Fake Stripe Support — Account Suspended Scam
Fraudsters contact merchants via phone or email posing as Stripe's risk or compliance team, claiming their Stripe account has been suspended due to a policy violation and demanding login credentials or payment to restore service.
Part of: Fake Customer Support Scams
Last reviewed: 7 June 2026
For any business that relies on Stripe for revenue, a sudden account suspension is financially catastrophic. Scammers exploit this business-critical vulnerability by impersonating Stripe's compliance or risk team and contacting merchants with fabricated suspension notices.
The approach is often more sophisticated than consumer-facing phishing because the attacker may have researched the merchant's business, referencing its industry, recent transaction volumes, or its business name accurately. This research may come from LinkedIn, the merchant's own website, or data sold in business-database leaks. The combination of accurate business details and an urgent suspension claim can override the merchant's caution.
The fraudster's goal varies: some seek to harvest Stripe login credentials to access live customer card data and ongoing payouts; others attempt to collect 'verification fees' or 'dispute resolution deposits' before supposedly reinstating the account. Neither Stripe's actual compliance process nor its genuine support team involves fees or requests for credentials transmitted outside the secure dashboard.
How this scam works on the Stripe brand
Real Stripe account actions — including suspensions — are communicated through the Stripe dashboard itself and via email from @stripe.com. Stripe's genuine emails about account restrictions contain a link to dashboard.stripe.com and include the business name registered on the account. Stripe does not call merchants out of the blue to resolve compliance issues, and it does not charge fees to review disputes or reinstate accounts.
Fake Stripe communications arrive from addresses like [email protected], use PDFs or Word documents labelled 'Stripe Policy Notice', and instruct the merchant to call a phone number or reply with their API secret key or account credentials. The tone is formal and references real Stripe terminology (e.g. 'your Stripe account is under Section 3.1 review') to appear authoritative.
Merchants who provide API keys give attackers full programmatic access to their Stripe account — including the ability to create charges, issue refunds to cards they control, change payout accounts, and retrieve customer data. This is potentially far more damaging than a simple credential compromise.
Common red flags
- Email about a Stripe suspension from an address that is not @stripe.com
- A phone call claiming to be from Stripe's risk or compliance team — Stripe does not call merchants proactively
- Request for your Stripe API secret key, account password, or two-factor backup codes
- A demand for a 'deposit', 'dispute fee', or 'reinstatement charge' to restore the account
- The notice arrives via PDF or document attachment rather than inside the Stripe dashboard
- References to 'urgent' policy violations without specific transaction details from your real account history
- You are asked to grant access to a third-party Stripe app or OAuth integration under urgency
How to protect yourself
- Log in directly to dashboard.stripe.com to verify whether a real restriction is in place
- Contact Stripe support only through support.stripe.com — never call a number from an email
- Never share your Stripe API secret key with anyone; treat it like a password
- Enable two-factor authentication on your Stripe account and use an authenticator app
- Review authorised OAuth applications in Stripe settings regularly and revoke any you do not recognise
- Verify your registered Stripe email and payout bank account periodically
- Alert your payments or finance team about this scam pattern so multiple people can catch suspicious communications
How to report it
- Forward phishing emails to [email protected]
- Report through Stripe's official support at support.stripe.com
- If API credentials were compromised, rotate them immediately in the Stripe dashboard and notify Stripe
- File a complaint with the FTC at reportfraud.ftc.gov
- If customer data may have been accessed, consult your data-breach notification obligations
Frequently asked questions
Does Stripe ever charge fees to resolve a suspended account?
No. Stripe does not charge merchants fees to investigate compliance issues, resolve disputes, or reinstate accounts. Any demand for payment to restore a Stripe account is a scam.
What can an attacker do with my Stripe API secret key?
With your secret key, an attacker can create and refund charges, modify subscriptions, change payout settings, and retrieve customer and card data — all without your password. Treat secret keys like passwords and rotate them immediately if compromised.
How quickly does Stripe notify you of a real account suspension?
Real Stripe suspensions appear immediately in the dashboard and are communicated via email to the registered address. There is no delay requiring you to call a third-party number. If in doubt, log in to the dashboard first.