Fake ServiceNow ITSM and workflow automation platform subscription payment failed, instance licenses suspended, workflows and automations disabled, or Now Platform access no longer active phishing

Phishing emails impersonating ServiceNow claiming the ITSM and workflow automation platform subscription payment has failed, instance licenses are suspended, workflows and automations are disabled, or Now Platform access is no longer active — directing them to update billing or restore access through a credential-harvesting portal. A distinct attack category targeting the enterprise workflow automation platform that IT, HR, customer service, and operations teams use as the system of record for service management, employee requests, and cross-departmental workflows — a ServiceNow instance suspension simultaneously takes offline every IT helpdesk ticket queue, every HR onboarding workflow, every customer service case routing rule, and every cross-departmental process automation that the organization has built on the platform. Key facts: (1) ServiceNow serves 7,700+ enterprise customers ($100,000-$10,000,000+/year) including 85% of the Fortune 500 as the dominant enterprise workflow automation and ITSM platform — ServiceNow is not just an ITSM tool: it is the workflow operating system for large enterprises, running IT Service Management, HR Service Delivery, Customer Service Management, Field Service Management, and Security Operations in a single instance; a ServiceNow subscription suspension takes offline every workflow, every automated approval chain, and every self-service portal the organization's employees use to request IT resources, submit HR requests, and manage security incidents; (2) The 'instance licenses are no longer active' hook carries specific technical urgency for enterprise IT administrators: ServiceNow runs as a named instance (company.service-now.com) that is provisioned per customer; an email claiming that the instance is being suspended resonates with IT administrators who understand that instance provisioning is contractually tied to license compliance; large enterprises with thousands of active ServiceNow users immediately escalate 'instance suspension' notices because the operational consequence is total loss of the IT helpdesk function — every open incident, change request, and problem record in the system becomes inaccessible; (3) ServiceNow ITSM suspension creates IT operational paralysis: the IT helpdesk loses its ticketing system and must revert to email and phone for every support request, incident priority cannot be tracked, SLA timers stop, on-call escalation routing breaks, and the change advisory board (CAB) process for approving infrastructure changes stops functioning; the IT operations team, which often has dozens of in-flight incidents and change requests at any given moment, loses its primary coordination tool during an outage that itself requires incident management to resolve; (4) The 'workflows and automations disabled' hook targets a specific ServiceNow dependency: many enterprises have built ServiceNow workflows that are upstream triggers for other systems — the ServiceNow HR onboarding workflow that triggers Active Directory account provisioning stops, the ServiceNow change management workflow that triggers deployment pipeline approvals stops, and the ServiceNow security operations workflow that routes SIEM alerts to security analysts stops; a suspension creates a cascading failure across every system that was being triggered by ServiceNow automations; (5) ServiceNow credentials expose the complete enterprise workflow and compliance architecture: every ITSM ticket revealing open security vulnerabilities, infrastructure change history, and incident patterns, all HR service delivery records including employee onboarding data and case histories, the complete workflow and automation library showing the process logic for every critical business operation, integration credentials connecting ServiceNow to Active Directory, SIEM tools, CI/CD pipelines, and HR systems, and the CMDB (configuration management database) — the authoritative map of every IT asset and its relationships — that is used for impact analysis during major incidents. Warning signs: sender not servicenow.com or service-now.com; genuine ServiceNow billing at instance.service-now.com/nav_to.do or through direct account manager contact.