Fake ElevenLabs voice AI subscription suspended — Creator, Pro, or Scale plan payment failed, character quota revoked, voice cloning access blocked, or text-to-speech API suspended due to billing failure phishing

Phishing emails impersonating ElevenLabs claiming the Creator, Pro, or Scale plan subscription has been suspended, the character quota has been revoked, voice cloning access has been blocked, or the text-to-speech API is no longer active due to a billing failure — directing victims to update payment through a credential-harvesting portal. A novel attack category with unique downstream risk: stolen ElevenLabs credentials directly enable deepfake voice attacks on others. Key facts: (1) ElevenLabs serves 10M+ users with Starter ($1/month, 10,000 characters), Creator ($11/month, 100,000 characters), Pro ($99/month, 500,000 characters), and Scale ($330/month, 2 million characters) tiers — professional voice actors, content creators, podcast producers, and developers integrating TTS APIs all pay regularly for character quotas; a 'Creator plan suspended, voice generation no longer active' email creates immediate production disruption for anyone using ElevenLabs in a creative workflow; (2) ElevenLabs credential compromise is uniquely threatening compared to other AI subscription phish: stolen credentials grant access to the victim's custom voice library, including cloned voices created from voice samples — these cloned voices can be immediately used by attackers to generate deepfake audio impersonating the victim or others for vishing attacks, CEO fraud, and family emergency scams; this meta-risk (credential theft enabling voice deepfake creation) makes ElevenLabs credentials exceptionally high-value to sophisticated attackers; (3) The subscription billing model creates a realistic notification format: ElevenLabs sends legitimate monthly renewal emails and quota warning emails that users expect to receive — attackers copy this format precisely, including the character count and plan name, to create a highly credible phishing template; (4) The API access suspension hook targets developers integrating ElevenLabs into production applications: a 'your ElevenLabs API keys are no longer active' email implies that every application relying on the TTS API (podcast generators, e-learning platforms, virtual assistants, video narration pipelines) is simultaneously broken — production urgency overrides domain inspection; (5) ElevenLabs credentials expose proprietary voice assets: the ElevenLabs Instant Voice Cloning (IVC) feature allows users to clone their own voice from 1-minute audio samples; attackers who access an account find pre-built cloned voices ready for immediate misuse in social engineering; (6) The platform's rapid growth (launched 2022, reached 1M users in 2023, 10M by 2024) means many users are relatively new and unfamiliar with the exact format of legitimate ElevenLabs billing notifications, increasing susceptibility to well-crafted phishing templates. Warning signs: sender not elevenlabs.io; genuine ElevenLabs billing at elevenlabs.io/subscription; API key management at elevenlabs.io/settings/api-keys.