AI Hyper-Personalised Spotify Phishing Scam
Scammers use AI language models to craft Spotify phishing emails referencing specific songs in your listening history, your playlist names, or your Wrapped data to make fraudulent account-security messages feel unnervingly genuine.
Part of: AI Hyper-Personalised Phishing Scams
Last reviewed: 8 June 2026
Spotify Wrapped, playlist names, and recently played content are often shared publicly by users and are readable via Spotify's API by any app the user has authorised. Criminals have discovered that this data, combined with an email address from a past breach, can be fed into an AI to craft phishing messages of unusual specificity.
A generic Spotify phishing email says 'We noticed suspicious activity on your account'. An AI-personalised version says 'We noticed a new device accessing your account, including recent plays of [your actual recently played artist] and your playlists [names that match yours]'. The second message feels unmistakably like it came from Spotify's real security team.
The goal is the same as any credential phishing attack — to steal your Spotify username and password — but the personalisation dramatically increases the likelihood that even a cautious user will comply without checking the sender domain carefully.
How this scam works on the Spotify brand
Spotify sends genuine security notifications from @spotify.com email addresses. Real notifications are general — they reference your account and the device type but do not incorporate your listening history or playlist names into security emails.
The AI-personalised scam incorporates data pulled from Spotify's Web API, which a third-party app can read only with the OAuth scopes the user granted when authorising it (user-read-recently-played, user-top-read and playlist-read-private cover exactly the listening history, top artists and playlist names a personalised lure needs), from Wrapped graphics shared on social media, or from breach databases that include Spotify usage data. The resulting email reads with a fluency and specificity that fools even vigilant readers.
The 'Secure Account' button leads to a convincing Spotify login clone. After entering credentials, the page may also attempt to capture credit card details under the guise of 'verifying payment information to restore full account access'.
Common red flags
- A Spotify security email references specific songs, artists, or playlist names — real Spotify security emails do not do this.
- The sender domain is not spotify.com. Check the full From address, not the display name: a mail client shows 'Spotify Security' for 'Spotify Security <security@spotify-alerts.example>' exactly as it would for a genuine sender, and a scammer's own domain can pass SPF, DKIM and DMARC checks because those only confirm the mail came from the domain it claims, not that the domain is Spotify's.
- The sign-in link leads to a domain that is not spotify.com. Hover over or long-press the button to see the real destination, and read the hostname from the right: in 'spotify.com.verify-account.example' the site is verify-account.example, and 'spotify.com' is just a label the attacker prepended.
- The email asks for payment card details as part of account verification.
- Urgency language: 'Your Spotify Premium subscription will be cancelled in 12 hours unless you verify now.'
- The level of personalisation exceeds what Spotify typically includes in its communications.
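The checks in the list above can be run mechanically against a saved message. The following script is an added example, not Spotify's code or tooling: it parses two constructed .eml samples (a scam in the shape described on this page and a generic notification), reports the sender domain, every link destination, the SPF/DKIM/DMARC verdicts from the Authentication-Results header, and flags personalisation, urgency and payment-card prompts. The lookalike domains and the wording of both samples are invented for the demonstration.

```python
"""Triage a suspected Spotify security email against the red flags above.
Added example, not Spotify's code; both .eml samples are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "spotify.com"

# Constructed scam sample: every red flag above, and the sender's own domain
# passes SPF/DKIM/DMARC, which is all an "authenticated" badge tells you.
SAMPLE_SCAM = """\
From: Spotify Security <security@spotify-account-alerts.example>
Subject: New device accessed your Spotify account
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=spotify-account-alerts.example; dkim=pass header.d=spotify-account-alerts.example; dmarc=pass header.from=spotify-account-alerts.example
Content-Type: text/html; charset=utf-8

<p>We noticed a new device accessing your account, including recent plays of
Example Band and your playlists "late night drive" and "gym mix".</p>
<p>Your Spotify Premium subscription will be cancelled in 12 hours unless you verify now.</p>
<p><a href="https://spotify.com.account-verify.example/login">Secure Account</a></p>
<p>You may be asked to confirm your payment card to restore full access.</p>
"""

# Constructed benign sample: generic wording, no listening data, spotify.com link only.
SAMPLE_LEGIT = """\
From: Spotify <no-reply@spotify.com>
Subject: New login to your Spotify account
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=spotify.com; dkim=pass header.d=spotify.com; dmarc=pass header.from=spotify.com
Content-Type: text/html; charset=utf-8

<p>A new login to your account was made from an iPhone. If this was not you,
review your devices at <a href="https://www.spotify.com/account/">your account page</a>.</p>
"""

PERSONALISATION = re.compile(r"\b(recent(ly)? play(s|ed)|your playlists?|wrapped|top (artists?|tracks?))\b", re.I)
URGENCY = re.compile(r"\b(within|in)\s+\d+\s+(hours?|minutes?)\b|\b(immediately|cancelled|suspended)\b", re.I)
CARD = re.compile(r"\b(payment (card|information|method)|credit card|card (number|details))\b", re.I)

def is_legit_host(host) -> bool:
    """True only for spotify.com or a subdomain of it. Lookalikes such as
    spotify.com.account-verify.example or spotify-com.example fail because
    their registrable domain is the attacker's."""
    host = (host or "").lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def extract_links(text) -> list:
    """Anchor hrefs plus bare URLs, de-duplicated in order of appearance."""
    collector = _LinkCollector()
    collector.feed(text)
    bare = re.findall(r"https?://[^\s\"'<>]+", text)
    return list(dict.fromkeys(collector.hrefs + bare))

def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts. A pass vouches only for the domain named in
    the header, so it must be read together with the From-domain check."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts

def triage(raw_eml) -> dict:
    """Return sender domain, links, auth verdicts and the red flags found."""
    msg = message_from_string(raw_eml, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = extract_links(text)
    off_domain = [u for u in links if not is_legit_host(urlparse(u).hostname)]
    auth = auth_results(msg)
    flags = []
    if not is_legit_host(from_domain):
        flags.append(f"sender domain is not {LEGIT_DOMAIN}: {from_domain}")
        if auth.get("dmarc") == "pass":
            flags.append("DMARC pass covers the lookalike domain, not spotify.com")
    if off_domain:
        flags.append(f"link(s) lead off {LEGIT_DOMAIN}: {off_domain}")
    if PERSONALISATION.search(text):
        flags.append("references listening history or playlists")
    if URGENCY.search(text):
        flags.append("urgency or deadline language")
    if CARD.search(text):
        flags.append("asks for payment card details")
    return {"from_domain": from_domain, "links": links, "auth": auth, "flags": flags}

if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample)["flags"])
```

The scam sample raises all six flags even though SPF, DKIM and DMARC all pass: authentication only proves the mail really came from spotify-account-alerts.example, so the domain comparison has to be done separately. The host check deliberately compares the end of the hostname rather than searching for the string "spotify" inside it, which is what defeats the spotify.com.account-verify.example trick.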
How to protect yourself
- Enable two-factor authentication on your Spotify account at spotify.com/account/security.
- Review which third-party apps have Spotify access at spotify.com/account/apps and revoke any you no longer use or do not recognise.
- Navigate to spotify.com directly to check your account status — never via an email link.
- Use a unique password for Spotify, managed by a password manager.
- Be especially suspicious of emails that reference your Spotify content — treat the specificity as a red flag, not reassurance.
- If you shared Spotify Wrapped data publicly, be aware that this data can be used to personalise phishing attacks against you.
How to report it
- Report the phishing email to Spotify via the contact form at spotify.com/us/contact-us/.
- Report the URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- If your card was charged fraudulently, contact your bank immediately.
Frequently asked questions
How could a scammer know what I have been listening to on Spotify?
Spotify's API allows third-party apps to read your listening history if you have authorised them; the permission prompt shown when you first connect an app lists what it can read, and an app that asks to view your recently played content or your top artists holds exactly the data this scam uses. Additionally, Spotify Wrapped graphics shared on social media, public playlists, and breach databases all contain data that can be used to personalise a phishing email.
Should I revoke access to third-party Spotify apps?
Regularly review and revoke apps you no longer use at spotify.com/account/apps. Limiting which apps have API access to your listening history reduces the data available for crafting personalised phishing attacks.
What should I do if I entered my Spotify credentials on a fake site?
Change your Spotify password immediately at spotify.com/account, use the 'Sign out everywhere' option on the account overview page so that any session the attacker has already opened is ended, enable two-factor authentication, revoke any third-party apps you do not recognise at spotify.com/account/apps, and check your linked payment method for any unauthorised charges. Also change the same password on any other service where you reused it, because captured credentials are routinely tried against other accounts.