Fake Patreon / Substack / Ko-fi creator payout on hold or account suspended phishing — fraudulent email impersonating Patreon, Substack, Ko-fi, or Gumroad claiming the creator's payout has been placed on hold, earnings have been withheld, or account has been suspended — directing them to verify banking details or sign in to release earnings — targets independent creators whose primary income flows through these platforms; Patreon: 250K+ active creators; Substack: 35M+ paid subscriptions; APWG 2024: creator economy platform impersonation grew 195% YoY
fake-patreon-substack-creator-payout-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating Patreon, Substack, Ko-fi, or Gumroad claiming the creator's payout has been placed on hold, earnings have been withheld due to a verification issue, or their creator account has been suspended — directing them to verify banking information, sign in to release earnings, or appeal the suspension.

Key facts:

(1) Patreon has 250K+ active creators earning directly from 8M+ patrons; Substack hosts 35M+ paid newsletter subscriptions with creators earning $1,000–$100,000+/month; Ko-fi and Gumroad serve millions of independent artists and creators; APWG 2024: creator economy platform impersonation grew 195% year-over-year as the creator economy matured into a primary income source for millions of people.

(2) The payout hold lure is the highest-urgency scenario for creators: legitimate platforms DO hold payouts for identity verification, bank account verification, tax form requirements (1099-K), and account review — recipients are pre-conditioned to expect these notices and trained by the platforms themselves to respond quickly; for a full-time creator, a payout hold directly threatens rent, food, and business expenses.

(3) Credential compromise of a Patreon account is high-value for multiple reasons: the attacker can change the payout bank account to siphon future earnings directly; they can message the creator's patrons with fraud or investment scams using the creator's established relationship and trust; they can delete content, revoke tiers, or cancel patron subscriptions to damage the creator's business.

(4) Substack credential theft is particularly valuable because many Substack writers use their newsletter email list as their primary business asset — an attacker with newsletter access can send phishing or scam emails to the entire subscriber list, leveraging the creator's reader trust for high-yield fraud.
Warning signs: sender domain not patreon.com, substack.com, or ko-fi.com; payout amount either unspecified or round/implausible; link to non-official payout portal; urgency about immediate earnings loss.
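The warning signs above, checked against a raw message, as an added example (this is not Gorganizer's code). The signal names, regular expressions and the two sample messages are assumptions constructed for illustration; the official domains are the three listed above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Official domains exactly as listed in the warning signs above.
OFFICIAL = ("patreon.com", "substack.com", "ko-fi.com")
BRANDS = re.compile(r"patreon|substack|ko-fi", re.I)
LURE = re.compile(r"payout.{0,40}(on hold|held|withheld)|earnings.{0,40}withheld"
                  r"|account.{0,30}suspended", re.I | re.S)
URGENT = re.compile(r"within \d+ hours?|immediately|will be forfeited|permanently", re.I)
AMOUNT = re.compile(r"\$\s?(\d[\d,]*)(?:\.(\d{2}))?")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_official(host):
    """True only for an official domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def payout_lure_signals(raw):
    """Return the sorted names of the warning signs that fire for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{name} {msg.get('Subject', '')} {body}"
    if not BRANDS.search(text) or not LURE.search(text):
        return []  # not a creator-payout notice at all
    fired = set()
    if not is_official(addr.rpartition("@")[2]):
        fired.add("sender_not_official")
    if any(not is_official(urlparse(u).hostname) for u in URL.findall(body)):
        fired.add("link_off_platform")
    if URGENT.search(text):
        fired.add("urgency")
    amounts = AMOUNT.findall(text)
    if not amounts:
        fired.add("amount_unspecified")
    elif all(int(a.replace(",", "")) % 100 == 0 and c in ("", "00") for a, c in amounts):
        fired.add("amount_round")
    return sorted(fired)

# Constructed samples (not real messages); .example hosts are placeholders.
PHISH = ("From: Patreon Payments <payouts@patreon.com.payout-review.example>\n"
         "Subject: Your payout is on hold\n\n"
         "Your payout of $5,000.00 is on hold. Verify your bank details within 24 hours:\n"
         "https://patreon.com.payout-review.example/verify\n")
LEGIT = ("From: Patreon <no-reply@patreon.com>\n"
         "Subject: Your payout is on hold\n\n"
         "Your payout of $1,283.47 is on hold until your tax form is complete.\n"
         "https://www.patreon.com/dashboard/payouts\n")
```

The suffix comparison in is_official is what rejects a host that merely begins with an official domain, and the second sample shows why wording alone is not enough: a payout-hold notice sent from the platform's own domain fires none of the signals.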
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.