Fake Stripe Dashboard alert lure — "unusual activity on your Stripe Dashboard, review within 24 hours or payouts will be suspended" targeting SaaS founders + e-commerce merchants; Stripe credentials + 2FA harvest leads to payout-bank-redirect, Radar card-data exfil, fraudulent payouts, Stripe Connect platform pivot

Fake "unusual activity detected on your Stripe Dashboard — review within 24 hours or payouts will be suspended" email targeting SaaS founders, e-commerce merchants, and any business running on Stripe. Harvests Stripe Dashboard credentials and 2FA codes. Post-compromise, attackers: (1) change payout bank accounts to attacker-controlled accounts, redirecting the merchant's revenue stream; (2) extract customer card data from Radar reports; (3) create fraudulent payouts on behalf of the merchant; (4) pivot to Stripe Connect accounts to hit every connected seller (a platform-wide compromise from a single credential). Stripe's own phishing-awareness blog documented sustained 2024-2025 campaigns. 2026 variants add fake transaction IDs + dollar amounts to increase plausibility. The phish converts because Stripe Dashboard suspensions + payout pauses ARE real policy mechanisms — merchants react fast because a payout pause during cash-flow-tight months can tank a business. Fires when body references Stripe / Stripe Dashboard / Stripe Connect / Stripe payouts / Radar / merchant account AND contains unusual-activity / review / suspend / verify / compliance-review urgency. Excludes stripe.com + dashboard.stripe.com + connect.stripe.com + notifications.stripe.com + receipts.stripe.com + support.stripe.com. Auto-classified as danger via the `-lure` suffix.