Fake Spotify "Premium subscription payment failed — update billing to continue listening" notice sent from a non-Spotify domain demanding card update via embedded link — credential-harvest and card-skim cross-domain phish. Real Spotify mail originates from spotify.com / email.spotify.com only.

Fake Spotify "Premium subscription payment failed — membership on hold, update payment method to continue listening or restore Premium access" notification sent from a non-Spotify sending domain (From / Reply-To / link domains do not align with spotify.com / email.spotify.com) demanding the recipient click an off-domain link to update payment information — credential-harvest and card-skim cross-domain phish. Real Spotify billing communications come from spotify.com / email.spotify.com with DMARC-aligned signing; cold inbound emails from off-domain senders threatening Premium suspension unless billing is updated via off-domain link are scams. Spotify is a top consumer-streaming impersonation brand per APWG 2024 (alongside Netflix and Disney+) due to the recurring-billing model and a subscriber base that creates massive click-through volume on payment-failed lures. Distinct from netflix-billing-cross-domain (Netflix) — this specifically targets the Spotify / Premium-on-hold / payment-failed / update-billing / continue-listening pretext with off-domain href. Detection: Spotify brand vocabulary + premium / payment-failed / membership-on-hold urgency + sender or link domain ≠ spotify.com + no DMARC alignment. Trash score: +4. Source: GC1-R32; APWG 2024 streaming-platform phishing tracker; Spotify Trust & Safety anti-phishing guidance; FTC streaming-service impostor advisory 2024.