Fake QuickBooks / accounting software payment failed phishing — impersonates QuickBooks Online (Intuit), FreshBooks, Xero, or Wave claiming subscription payment failed and financial data will be deleted/locked within 24 hours; powerful loss-aversion hook for SMB owners relying on these tools for payroll, invoicing, and tax records; IC3 2024: SMB credential phishing up 40%; Proofpoint 2024: QuickBooks is the most impersonated accounting software brand

Phishing emails impersonating QuickBooks Online (Intuit), FreshBooks, Xero, or Wave accounting software claiming the subscription payment failed and threatening that financial data will be permanently deleted, locked, or exported within 24–48 hours unless payment is updated — driving to a credential- or card-harvest page. Key facts: (1) QuickBooks Online is used by 7M+ small businesses for bookkeeping, invoicing, payroll, and tax preparation; FreshBooks by 30M+ freelancers; Xero by 4M+ users globally — the loss of access to financial records, invoices, and payroll data triggers immediate action by business owners who cannot afford even one day of accounting downtime; Proofpoint 2024: QuickBooks is the most impersonated accounting software brand in email phishing campaigns; (2) The "data deletion" threat is uniquely effective: unlike other account phishing that threatens to lock users out, accounting software phishing threatens permanent deletion of financial history — years of invoices, bank reconciliations, payroll records, and tax data; this creates existential fear for business owners and accountants that bypasses rational verification behavior; (3) IC3 2024: small business credential phishing grew 40% year-over-year, with financial software impersonation emerging as a primary attack vector for obtaining both credentials (for account takeover) and payment card details (for direct financial theft); (4) Legitimate Intuit, FreshBooks, and Xero renewal and payment notifications arrive from their verified company domains, include the last 4 digits of the payment method on file, specify the exact subscription plan and amount, and link to the platform's official billing management page — they never threaten immediate data deletion with a countdown. Warning signs: sender not intuit.com, freshbooks.com, xero.com, or waveapps.com; no payment method details on file; data deletion threat with short countdown; link to non-official billing portal.