Fake HubSpot / Salesforce / Zoho CRM account suspended or data export phishing — fraudulent email impersonating HubSpot, Salesforce, Zoho CRM, or Pipedrive claiming the recipient's CRM account has been suspended, their Salesforce license is expiring with data at risk, a data export is ready requiring sign-in, or unusual access was detected — directing them to sign in to verify, restore access, or download their data — a credential-harvesting attack giving attackers access to ALL customer contact records, deal pipelines, and sales communications; HubSpot: 216,000+ customers; Salesforce: 150,000+ customers; CRM access enables follow-on BEC attacks and contact database theft

Phishing emails impersonating HubSpot, Salesforce, Zoho CRM, or Pipedrive claiming the recipient's CRM account has been suspended, their Salesforce license is expiring with data at risk, a CRM data export is ready for download, or unusual access was detected — directing them to sign in, restore access, or verify identity through a spoofed CRM portal. Key facts: (1) HubSpot has 216,000+ customers and 7M+ users; Salesforce has 150,000+ enterprise customers managing 4+ trillion CRM records; Zoho CRM has 100M+ users; IC3 2024: business application credential theft grew 61% year-over-year as CRM systems became critical sales infrastructure; (2) CRM credentials are uniquely high-value because a compromised CRM account exposes the company's complete customer contact database, live deal pipeline, historical sales communications, and often billing and contract data — the most sensitive business intelligence an organization holds; attackers use CRM access for targeted BEC follow-up attacks (impersonating sales reps to redirect invoice payments to attacker-controlled accounts, leveraging authentic deal details to sound convincing), and sell the contact database on dark-web marketplaces; (3) The "Salesforce license expiring — data will be deleted" variant is particularly effective because Salesforce does send genuine license expiry warnings with data retention urgency, conditioning administrators to respond immediately to prevent data loss; similarly, HubSpot genuinely warns of data export expirations; (4) The "CRM data export ready" variant is a low-suspicion lure: data exports are a common, legitimate workflow — being told "your export is ready, sign in to download" feels like a routine admin task rather than a phishing attempt. Warning signs: sender domain not hubspot.com, salesforce.com, or zoho.com; no reference to specific account name, Salesforce org ID, or HubSpot portal ID; generic urgency about data deletion without specific export details; link to non-official CRM domain.