Fake ChatGPT / OpenAI / Gemini / Claude AI service subscription phishing — fraudulent email impersonating OpenAI, ChatGPT Plus, Google Gemini Advanced, Anthropic Claude, or Microsoft Copilot claiming the recipient's subscription payment failed, account has been suspended for a usage policy violation, or subscription is expiring — directing them to sign in to update billing, verify identity, or restore access through a spoofed account portal — a credential-harvesting and payment card theft attack targeting AI service users; Kaspersky 2025: AI brand impersonation grew 1,200% YoY; APWG Q1 2026: OpenAI is a top-10 most impersonated brand

Phishing emails impersonating OpenAI, ChatGPT Plus, Google Gemini Advanced, Anthropic Claude, or Microsoft Copilot claiming the recipient's subscription payment has failed, their account has been suspended for a usage policy violation, or their AI subscription is expiring — directing them to sign in, update billing information, or verify identity to restore access. Key facts: (1) Kaspersky 2025: AI brand impersonation grew 1,200% year-over-year as AI services became mainstream consumer and enterprise products — attackers follow user adoption curves; APWG Q1 2026: OpenAI has become a top-10 most impersonated brand globally, rising from near-zero impersonation in 2023 to high-volume campaigns within 18 months; (2) The attack is especially effective because AI service users are disproportionately technically sophisticated and therefore overconfident — they understand that AI subscriptions are billed monthly and that payment failures or policy violations are real platform events; this overconfidence reduces the suspicion that would normally prompt sender domain verification; additionally, many AI users pay for subscriptions from personal accounts linked to their work email, making credential compromise high-value for corporate espionage; (3) Account takeover of an OpenAI account is valuable for multiple reasons: it may expose confidential ChatGPT conversation history containing business strategy, code, customer data, and proprietary research; attackers can use the victim's remaining subscription tokens to run expensive API workloads for cryptojacking or LLM jailbreaking services; and the victim's API keys stored in the account can be used directly against the victim's own OpenAI-powered applications; (4) The Gemini Advanced variant captures Google account credentials — giving full access to Gmail, Calendar, Drive, Photos, and all Google Workspace — making this equivalent to a complete enterprise account compromise for users who rely on Google SSO. Warning signs: sender domain not openai.com, anthropic.com, google.com, or microsoft.com; email does not reference the specific subscription tier or last payment date; link to non-official account portal; generic "your AI subscription" phrasing without brand-specific details; urgency about immediate account suspension.