Spotify “Billing Update” phishes for login and card details

A phishing campaign spoofing a Spotify Premium billing notice is attempting to steal user login credentials and payment information. It starts as a simple HTML email with a single link, then walks victims through a convincing, step-by-step process that escalates from credential theft to payment card capture, finishing with a “Verified by Visa” style prompt. This is not a “spray and pray” attachment-based attack. It’s a low-friction click-through journey engineered to keep the victim saying “yes” one step at a time.

What the scam looks like

The message presents as a billing or subscription problem that needs urgent action, with a prominent button to “Confirm Payment Method”. In a sample of the emails blocked by MailGuard:

• From (display name): Help SpotifyNotice
• From (address): chrbty.jic01@hotmail.com
• Subject: “RE: Final Reminder: Update Your Spotify Billing Information Now to Avoid Losing Access to Your Premium Subscription Benefits”
• Notable tell: It’s sent from a Hotmail address, not an official Spotify domain.
• Another tell: The “To” field shows a Spotify-like address (help-alet@spotify.com), a tactic often used to create false legitimacy in a quick scan.

Here's what the email looks like 👇

How the scam works, step-by-step

Once the victim clicks the link, the attack moves through a staged flow:

1) Fake Spotify login page

Victims are taken to a Spotify-branded login page asking for an email/username and password, with options to “Continue with Google”, “Facebook”, “Apple”, or “Phone Number”.

Key indicator: the site is not hosted by Spotify. In the example, the browser address bar shows:
info-help.service-teamnotice.com/...

2) “Your account has been disabled”

The next screen claims the account is disabled due to “Suspected activity” or “Payment issues”, then prompts the victim to “Activate your Account”.

Why it works: it introduces urgency and fear of service loss, then offers an immediate fix.

3) “Update your billing details”

The victim is pushed into a billing update workflow, presented as a multi-step process (“Step 2 of 3”), reinforcing the idea this is a legitimate account recovery journey.

4) Credit/debit card harvest

The following page asks for card number, expiry date, and CVV. At this point, the attacker has moved from account access to direct financial theft.

5) “Verified by Visa” prompt

A final screen mimics payment authentication, “Please wait. Do not refresh or leave this page…”. This is designed to normalise the process and keep the victim engaged, even if the transaction fails behind the scenes.

What to watch for

If you only have a few seconds to triage, these are the highest-signal indicators:

• Sender mismatch: a consumer mailbox (Hotmail, Gmail) posing as a major brand.
• Domain mismatch after click: anything other than an official Spotify domain is a red flag, even if the page looks perfect.
• Escalation pattern: login prompt followed by “account disabled” followed by billing update and card capture. That sequence is classic credential-to-payment harvesting.
• Generic greeting and lack of personalised account detail: real billing notices usually include identifiable account context.

What to do if a user clicked

For IT and security teams, the safest response is to assume credentials may be compromised:

• Reset the password immediately for the impacted account, and any other accounts that reused the same password.
• Review sign-in activity and active sessions, revoke sessions where possible.
• Enable or enforce MFA (and where applicable, use phishing-resistant MFA for high-risk users).
• If card details were entered, contact the bank immediately to block the card and monitor for fraud.
• Report and remove the email across the environment if it was delivered to multiple users.

Why these “simple HTML + one link” emails still work

The email itself is basic, but the landing flow is where the engineering effort lives. Attackers know that once someone clicks, they are far more likely to comply with the next prompt, especially when the prompts feel like familiar account recovery steps.

This is also why layered controls matter. User judgement is a weak point under time pressure, especially when the scam is designed to look routine.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

• Aren’t addressed to you personally.
• Are unexpected and urge immediate action.
• Contain poor grammar or miss crucial identifying details.
• Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters!  Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.