Fake GoFundMe / Kickstarter / Indiegogo / Fundly / YouCaring / DonorsChoose / SeedRS / Crowdcube / StartEngine / WeFunder campaign-CREATOR payout phishing — "your campaign payout is on hold / creator verification required, verify within N hours or funds return to donors" + credential-harvesting link to a non-vendor host impersonating the creator / organizer dashboard. Blast radius: payout redirection (medical GoFundMes can be tens of thousands; tech Kickstarter campaigns hundreds of thousands), campaign page defacement for follow-up solicitation to different endpoint, donor PII exposure via dashboard, Stripe Connect abuse on Kickstarter. Distinct from donor-side charity phish and from fake-patreon-substack-creator-payout-phish (subscription-based creators). Evidence: GoFundMe Trust & Safety advisories (COVID-19 2020, Turkey-Syria 2023, Hawaii wildfire 2023); Kickstarter 2022-2024 creator advisories around high-profile $1M+ tech campaigns; BBB + FTC crowdfunding takeover coverage

Crowdfunding campaign-CREATOR phishing. Attackers impersonate GoFundMe, Kickstarter, Indiegogo, Fundly, YouCaring, DonorsChoose, SeedRS, Crowdcube, Fundable, StartEngine, or WeFunder with "your campaign is under review / creator verification required / payout on hold pending identity verification" messages directed at the campaign OWNER. The link drives to a typosquat host (gofundme-verify-campaign.example, kickstarter-creator-verify.example, indiegogo-owner-verify.example) that presents a pixel-perfect fake organizer / creator dashboard sign-in. Once credentials are harvested the blast radius is high: (1) payout redirection — attacker changes the linked bank / Stripe Connect to redirect the next distribution. Medical GoFundMe campaigns routinely raise tens of thousands for individual fundraisers; successful Kickstarter tech projects raise hundreds of thousands to millions at payout time; Indiegogo product campaigns similar. (2) Campaign page defacement — attacker can edit the campaign page to post fake updates, often soliciting MORE donations directed to a different endpoint (Venmo handle, crypto address, off-platform payment link). (3) Donor PII exposure — backer list with emails, full names, and physical addresses (for reward shipping on product campaigns) is visible in the creator dashboard. (4) Stripe Connect abuse — Kickstarter uses Stripe Connect for creator payouts; compromised dashboard access lets the attacker reconfigure the connected Stripe account entirely. Distinct from donor-side charity phish (if a separate signal exists; different target population + different attack shape), and distinct from `fake-patreon-substack-creator-payout-phish` (subscription-based creator platforms with recurring-payment flows rather than one-shot campaign-based payouts, different platforms, different vocabulary). Real precedents: GoFundMe Trust & Safety published phishing advisories after the COVID-19 medical fundraiser wave of 2020, the Turkey-Syria earthquake wave of 2023, and the Hawaii wildfire wave of 2023 — disaster-adjacent high-volume fundraising attracts phishing campaigns targeting newly-minted organizers who are unfamiliar with the platform. Kickstarter has published 2022-2024 creator-targeted phishing advisories, particularly around the highest-profile $1M+ tech campaigns which are the highest-value takeover targets. BBB and FTC have issued advisories on crowdfunding creator-account takeover as a persistent attack class. Legitimate communications come exclusively from the platform's own domain: `gofundme.com`, `kickstarter.com`, `indiegogo.com`, `fundly.com`, `youcaring.com`, `donorschoose.org`, `seedrs.com`, `crowdcube.com`, `fundable.com`, `startengine.com`, `wefunder.com`, plus `stripe.com` / `connect.stripe.com` for Kickstarter payout verification flows. Warning signs: any campaign-payout-review email whose sign-in link is hosted anywhere else. Defense: always open the creator / organizer dashboard directly from the platform's bookmarked URL, never via an email link. Enable hardware-backed 2FA on your campaign account, especially for campaigns over $10K. If you're running a disaster-adjacent or time-sensitive campaign, assume elevated phishing risk and verify every "your campaign has been flagged / put on hold / needs verification" email by calling the platform's published customer support number directly.