hacker News tracked multiple 2023-2025 SSO-harvest waves styled as Zoom recording notifications. Legitimate meeting-recording emails come exclusively from the vendor's own domain: `zoom.us`, `zoomgov.com`, `teams.microsoft.com`, `email.teams.microsoft.com`, `sharepoint.com`, `meet.google.com`, `drive.google.com`, `webex.com`.
Warning signs: any "your recording is ready" email whose sign-in / download link is hosted elsewhere. Defense: always open Zoom / Teams / Meet directly from the native desktop app or your bookmarked URL — recordings live inside the vendor's own library UI and never require you to sign in via an email link. For IT admins: enforce conditional-access policies that reject sign-ins from non-corporate IPs for these SSO domains, which limits blast radius even if a user does submit credentials.
Phishing emails that arrive 1-30 days after you report an Apple device (iPhone / iPad / AirPods / Apple Watch / Mac) lost or stolen. The message impersonates Find My or Apple Security with "Your lost iPhone 15 Pro has been located in [city]. Sign in to remove Activation Lock to recover the device." The link points to a pixel-perfect fake Apple ID sign-in page on a typosquat host (apple-find-my-verify.example, icloud-findmy-unlock.example). This attack works because Apple's real Activation Lock mechanism bricks stolen hardware until the original owner's Apple ID credentials are entered — which makes stolen Apple devices worthless to thieves unless they can harvest the owner's credentials. So the owner's email becomes the attack target 1-30 days after theft. Victims are extremely susceptible because (a) they just lost an expensive device, (b) they GENUINELY WANT the email to be real, (c) it arrives timed to the loss, which feels like an automated system response, and (d) the urgency timer ("within 24 hours or device is reset") overrides careful inspection. Blast radius after credentials are harvested: the thief unlocks and resells the stolen hardware (primary goal), AND the attacker now has full iCloud takeover — every photo, Note, Keychain-saved password, contact, iMessage history, call log, and iCloud Drive file across every device tied to the account, AND the @icloud.com / @me.com mailbox itself, which means password-reset emails for every other service the victim uses flow to the attacker — cascading takeover into bank / broker / work accounts. Real precedents: Krebs on Security and Wired documented organized 2018-2020 Chinese phone-theft rings that systematically phished stolen-phone owners; AppleInsider 2023-2025 published multiple warnings about "fake iCloud unlock services" that are all phishing fronts; the FBI Cyber Division issued a 2024 advisory flagging post-theft-phish targeting NBA players and other high-profile theft victims. 
The real Apple never asks you to sign in via an email link to remove Activation Lock — the removal happens inside Settings on a signed-in device OR on appleid.apple.com via your bookmark. Real Apple emails come exclusively from `apple.com`, `appleid.apple.com`, `icloud.com`, `support.apple.com`, or `apple.co`. Any "your lost device was found" email whose sign-in link is elsewhere is, by construction, a phish. Defense: if you lose a device, mark it lost in the Find My app on another signed-in device (which displays a contact phone number on the lock screen), then treat every subsequent "your device was found" email as phishing by default until verified via the real Find My app. Never click the link in the urgency email — open the Find My app directly to verify the device's current status. If you did click and entered credentials, change your Apple ID password immediately and review https://appleid.apple.com/account/manage for unauthorized devices.
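The "sign-in link hosted elsewhere" test that this entry and the others on this page rely on, written out as an added example (not the scoring engine's own code). The domain lists are copied from the entries above; treating subdomains of a listed domain as legitimate, the function names, and the sample email are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Legitimate domains copied from the entries on this page (a subset).
BRAND_DOMAINS = {
    "apple": ["apple.com", "appleid.apple.com", "icloud.com",
              "support.apple.com", "apple.co"],
    "meetings": ["zoom.us", "zoomgov.com", "teams.microsoft.com",
                 "email.teams.microsoft.com", "sharepoint.com",
                 "meet.google.com", "drive.google.com", "webex.com"],
}


def normalize_host(host):
    """Lower-case, drop a trailing dot, convert IDN labels to punycode."""
    host = (host or "").strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # unparseable names are left as-is and will not match


def host_is_allowed(host, allowed_domains):
    """True only for a listed domain or a subdomain of one (assumption).

    The comparison is on whole DNS labels, so "apple.com" admits
    "support.apple.com" but not "notapple.com" or "apple.com.example".
    """
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def host_of(text):
    """Host named by a URL or bare host string, or "" if there is none."""
    text = (text or "").strip()
    if not text or " " in text or "." not in text:
        return ""
    try:
        parts = urlsplit(text if "://" in text else "//" + text)
    except ValueError:
        return ""
    return normalize_host(parts.hostname)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html_body, brand):
    """Return (host, reason) for each web link outside the brand's domains."""
    allowed = BRAND_DOMAINS[brand]
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel: and fragments are out of scope here
        host = host_of(href)
        if host_is_allowed(host, allowed):
            continue
        # Stronger signal: the visible text names a real brand host
        # while the href goes somewhere else.
        shown = host_of(text)
        mismatch = bool(shown) and host_is_allowed(shown, allowed)
        findings.append((host, "text_mismatch" if mismatch else "off_domain"))
    return findings


# Constructed sample body; the two .example hosts are the ones named above.
SAMPLE_EMAIL = """
<p>Your lost iPhone 15 Pro has been located. Sign in to remove Activation Lock.</p>
<a href="https://apple-find-my-verify.example/unlock">Sign in to Find My</a>
<a href="https://icloud-findmy-unlock.example/id">appleid.apple.com/unlock</a>
<a href="https://support.apple.com/find-my">Find My support</a>
<a href="https://APPLEID.APPLE.COM./account/manage">Manage your Apple ID</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, "apple"):
        print(finding)
```

A substring or plain `endswith("apple.com")` test would pass `notapple.com`; comparing on label boundaries after parsing the URL is what makes the allowlist hold.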
Phishing emails impersonating Ledger, Trezor, BitBox, Coldcard, KeepKey, NGRAVE, SafePal, or Ellipal with an urgent firmware-update narrative — "your Ledger Nano X requires a mandatory firmware update within 24 hours due to a critical security vulnerability," "Trezor Suite mandatory security patch 24.4.0 available — connect your device now," "your hardware wallet will be locked within 72 hours unless you install the latest firmware." The link points to a typosquat host (ledger-firmware-v2.example, trezor-suite-patch.example, ledger-wallet-updater.example) serving a malicious "Ledger Live" or "Trezor Suite" installer. Once installed, the fake client exfiltrates the seed phrase during "device reconnection" — the attacker then drains every wallet derived from that seed within minutes. This is the catastrophic-loss class of crypto phishing: hardware-wallet seed phrases are the master key, password rotation and 2FA don't help, and on-chain transactions are irreversible. The 2020 Ledger customer email breach leaked 1M+ addresses with names, physical addresses, and phone numbers, and continues to feed targeted phishing through 2026 — every year variants of "mandatory Ledger firmware patch" hit the breach list again. The frequency of legitimate firmware updates is the core leverage: Ledger Live ships roughly monthly, Trezor Suite quarterly, and major firmware events (Ledger Stax 2024, Trezor Safe 3 late 2023) generate legitimate update-volume waves. That normalized traffic is exactly why impersonation works — recipients don't question another firmware-update email. Real precedents: the Ledger Connect Kit supply-chain attack on December 14 2023 drained $600K from dapps that integrated the compromised JS library; Trezor phishing wave in January 2024 impersonated "address-poisoning protection firmware update"; ongoing Ledger Recover / mandatory-patch impersonation campaigns have hit the same 2020-breach email list continuously through 2024-2026. 
Legitimate hardware-wallet communications come exclusively from the vendor's own domain: `ledger.com`, `ledger.fr`, `trezor.io`, `satoshilabs.com` (Trezor parent), `bitbox.swiss`, `shiftcrypto.ch`, `coldcard.com`, `coinkite.com`, `keepkey.com`, `ngrave.io`, `safepal.io`, `ellipal.com`. Warning signs: any hardware-wallet firmware-update email whose download / installer link is hosted anywhere other than the real vendor's domain. Defense: open Ledger Live or Trezor Suite directly from your bookmarked URL (or the Desktop application) — never from an email link. Real hardware-wallet vendors never send "install within 24 hours" deadlines; real security updates ship through the app itself and never require you to reconnect your device via a web-downloaded installer. If you ever enter or confirm a seed phrase anywhere OTHER than the real hardware device screen itself, assume compromise and move funds to a new wallet on a freshly-initialized device.
Phishing emails that impersonate US STATE-level tax authorities — California Franchise Tax Board (FTB), New York Department of Taxation and Finance (DTF), Illinois Department of Revenue, Texas Comptroller, Florida Department of Revenue, New Jersey Division of Taxation, Oregon Department of Revenue, Pennsylvania Department of Revenue, Massachusetts Department of Revenue, Michigan Department of Treasury, Ohio Department of Taxation, Georgia Department of Revenue, North Carolina Department of Revenue, Virginia Department of Taxation — with a "your state tax refund is on hold pending identity verification" narrative. The typical ask: confirm your Social Security Number, date of birth, driver's license number (many state returns use DL as ID-verification proof), and bank routing / account numbers via a credential-harvesting link on a typosquat host (ftb-ca-refund-verify.example, ny-dtf-verify.example). Harvested credentials feed downstream refund fraud where the attacker files a fraudulent amended state return redirecting your refund to THEIR bank account. The seasonal timing is what makes this potent: federal IRS refunds arrive 1-3 weeks after filing, but STATE refunds consistently arrive weeks later — California, New York, and New Jersey commonly take 4-12 weeks to process and deposit a state refund. So from mid-April through July, millions of state filers are actively waiting for a refund they KNOW is coming. When a "verify your identity to release your refund" email arrives in that window, it fits expectations perfectly. The 2026 cycle is especially risky because California's new online-only ID-verification platform launched in February 2026, sending millions of legitimate "verify your identity" emails and conditioning CA filers to expect exactly this kind of request. Real state revenue departments never ask for SSN, driver's license numbers, or banking information by email — they send postal letters. 
Real state-tax communications come exclusively from the authority's own .gov domain: `ftb.ca.gov`, `tax.ny.gov`, `revenue.state.il.us`, `tax.illinois.gov`, `comptroller.texas.gov`, `floridarevenue.com`, `state.nj.us`, `oregon.gov`, `revenue.pa.gov`, `mass.gov`, `michigan.gov`, `tax.ohio.gov`, `dor.georgia.gov`, `ncdor.gov`, `tax.virginia.gov`. Warning signs: any state-tax "verify identity to release your refund" email whose sign-in link is hosted anywhere other than the authority's real .gov domain. Go directly to your state revenue department's refund-status page via a bookmarked URL — never click the link in the urgency email. Defense: if you're unsure whether a refund-status email is real, call your state revenue department's published phone number directly or check your refund status via your state's official online refund-tracker portal — both routes bypass the email-link phishing surface entirely.
Phishing emails that impersonate major security and technology conferences with a "registration incomplete / final payment due / invoice pending" narrative targeting attendees — typically senior IT/security professionals and executives. Attack surface covers the highest-profile industry events where attendee registrations run $2,000-$5,000 per pass: RSA Conference (~45,000 attendees), Black Hat USA / Europe / Asia, DEF CON, Gartner Security & Risk Management Summit + other Gartner verticals, Microsoft Ignite, AWS re:Invent, Google Cloud Next, Google I/O, KubeCon + CloudNativeCon, O'Reilly AI Conference, SANS Institute summits, Infosecurity Europe, GITEX, CeBIT, Web Summit, Collision, Dreamforce, SXSW. The signal catches two attack shapes: (a) credit card harvesting via fake "complete your registration" payment pages, (b) invoice-redirect BEC where the victim's company pays an attacker-controlled account thinking the payment is for the real conference — especially damaging for enterprises where conference reimbursements pass through finance with minimal verification. Attacks spike in the 2-4 weeks preceding an event as attendees actively check registration status. RSA Conference 2026 runs April 27 - May 1 — the signal is shipped specifically to intercept the pre-RSA peak-phishing window. Cofense documented these patterns around RSA + Black Hat in 2024 and 2025; Proofpoint tracked similar waves; RSA's own team publishes phishing advisories annually; CISA has issued multiple alerts on event-impersonation BEC. Legitimate conference emails link exclusively to the real organizer's domain: `rsaconference.com`, `blackhat.com`, `defcon.org`, `gartner.com`, `ignite.microsoft.com`, `reinvent.awsevents.com`, `cloud.google.com`, `kubecon.cncf.io`, `oreilly.com`, `sans.org`, etc. Warning signs: any conference-registration-status email whose sign-in or payment link is hosted anywhere other than the real organizer's domain.
Go directly to the conference's portal via a bookmarked URL or the confirmation email you received when you first registered — never click the link in the urgency email, especially if your company will be reimbursing the payment.
Credential phishing that targets DNS-registrar ADMIN account holders — the people with tenant-level control over a domain's registration, authoritative nameservers, DNSSEC keys, glue records, and transfer locks. Attack surface covers GoDaddy, Namecheap, Squarespace Domains (ex-Google Domains), Cloudflare Registrar, Amazon Route 53, Gandi, Porkbun, Hover, Name.com, Dynadot, Enom, NetworkSolutions, IONOS, OVHcloud, and other major public registrars. The narrative hooks into plausible registrar-security events: "DNSSEC key rotation required" (a real maintenance operation that admins do handle via the console), "domain transfer authorization pending" (the EPP-transfer AUTH-CODE confirmation window), "authoritative nameserver change detected" (ICANN-mandated change-confirmation), "glue record update required," or the generic "re-authenticate your admin console." The credential-harvesting link points at a typosquat host (godaddy-dnssec-admin.example, namecheap-transfer-auth.example, cloudflare-registrar-verify.example) that captures the registrar admin credentials. Once compromised, the attacker can: (1) transfer the domain to an attacker-controlled account, (2) change the authoritative NS records, (3) redirect MX records to harvest inbound email including credential-reset messages, banking alerts, and internal comms, and (4) with the domain under their control, issue valid TLS certificates for the victim's brand via any public CA — enabling full man-in-the-middle attacks on every service hosted on that domain. This is full infrastructure takeover from a single credential compromise. 
Real precedents: the Cisco Talos analysis of the Sea Turtle (DNSpionage) campaign (2018-2019) documented state-sponsored actor groups compromising registrars across the Middle East and North Africa to redirect government and telecom domains; GoDaddy has disclosed multiple customer-compromise events through 2022-2024; Mandiant M-Trends 2025 and ICANN compliance advisories both track registrar-account hijacking as an ongoing threat category. Legitimate registrar communications link exclusively to the registrar's own domain — `godaddy.com`, `namecheap.com`, `domains.google`, `domains.cloudflare.com`, `route53.amazonaws.com`, `gandi.net`, `porkbun.com`, etc. Warning signs: any registrar-admin-security email whose sign-in link is hosted anywhere other than the real registrar's domain. If you hold registrar admin accounts: enable hardware-backed 2FA (FIDO2 security key) on every account, enable registrar-lock + transfer-lock on every valuable domain, use role-separated sub-accounts for DNS operations vs billing, and go directly to the registrar's admin console via a bookmarked URL — never click the link in the email.
Phishing emails that target browser-extension PUBLISHERS with credential-harvesting links disguised as extension-store developer-security notifications. Attack surface covers the four major extension stores — Chrome Web Store, Firefox Add-ons (AMO), Microsoft Edge Add-ons, Opera Add-ons — and uses four narrative hooks: (a) policy-violation / listing-suspension framing, (b) mandatory publisher verification, (c) Manifest V3 migration urgency, (d) extension-review workflow impersonation. The login link points at a typosquat host that captures the publisher's developer-console credentials. Once the attacker has those credentials, they can push a SIGNED malicious update to every installed user of every extension the publisher controls. Browser extensions have elevated permissions (read/modify all browsing activity, access cookies, inject scripts into any page), so the downstream impact is severe — one compromise reaches the entire install base automatically via the extension auto-update mechanism. The canonical 2024 precedent is the Cyberhaven compromise on December 26: attackers phished a Chrome Web Store developer at Cyberhaven with a "your extension violates policy" email, harvested the developer's Google credentials, and within hours pushed a malicious update to the legitimate Cyberhaven extension that was installed on hundreds of thousands of corporate browsers. The malicious update harvested Facebook Business manager credentials from every install. OrcaSecurity later identified at least 35 other Chrome extensions compromised in the same campaign wave. Legitimate extension-store emails link exclusively to the store's own domain: `chromewebstore.google.com`, `chrome-developers.google.com`, `addons.mozilla.org`, `microsoftedge.microsoft.com`, `addons.opera.com`. Warning signs: any developer-security email whose sign-in link is hosted elsewhere. 
If you publish browser extensions: enable hardware-backed 2FA (FIDO2 security key) on every store developer account, never re-authenticate via an email link, and always go directly to the developer console via a bookmarked URL.
Phishing emails that target maintainers of popular packages on npm, PyPI, RubyGems, crates.io, Packagist, NuGet, CocoaPods, Maven Central, hex.pm, and goproxy. The narrative hooks into plausible registry-security patterns: "mandatory 2FA re-verification required for publishers," "mandatory publish-token rotation under the new supply-chain protection policy," "unusual publish activity detected on your maintainer account — verify ownership," "your publisher credentials are expiring — re-authenticate." The credential-harvesting link points at a typosquat host (e.g. npm-publisher-verify.example, pypi-token-rotate.example) that captures the maintainer's publish credentials. Once the attacker has those credentials, they publish malicious versions of every package the maintainer controls — and because package-manager semver-caret installs automatically pull in minor / patch updates, downstream users pick up the malicious code on their next `npm install` or `pip install -U` without any explicit action. Blast radius is the distinguishing feature: one compromised maintainer = infection reaching the entire downstream install base within hours. The eslint-config-prettier maintainer phish in July 2024 published a malicious v8.12.0 that hit thousands of CI pipelines before detection. The chalk / debug / rc wave in March 2025 repeated the playbook. Earlier major examples include xmldom (2022), node-ipc (2022), ctx (2022), and the colors.js / faker.js self-sabotage incidents. Legitimate package-registry emails come exclusively from the registry's own domain (`npmjs.com`, `pypi.org`, `rubygems.org`, etc.); any publisher-security email whose sign-in link is hosted elsewhere is, by construction, a phish. If you maintain packages: enable hardware-backed 2FA (FIDO2 security key) on every registry account, use scoped CI tokens rather than your personal publish token, and go directly to the registry's account-security page via a bookmarked URL — never click the link in the email. 
The real npm / PyPI team will not email you with an urgent publisher verification link.
Post-quantum-cryptography certificate-migration phishing that targets IT administrators responsible for managing public SSL/TLS certificates during the 2025-2027 PQC transition window. NIST finalized the first PQC standards in August 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA) and the NSA's CNSA 2.0 policy mandates adoption by 2027 for US national security systems. The major public Certificate Authorities — Let's Encrypt, DigiCert, Sectigo, Entrust, GlobalSign, GoDaddy SSL, GeoTrust, Thawte, RapidSSL, ZeroSSL, IdenTrust, Comodo, Cloudflare Origin CA — are all mid-rollout of PQC + hybrid-certificate support, which means admins are in the "we need to do something about PQC but aren't sure what" window. Attackers exploit that unfamiliarity with a migration narrative: "Your Let's Encrypt certificate must be migrated to post-quantum cryptography." "DigiCert CNSA 2.0 compliance deadline approaching." "Re-verify your Sectigo certificate with ML-DSA signatures." "Your certificate has been flagged for hybrid-certificate renewal." "PQC migration required before revocation." The credential-harvesting link points at a typosquat host (letsencrypt-pqc-portal.example, digicert-cnsa2-reverify.example, sectigo-hybrid-renewal.example) that captures the CA admin credentials. Compromised CA admin access is catastrophic: the attacker can issue fraudulent certificates for any domain the account manages, enabling full man-in-the-middle attacks on web traffic, email, VPN, and any TLS-protected service. Low-volume but extremely high-impact — each successful compromise cascades into breach events across every domain the compromised account controls. Evidence: NIST FIPS 203/204/205 + NSA CNSA 2.0 timeline documents; Cloudflare, DigiCert, Sectigo, Let's Encrypt, Entrust official PQC roadmap posts (2025-2026); Bleeping Computer and The Register coverage of early PQC phishing waves targeting government contractors. 
Legitimate CA communications link exclusively to the real CA's own domain. Warning signs: any PQC-migration email whose sign-in link is hosted anywhere other than the real CA's domain. Go directly to the CA's admin portal via a bookmarked URL, or check the CA's PQC migration status page (letsencrypt.org/docs, digicert.com/pqc, sectigo.com/pqc-quantum-cryptography) — never click the link in the email.
Post-deadline US tax-return phishing that hits peak volume in the 2-6 week window after the April 15 filing deadline. The pre-deadline "your refund is on hold" wave is covered by a separate signal; THIS signal targets the distinct POST-processing narrative shapes that only make sense after your return has been submitted: "Your e-file was rejected — correct and resubmit within 48 hours." "Amended return (Form 1040-X) required." "Your return is under additional review." "Additional documentation required to process your return." "Your extension request was denied." "Your refund has been delayed pending verification." The brand mask covers both the IRS itself and the major e-file / tax-prep platforms (TurboTax, H&R Block, TaxAct, FreeTaxUSA, TaxSlayer, Cash App Taxes, Jackson Hewitt, Liberty Tax) because the legitimate e-file acceptance + rejection flow goes through those platforms — making any of them plausible masks. The credential-harvesting link points at a typosquat host (e.g. irs-efile-resubmit.example, turbotax-amend-1040x.example) that captures SSN, prior-year AGI, name and date of birth, bank account details, or uploaded tax documents. These details feed downstream refund-fraud schemes where the attacker files a fraudulent amended return redirecting your refund to their own bank account. The IRS publishes the Dirty Dozen list annually in April with the current year's top tax-phishing patterns; Proofpoint, Abnormal Security, TIGTA, and the FTC all track post-deadline phishing as a reliably-high-volume seasonal wave. The real IRS NEVER demands SSN, banking information, or immediate payment by email. Real IRS emails come exclusively from `irs.gov` domains. Real TurboTax emails come from `turbotax.intuit.com`. Real H&R Block from `hrblock.com`. Warning signs: any post-deadline "your return needs attention" email whose sign-in / upload link is hosted anywhere other than the real IRS or tax-prep domain. 
Go directly to `irs.gov/refunds` or your tax-prep provider's account portal via a bookmarked URL — never click the link in the email.
Phishing emails that exploit the 2026 mass-migration to passkeys. Google made passkeys the default for consumer accounts in January 2026; Microsoft rolled out passwordless-by-default to enterprise tenants throughout 2026; Apple made iCloud and Apple ID passkey-first with iOS 18.4+. Hundreds of millions of users are unfamiliar with the enrollment flow at exactly the moment they're being prompted to set up their first passkey — that unfamiliarity is the phishing opportunity. The attacker impersonates Google / Gmail / Microsoft 365 / Apple ID / Yahoo / Okta / Duo / 1Password / Authy with a passkey-enrollment narrative like "Your Google Account is being migrated to passkeys, confirm this device now," "Microsoft 365 passkey enrollment required," "Apple ID: confirm this device for passkey setup," or "Your sign-in method has changed — set up your passkey." The login link points at a typosquat host that either (a) harvests your current password in a fake "confirm your existing password before we move you to passkeys" step, or (b) initiates a WebAuthn ceremony that enrolls an attacker-controlled device credential as your new passkey — either way the attacker ends up with full account access. This is a distinct attack from passkey downgrade lures (which target users who already have a passkey); the enrollment variant targets the far larger pool of users who haven't set one up yet. Legitimate passkey-enrollment emails from Google, Microsoft, or Apple link exclusively to their own domains: `accounts.google.com`, `myaccount.google.com`, `login.microsoftonline.com`, `appleid.apple.com`, `icloud.com`. Warning signs: any passkey-enrollment email whose sign-in link is hosted anywhere other than the identity provider's real domain. If in doubt, go directly to your account-security page via a bookmarked URL and initiate passkey setup from there — never click the link in the email.
German-language phishing emails that impersonate the Deutsche Rentenversicherung (DRV) — Germany's federal pension insurance, covering roughly 57 million active contributors and retirees. The attack surface includes the umbrella DRV-Bund and all 14 regional bodies (Nord, Mitteldeutschland, Rheinland, Baden-Württemberg, Bayern Süd, Bayern Nord, Braunschweig-Hannover, Berlin-Brandenburg, Westfalen, Schwaben, Saarland, Hessen, Oldenburg-Bremen, Rheinland-Pfalz). The email pairs a DRV brand mention with a pension-specific panic hook — "Rentenbescheid liegt bereit," "Rentenanpassung zum 01.07," "drohende Rentenkürzung," "Rentenauszahlung ist gefährdet," "Überprüfung Ihres Rentenkontos," "Sozialversicherungsnummer bestätigen," "drohender Zahlungsstopp" — plus a login link pointing at a typosquat host that harvests your DRV-Portal credentials or your Sozialversicherungsnummer directly. Primary victims are retirees receiving monthly pension payments, who — due to age demographics and the emotional weight of pension security — click panic narratives at significantly higher rates than younger cohorts, making this attack uniquely profitable for the fraudsters. The Deutsche Rentenversicherung Bund maintains an ongoing public "Phishing-Warnungen" page cataloguing known campaigns; the BSI (Bundesamt für Sicherheit in der Informationstechnik) issued CS-Warnungen throughout 2026; Heise, Spiegel, and Süddeutsche Zeitung covered a widespread February 2026 wave targeting pensioners; Verbraucherzentrale and Stiftung Warentest publish senior-fraud advisories that specifically call out DRV impersonation. Legitimate DRV communications come exclusively from `deutsche-rentenversicherung.de`, `rentenversicherung.de`, or `drv-bund.de` — any other host is, by construction, a phish. Go directly to the real DRV portal via your bookmarked URL, or phone the DRV service hotline on 0800 1000 4800 if you're unsure. 
Never enter your Sozialversicherungsnummer or bank details in response to an email; the real DRV will never ask for them via email.
Phishing emails that target hotel, B&B, and vacation-rental staff — the partner-side accounts behind every listing on Booking.com, Agoda, Expedia, Hotels.com, Airbnb, VRBO, Trivago, or HRS. The email impersonates the partner Extranet (Booking.com), Partner Central (Expedia), Partner Hub, property-manager portal, or host dashboard and pushes a hospitality-industry-specific urgency hook: "pending guest message awaiting your reply," "unread guest message," "rate parity violation," "reservation dispute," "listing suspension," or "verify your property." The login link points at a typosquat host that harvests your Extranet credentials. The real danger is the force-multiplier downstream: once the attacker has your Extranet access, they log in as your hotel and use the REAL Booking.com messaging integration to send fake "your card was declined, please update your payment method" instructions to your future guests. Your guests receive the scam email from the genuine Booking.com infrastructure, with their real reservation details attached, and click without hesitation. Sekoia (July 2024), Secureworks, Akamai (October 2024), Google Threat Intelligence (April 2024), Trustwave, and Proofpoint have all tracked this campaign — Sekoia named it "Vampire Bat" and Google named it "Smart Bat." Reuters covered the industry-wide impact in 2024: hundreds of hotels compromised, thousands of downstream guest-fraud incidents. Real Booking.com partner communications link exclusively to `admin.booking.com` / `partner.booking.com` / `booking-partner.com`; real Expedia partner emails link to `expediapartnercentral.com`; real Agoda partner emails link to `ycs.agoda.com`. Warning signs: any partner-facing email pressuring immediate Extranet login where the sign-in link is hosted on anything other than the aggregator's real partner-subdomain. Go directly to your bookmarked Extranet URL; never click the link in the email. 
If you're unsure whether a guest-dispute notice is real, log in to the real Extranet and check for the dispute there.
Portuguese-language phishing emails that weaponize Brazil's two dominant payment rails — PIX (the central-bank-run real-time instant-payment system processing billions of transactions monthly) and boleto (the traditional Brazilian bank payment slip with a 47-digit "linha digitável" barcode). The signal fires on three fraud variants, all paired with a Brazilian banking or utility brand (Banco do Brasil, Caixa, Itaú, Bradesco, Nubank, Santander Brasil, Inter, PicPay, Mercado Pago, Stone, PagSeguro, C6 Bank, Sicredi, Sicoob, Neon, or the utility brands Enel / CPFL / Sabesp / Comgás / Correios). Variant 1: a fake PIX "Copia e Cola" EMV QR-code payload (a long copy-paste string starting with `00020126` and containing `BR.GOV.BCB.PIX`) the victim pastes into their bank app — the app shows the attacker's name/CPF and routes the transfer directly to them. Variant 2: a fake boleto 47-digit linha digitável printed alongside phrases like "segue o boleto," "boleto em anexo," "pague o boleto," "boleto vencendo hoje," "vencimento hoje" — the victim pays the boleto in their bank app and funds go to the attacker. Variant 3: a "PIX errado / enviei por engano / favor devolver" narrative — the scammer claims they sent a PIX transfer in error and pressures the victim to return it via a phishing link. Evidence: Kaspersky BR boleto-fraud report, Exame and Estado de Minas coverage (Jan 2026), Banco Pan and IronVest 2026 Brazil-banking-fraud reports, BankInfoSecurity's "Hackers Grab $130M Using Brazil's Real-Time Payment System," and Febraban Cert.br advisories. Distinct from the Casbaneiro / Horabot LATAM banking-trojan lure because PIX-boleto attacks the payment rails directly via copy-paste codes — there is no malware payload, and the fraud succeeds the moment the victim pastes the code into their bank app. 
Warning signs: any Portuguese-language email containing a PIX Copia e Cola code, a 47-digit boleto barcode, or a "PIX errado" refund request from a sender you have never corresponded with. Legitimate PIX and boleto notifications from your bank arrive inside existing customer email threads and carry a DKIM signature from the bank's own domain — they never ask you to paste a payment code or return funds to an unverified counterparty.
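Both payment codes described above can be decoded before anyone pastes them into a bank app. The following is an added example, not code from this page or its scoring engine: it parses a PIX Copia e Cola string as EMV TLV, surfaces the beneficiary and verifies the trailing CRC, and checks the three field check digits of a 47-digit linha digitável. The sample key, names and amounts are constructed, the tag numbers and mod-10 rule follow the publicly documented BR Code and boleto layouts, and field lengths are assumed to count ASCII characters.

```python
import re

PIX_GUI = "BR.GOV.BCB.PIX"
PIX_RE = re.compile(r"00020126.{20,}?6304[0-9A-Fa-f]{4}")
BOLETO_RE = re.compile(
    r"(?<!\d)\d{5}[.\s]?\d{5}\s?\d{5}[.\s]?\d{6}\s?\d{5}[.\s]?\d{6}\s?\d\s?\d{14}(?!\d)")


def crc16_ccitt(data: str) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the checksum EMV QR payloads carry."""
    crc = 0xFFFF
    for byte in data.encode("utf-8"):
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_tlv(s: str) -> dict:
    """Split an EMV string into {id: value}; each field is 2-digit id, 2-digit length, value."""
    out, i = {}, 0
    while i < len(s):
        tag, length = s[i:i + 2], s[i + 2:i + 4]
        if not (tag.isdigit() and length.isdigit()):
            raise ValueError(f"malformed TLV header at offset {i}")
        end = i + 4 + int(length)
        if end > len(s):
            raise ValueError(f"field {tag} overruns the payload")
        out[tag] = s[i + 4:end]
        i = end
    return out


def inspect_pix(payload: str) -> dict:
    """Report who a Copia e Cola code pays and whether its CRC (field 63) is intact."""
    fields = parse_tlv(payload)
    acct = parse_tlv(fields.get("26", ""))           # merchant account information
    body, crc_hex = payload[:-4], payload[-4:]       # CRC covers everything up to "6304"
    return {
        "is_pix": acct.get("00", "").upper() == PIX_GUI,
        "pix_key": acct.get("01") or acct.get("25"),  # static key or dynamic location
        "beneficiary": fields.get("59"),
        "city": fields.get("60"),
        "amount": fields.get("54"),
        "crc_ok": "63" in fields and f"{crc16_ccitt(body):04X}" == crc_hex.upper(),
    }


def mod10(digits: str) -> int:
    """Boleto field check digit: weights 2,1,2,... from the right, digit-sum of each product."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        prod = int(ch) * (2 if pos % 2 == 0 else 1)
        total += prod // 10 + prod % 10
    return (10 - total % 10) % 10


def check_boleto(line: str) -> dict:
    """Validate fields 1-3 of a 47-digit linha digitável (the general mod-11 digit is not checked)."""
    d = re.sub(r"\D", "", line)
    if len(d) != 47:
        raise ValueError("expected 47 digits")
    fields = (d[0:10], d[10:21], d[21:32])
    return {
        "bank_code": d[0:3],
        "fields_ok": all(mod10(f[:-1]) == int(f[-1]) for f in fields),
        "amount": int(d[37:47]) / 100,                # last 10 digits are centavos
    }


def scan_email(text: str) -> list:
    """Return (kind, details) for every PIX payload or boleto line found in a message body."""
    findings = []
    for m in PIX_RE.finditer(text):
        try:
            findings.append(("pix", inspect_pix(m.group(0))))
        except ValueError:
            findings.append(("pix", {"is_pix": False, "malformed": True}))
    for m in BOLETO_RE.finditer(text):
        findings.append(("boleto", check_boleto(m.group(0))))
    return findings


# --- constructed sample data (not taken from any real message) ---
def _tlv(tag: str, value: str) -> str:
    return f"{tag}{len(value):02d}{value}"


def build_sample_pix(amount: str = "150.00") -> str:
    acct = _tlv("00", PIX_GUI) + _tlv("01", "sample-key@example.invalid")
    body = (_tlv("00", "01") + _tlv("26", acct) + _tlv("52", "0000") + _tlv("53", "986")
            + _tlv("54", amount) + _tlv("58", "BR") + _tlv("59", "FULANO DE TAL")
            + _tlv("60", "SAO PAULO") + _tlv("62", _tlv("05", "***")) + "6304")
    return body + f"{crc16_ccitt(body):04X}"


def build_sample_boleto() -> str:
    f1, f2, f3 = "001900000", "0123456789", "0123456789"
    d = (f1 + str(mod10(f1)) + f2 + str(mod10(f2)) + f3 + str(mod10(f3))
         + "1" + "1234" + "0000015000")
    return f"{d[:5]}.{d[5:10]} {d[10:15]}.{d[15:21]} {d[21:26]}.{d[26:32]} {d[32]} {d[33:]}"


SAMPLE_PIX = build_sample_pix()
SAMPLE_BOLETO = build_sample_boleto()
SAMPLE_EMAIL = ("Segue o boleto e o PIX Copia e Cola:\n" + SAMPLE_PIX
                + "\nLinha digitável: " + SAMPLE_BOLETO + "\n")
```

A valid CRC or check digit only shows the code is well formed; the decoded beneficiary name and key are what should be compared with the party the email claims to be.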
Japanese-language phishing emails claiming a delivery attempt failed — impersonating Yamato Transport (ヤマト運輸 / クロネコヤマト / 黒猫), Sagawa Express (佐川急便), Japan Post (日本郵便 / ゆうパック), or Amazon.co.jp delivery. The body uses characteristic Japanese phrasing like 「お荷物をお届けできませんでした」, 「ご不在のためお持ち帰り」, 「再配達のご依頼」, 「配達できませんでした」 and pushes a link to a fake redelivery-scheduling form that harvests login credentials and payment details. This is the single highest-volume Japanese phishing pattern: the CoGUI phishing-kit operation, documented by Proofpoint and BleepingComputer, sent 580 million+ of these emails in early 2025. DarkReading, The Record, and Yamato Holdings have all issued advisories. Yamato + Sagawa + Japan Post dominate the Japanese last-mile market the way FedEx / UPS / USPS do in the US, so these three brands are the overwhelming majority of observed impersonations. Warning signs: any Japanese-language email claiming a delivery failure from a domain that is NOT the real `yamato-hd.co.jp` / `sagawa-exp.co.jp` / `post.japanpost.jp` / `amazon.co.jp`; any 「再配達」 link that does not point at the real carrier's site. If you're expecting a package, go directly to the carrier's official app or website — never click the link in the email.
Sophisticated AiTM (adversary-in-the-middle) phishing campaign that Microsoft named Storm-2755 in April 2026. An email lands in your inbox asking you to sign in to Microsoft 365 or Workday to "update direct deposit," "confirm bank account," or "re-enroll in payroll." The link points at a SEO-poisoned landing page that looks exactly like the real Microsoft 365 or Workday sign-in screen but is hosted on a non-Microsoft / non-Workday domain. The landing page proxies your credentials AND your 2FA code through to the real Microsoft 365 / Workday login, capturing your session cookie in the process. The attacker then signs in to the real Workday as you and changes your direct-deposit bank account to an attacker-controlled account, redirecting your next paycheck. Microsoft published forensics on April 9 2026 (Canadian employees) and October 9 2025 (U.S. universities, Storm-2657 variant). Help Net Security, Okta Threat Intelligence, and GBHackers covered follow-on campaigns. Warning signs: any email instructing you to sign in to Microsoft 365 or Workday to update banking information where the sign-in link is hosted anywhere other than `login.microsoftonline.com` or `<your-company>.workday.com`. Go directly to Workday via a bookmarked URL or internal SSO instead — never click the link in the email.
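The hotel-partner, Japanese delivery and payroll entries above share one warning sign: a sign-in link whose host is not the brand's real domain. The following is an added example, not this page's scoring engine, that extracts links from an HTML body and compares each host with the domains the page lists. `examplecorp.workday.com` stands in for `<your-company>.workday.com`, and the brand tokens, sample emails and `.example` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TENANT_WORKDAY = "examplecorp.workday.com"  # assumption: replace with your own tenant host

# brand -> (tokens showing the email claims the brand, real link hosts as listed on the page)
BRANDS = {
    "Booking.com partner": (("booking",), ("admin.booking.com", "partner.booking.com",
                                           "booking-partner.com")),
    "Expedia partner": (("expedia",), ("expediapartnercentral.com",)),
    "Agoda partner": (("agoda",), ("ycs.agoda.com",)),
    "Yamato": (("yamato", "ヤマト"), ("yamato-hd.co.jp",)),
    "Sagawa": (("sagawa", "佐川"), ("sagawa-exp.co.jp",)),
    "Japan Post": (("japanpost", "日本郵便"), ("post.japanpost.jp",)),
    "Microsoft 365": (("microsoft",), ("login.microsoftonline.com",)),
    "Workday": (("workday",), (TENANT_WORKDAY,)),
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url: str) -> str:
    """Lower-cased, IDNA-encoded hostname without trailing dot; '' if none can be parsed."""
    try:
        host = urlsplit(url.strip()).hostname or ""
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except ValueError:  # also covers UnicodeError from the idna codec
        return ""


def on_real_host(host: str, real_hosts) -> bool:
    """True only for an exact match or a true subdomain, never a mere substring."""
    return any(host == r or host.endswith("." + r) for r in real_hosts)


def check_email(html: str) -> list:
    """Return (host, reason) for links that leave the real domains of the brands claimed."""
    collector = LinkCollector()
    collector.feed(html)
    body = html.lower()
    claimed = [b for b, (tokens, _) in BRANDS.items() if any(t in body for t in tokens)]
    real = [h for b in claimed for h in BRANDS[b][1]]
    findings = []
    for href, label in collector.links if claimed else []:
        host = link_host(href)
        if not host or on_real_host(host, real):
            continue
        shown = link_host(label if "://" in label else "//" + label)
        if on_real_host(shown, real):
            reason = "text_href_mismatch"   # visible text shows the real host, href goes elsewhere
        elif any(t in host for b in claimed for t in BRANDS[b][0]):
            reason = "lookalike_host"       # brand name embedded in an unrelated domain
        else:
            reason = "off_domain"
        findings.append((host, reason))
    return findings


# --- constructed sample messages ---
SAMPLE_HOTEL = ('<p>Booking.com Extranet: pending guest message awaiting your reply.</p>'
                '<a href="https://admin.booking.com.extranet-login.example/sign-in">Reply now</a> '
                '<a href="https://partner.booking.com/help">Help</a>')
SAMPLE_PAYROLL = ('<p>Sign in to Workday to update direct deposit.</p>'
                  '<a href="https://sso-portal.example/wd">https://login.microsoftonline.com/</a>')
SAMPLE_DELIVERY = ('<p>ヤマト運輸: お荷物をお届けできませんでした</p>'
                   '<a href="https://yamato-hd.co.jp.redelivery.example/">再配達のご依頼</a>')
SAMPLE_LEGIT = ('<p>Workday reminder</p>'
                '<a href="https://examplecorp.workday.com/home">Open Workday</a>')
```

A real deployment would resolve redirects and URL shorteners before this comparison, since the check only sees the host written in the message.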
Phishing emails in Spanish or Brazilian Portuguese claiming a court summons, judicial notification, or tax-debt summons — "citación judicial," "notificación judicial," "intimação judicial," "mandado," "auto de infração," or "multa de trânsito" — with a password-protected PDF or ZIP attachment. The password is revealed inline in the body ("contraseña: ...," "senha: ...," "clave de acceso: ..."). The password-protected archive bypasses most mail-filter content scanners; when you open it, it drops Casbaneiro (aka Metamorfo) or Horabot banking trojans that overlay fake login screens on Brazilian and Latin American bank sites (Santander, Banco do Brasil, Caixa, Sicredi, Bradesco, Itaú, BBVA, Banamex, Mercado Pago, Scotiabank) and harvest credentials and second-factor codes. The Hacker News, SC Media, Cybereason, and DarkReading all covered the April 2026 campaign; Trend Micro flagged the Water Saci / Augmented Marauder actor cluster in October 2025; a December 2025 variant spread via WhatsApp worm + RelayNFC NFC-relay fraud. Legitimate attorneys in Spain or Brazil thread legal correspondence across existing email conversations and typically do not send unsolicited password-protected PDFs with the password in the same email. Warning signs: Spanish/Portuguese court/tax-summons phrasing + a password-protected PDF/ZIP + the password in the body + sender you've never corresponded with before. Never open the attachment — report and delete.
Phishing emails that impersonate a patient portal or telehealth brand — MyChart (Epic), FollowMyHealth, athenaPatient, NextGen, Cerner HealtheLife, Epic Open Scheduling, Teladoc, MDLive, Amwell, or Doxy.me — and claim you have a new secure message, your test results are available, your prescription refill decision is ready, or your after-visit summary is waiting. The email pushes a "log in to view" link pointing at a lookalike page that harvests your portal credentials. The healthcare context creates emotional urgency (is it a message from my doctor? is a result bad?), so users click faster than they would for most brands. HIPAA Journal reported 9.65 million protected-health-information records exposed in January and February 2026 alone; Scamicide documented a personalized MyChart phish with the target's first name in April 2025; HHS OCR settled PIH Health for $600,000 in December 2024 over a phishing-enabled breach. KnowBe4's 2025 reporting flagged healthcare as a priority phishing vertical because of the high resale value of PHI records on dark markets. Warning signs: any patient-portal-branded email that couples a secure-message / test-results / refill hook with a "log in to view" link to a domain that isn't your real provider's portal subdomain. Check the URL before entering credentials — your real MyChart lives at `mychart.<yourprovider>.org`, not at `mychart-login.example`.
Phishing emails that impersonate the billing or admin team of a productivity SaaS — Slack, Zoom, Jira, Linear, Figma, Notion, Asana, Monday.com, ClickUp, Miro, Airtable, or Loom — and claim that your workspace will be deactivated, downgraded, locked, or suspended within hours unless you download the "latest installer" or re-authenticate as the workspace admin. The installer is the drop: Malwarebytes disclosed a Teramind backdoor hidden inside a fake Zoom client update in February 2026, and Security Boulevard disclosed the `slacks[.]pro` campaign delivering a Remote Access Trojan as a "Slack desktop update" in April 2026. Push Security, Okta, Sublime, and Cyberpress have all tracked the pattern through 2025-2026 as a growing initial-access vector. Real SaaS billing emails never ask you to download an installer — they link to the vendor's own account portal over HTTPS with a DKIM-verified sender from the vendor's real domain (slack.com, zoom.us, linear.app, figma.com, notion.so). Warning signs: "your workspace will be deactivated in 24 hours," "admin action required," "critical billing update," "download the latest installer," "mandatory client update," all from a sender that isn't the real vendor domain.
Phishing emails claiming you're eligible for a token airdrop — Backpack BACK, Pyth, Jito, Wormhole, LayerZero ZRO, Monad MON, Arbitrum, Optimism, zkSync, Starknet, or any other recognizable crypto project — with a short claim window and a button labeled "connect your wallet" or "sign in with MetaMask." The claim page is a crypto drainer: as soon as you connect and sign any approval or token-permit message, the attacker drains the wallet. The FBI issued IC3 public service announcements on this pattern in June 2025 (Hedera NFT airdrop campaign) and March 2026 (fake "FBI Token" TRC-20 on Tron); MEXC, Cointelegraph, Check Point Research, and Coinmonks all tracked waves through 2025-2026. Estimated 2025 crypto fraud losses totaled around $17 billion. The giveaway is the combination: claim-framing ("claim your airdrop") + a wallet-connect button in the email + either a recognizable project brand or a countdown-style urgency window. Legitimate airdrops are announced via verified project newsletters and on-chain criteria, never via a wallet-connect link embedded in an email. Warning signs: "final X hours to claim," "you're eligible," "retroactive rewards," "token generation event" + "connect your wallet." If you ever click one of these and connect a wallet, immediately revoke approvals via revoke.cash.
Phishing emails falsely claiming you've won a prize, cash award, sweepstakes jackpot, lottery, or gift card — directing you to click a link to claim winnings, pay a release fee, or verify your identity before the prize expires. The FTC received 148,000+ prize scam reports in 2023 with $301M in losses. The 'processing fee' variant is most common: victims are told their prize is held until a release fee, tax, or customs charge is paid — then scammers escalate fees repeatedly. Gift cards are the top demanded payment (Google Play, iTunes, Amazon) because they're irreversible and untraceable. Legitimate sweepstakes never require payment to collect — any prize requiring a fee is definitionally a scam. Warning signs: unsolicited winner notification, fee required to release prize, gift card or wire transfer demanded, urgency about expiry.
Fraudulent emails impersonating a grandchild, nephew, niece, or authority figure claiming a family member has been arrested abroad, is hospitalized, stranded overseas, or in a legal emergency — urgently requesting wire transfers, gift cards, bitcoin, or Western Union for bail, medical bills, or legal fees. The FBI reported $952M lost to grandparent/impostor scams in 2023; victims skew 60+ because grandparental love overrides skepticism. Modern variants use AI voice cloning for a preliminary call then follow up with 'bail instructions' by email. The 'don't tell your parents — keep this secret' instruction prevents victims from verifying the emergency with family who could debunk it instantly. Warning signs: unsolicited emergency about a grandchild, gift cards/wire transfer for bail, instruction for secrecy.
Phishing emails impersonating CMS, Medicare, or Medicaid — claiming your Medicare card has expired, your Medicaid benefit is suspended, or your Part B coverage will be terminated — directing you to verify your Medicare Beneficiary Number, SSN, date of birth, or bank account via link to renew coverage or receive a replacement card. 65M+ Americans have Medicare; the population is specifically targeted because losing healthcare coverage is among the most alarming scenarios for seniors. Medicare Advantage open enrollment periods trigger scam waves exploiting fake 'coverage lapsing' urgency. CMS never contacts beneficiaries by email about card renewal or benefit suspension — all official communications arrive by physical mail. Warning signs: unsolicited email about card expiry or benefit suspension, MBI or SSN requested via link, non-.gov domain.
Phishing emails impersonating the IRS or Treasury Department — claiming you have an approved stimulus check, unclaimed government relief fund, CARES Act economic impact payment, or taxpayer relief check ready to collect — directing you to click a link, provide your SSN, bank account, or routing number to deposit the funds before they expire. The IRS distributed $800B+ in Economic Impact Payments during 2020–2021; 'unclaimed payment waiting' narratives are highly credible to anyone who thinks they may have been missed. Stimulus scam losses exceeded $400M in 2020–2021 (FTC). The IRS never initiates contact about stimulus or refunds via email — all official payment notifications arrive by physical mail, and no portal requires SSN submission via email link. Warning signs: approved stimulus or relief payment by email, bank details requested, urgency about expiry, non-.gov domain.
Phishing emails impersonating state child support enforcement agencies or Title IV-D divisions — claiming you have past-due child support arrears, a pending license suspension, wage garnishment order, contempt proceedings, or bank levy — directing you to pay via link or provide bank details, SSN, or case number to avoid enforcement. State agencies collect $33B+ annually with real powers: license suspension, passport denial, wage garnishment, bank levies — public knowledge of these consequences creates extreme urgency. License suspension threats are especially effective against self-employed workers who drive. All enforcement actions require certified physical mail, never email links. Warning signs: arrears or enforcement notice by email, bank details requested, non-state-government domain.
Phishing emails impersonating HOA management companies or condo boards — claiming you have unpaid dues, overdue assessments, or delinquent fines, and that a property lien has been filed or foreclosure initiated — directing you to pay via link, provide credit card or bank routing to clear the balance and remove the lien. There are 360,000+ HOAs in the US covering 74M people; HOA billing often comes from third-party management companies making fake notices plausible. HOA liens are legally real — in most states, an HOA can foreclose over unpaid dues, creating maximum urgency. Legitimate liens require formal county recorder filings; an HOA cannot create a lien via email. Warning signs: lien or legal action notice with external payment link, bank/card details requested by email from unknown management company.
Phishing emails impersonating FINRA, the SEC, or CFTC — claiming you've been identified as an investment fraud victim eligible for a recovery award, settlement distribution, or restitution payment — directing you to verify your SSN, brokerage account, or bank routing number to receive compensation. Over $870M in investment fraud losses were reported in 2023; victims then get targeted by recovery scammers who buy victim lists from data breaches and public court filings. The SEC's real Fair Fund program makes fake settlement notifications credible. Recovery scammers use a double-victimization model — the upfront fee steals again, then account details enable direct bank fraud. Legitimate FINRA/SEC fund distributions never require credentials via email. Warning signs: unsolicited recovery eligibility notice, SSN or routing requested to claim compensation, non-gov domain.
Phishing emails impersonating USDA or state benefit agencies — claiming your EBT card was skimmed, SNAP food benefits stolen, or a replacement is ready — directing you to provide your EBT card number, PIN, case number, or SSN to restore stolen benefits. Over $1 billion in SNAP benefits were stolen via card skimming in 2022–2024; Congress authorized replacement payments and USDA sent notifications, creating the exact template scammers now spoof. EBT card + PIN enables immediate complete account drainage — EBT systems often lack real-time fraud alerts. This attack targets low-income families, seniors, and disabled individuals with no financial safety net. USDA FNS never contacts recipients by email about benefit theft — all notices arrive by physical mail. Warning signs: unsolicited email about skimmed EBT, card number or PIN requested via link, benefit replacement requiring SSN.
Phishing emails impersonating the SSA, SSDI, or SSI programs — claiming you've been approved for disability benefits, a special hardship distribution, or supplemental income — directing you to verify your SSN, date of birth, bank account, or Medicare number to activate payments. The SSA processes 2.7M new disability applications per year; applicants waiting years for a determination respond immediately to approval notifications. SSDI phishing harvests the most dangerous PII combination: SSN + DOB + bank routing — enabling identity theft, account takeover, and benefit fraud. The SSA communicates only by physical mail and never emails approval notices or requests SSN via links. Warning signs: unsolicited disability approval by email, SSN or DOB to 'activate' payments, bank routing requested for benefit deposits.
Phishing emails impersonating Alibaba, AliExpress, or Trade Assurance — claiming your supplier account has been suspended, a Trade Assurance payment held pending compliance review, or an order payment failed — directing you to verify identity, provide bank account or routing details, submit EIN or tax information, or confirm business registration. Alibaba has 290,000+ active suppliers with $3.5T+ in annual transactions; payment holds and account suspensions mean immediate multi-thousand-dollar daily losses. 'Trade Assurance payment held' lures are highly effective because Trade Assurance genuinely holds funds in escrow. All Alibaba account management and payment resolution occurs at seller.alibaba.com only. Warning signs: non-alibaba.com domain, Trade Assurance hold or account suspension with external link, bank or tax details requested by email.
Phishing emails impersonating Amazon Seller Central or Amazon FBA — claiming your seller account has been suspended, flagged, or disbursements withheld — directing you to verify identity, provide bank routing, submit tax ID, or confirm business information. Amazon has 9.7M+ registered sellers; for active sellers losing hundreds/day to suspension, urgency is extreme. 'Disbursements withheld' lures exploit Amazon's real payment-hold mechanism for accounts under review. Amazon does require W-9 from sellers for tax reporting, making tax ID requests plausible. All Seller Central account actions occur at sellercentral.amazon.com only. Warning signs: non-amazon.com domain, suspension or disbursement hold with external link, bank routing or tax ID requested by email.
Phishing emails impersonating Fidelity, Vanguard, or Schwab — claiming you're eligible for a penalty-free early withdrawal, hardship distribution, or COVID hardship relief from your 401k, IRA, or pension — directing you to provide SSN, date of birth, bank account details, or plan number to receive the funds. The CARES Act (2020) created a real COVID 401k withdrawal provision that scammers permanently added to their toolkit. Retirement account victims face compounded harm: identity theft AND potential direct account drain. Fake RMD lures target seniors 73+ who already take required distributions. Legitimate providers never initiate withdrawal opportunities via email. Warning signs: unsolicited early withdrawal offer, SSN or date of birth to 'claim' funds, bank routing requested by email.
Phishing emails impersonating Google Workspace, Google Admin, or GSuite — claiming your workspace account has been suspended, domain restricted, or billing failed — directing you to verify admin credentials, update payment method, or confirm organization information. Google Workspace admin credentials are among the highest-value targets in business phishing: a compromised admin account controls all org email, Google Drive documents, and Google Cloud services. BEC attacks frequently begin with Workspace admin phishing. Billing failure lures are effective because service interruption for an entire org creates immediate urgency. Warning signs: non-google.com domain, admin suspension or billing urgency with external link, admin credentials or payment method requested by email.
Phishing emails impersonating Zoom, Webex, or Microsoft Teams — claiming your account has been suspended, license expired, or directing you to a fake meeting invitation requiring credential login. Zoom grew from 10M to 350M+ daily participants 2020–2024, creating a massive new phishing target. Workers conditioned to click meeting invitations automatically are prime targets. Corporate credentials harvested through fake Zoom pages enable BEC: inbox access, forward rules, impersonation to request wire transfers. 'Unknown meeting' invitations are plausible (sales calls, investor meetings, interviews). Warning signs: non-zoom.us/webex.com/microsoft.com domain, account suspension urgency with external link, meeting invite requiring external credential entry.
Phishing emails impersonating Uber, Lyft, Uber Eats, or DoorDash — claiming your driver account has been deactivated, suspended, or flagged, or your earnings withheld — directing you to verify identity, provide driver's license and vehicle documents, or confirm bank account details. For full-time drivers earning $800–$1,500/week, deactivation means immediate income loss — extreme urgency drives high click rates. Real driver deactivations and earnings holds do occur (Uber/Lyft do both), making fake notices plausible. Harvested driver's license photos enable full identity fraud. Warning signs: non-official rideshare domain, deactivation urgency with external link, driver's license or bank routing requested by email.
Phishing emails impersonating Experian, Equifax, TransUnion, or Credit Karma — claiming your SSN was found on the dark web, exposed in a data breach, or that suspicious activity was detected on your credit report — directing you to provide SSN, date of birth, and financial details to lock or freeze your credit. Credit monitoring phishing surged after the 2017 Equifax breach (147M affected). 'Dark web monitoring' lures are effective because this is a genuine service all three bureaus offer. SSN + DOB + financial account numbers = complete set for new account fraud, tax return fraud, and medical identity theft. Warning signs: non-official credit bureau domain, SSN or date of birth requested via email link to 'protect' your credit.
Phishing emails impersonating eBay — claiming your seller account has been suspended, flagged, or placed on a payment hold due to a policy violation, high dispute rate, or chargebacks — directing you to verify identity, provide bank routing details, submit tax information, or appeal through a fraudulent portal. eBay's 18M+ active sellers include many small businesses dependent on marketplace income; sudden suspension creates extreme urgency. eBay Managed Payments does implement real holds, making fake notices plausible. Bank routing and SSN are requested under guises of 'payment method verification' and 'seller verification' that legitimate eBay processes require. Warning signs: non-ebay.com domain, hold or suspension urgency with external link, bank routing or tax ID requested by email.
Authority-impersonation scam emails claiming you have an arrest warrant, failed to appear for jury duty, been subpoenaed, or named in a federal lawsuit — directing you to pay a fine, call a number to avoid arrest, or provide SSN and bank details to resolve the matter. Legal scams are among the top-5 most damaging fraud categories (FTC/IC3); average loss is $1,000–$5,000. 'Jury duty warrant' is a high-volume variant exploiting the plausibility that someone missed a summons. Law enforcement and courts universally confirm they never contact people via email demanding immediate payment to avoid arrest. Warning signs: email claiming arrest warrant or jury failure to appear, payment required to avoid charges, SSN or bank account to 'resolve' a court case.
Phishing emails impersonating TikTok, YouTube, Twitch, or other creator platforms — claiming your account has been suspended, banned, or terminated for a policy violation, copyright strike, or monetization issue — directing you to appeal, verify identity, or submit tax information. Creator account phishing exploits extreme urgency: a monetized account generating $500–$50,000/month in revenue creates panic at suspension threats. TikTok Creator Rewards, YouTube Partner Program, and Twitch affiliate income are all targeted. Copyright strike phishing exploits YouTube's real three-strike termination policy. Warning signs: non-official creator platform domain, policy violation urgency with external link, tax info or payment details requested by email.
Advance-fee fraud emails impersonating landlords or rental listings — claiming a property is available but requires immediate wire transfer, security deposit, or advance payment to hold the unit before viewing — or requesting SSN, bank account details, or credit report in a fraudulent rental application. FBI IC3 consistently ranks rental fraud in the top-5 consumer fraud categories; average loss is $1,500–$5,000 per victim. 'Deposit before viewing' is the clearest scam signal — legitimate landlords never require payment before an in-person showing. SSN + bank details in rental applications enable full identity theft beyond the deposit. Warning signs: wire transfer or Zelle before viewing, unusually below-market rent, SSN or bank routing by email.
Phishing emails impersonating Venmo, Cash App, Zelle, or PayPal Friends and Family — claiming you have a pending payment or money transfer waiting — directing you to click a link to accept, confirm account details, or verify identity to receive the funds. The FTC reported $1.2B+ in annual P2P payment fraud losses. Unlike fear-based phishing, payment lures promise gain — bypassing different defenses. Legitimate Venmo, Cash App, and Zelle payment acceptance happens within the authenticated app only, never through email links. Warning signs: non-official P2P domain, pending payment with external link, debit card or account credentials requested by email.
Phishing emails impersonating Coinbase, Binance, Kraken, Gemini, or other crypto exchanges — claiming your account has been restricted, frozen, or compromised — directing you to verify identity, submit government ID, complete KYC, or provide account details through a fraudulent portal. Crypto fraud is uniquely severe: transfers are irreversible, no FDIC insurance, no chargeback. Coinbase is one of the top-5 most impersonated financial brands. The 'account frozen' lure exploits real compliance anxiety. Legitimate exchanges complete all verification through the authenticated platform only. Warning signs: non-exchange domain, account freeze urgency with external link, government ID or KYC requested by email.
Phishing emails impersonating Steam, PlayStation Network, Xbox Live, Nintendo, or Epic Games — claiming your account has been compromised, banned, or will be permanently disabled unless you click to verify credentials, appeal, or confirm account information. Gaming account theft is a major organized crime industry: Steam accounts with large game libraries and CS2 skins (some worth $10,000–$150,000 each) are actively traded on dark web markets. Valve reports tens of thousands of Steam compromises monthly. Legitimate gaming platforms never email external credential links. Warning signs: non-official gaming domain, ban or compromise urgency with an external link.
Phishing emails impersonating Stripe, Square, or other payment processors — claiming your merchant account has been restricted, suspended, or flagged for chargebacks — directing you to provide SSN, EIN, bank routing number, or business tax details through a fraudulent portal. Payment processor phishing is among the top business-targeted categories: a compromised Stripe account exposes customer payment data, connected bank accounts, and enables fraudulent payouts. The 'elevated chargebacks' lure exploits a real anxiety point for merchants. Stripe and Square never request SSN or routing numbers via email. Warning signs: non-stripe.com/squareup.com domain, restriction urgency, financial credentials by email.
Advance-fee scam emails claiming you've been selected for a scholarship, grant, or financial aid award — directing you to pay a processing or acceptance fee, or provide your SSN and bank routing number to receive the funds. FTC estimates hundreds of millions in annual losses. The SSN + bank routing combination enables full identity theft including fraudulent student loan applications. Legitimate scholarships never require upfront fees — FAFSA aid and private scholarships are always disbursed directly to universities. Warning signs: unsolicited award, processing fee required to claim, SSN or bank routing by email.
Phishing emails impersonating AWS, Microsoft Azure, Google Cloud, or other cloud providers claiming your payment failed, account will be suspended, or you have an unexpected overage — directing you to update payment details via a link. Compromised cloud accounts have been used to spin up GPU instances for cryptomining ($50K–$500K charges in hours). AWS, Azure, and GCP rank among the top 20 most impersonated brands in business phishing. All cloud billing alerts link to the authenticated console — never to external payment pages. Warning signs: non-official cloud domain, billing suspension urgency, credit card details requested via email.
Phishing emails impersonating Discord claiming you've been selected for a free Nitro gift, your account has been compromised, or your account is suspended — directing you to click a link to claim Nitro, verify your account token, or appeal. Discord phishing heavily targets the platform's 150M+ monthly active users, predominantly aged 13–25. Discord tokens provide persistent session access without a password, enabling account takeover and bot abuse. Legitimate Nitro gifts are claimed through the Discord app only — never via external email links. Warning signs: non-discord.com domain, free Nitro or account security urgency, token or password request.
Phishing emails impersonating Spotify, Netflix, Disney+, Hulu, or HBO Max claiming your payment failed, subscription is cancelled, or account suspended — directing you to click a link to update payment and confirm credit card details. Netflix and Spotify rank among the top 10 most impersonated brands globally (Vade Secure). Attackers time delivery to month-end billing cycles to maximize perceived legitimacy. Legitimate platforms link to official account pages only — never third-party payment portals. Warning signs: non-official streaming domain, billing failure urgency with external link, credit card details requested via email.
Phishing emails impersonating Apple or iCloud claiming your iCloud storage is full and backups have stopped, your Apple ID has been locked, or your account will be disabled — directing you to click a link to verify credentials, update billing, or upgrade storage. Apple consistently ranks among the top 3 most impersonated brands globally (APWG). Compromised Apple IDs enable device unlocking, Apple Pay theft, photo theft, and ecosystem account takeover. Legitimate Apple storage alerts always redirect to on-device Settings — never external links. Warning signs: non-apple.com domain, external click-to-verify link, Apple ID password or payment request via email.
Phishing emails impersonating Shopify, Etsy, or merchant platform support claiming your seller account has been suspended, restricted, or placed on hold — directing you to verify identity, provide bank routing numbers, EIN, or tax information to restore your store. With Shopify reaching 2.5M merchants in 2023, account suspension threats create near-panic for income-dependent sellers. Bank routing + EIN harvested enables direct payout diversion and business identity theft. Neither Shopify nor Etsy requests bank routing or SSN via email for account restoration. Warning signs: non-shopify.com/etsy.com domain, verify bank/tax info via link, permanent closure threat.
Spam and fraud emails impersonating domain registrars claiming your domain is about to expire, your registration is overdue, or an invoice is outstanding — directing you to click a link and pay immediately to avoid losing your domain to the public or a third party. This scam targets website owners and small businesses. ICANN and FTC have issued repeated consumer advisories about domain renewal scams. Legitimate renewals come only from your current registrar — verifiable by WHOIS lookup. Warning signs: non-registrar domain, expiry urgency, third-party payment link.
Phishing emails impersonating TurboTax, H&R Block, Jackson Hewitt, or generic tax services — claiming you can file and receive a refund advance deposited in 24 hours — directing you to provide your SSN, W-2, and bank routing number. Tax identity fraud losses exceeded $6.3B in 2023 (IRS). With SSN + W-2 + bank routing, fraudsters file fraudulent returns and divert refunds before you file. Legitimate refund advances are only offered through official apps during a filing session. Warning signs: cold outreach refund advance offer, SSN + W-2 + bank routing all requested together.
Phishing emails impersonating state DMV offices or vehicle registration portals claiming your registration has expired, is past due, or carries an unpaid fine — directing you to click a link and pay online immediately to avoid penalties or suspension. California DMV alone received 10,000+ smishing complaints in a single 2023 campaign. All 50 states provide official renewal through .gov portals. Warning signs: non-.gov sender domain, urgent suspension threat, payment link to non-government portal.
Phishing emails impersonating airline frequent flyer programs (United MileagePlus, Delta SkyMiles, AAdvantage), hotel loyalty programs (Hilton Honors, Marriott Bonvoy), or credit card rewards — claiming your miles or points are expiring imminently and directing you to log in or verify account details to save them. Loyalty program fraud grew 89% from 2019–2022 (Forter). Compromised accounts are used to book resellable business-class flights. Warning signs: points expiry urgency from non-airline domain, credential request via emailed link.
Disaster-opportunism fraud emails impersonating FEMA or government emergency agencies claiming your disaster relief application was approved and funds are ready — directing you to verify identity, provide bank routing details, or pay a processing fee to release funds. FEMA impersonation surges 200–400% after major disasters (FTC/FEMA). FEMA never charges fees to apply, never contacts applicants by unsolicited email, and never requests bank routing by email. Warning signs: unsolicited disaster relief approval, processing fee required, bank routing/SSN via email, non-fema.gov domain.
Phishing emails impersonating employer benefits portals or COBRA administrators claiming your open enrollment is ending, COBRA coverage is expiring, or health coverage will lapse — directing you to click to enroll, verify identity, or provide SSN to continue coverage. Peaks during ACA enrollment (Nov–Jan) and annual employer open enrollment. COBRA notices are legally required to be sent by postal mail under ERISA. Warning signs: enrollment deadline urgency from non-employer domain, SSN or payment info via email, COBRA notice delivered only by email.
Phishing emails impersonating Visa, Mastercard, American Express, or Citi claiming your credit card has been suspended, blocked, or flagged — directing you to verify card details or update billing to restore access. Payment card fraud caused $33.5B in global losses in 2022 (Nilson Report). Legitimate card networks never email cardholders directly — they communicate through your issuing bank. A direct 'Visa' or 'Mastercard' email is almost always fraudulent by definition. Warning signs: email from card network not your bank, card suspended threat, click-to-verify-card-details CTA.
Phishing emails impersonating HR departments or payroll systems claiming your W-2, 1099, or year-end tax form is available — directing you to click and log in with credentials, provide your SSN, or verify bank routing to access your tax documents. W-2 theft enables tax identity fraud; BEC/EAC losses totaled $2.9B in 2023 (FBI IC3). Legitimate HR systems never request SSN or bank routing via email. Warning signs: unsolicited W-2 email from non-corporate domain, SSN or routing number requested, login-credentials-required CTA with suspicious URL.
Scare-tactic fraud emails claiming your SSN, email, or passwords were found on the dark web or in a data breach — directing you to enroll in free identity protection or activate monitoring. Identity theft caused $10.3B in losses in 2023 (FTC). The 'your info was found' lure achieves 3–5× higher click rates than generic phishing. Real monitoring services never cold-email with breach alerts — they only notify existing subscribers. Warning signs: unsolicited dark web alert, SSN/personal data removal CTA, free identity protection enrollment with urgency.
Fraudulent emails impersonating the FTC, CFPB, or attorney general claiming you are eligible for a class action settlement or unclaimed consumer refund — then requesting SSN and bank routing to process your settlement check. Government impersonation fraud cost $1.1B in 2023 (FTC). The scam exploits real FTC/CFPB refund programs to lower skepticism. Real FTC refund programs are announced at ftc.gov and never request SSN or bank details via email. Warning signs: unsolicited settlement eligibility email, SSN + bank routing requested, non-ftc.gov domain.
Phishing emails impersonating MetaMask, Coinbase Wallet, Ledger, Trust Wallet, or Phantom — claiming your wallet has been suspended or compromised — then asking you to enter your seed phrase or recovery phrase to restore access. Crypto wallet phishing caused ~$3.8B in theft in 2022 (Chainalysis). No legitimate wallet service will ever request your seed phrase under any circumstances — it is the master key to all your assets. Warning signs: wallet suspension alert from non-official domain, any request for seed phrase/recovery phrase/private key.
Phishing emails impersonating Microsoft 365, Office 365, or OneDrive — claiming your account is expiring, suspended, or storage exceeded — directing you to click a link and sign in to verify credentials. Microsoft is the most impersonated brand in phishing (Check Point Q4 2024). Compromised M365 credentials enable BEC attacks from within your organization. Legitimate Microsoft emails come from @microsoft.com and never threaten account deletion within 24 hours. Warning signs: non-microsoft.com sender, 24-hour expiry threat, click-to-sign-in with non-Microsoft URL.
Fraudulent emails impersonating Microsoft, Apple, Windows Defender, McAfee, or Norton claiming a virus or malware has been detected on your computer, or that a security license has expired — directing you to call a toll-free support number or contact a technician. Tech support scams cost Americans $924M in 2023 (FTC). Microsoft is the most impersonated tech brand by volume. The scam escalates to a phone call where scammers request remote access to 'fix' a fake problem while stealing data or charging hundreds for fake repairs. Warning signs: impersonated brand + virus alert, call support CTA, do-not-shut-down instruction.
Phishing emails impersonating the IRS claiming a tax refund is available, a tax overpayment has been detected, or back taxes are owed — directing you to verify identity via link, provide SSN and bank routing for direct deposit, or call an IRS officer to avoid levy or arrest. IRS impersonation caused $5.5B in losses in 2022–2023 (Treasury IG/IRS CI). The IRS never initiates contact via email and never threatens arrest by email. Warning signs: IRS email contact (always fraudulent), SSN + bank details request, arrest/levy threat, non-irs.gov sender domain.
Phishing emails impersonating PayPal claiming your account has been limited, suspended, or restricted due to unusual activity — directing you to click a link to verify identity, update billing, or restore access before permanent closure. PayPal ranks among the top 3 most phished brands globally (APWG 2024); credential compromise gives attackers direct access to linked bank accounts and cards. The 'account limited' pretext is effective because PayPal does legitimately limit accounts for security reasons. Warning signs: non-paypal.com sender domain, account suspension threat, click-to-verify CTA.
Phishing emails claiming your two-factor authentication (2FA/MFA) has been compromised, disabled, or that someone is attempting to bypass it — urging you to click a link to verify identity or re-enable authentication. These attacks target the security layer that prevents 99.9% of automated account takeovers (Microsoft 2023). The 'your 2FA is the threat' lure weaponizes security awareness to create urgency. Legitimate services never send unsolicited emails claiming your 2FA was disabled. Warning signs: unsolicited 2FA compromise claim, click-to-verify CTA, urgency/expiry threat.
Advance-fee fraud emails claiming you won a free vacation, cruise, or resort stay — requiring payment of 'taxes,' 'port fees,' or 'activation charges' to claim the prize. The FTC receives 30,000+ annual complaints about vacation prize fraud; median loss is $500–$2,000 in escalating fees with no actual prize delivered. Legitimate contest winnings never require upfront payments. Warning signs: unsolicited vacation win, taxes/fees required to claim, high-pressure deadline, toll-free call CTA to activate prize.
Fraudulent emails claiming emotional attachment (fallen in love, soulmate, months of online connection) combined with a fabricated emergency — stranded overseas, oil rig, medical crisis, customs detention — requesting urgent money via Western Union, MoneyGram, Bitcoin, or wire transfer. Romance scams caused $1.3B in losses in 2023 (FTC), with a median individual loss of $10,000 — the highest per-victim loss of any fraud category. Warning signs: unsolicited emotional attachment + financial request, overseas emergency scenario, Western Union/Bitcoin CTA, reimbursement promise.
Fraudulent emails impersonating a CEO or manager asking you to urgently buy gift cards (Amazon, Apple, Google Play) and email the redemption codes — with instructions to keep it confidential and a reimbursement promise. Gift card BEC fraud caused $228M in losses in 2023 (FTC). Four hallmarks: impersonated executive, specific gift card brand, request to send code via email, keep-secret instruction. No legitimate organization ever requests gift card purchases from employees via email. Warning signs: impersonated sender, send code by email, keep secret, reimbursement promise.
Unsolicited emails falsely claiming you qualify for free or $0-premium Medicare Advantage or ACA marketplace plans — urging you to call a 'licensed agent' before a fabricated enrollment deadline. These operations harvest Medicare beneficiary IDs and SSNs for wider fraud. ACA fake enrollment complaints increased 400% by 2023 (FTC). Legitimate Medicare communications come from CMS or insurers you've already enrolled with — never unsolicited cold-contact emails. Warning signs: unsolicited contact, non-official domain, toll-free CTA, '$0 premium' urgency, enrollment deadline threat.
Fraudulent emails impersonating the SSA falsely claiming your Social Security number has been suspended or compromised due to criminal activity — threatening arrest unless you call a toll-free number immediately. SSA impersonation scams are the #1 government impersonation fraud category (FTC 2024: $1.1B in losses). The SSA never suspends SSNs — this is a fictional threat. Warning signs: SSN suspended/blocked claim, arrest warrant threat, toll-free callback demand, non-ssa.gov sender domain.
BEC emails impersonating executives demanding an immediate wire transfer while instructing the recipient to bypass normal approval channels and keep the request confidential. BEC wire fraud caused $4.57B in losses in 2023 (FBI IC3) — the #1 cybercrime loss category for 5 consecutive years. Three hallmarks: urgency + deadline, confidentiality instruction, bypass of verification. Legitimate transfers always follow established approval processes. Warning signs: all three BEC hallmarks, non-company domain sender, unfamiliar receiving account.
Phishing emails impersonating UPS, FedEx, USPS, or DHL falsely claiming your package couldn't be delivered or is held at customs — directing you to a site to pay a small customs fee ($2–$5) that harvests your full payment card details. Package delivery phishing surged 400%+ during 2020–2023 and now represents over 25% of all consumer phishing complaints (FTC). Legitimate carriers never request payment via email links. Warning signs: non-official carrier domain, customs fee payment via link, redelivery scheduling requiring card entry.
Advance-fee fraud emails falsely congratulating you as the winner of a lottery, sweepstakes, or cash prize — requiring a 'processing fee' or 'clearance charge' before the winnings can be released. Americans lost $167M to lottery scams in 2023 (FTC Consumer Sentinel 2024). No legitimate lottery charges a fee to release winnings — this escalating fee trap extracts multiple payments with no prize ever delivered. Warning signs: lottery you never entered, processing/clearance fee required, keep-confidential instruction, pressure to provide banking details.
Phishing emails impersonating Google claiming your Google or Gmail account has been compromised, suspended, or accessed from an unrecognized device — directing you to click a link to verify and secure access. Google is a top-3 most-impersonated phishing brand globally (APWG/Verizon DBIR 2024). Legitimate Google alerts arrive from google.com and link to myaccount.google.com — never to external portals. Warning signs: non-google.com sender domain, '24-hour deletion' threat, external verification link.
Phishing emails impersonating Microsoft claiming your Microsoft 365, Office 365, or Outlook password is expiring or your account has been locked — directing you to click a link to reset credentials through a harvesting portal. Microsoft is the #1 most-impersonated brand in business email phishing (Verizon DBIR 2024). Legitimate Microsoft notices link to account.microsoft.com, never to external reset portals. Warning signs: non-microsoft.com sender, 'expires in X hours' framing, external password reset link.
Phishing emails impersonating Netflix, Spotify, Disney+, Hulu, or HBO Max falsely claiming your payment failed or subscription was suspended — directing you to update payment card details through a harvesting portal. Netflix is consistently a top-5 most-impersonated brand globally (APWG 2023). Legitimate streaming services send billing notices from official domains and direct you to their app or website — never to external payment links. Warning signs: non-official sender domain, payment failure with external click-to-update link, 24-hour cancellation threat.
Phishing emails impersonating Apple claiming your Apple ID or iCloud account has been locked, suspended, or disabled due to suspicious activity — directing you to verify credentials through a phishing portal. Apple is the #1 most-impersonated brand in phishing globally (APWG/Kaspersky 2024). Apple never sends emails with links demanding password verification — all legitimate Apple security alerts direct to appleid.apple.com directly. Warning signs: sender domain not matching apple.com, urgency about account deletion, link to verify outside appleid.apple.com.
Phishing emails impersonating PayPal, Venmo, Zelle, or Cash App falsely claiming you have a pending payment, money transfer, or funds on hold — directing you to log in or verify to claim funds through a credential-harvesting portal. FBI IC3 2023: payment app fraud caused $210M+ in losses; PayPal and Venmo are among the top 10 most-reported phishing brands. Real payment apps send notifications from official domains with List-Unsubscribe. Zelle transfers are immediate — any 'payment on hold' email is fraudulent. Warning signs: non-official sender domain, 'funds expire' urgency, unsolicited payment notification.
Phishing emails impersonating Amazon falsely claiming an unauthorized order or unexpected charge appeared on your account — directing you to call a toll-free number or click a link to cancel or dispute the transaction. Amazon-branded phishing is consistently among the top 3 most-impersonated brands. Real Amazon fraud alerts never include a call number or generic link without full order details. Warning signs: sender domain not matching amazon.com, no item details in order, toll-free call number, 'call immediately to cancel' urgency.
Phishing emails falsely claiming you have an approved, pending, or expiring federal tax refund — requesting your bank account number and routing number to 'deposit' it, or linking to a fake IRS portal to harvest credentials. The IRS contacts taxpayers exclusively by postal mail and never requests banking details by email. IRS Dirty Dozen 2024: IRS-branded phishing spikes every January–April tax season. Warning signs: unsolicited email from a non-irs.gov domain, request for bank/routing numbers, '48-hour expiration' on a tax refund, click-to-claim link.
Unsolicited emails falsely claiming your vehicle warranty is expiring or expired, urging an immediate call to a toll-free number or online action to renew before a fabricated deadline. FTC 2023: vehicle warranty scams caused $238M+ in reported losses. Legitimate warranty renewals come from your dealer or manufacturer — not cold emails with same-day deadlines. Warning signs: no vehicle details in the email, toll-free call-to-action with urgency, sender domain not matching your automaker or dealer, 'final notice' language.
Impersonation emails from fake electric, gas, water, or internet companies claiming your utility account is overdue and service will be disconnected within hours unless you pay immediately — often demanding prepaid gift cards or calls to a fraudulent billing department. FTC 2023: utility impostor scams caused $92M+ in losses. No legitimate utility company demands gift card payment or threatens same-day disconnection by cold email. Warning signs: sender domain not matching your real utility, disconnect threat within hours, gift card or prepaid card payment request.
Phishing emails impersonating Chase, Bank of America, Wells Fargo, Citibank, or other major banks claiming suspicious activity, unauthorized access, or a fraudulent transaction on your account — directing you to verify your PIN, account number, routing number, or password through a phishing link. FBI IC3 2023: phishing/spoofing caused $18.7B in losses; bank impersonation is the most common financial phishing form. Real banks never ask for PINs or routing numbers by email. Warning signs: sender domain not matching official bank, urgency about account suspension, credential verification request by email.
Offers such as "Try keto gummies / teeth whitening / anti-aging cream FREE for 14 days — just pay $4.99 S&H." Hidden fine print: you're automatically enrolled in a $89.99/month subscription unless you call to cancel within the trial window. These are FTC Negative Option Rule violations, with fines totaling hundreds of millions. Cancel before you're charged.
Roofing / paving / tree removal crew 'in your area' — pay $500 cash deposit today, cash only, no contract. After payment, contractor disappears or performs no work. Common after storms. Red flags: cash only, pay before work starts, no written quote, today-only offer. Legitimate contractors provide written contracts and hold insurance.
Emails claiming "Your IP address has been linked to illegal cybercrime — an FBI/Interpol arrest warrant has been issued. Pay $2,000 in Bitcoin within 24 hours to clear your name," with the instruction 'Do not contact a lawyer.' No law enforcement agency emails demanding cryptocurrency to avoid prosecution. FTC 2024: government impersonation scams caused $500M+ in losses. Report to ic3.gov.
Free solar panel installation under a fake 'Federal Clean Energy Program' — $0 out-of-pocket, just provide your address and income to claim your $8,000 rebate. Limited to 15 spots. The real 30% IRA solar tax credit is non-refundable, not a cash payment. Data collected is used for identity theft or sold to aggressive lead generators.
Paid tipster subscriptions promising 97% win rates, 'fixed match insider information,' and guaranteed betting profits for $49–$199/month. No legitimate service can guarantee sports outcomes — fixed matches are illegal worldwide. UK Gambling Commission has shut down hundreds of unlicensed tipsters. Professional bettors realistically aim for a 52–55% win rate, not 97%.
$0 premium ACA/Obamacare plan emails asking for your SSN, DOB, and Medicare ID 'to enroll' — classic identity theft setup. Scammers may enroll victims in real plans to steal the subsidy while victims lose coverage. Real enrollment happens only at healthcare.gov or with licensed agents who provide their National Producer Number. FTC 2024: health insurance fraud caused $1.8B in losses.
Settle your $50,000 debt for pennies on the dollar + remove ALL negative items from your credit report + boost your score 200 points — pay $299 upfront. The FTC Credit Repair Organizations Act prohibits upfront fees before service. CPNs (Credit Privacy Numbers) are federal fraud. FTC 2024: credit repair fraud caused $85M in losses. Legitimate help: NFCC nonprofit counseling is free.
Earn an 'accredited' degree based on life experience — no classes, no exams, no coursework — pay $299 and receive your diploma in 7 days. Or buy a fake Harvard/MIT/Oxford diploma with official seals to pass employer background checks. FBI advisories warn of diploma mill infiltration of federal workforces. Using a fraudulent degree on a job application is resume fraud.
You've been 'selected' for an exclusive paid survey paying $300–$750 for 10 minutes of work — provide your credit card 'for age verification only,' pay a $49 premium membership fee, or submit your SSN for a 'background check.' Legitimate paid research panels (Nielsen, Prolific, Ipsos) never charge to join and never ask for SSN as a qualification step. FTC: advance-fee survey scams are a top-reported fraud type.
Investment fraud promising 20–30% monthly guaranteed returns, forex robots making 500% annual profits, or binary options platforms that 'double your money in 24 hours.' Capital is '100% guaranteed' and funds must be sent via Bitcoin or wire transfer. FTC 2024: investment fraud caused $4.6B in losses — the highest-loss fraud category. No legitimate investment guarantees returns.
Email impersonating Facebook, Instagram, Twitter/X, or Meta claiming your account has been suspended or will be permanently deleted — requiring a link-click to re-enter credentials or submit ID. The link is a phishing page. FBI IC3 2024: social media phishing is a top-3 cybercrime category. Real platforms never email you a credential-entry link from an external domain.
Email with a fake $200–$400 auto-renewal invoice for Norton, McAfee, or Geek Squad directing you to call a phone number to "cancel." The call center installs remote-access malware or steals banking credentials. Red flag: "do not contact your bank — call us directly." FTC 2024: these scams cost consumers $175M+.
Email impersonating USPS, FedEx, UPS, DHL, or Royal Mail claiming a package is held and requires a small fee ($2–$10) for redelivery, customs clearance, or import duty. The fee harvests card credentials. FTC 2024: delivery scam texts and emails are the #1 impersonation fraud category; $450M+ lost. Real carriers never email/text requesting small advance fees.
Unsolicited job offer requiring payment of a background check fee, training materials deposit, or equipment deposit — or demanding SSN and bank details before employment begins. Includes mystery shopper gift-card assignments. Real employers never charge candidates fees. FTC 2024: fake job scams = $501M in losses — the #2 fastest-growing fraud category.
Email from a scammer posing as a US soldier, offshore oil rig worker, widowed doctor, or professional met on a dating site. After emotional investment, they fabricate an emergency (stolen wallet, customs fee, medical bills) and ask for wire transfer or gift cards. FTC 2023: romance scams = $1.3B total losses — the costliest consumer fraud category; median loss $4,400. Never send money to someone you haven't met in person.
Email from a fake barrister or bank manager claiming a deceased stranger left millions in an unclaimed estate — and offering you a percentage to help transfer the funds, but only after you pay escalating "attorney fees," transfer taxes, and demurrage charges. Classic 419 (Nigerian prince) fraud, now also disguised as oil contract overpayments. Interpol/FBI: advance fee fraud causes $700M+ in annual global losses; victims who pay one fee are pressured to pay more indefinitely.
Email or cold outreach presenting a fake crypto trading platform with guaranteed 15–300%+ monthly returns. Scammers build trust (often via romance or social media), then guide victims to deposit BTC/USDT/ETH into a controlled fake exchange. Victims can initially 'withdraw' small profits before the exit scam. FBI IC3 2024: crypto investment fraud = $3.96B in losses — the #1 fraud category; average pig-butchering victim loses $120,000.
Email offering a work-from-home job that is actually a reshipping scam (receive and reship stolen goods), money mule recruitment (receive fraudulent transfers, keep a commission, forward the rest), or mystery shopper check fraud. Participants become unwitting accomplices to fraud. FTC 2024: imposter job scams = $500M+; victims may face criminal money-laundering charges even when unaware.
Email impersonating the IRS or SSA threatening arrest warrants, property seizure, or benefit suspension unless you call immediately or pay via gift cards/wire transfer. The IRS never emails threats, never requests gift cards, and never threatens arrest by email. FTC 2024: government impostor scams = $1.1B+ in losses; IRS/SSA impersonation is the #1 category.
Email offering pre-approved student loan forgiveness or debt settlement requiring an upfront processing fee ($99–$999+), FSA login credentials, or an SSN. Legitimate forgiveness programs are free at studentaid.gov. FTC 2024: student loan debt relief scams = $95M in reported losses; victims rarely received any services after paying.
Email impersonating your CEO, CFO, or another executive — requesting an urgent, confidential wire transfer or gift card purchase with instructions to bypass normal approval and keep it secret. BEC is the #1 source of cybercrime financial loss globally. FBI IC3 2024: BEC caused $2.9B in US losses; average attack cost $125,000.
Email presenting a rental listing where the "landlord" claims to be overseas, refuses in-person showings, demands advance wire transfer / Zelle deposit before viewing, and promises to mail keys. Scammers repurpose real property photos from legitimate listings. FTC 2024: rental scams cost $300M+/year; average victim loss is $2,500.
Email claiming you won a prize or earned a gift card reward — then requiring a small "shipping / processing fee" ($2–$10) or credit card details to claim it. There is no prize; the fee page harvests card credentials. FTC 2024: prize and sweepstakes scams cost $301M; survey reward scams target 30M+ Americans annually.
Email impersonating a bank (Chase, Wells Fargo, BofA, Citibank) with a fabricated wire transfer, ACH, or Zelle fraud alert — urging you to call a scammer number to "block" or "reverse" it. The real bank never includes a callback number in fraud emails. FBI IC3 2024: bank impersonation wire fraud = $2.9B+ in losses; average victim loss exceeds $10,000.
Email using romantic language (darling, sweetheart, "fell in love," deployed military persona) combined with a wire transfer, gift card, or advance fee money request. Scammers build fake relationships over weeks before asking for funds. FTC 2024: romance scams caused $1.14B in losses — the highest of any fraud category; median loss is $2,000.
Email impersonating Google with a fabricated suspicious sign-in, account suspension, or password-expired notice — directing you to verify credentials on a harvesting page. Google accounts are the most valuable credential target: Gmail unlocks password resets for hundreds of services. APWG 2024: Google phishing = #2 consumer account targeted; Workspace phishing = 22% of cloud BEC losses.
Email impersonating a carrier (FedEx, UPS, USPS, DHL) claiming your package is held at customs or a delivery fee is due — directing you to pay a small fee ($1–$5) on a page that steals your card details. There is no real package. FBI IC3 2024: delivery fee scams generated $86M+ in losses; the low amount converts at unusually high rates.
Email impersonating Apple with a fabricated Apple ID locked/disabled/suspended notice or payment failure — pushing you to verify identity or update payment info on a harvesting page. Apple is the #2 most-impersonated consumer brand. APWG 2024: Apple ID phishing = 18% of consumer brand phishing; iCloud credential theft drives ransomware and account takeover attacks.
Email impersonating Amazon with a fabricated unexpected order, unauthorized purchase alert, or Prime auto-renewal — directing you to call a scammer number to "cancel" or click a harvesting link. Amazon is the #1 most-impersonated retail brand. FBI IC3 2024: Amazon impersonation scams cost $27M+; fake order confirmations rank in the top 5 phishing patterns.
Email impersonating PayPal with a fabricated unauthorized-transaction alert, account limitation, or invoice — pushing you to verify identity, call a scammer number, or enter credentials on a phishing page. PayPal has ranked in the top 3 most-phished brands for 12 consecutive years. APWG 2024: payment credential phishing = 34% of all phishing attacks.
Email impersonating Microsoft with a fabricated unusual sign-in, account suspension, or password-expired notice — directing you to verify credentials on a harvesting page. Microsoft is the #1 most-impersonated enterprise brand. APWG 2024: Microsoft/Office 365 phishing = 27% of all enterprise phishing; credential harvesting drives 79% of cloud account takeovers.
Email impersonating the Social Security Administration claiming your SSN has been suspended or linked to criminal activity — demanding you call a toll-free number immediately or face arrest. The real SSA never suspends SSNs or contacts people via email about criminal investigations. FTC 2024: SSA impersonation is the #1 government impostor scam, causing $850M in losses.
Email falsely offering student loan forgiveness or debt elimination while demanding an upfront fee, harvesting your FSA account credentials, or enrolling you in a fraudulent relief program. Legitimate federal forgiveness programs are free at studentaid.gov. DOE/FTC 2024: student loan scams caused $300M+ in harm to the 43M Americans with federal loan debt.
Email claiming you've won a lottery, sweepstakes, or prize draw — but requiring an upfront "processing fee," "tax clearance fee," or "release fee" before the prize is delivered. Legitimate competitions never demand advance payments; the fee is the fraud signal. FTC 2024: lottery/prize scams cost US consumers $301M.
Job offer recruiting you to receive stolen-goods packages at your home address and reship them, or receive fraudulent wire transfers and forward funds overseas while keeping a commission. Both roles expose victims to federal criminal liability for money laundering. FBI IC3 2024: money mule schemes caused $10.9B in losses.
Email impersonating ACA Marketplace, ObamaCare, Medicare Advantage, or Medicaid enrollment — offering implausibly low or $0 premiums, collecting Social Security Numbers and income details outside official channels, or routing victims to fake navigators who enroll them in junk plans or steal their PII. FTC 2024: health care impersonation fraud tops $200M annually.
Email promoting supplements, pills, or "secret methods" promising rapid effortless weight loss — keto formulas, garcinia cambogia, fake Ozempic alternatives — using miracle-cure language, fake celebrity endorsements, scarcity pressure, and free-trial traps that conceal recurring billing. FTC 2024: weight loss fraud is the #1 health fraud complaint category by volume.
Gorganizer scans your entire Gmail inbox against all 583+ scam patterns and removes threats in one click. No extensions, no downloads, no ongoing subscription.
One-time payment • No subscription • 30-day Gmail trash recovery