Fake Cloudflare / Fastly CDN and network services subscription payment failed, domain protection suspended, CDN services disabled, or SSL and DDoS protection access no longer active phishing

Phishing emails impersonating Cloudflare or Fastly claiming the CDN and network services subscription payment has failed, domain protection is suspended, CDN services are disabled, or SSL and DDoS protection access is no longer active — directing victims to update billing through a credential-harvesting portal. A distinct attack category targeting the network infrastructure layer that sits in front of every web application: Cloudflare is the world's largest CDN and network security provider, and Fastly is the premium CDN provider favored by high-traffic media and e-commerce companies. Key facts: (1) Cloudflare protects 20%+ of all websites on the internet with 5+ million paying customers ($20-$200,000+/year depending on plan tier) — Cloudflare sits in front of every protected domain as the DNS and CDN layer, meaning a 'Cloudflare account suspended' email is simultaneously credible to personal bloggers ($20/year Pro plan), SMBs ($200/month Business), and enterprise teams ($5,000+/month Enterprise); the domain suspension hook is uniquely powerful because it implies the entire website goes offline and becomes unreachable; (2) The 'SSL certificate suspended' hook exploits a specific web owner fear: Cloudflare manages SSL/TLS certificates for millions of domains; a suspended account means the HTTPS certificate is no longer renewed, making every visitor to the site receive a browser 'Your connection is not private' warning — for e-commerce sites, this means zero sales until resolved; (3) Fastly serves 2,500+ enterprise customers ($50,000-$5,000,000+/year) including The New York Times, GitHub, Spotify, and Stripe as the real-time CDN favored by companies for whom edge performance and cache purging speed matter most — Fastly is the CDN of choice for media companies serving video and breaking news; a Fastly CDN suspension takes the website offline for all users globally, with no cached version available; (4) The Cloudflare Workers and Pages suspension hook targets the growing segment of developers who host entire applications on Cloudflare's edge compute platform — a Workers/Pages suspension takes down applications that have no other hosting, unlike traditional CDN customers who have origin servers to fall back to; (5) Cloudflare and Fastly credentials expose the complete domain and infrastructure architecture: every domain's DNS configuration and origin server IP addresses (normally hidden behind Cloudflare's proxy), all firewall rules and WAF policies, Cloudflare Workers source code and environment variables (which often contain API keys for third-party services), the complete DDoS protection configuration, and Fastly's VCL (Varnish Configuration Language) cache rules. Warning signs: sender not cloudflare.com or fastly.com; genuine Cloudflare billing at dash.cloudflare.com/billing; Fastly billing at manage.fastly.com/account/billing.