Fake Stripe Invoice Phishing
Criminals send convincing fake payment-request emails styled as Stripe invoices, targeting small-business owners and freelancers who regularly receive legitimate Stripe payment links. Clicking the embedded 'Pay Now' button leads to a credential-harvesting or payment-capture page.
Last reviewed: 7 June 2026
Stripe powers invoicing and payments for millions of businesses worldwide, which means business owners, freelancers, and accountants routinely receive genuine emails from stripe.com containing payment requests and receipts. Scammers exploit this familiarity by crafting near-identical emails that pressure recipients into paying fraudulent invoices or handing over their Stripe account credentials.
The fake invoice attack typically targets people who both send and receive Stripe payments — SaaS founders, e-commerce merchants, and agency owners. The fraudulent email may reference a plausible service (web hosting, software subscription, compliance fee), include a realistic-looking invoice number, and carry Stripe's visual identity with sufficient accuracy to pass a casual glance.
A second, more targeted variant goes after Stripe account holders directly. It claims there is an issue with their payout, a failed identity verification, or a required compliance review, and asks them to log in via an embedded link. The fake login page captures their Stripe credentials, giving fraudsters access to customer data, stored card information, and pending payouts.
How this scam works on the Stripe brand
Real Stripe emails originate from @stripe.com addresses and direct recipients to dashboard.stripe.com or stripe.com for any account actions. Stripe's own invoice-sending feature generates links under a stripe.com subdomain (e.g. invoice.stripe.com). Stripe never asks you to provide your account password via email, and it uses your registered business name in communications.
Fake Stripe invoices diverge in several ways: the sender address uses a domain like stripe-billing.com or payment-stripe.net, the 'Pay Now' button resolves to a non-Stripe domain, and the invoice may contain a made-up business name or service description that does not match any real transaction. Some fakes use actual Stripe-hosted pages with a redirect injected, so the URL appears to start with stripe.com before forwarding.
Merchant-targeting variants ask for Stripe login credentials on a page that mimics dashboard.stripe.com pixel-for-pixel. After capture, the attacker logs in, changes the payout bank account to their own, and waits for the next settlement cycle to divert funds.
Common red flags
- Sender address is not @stripe.com — even if it contains the word 'stripe'
- Invoice references a service or amount you do not recognise
- 'Pay Now' link does not resolve to stripe.com or invoice.stripe.com on hover
- Email asks you to log in to your Stripe account via a link rather than directing you to dashboard.stripe.com
- Urgency language: 'overdue', 'final notice', 'account will be suspended in 48 hours'
- Business name in the invoice header does not match any of your known clients or vendors
- Request for bank details, card numbers, or credentials beyond what a normal invoice payment would require
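The sender and link checks from the list above, written as an added example (not code from Stripe or from the original page). It matches hosts exactly, so a domain that merely contains the word 'stripe' fails. The function names are hypothetical, and the sample message is constructed from the lookalike domains named earlier.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def is_stripe_host(host):
    """True only for stripe.com itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == "stripe.com" or host.endswith(".stripe.com")

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_invoice_email(raw):
    """Return the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    # Sender check: the page states genuine mail comes from @stripe.com.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != "stripe.com":
        flags.append(f"sender domain is not stripe.com: {sender_domain}")
    # Link check: every href must land on stripe.com or one of its subdomains.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href in parser.hrefs:
            host = urlsplit(href).hostname
            if not is_stripe_host(host):
                flags.append(f"link leaves stripe.com: {host}")
    return flags

# Constructed sample message, not a captured email.
SAMPLE = """From: Stripe Billing <invoices@stripe-billing.com>
Subject: Final notice: invoice overdue
Content-Type: text/html; charset=utf-8

<a href="https://invoice.stripe.com/i/example">View invoice</a>
<a href="https://stripe.com.payment-stripe.net/pay">Pay Now</a>
"""

if __name__ == "__main__":
    print("\n".join(check_invoice_email(SAMPLE)))
```

An empty result does not prove a message is genuine: the From header can be forged, and a redirect placed behind a real stripe.com URL is not visible in the message itself.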
How to protect yourself
- Go directly to dashboard.stripe.com to check for any genuine notifications rather than following email links
- Hover over all links before clicking to confirm they resolve to stripe.com
- Enable two-factor authentication on your Stripe account
- Verify unexpected invoices with the supposed sender via a known contact method before paying
- Never enter your Stripe password on any page you reached from an email link
- Review your Stripe payout bank account periodically to ensure it has not been changed
- Train accounts-payable staff to verify invoice legitimacy through out-of-band confirmation
How to report it
- Forward phishing emails to [email protected]
- Report the incident through Stripe's support portal at support.stripe.com
- Submit the fraudulent URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- File a complaint with the FTC at reportfraud.ftc.gov
- If a payment was made, contact your bank or card issuer immediately and dispute the charge as fraud
Frequently asked questions
Does Stripe send invoices from any address other than @stripe.com?
Stripe's payment request and receipt emails come from @stripe.com addresses. Invoice links use stripe.com subdomains. Any email claiming to be a Stripe invoice from a different domain is fraudulent.
What if I already paid a fake Stripe invoice?
Contact your bank or card issuer immediately and report the payment as fraud. The sooner you act, the better the chance of a chargeback. Also report to Stripe at [email protected] and to the FTC.
Can attackers steal my customers' card data if they access my Stripe account?
Stripe stores card data in a tokenised form that is not fully exposed even to merchants. However, an attacker with dashboard access can change payout accounts, issue refunds to new cards, and access order details and email addresses. Protect your account with strong 2FA.