Fake HeyGen or Synthesia AI avatar video subscription suspended — Creator or Business plan payment failed, AI video generation credits revoked, talking avatar access blocked due to billing failure phishing

Phishing emails impersonating HeyGen or Synthesia claiming the Creator, Business, or Enterprise plan subscription has been suspended, AI avatar video generation credits are revoked, or talking avatar access is no longer active due to a billing failure — directing victims to update payment through a credential-harvesting portal. A B2B-focused attack category targeting companies that produce training and marketing videos at scale. Key facts: (1) HeyGen serves 50,000+ paying business customers at Creator ($29/month, 3 video credits), Business ($89/month, unlimited video credits), and Enterprise (custom) tiers — marketing teams, L&D departments, and content agencies that produce AI avatar videos for client deliverables face immediate production disruption when a 'subscription suspended' email arrives mid-project; the high per-seat cost ($29-$89/month) makes the billing failure narrative highly plausible and the urgency strong; (2) Synthesia serves 50,000+ enterprise users at Starter ($18/month), Creator ($64/month), and Enterprise (custom $400+/month) tiers — Synthesia is the market leader in AI video for corporate training, with Fortune 500 customers using it to produce onboarding videos, compliance training, and internal communications; a 'Synthesia subscription suspended, video creation access blocked' email creates urgent business disruption for L&D teams with monthly training delivery deadlines; (3) HeyGen and Synthesia credentials grant access to the victim's custom AI avatar library: HeyGen users create 'Instant Avatars' by recording a 2-minute video of themselves, and Synthesia users create 'Personal Avatars' similarly — stolen credentials expose these digital avatar assets that can be misused to create deepfake corporate communications impersonating the victim without their knowledge; (4) The B2B attack surface is amplified by shared account usage: HeyGen Business and Synthesia Creator plans are often shared across marketing or L&D teams with a single billing account — a 'subscription payment failed' email arriving in the billing administrator's inbox creates urgency on behalf of all team members who depend on the platform; (5) Both platforms send legitimate billing reminder emails with plan-specific language (video credits, avatar seats, generation quota) that attackers replicate precisely — the credibility of the phishing template is high because recipients recognize the billing format from real notifications; (6) The attack is distinct from the existing Midjourney/Runway signal: Midjourney generates still images and Runway generates cinematic AI video, while HeyGen/Synthesia generate talking-head avatar videos used specifically for business communications — the brand names, the vocabulary (avatar, talking avatar, video credits, video generation), and the target user profile are entirely different. Warning signs: sender not heygen.com or synthesia.io; genuine HeyGen billing at app.heygen.com/account; Synthesia billing at app.synthesia.io/settings/subscription.