Fake Stripe Password Reset Phishing
Criminals send fake Stripe dashboard-password reset emails to merchants, directing them to a phishing page that captures the new password and 2FA code — giving attackers authenticated access to the live Stripe dashboard and its customer data and payout settings.
Part of: Fake Password Reset Scams
Last reviewed: 7 June 2026
Stripe dashboard access is high-value for attackers because it combines financial assets (pending payouts, balance) with sensitive data (customer email addresses, partial card information, order history) and configuration levers (payout bank account, webhook URLs). A successful dashboard credential theft can therefore cause financial loss, compliance obligations, and customer-data breaches simultaneously.
Fake password-reset emails are a reliable vector for this attack. They arrive from addresses mimicking Stripe's password-reset flow (e.g. [email protected]) and claim either that the merchant requested a reset or that Stripe's system detected an unusual login and has initiated a forced reset for security.
The link leads to a clone of the Stripe login page that presents a 'set new password' form. After the merchant enters a new password, the page may also ask for the current 2FA code to 'confirm the reset', capturing both values at once. The attacker then attempts to log in to the real Stripe dashboard straight away, because the one-time code expires within a minute or so. Note that the password typed into the fake page was never set on the real account: it only helps the attacker where it matches the merchant's current Stripe password, which is what happens when a victim re-enters an existing password or a close variant of it.
How this scam works on the Stripe brand
Real Stripe password-reset emails originate from @stripe.com, and the reset link goes to a stripe.com URL. Stripe's reset process sends a time-limited link; it does not ask for a current OTP during the reset unless 2FA confirmation is explicitly required by the account settings. After a genuine reset, the change is visible in the account's security log at dashboard.stripe.com.
The fake reset email may accurately include the merchant's business name and email address (taken from breach data), making it appear personalised. It may also include an 'If you did not request this, ignore this email' line, copied from legitimate reset emails, to look routine.
Merchants who complete the fake reset on the phishing page see a 'Password changed successfully' confirmation and may be redirected to the real Stripe login page. Nothing has changed on the real account, so the merchant's existing password still works there and nothing looks wrong. The attacker, meanwhile, holds a copy of whatever password the merchant typed and a 2FA code that is usable only for the next minute or so, so the real login attempt is made immediately.
Common red flags
- A password-reset email from an address other than @stripe.com
- The reset link goes to a domain other than stripe.com
- The page asks for a 2FA code to 'confirm' the reset — Stripe's standard reset process does not do this
- A 'forced reset' notice claiming Stripe initiated the process for security reasons
- The email was received at a developer address rather than the primary Stripe account email
- After 'completing' the reset you land on the real Stripe login page and your existing password still works, because no reset ever happened; this hand-off to the genuine site is a classic phishing pattern
- No corresponding security event appears in the Stripe security log at dashboard.stripe.com
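A small triage script for the red flags above, added here as an example and not Stripe's own code or tooling. It parses a raw email, checks that the From and Reply-To domains and every link host are stripe.com or a subdomain of it using exact or suffix matching rather than a substring test (so 'dashboard.stripe.com.reset-verify.example' fails), rejects punycode look-alikes, and looks for wording that asks for a 2FA code or announces a forced reset. The two messages embedded in it are constructed for this example (their domains end in .example), and treating stripe.com as the only legitimate sender and link domain is this page's assumption, not a list published by Stripe.

```python
# Added example for this page, not Stripe's code. The two messages below are
# constructed; the stripe.com allowlist is the page's assumption, not Stripe's.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Genuine reset mail and reset links are expected to use stripe.com or a subdomain.
ALLOWED_DOMAINS = ("stripe.com",)

# Wording a genuine reset flow does not use (red flags 3 and 4 above).
ASKS_FOR_CODE = re.compile(r"\b(2fa|two-factor|one-time|authentication|verification) code\b")
FORCED_RESET = re.compile(r"\b(forced reset|we have (initiated|reset|started))\b")


def is_allowed_host(host: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Exact or subdomain match only. A substring test is unsafe because
    'dashboard.stripe.com.reset-verify.example' also contains 'stripe.com'."""
    host = host.lower().rstrip(".")
    if host.startswith("xn--") or ".xn--" in host:
        return False  # punycode label: an IDN look-alike, never expected here
    return any(host == d or host.endswith("." + d) for d in allowed)


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def triage(raw_message: str) -> dict:
    """Return the link hosts found and a list of red flags (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Red flag 1: From or Reply-To domain other than stripe.com
    for header in ("from", "reply-to"):
        hdr = msg[header]
        if hdr is None:
            continue
        for addr in hdr.addresses:
            if not is_allowed_host(addr.domain):
                flags.append(f"{header} domain is not stripe.com: {addr.domain}")

    # Red flag 2: any link whose host is outside stripe.com
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(text)
        hrefs = extractor.hrefs
    else:
        hrefs = re.findall(r"https?://[^\s<>\"']+", text)
    hosts = [urlparse(h).hostname or "" for h in hrefs]
    for host in hosts:
        if not is_allowed_host(host):
            flags.append(f"link host is not stripe.com: {host}")

    # Red flags 3 and 4: asks for a 2FA code, or claims Stripe forced the reset
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    if ASKS_FOR_CODE.search(plain):
        flags.append("asks for a 2FA/one-time code to confirm the reset")
    if FORCED_RESET.search(plain):
        flags.append("claims a forced reset initiated by Stripe")

    return {"link_hosts": hosts, "flags": flags}


# Constructed sample: the phishing pattern described on this page.
PHISH = """\
From: "Stripe Support" <no-reply@stripe-account-security.example>
Reply-To: help@stripe-account-security.example
To: owner@merchant.example
Subject: Action required: your Stripe dashboard password was reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our system detected an unusual login, so we have initiated a reset for your security.</p>
<p><a href="https://dashboard.stripe.com.reset-verify.example/set-password">Set your new password</a></p>
<p>You will be asked for your two-factor authentication code to confirm the reset.</p>
<p>If you did not request this, ignore this email.</p>
</body></html>
"""

# Constructed sample: what a self-initiated reset mail would look like.
GENUINE = """\
From: Stripe <no-reply@stripe.com>
To: owner@merchant.example
Subject: Reset your Stripe password
Content-Type: text/plain; charset=utf-8

You asked to reset your Stripe password. Use this link within the next hour:
https://dashboard.stripe.com/reset-password?token=REDACTED
If you did not request this, ignore this email.
"""
```

Running triage(PHISH) reports five flags (From, Reply-To, the look-alike link host, the 2FA wording and the forced-reset wording), while triage(GENUINE) reports none. The host check is the part worth copying into any mail-filtering rule: match the registrable domain exactly or as a suffix preceded by a dot, never with a plain substring search.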
How to protect yourself
- Only initiate password resets by navigating to dashboard.stripe.com yourself (typed or bookmarked) and using its own 'forgot password' flow, never from an emailed link
- Do not follow password-reset links in unexpected emails — initiate the reset yourself if needed
- Enable 2FA on your Stripe account, and prefer a hardware security key (WebAuthn) where your account supports it: one-time codes from an authenticator app can be relayed by a phishing page within their validity window, whereas a security key only answers for the genuine stripe.com origin
- Check the Stripe security log regularly for unrecognised login events
- Use a password manager and let it autofill: it binds the entry to stripe.com, so it will refuse to fill a look-alike domain, which is itself a warning sign
- Set up alerts for payout-bank-account changes in Stripe notification settings
- Forward any suspicious Stripe email to [email protected]
How to report it
- Forward the phishing email to [email protected]
- Report through Stripe's support portal at support.stripe.com
- If credentials may have been captured, sign in at dashboard.stripe.com yourself, change the password, re-enrol 2FA, and review the security log and payout bank-account settings for changes you did not make
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to the FBI's IC3 at ic3.gov if customer data or funds were accessed
Frequently asked questions
Does Stripe send forced password resets for security reasons?
Stripe may prompt password resets when it detects suspicious activity, but these are communicated within the dashboard and from @stripe.com addresses with links to stripe.com. Any forced-reset email from a different domain is fraudulent.
Why would capturing my Stripe 2FA code during a reset be so damaging?
A TOTP code from an authenticator app is valid for the remainder of its step (typically 30 seconds) plus whatever clock tolerance the verifier allows, so an attacker who captures it has well under a minute to relay it to the real login, and does so as soon as it is entered. It completes the login only when the attacker also holds your real current password; the 'new' password you type into the fake page supplies that whenever it matches or closely resembles the password you already use. Together, those two values give the attacker a full authenticated session.
What can an attacker access on the Stripe dashboard?
Dashboard access exposes payouts, balance, customer records and email addresses, payment history, and payout bank-account settings. An attacker can change the payout destination, issue fraudulent refunds, and download customer data — all with significant consequences.