Fake Stripe Order Confirmation Phishing Scam
Scammers send fake 'Stripe payment received' or 'you were charged via Stripe' emails to merchants and consumers to harvest Stripe account credentials.
Part of: Fake Order Confirmation Phishing Scams
Last reviewed: 8 June 2026
Stripe sends email confirmations when a payment is processed, a payout is initiated, or a subscription charge succeeds. These notification emails are widely recognised and trusted by the millions of merchants who use Stripe daily. Criminals reproduce them precisely — including the Stripe logo, transaction reference format, and footer text — and send them to both merchants and consumers.
For merchants, the fake email says a new payment of a substantial amount has been received and that action is needed in the Dashboard to release funds. The 'action required' link leads to a credential-harvesting page. For consumers, the email claims they have just been charged by a Stripe-powered merchant for a product they did not order, exploiting alarm to prompt clicks.
Stripe's real emails always contain a transaction ID that appears in the real Dashboard. Any email prompting Dashboard access via an external link rather than direct navigation should be treated with suspicion.
How this scam works on the Stripe brand
The merchant variant states: 'A payment of $[high value] has been received. Action required to release funds to your bank account. Verify now: [link].' This message appeals to the merchant's desire to receive a large payout, prompting them to log in immediately. The link leads to a pixel-perfect Stripe Dashboard login page that captures email and password.
The consumer variant says: 'You have been charged $[amount] by [Stripe merchant name] via Stripe. If you do not recognise this charge, click here to dispute it.' The link leads to a fake Stripe consumer dispute form that requests card details and a copy of an ID document.
In both variants, a second-factor request follows: 'Enter the code sent to your phone to complete verification.' The scammer relays this code in real time to access the victim's actual Stripe account before the session expires.
Common red flags
- The email urges action via an external link rather than asking you to log in directly at dashboard.stripe.com.
- The from-address is not @stripe.com — a subtle misspelling like str1pe.com is common.
- The transaction ID in the email does not match anything in your Stripe Dashboard when you check directly.
- The consumer dispute form asks for card details — real Stripe dispute processes go through the merchant's dashboard, not a consumer form.
- The amount in the email is unusually large and you have no memory of the corresponding order.
- An authentication code is requested by the login page from a link in the email.
- The email footer contains different copyright or address information to a genuine Stripe email.
How to protect yourself
- Access your Stripe Dashboard only by typing dashboard.stripe.com in your browser — never via email links.
- Enable two-factor authentication on your Stripe account with an authenticator app rather than SMS where possible.
- Check your Dashboard directly for any payment that an email claims requires action.
- As a consumer, contact the merchant directly if you do not recognise a charge — do not use a link in a Stripe-branded email.
- Use a password manager so that fake Stripe domains will not receive your autofilled credentials.
How to report it
- Forward phishing emails to [email protected].
- Report to the FTC at reportfraud.ftc.gov.
- Report to Google Safe Browsing if the phishing URL is live.
- File with ic3.gov if your Stripe account was accessed.
- Contact your bank if a card linked to Stripe was charged without authorisation.
Frequently asked questions
Does Stripe send emails asking merchants to click a link to release funds?
Stripe sends notifications about payouts, but fund releases are automatic according to your payout schedule. A message saying you must click a link to release funds is almost certainly fraudulent — check your Dashboard directly.
How can I tell a real Stripe email from a fake one?
Real Stripe emails come from @stripe.com addresses, contain a transaction ID you can verify in your Dashboard, and never ask you to enter credentials via a link in the email itself. Hover over links to see the destination URL before clicking.
A consumer says they were charged by my Stripe account but I see no record. What is happening?
If the charge does not appear in your Dashboard, the consumer likely received a phishing email using Stripe's branding without your involvement. Direct them to dispute via their card issuer and report the phishing email to [email protected].