Fake Snowflake Data Cloud subscription payment failed, compute credits suspended, virtual warehouses paused, or data lake access disabled phishing
fake-snowflake-data-cloud-warehouse-billing-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating Snowflake claiming the Data Cloud subscription payment has failed, compute credits are suspended, virtual warehouses are paused, or data lake access is disabled, and directing victims to update billing through a credential-harvesting portal. A distinct attack category targeting the cloud data warehousing and analytics layer that modern data-driven organizations rely on for all business intelligence and ML workloads: Snowflake is the world's leading cloud data platform with a unique compute-credit billing model that makes 'credits suspended' phishing maximally plausible.
Key facts:
(1) Snowflake serves 8,900+ customers including 743 of the Forbes Global 2000 (at variable compute credit pricing that can reach $500,000-$5,000,000+/year for large organizations). Snowflake's consumption-based billing model means organizations regularly receive billing alerts about credit usage, making a 'compute credits suspended due to billing failure' email credible to anyone who manages Snowflake costs; a 'Data Cloud access suspended' email implies all analytics pipelines, data sharing connections, and BI tool integrations are simultaneously offline.
(2) Snowflake's high-profile security incidents create ambient awareness that makes phishing targeting plausible: the 2024 Snowflake breach (affecting AT&T, Ticketmaster, Santander) was widely publicized, creating both phishing opportunity (attackers impersonating Snowflake security notifications) and threat awareness (security teams know Snowflake is a high-value target).
(3) The compute credits billing hook exploits a genuine operational complexity: Snowflake credits are consumed by virtual warehouses at different rates depending on warehouse size (X-Small through 6X-Large), and organizations with multiple warehouses running complex queries frequently receive cost management alerts; a 'virtual warehouse suspended due to billing' email is operationally indistinguishable from a legitimate credit alert.
(4) Snowflake credentials expose the complete organizational data estate: every database schema and table containing customer PII, financial records, and operational metrics; all data sharing configurations revealing which external organizations have been granted access; all Snowpark workloads including Python and Java code running in Snowflake's compute; all Streamlit applications built on Snowflake data; and all external stage configurations revealing the cloud storage buckets integrated with the data lake. A Snowflake credential compromise grants access to the most complete single source of organizational data.
Warning signs: sender not snowflake.com; genuine Snowflake billing at app.snowflake.com.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.