Stripe Impersonation Scams
Scammers impersonate Stripe to target business owners with fake payout-hold notices and phishing pages. Stripe will never ask for your API keys via email or threaten to close your account unless you verify through a link.
Last reviewed: 1 June 2026
Stripe processes payments for millions of online businesses, and the fear of a payment hold or account suspension is a powerful lever for fraudsters. Business owners receive realistic-looking emails claiming that a Stripe risk review has frozen payouts and that account details must be re-submitted via a link — which is actually a phishing page that captures login credentials and API keys.
API key theft can have severe consequences, as keys can be used to issue fraudulent refunds, charge stored cards, or access customer data. Protecting them is as important as protecting a bank password.
How scammers impersonate it
- Sending emails claiming a Stripe risk review has placed a hold on payouts, with a link to a fake dashboard
- Creating phishing pages at domains like 'stripe-dashboard.net' that harvest credentials
- Targeting developers via email with fake 'Stripe API security alerts' asking for key rotation through a phishing link
- Impersonating Stripe support on social media to gather API credentials under the guise of troubleshooting
- Spoofing Stripe sender addresses to bypass basic email filters
What the real organisation never does
- Ask for your API secret key via email, chat, or phone
- Require you to verify your account by clicking a link in an unsolicited email
- Threaten immediate fund freezing unless you act within minutes via a provided link
- Contact you through unofficial social media accounts for account support
Common red flags
- Email about a payout hold with a link to a domain other than stripe.com or dashboard.stripe.com
- Request for your API secret key to 'diagnose' an issue
- Urgency: 'Your payouts will be frozen in 24 hours unless you verify'
- Login page design that looks like Stripe but has an unfamiliar domain
- Support contact found via Google rather than inside the Stripe dashboard
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Email: 'Stripe Risk Team: A review of your account requires your attention. Re-verify your business details at [fake link] to resume payouts.'
Developer email: 'Stripe Security Alert: Your API key may have been exposed. Rotate it immediately at [phishing link].'
How to verify
- Always navigate to dashboard.stripe.com directly — never via an email link
- Genuine Stripe communications about your account are mirrored inside the dashboard
- API key management is handled only within the official Stripe dashboard under Developers > API keys
- Contact Stripe support via the chat widget inside your dashboard, not via any externally found number
What to do if you're targeted
- Rotate any potentially compromised API keys immediately inside the real Stripe dashboard
- Change your Stripe account password and enable two-factor authentication
- Report the phishing email to Stripe at [email protected]
Frequently asked questions
My Stripe payouts are actually on hold — how do I know if the email is real?
Log in to your Stripe dashboard directly at dashboard.stripe.com. A genuine hold will be clearly displayed there. If you see no hold, the email was phishing.