Conference / event-registration phishing — impersonates major security + tech conferences (RSA Conference, Black Hat, DEF CON, Gartner Security & Risk Summit, Microsoft Ignite, AWS re:Invent, Google Cloud Next, KubeCon, O'Reilly, SANS, Infosecurity Europe, Web Summit, Dreamforce, SXSW) with a "registration incomplete / final payment due / invoice pending" narrative + payment-card-or-credential-harvesting link on a non-organizer host. Two BEC shapes: (a) credit card harvesting, (b) invoice-redirect where the victim's company pays an attacker-controlled account. Targets senior IT / security professionals + executives. Shipped 8 days before RSA Conference 2026 (Apr 27-May 1) to hit the peak phishing window. Evidence: Cofense 2024-2025 RSAC + Black Hat impersonation reports; Proofpoint 2024 conference-phishing coverage; CISA event-impersonation-BEC alerts

Conference + event registration phishing targets attendees of major security and technology conferences with a "your registration is incomplete / final payment due / invoice pending" narrative + credential-or-payment-card-harvesting link on a non-organizer host. The attack surface covers the highest-profile industry conferences where attendees are senior IT / security professionals or executives with organizational purchasing authority: RSA Conference (~45,000 attendees, $2,095 full pass), Black Hat USA + Europe + Asia, DEF CON, Gartner Security & Risk Management Summit + Gartner IT Infrastructure + Gartner Marketing Symposium + other Gartner verticals ($4,000-$5,000 registrations), Microsoft Ignite, AWS re:Invent, Google Cloud Next + Google I/O, KubeCon + CloudNativeCon, O'Reilly AI Conference + Velocity + Strata, SANS Institute summits, Infosecurity Europe, GITEX, CeBIT, Web Summit, Collision Conference, Dreamforce, SXSW. Two distinct BEC shapes are both caught by this signal: (a) credit card harvesting where the victim enters payment details on a fake "complete your registration" landing page and the attacker collects the card, (b) invoice-redirect BEC where the victim's company pays an attacker-controlled account thinking the payment goes to the real conference — particularly devastating for enterprises where conference-registration reimbursements pass through finance with minimal verification. Real precedents: Cofense documented RSA Conference impersonation waves in the 2-3 weeks preceding the event across 2024 + 2025; Proofpoint published similar Black Hat + DEF CON impersonation patterns; RSA Conference's own team has published phishing advisories recognizing the pattern every year; CISA has issued alerts on event-impersonation BEC as a persistent vector. The signal fires into peak phishing windows by design — calendar-driven attacks spike in the 2-4 weeks preceding an event as attendees are actively checking registration status. Legitimate conference communications link exclusively to the official organizer domain: `rsaconference.com`, `blackhat.com`, `defcon.org`, `gartner.com`, `ignite.microsoft.com`, `reinvent.awsevents.com`, `cloud.google.com`, `kubecon.cncf.io`, `oreilly.com`, `sans.org`, `infosecurityeurope.com`. Any registration-payment email whose link target is elsewhere is, by construction, a phish. If you receive a conference-registration-status email, go directly to the conference's registration portal via a bookmarked URL or your confirmation email from when you first registered — never click the link in the urgency email.