MailGuard 21 May 2026 09:25:32 AEST 6 MIN READ

Spotify Failed Payment Scam

MailGuard has intercepted a new phishing email scam impersonating Spotify and attempting to steal users’ login credentials, credit card details and personal information.

The email claims that Spotify was unable to process the recipient’s last payment and urges them to update their billing details within 48 hours to avoid suspension of their Premium subscription.

How the scam works

While the branding appears legitimate, the email is sent from unrelated domains. Clicking the button in the email leads to a phishing site designed to look like Spotify’s login page, but hosted on a non‑Spotify domain. The attacker is attempting to lure the victim into clicking the button by creating urgency around a fake payment failure.

Step 1: The phishing email

Victims receive an email claiming their Spotify payment has failed and urging them to update their billing details. A button labelled “UPDATE PAYMENT METHOD” directs them to a fake login page.

Spotify - 1

The attacker is attempting to convince the victim to engage by impersonating a trusted brand and fabricating an account issue.

Step 2: Fake login prompt

The link opens a page mimicking Spotify’s login screen, asking users to enter their email address or username.

Spotify - 2

The attacker is attempting to capture the victim’s email address to begin harvesting account credentials.

Step 3: Password capture

After entering an email address, users are prompted to enter their password on another fake login page.

Spotify - 3

The attacker is attempting to steal the victim’s password, enabling access to their Spotify account and any other accounts using the same credentials.

Step 4: Payment and identity theft

The scam then escalates, directing victims to a fake subscription page requesting full credit card details, address, phone number and date of birth.

Spotify - 4

The attacker is attempting to collect complete financial and identity information for fraudulent transactions and identity theft.

Step 5: Fake processing screen

A final “processing” page is displayed to make the interaction appear legitimate.

Spotify - 5

The attacker is attempting to delay suspicion by simulating a real processing flow while exfiltrating the stolen data.

This scam is designed to harvest sensitive information that can be used for fraud, identity theft and further compromise.

Key indicators of the threat

  • Sender domains are not associated with Spotify

  • Phishing pages hosted on a compromised third‑party domain rather than spotify.com

  • Requests for email addresses, passwords, full credit card details and personal information

  • Login and payment pages styled to mimic Spotify but delivered from unfamiliar URLs

  • Final “processing” screen used to mask the theft of credentials and payment data
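As an added defender-side triage example (not MailGuard's code or tooling), the following Python check applies the indicators above to one raw email: it compares the brand the message claims against the sender domain and the link destinations, and looks for the payment-failure urgency language. The spotify.com allow-list, the domain names and the sample message are constructed assumptions, not values taken from the intercepted campaign.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

BRAND = "spotify"
BRAND_DOMAINS = {"spotify.com"}  # assumed allow-list of domains the genuine brand sends from and links to
URGENCY = re.compile(r"\b(48 hours|suspend|suspension|payment (has )?failed)\b", re.I)

def registrable(host):
    # Naive last-two-labels reduction: fine for .com brands, wrong for ccTLDs such as .com.au
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def assess(raw):
    # Parse one raw RFC 5322 message and compare sender/link domains with the brand it claims
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg.get("From", "")
    m = re.search(r"@([\w.-]+)", sender)
    sender_domain = registrable(m.group(1)) if m else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    hrefs = re.findall(r"""href=["']([^"']+)""", html, re.I)  # crude, but enough for a triage check
    links = [urlparse(h) for h in hrefs if h.lower().startswith(("http://", "https://"))]
    link_domains = {registrable(u.hostname) for u in links if u.hostname}
    text = re.sub(r"<[^>]+>", " ", html)
    mentions_brand = BRAND in text.lower() or BRAND in sender.lower()
    findings = []
    if mentions_brand and sender_domain and sender_domain not in BRAND_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not a {BRAND} domain")
    off_brand = sorted(d for d in link_domains if d not in BRAND_DOMAINS)
    if mentions_brand and off_brand:
        findings.append("links lead to non-brand domains: " + ", ".join(off_brand))
    if URGENCY.search(text):
        findings.append("payment-failure / urgency language present")
    return {"sender_domain": sender_domain, "link_domains": link_domains,
            "findings": findings, "suspicious": len(findings) >= 2}

# Constructed sample modelled on the lure described above; not a real intercepted message
SAMPLE = b"""From: Spotify Billing <billing@notify-example.invalid>
Subject: Action required: your last payment failed
Content-Type: text/html; charset=utf-8

<html><body><p>Spotify was unable to process your last payment. Update your
billing details within 48 hours to avoid suspension of Premium.</p>
<a href="https://accounts-login.example.net/spotify/login">UPDATE PAYMENT METHOD</a>
</body></html>"""
```

A message from the brand's own domain whose links stay on that domain produces no findings, so the check flags the brand/domain mismatch rather than every mention of the brand.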

Why this matters for businesses

This campaign is particularly dangerous for organisations where staff use Spotify accounts linked to corporate email addresses, shared credentials or business payment methods. A successful compromise can allow attackers to:

  • Access corporate email accounts if employees reuse passwords across services

  • Make fraudulent charges using business credit cards or stored payment methods

  • Use stolen personal information to impersonate staff in social engineering attacks

  • Target the organisation with further phishing attempts using harvested credentials

  • Build detailed identity profiles that can be exploited for account takeovers across other business platforms

With many staff members managing entertainment from corporate devices, a single phishing email can quickly escalate into a business‑level security incident.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.
