Fake SaaS seat-overage true-up billing-reconciliation wire-redirect lure — "Your Linear / Notion / Figma / Slack annual commitment has 23 over-allocation seats in true-up; pay the past-due invoice via wire today or your workspace will be downgraded by EOD" targeting billing / IT / procurement admins. 2026 SaaS seat-overage true-up cycles (Linear, Notion, Figma, Slack) are real billing-reconciliation events, lending the lure narrative credibility. Lookalike billing portals harvest admin credentials and redirect the wire payment to attacker-controlled bank accounts. Real billing-reconciliation invoices come from the vendor's verified billing domain on a calendar cycle, never via inbound email link demanding wire transfer with end-of-day downgrade pressure. B2B-admin scope; financial-pressure cluster. Source: GC1 R8 multiagent council (S5 SaaS specialist).

Fake SaaS seat-overage / true-up billing-reconciliation wire-redirect lure targeting Linear / Notion / Figma / Slack billing / IT / procurement admins. The phish narrative arrives as: "Your Linear annual commitment has 23 over-allocation seats in true-up — pay the past-due invoice via wire today or your workspace will be downgraded by EOD," or "Slack and Figma annual commitment billing reconciliation reports 23 seat overages past due — pay invoice or downgrade your workspace by EOD." 2026 SaaS seat-overage true-up cycles (Linear, Notion, Figma, Slack) are real billing-reconciliation events that procurement teams handle quarterly + annually, lending the lure narrative immediate credibility — even experienced finance / IT admins can mistake the lookalike for a routine annual-commitment reconciliation reminder. Lookalike vendor billing portals harvest workspace-admin credentials and redirect the wire payment to attacker-controlled bank accounts. Post-compromise the attacker (1) wires the bogus penalty (typical $5K-$50K per attempt depending on workspace size + plan), (2) pivots to workspace data exfiltration (Linear issues, Notion docs, Figma designs, Slack messages — IP and PII goldmine), (3) holds the workspace hostage for ransom by threatening to revoke access if the legitimate invoice is contested. Real billing-reconciliation invoices come from the vendor's verified billing domain on a calendar cycle (the customer's Linear billing email comes from billing@linear.app on a known cadence), are payable through the workspace billing UI, and never demand wire transfer with end-of-day downgrade pressure. The annual-commitment / over-allocation / seat-overage / true-up / billing-reconciliation vocabulary cluster is functionally exclusive to enterprise-SaaS procurement, keeping FP very low. B2B-admin scope; financial-pressure cluster. Fires when body references Linear / Notion / Figma / Slack co-occurring with seats / overage / true-up / over-allocation / billing reconciliation / annual commitment AND contains downgrade / pay / wire / invoice / past-due / action-required / EOD / end-of-day urgency. Excludes linear.app, notion.so, figma.com, slack.com, slackhq.com. Auto-classified as danger via the `-spoof` suffix. Source: GC1 R8 multi-agent council (S5 SaaS specialist).