Threat: Phishing & impersonation

Fake Proton Mail / Proton Drive / Proton VPN Plus subscription suspended or encrypted email access blocked or VPN connections disabled due to billing failure phishing

fake-proton-mail-drive-vpn-subscription-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Proton Mail, Proton Drive, or Proton VPN claiming the subscription has been suspended, encrypted email access has been blocked, VPN connections are no longer protected, or the Proton Unlimited plan payment has failed, and directing victims to update billing through a credential-harvesting portal. A distinct and high-value attack category targeting privacy-conscious users, who are paradoxically attractive phishing targets.

Key facts:

(1) Proton has 100M+ registered accounts with an estimated 50M+ paying subscribers (Proton Mail Plus: $3.99/month, Proton Unlimited: $9.99/month bundling Mail + Drive + VPN + Calendar + Pass). Users who pay for privacy services are more likely to have sensitive accounts worth protecting and therefore worth stealing.

(2) The 'encrypted email access suspended' hook creates unique urgency that no other billing phish produces: Proton users specifically chose Proton Mail because they had sensitive communications they wanted protected from surveillance, so a 'your encrypted email is no longer active' message implies their sensitive correspondence is now exposed or inaccessible.

(3) The 'Proton VPN connections are no longer protected' hook is particularly effective: Proton VPN users (often journalists, activists, business travelers, and remote workers) depend on VPN for data security on public networks, so a 'VPN suspended, your connection is unprotected' message creates immediate anxiety about ongoing exposure.

(4) Proton's rapid growth post-2022 (driven by big-tech privacy scandals and Microsoft/Google email surveillance concerns) means many users are relatively new to the platform and unfamiliar with Proton's exact notification format. They cannot distinguish legitimate billing emails from phishing because they haven't received enough real Proton billing emails to develop pattern recognition.

(5) Proton Mail credentials are uniquely valuable: unlike Gmail/Outlook, where credentials enable reading existing emails in plaintext, Proton Mail end-to-end encryption means phished credentials grant access to a user's private encryption keys (stored encrypted with the account password). This enables decryption of all stored encrypted email if the attacker also captures the password.

(6) The 'ProtonMail' (old brand) and 'Proton Mail' (current brand) dual name creates phishing complexity: attackers use both names interchangeably in phishing templates, and many users still call it 'ProtonMail', making domain-mismatch detection harder.

Warning signs: the sender domain is not proton.me, protonmail.com, or protonvpn.com; genuine Proton billing is handled at account.proton.me.
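The warning-sign check described above, as an added Python example (not Gorganizer's code): it flags Proton-themed billing messages whose sender or links fall outside the domains this page lists, matching on the domain suffix so a lookalike host that merely contains "proton.me" is still caught. The hook wording list, finding labels, function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender domains the page lists as genuine; their subdomains are accepted too.
PROTON_DOMAINS = ("proton.me", "protonmail.com", "protonvpn.com")
# Old 'ProtonMail' and current 'Proton Mail' spellings, plus Drive/VPN/Unlimited.
BRAND = re.compile(r"\bproton\s?(mail|drive|vpn|unlimited)\b", re.I)
# Billing-failure hooks from the page; the exact wording list is an assumption.
HOOK = re.compile(r"suspend|blocked|disabled|no longer protected|payment (has )?failed", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_proton_host(host):
    # Exact or dot-anchored suffix match; substring matching would accept lookalikes.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROTON_DOMAINS)

def score_message(raw):
    """Return findings for one single-part RFC 5322 message given as text."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('From', '')}\n{msg.get('Subject', '')}\n{body}"
    if not (BRAND.search(text) and HOOK.search(text)):
        return []  # not a Proton-themed billing message, nothing to check
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_proton_host(sender_host):
        findings.append(f"sender-domain-mismatch:{sender_host}")
    for url in URL.findall(body):
        host = urlsplit(url).hostname
        if not is_proton_host(host):
            findings.append(f"offsite-billing-link:{host}")
    return findings

# Constructed sample messages (not real traffic).
PHISH = ("From: Proton Mail Billing <billing@proton-account-secure.example>\n"
         "Subject: Your Proton Unlimited payment has failed\n\n"
         "Encrypted email access has been suspended. Update billing:\n"
         "https://proton.me.billing-update.example/login\n")
GENUINE = ("From: Proton <no-reply@proton.me>\n"
           "Subject: Your Proton Mail payment failed\n\n"
           "Update your payment method at https://account.proton.me/\n")

if __name__ == "__main__":
    print(score_message(PHISH), score_message(GENUINE))
```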

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
