Fake Looker / Metabase BI and analytics platform subscription payment failed, Looks and dashboards suspended, LookML models inaccessible, dashboards and questions disabled, or scheduled reports no longer running phishing

Phishing emails impersonating Looker or Metabase claiming the BI and analytics platform subscription payment has failed, Looks and dashboards are suspended, LookML models are inaccessible, dashboards and questions are no longer active, or scheduled reports have been disabled — directing them to update billing or restore access through a credential-harvesting portal. A distinct attack category targeting self-service BI platforms that serve as the primary interface through which business teams access data — suspension simultaneously makes every business dashboard, scheduled report, and data exploration tool unavailable for every non-technical stakeholder in the organization. Key facts: (1) Looker serves 1,500+ enterprise customers ($50,000-$500,000+/year) including Spotify, Kickstarter, and Etsy as one of the dominant enterprise BI platforms, acquired by Google and now part of Google Cloud — Looker's core abstraction is the 'Look' (a saved data visualization), the Dashboard (a collection of Looks), and LookML (the modeling layer that defines how database tables relate and how business metrics are calculated); a Looker workspace suspension makes every Look, dashboard, and LookML model inaccessible; scheduled reports that email KPI dashboards to executives every Monday morning stop sending; embedded Looker analytics in customer-facing products go dark; (2) The 'Looks and dashboards suspended' hook is uniquely concrete for BI platform phishing: unlike most SaaS suspension phishing where 'features stop working' is abstract, Looker suspension has immediate, visible organizational impact — the sales manager's pipeline dashboard goes blank, the finance team's revenue tracking dashboard returns an authentication error, and the embedded analytics in the customer portal show empty charts to paying customers; (3) Metabase serves 50,000+ active deployments (Metabase Cloud at $500/month, plus self-hosted Enterprise) as the dominant open-source self-serve BI tool — Metabase's core concepts are 'Questions' (individual data visualizations) and Dashboards; Metabase suspension makes every saved Question inaccessible and stops all scheduled dashboard reports; the marketing team that receives a daily Metabase dashboard digest with acquisition and conversion metrics loses visibility entirely; (4) The 'scheduled reports disabled' hook targets a specific organizational dependency: both Looker and Metabase generate scheduled email and Slack reports that non-technical business users depend on for their daily/weekly operational visibility — operations managers who don't log into the BI tool directly receive their metrics via scheduled report; suspension of scheduled reports means these users have no visibility into operational metrics until access is restored; (5) Looker and Metabase credentials expose the complete business intelligence architecture: every LookML model revealing the semantic layer that defines how the company calculates revenue, churn, and customer health, the complete dashboard library showing every KPI being tracked by every team, the scheduled report configuration showing who receives which metrics and at what cadence, and the database connection credentials providing direct access to the underlying data warehouse. Warning signs: sender not looker.com or metabase.com; genuine Looker billing at looker.com/account; Metabase Cloud billing at store.metabase.com/account.