Fake Stripe Radar / risk-review RFI (Request For Information) account-restriction lure — "Account restricted — submit beneficial-ownership + bank-statement RFI within 7 days or payouts paused 90 days" via fake `dashboard.stripe.com/account-update` harvests merchant SSN / EIN + bank creds. Stripe Radar / risk-review RFIs + 2026 1099-K $2,500 threshold + dispute-rate spikes give attackers a real and credible compliance pretext. Real Stripe Radar / risk-review RFIs come from `@stripe.com`, `@payments.stripe.com`, `@email.stripe.com` with DMARC + In-Reply-To, surface inside the dashboard, and never demand SSN / EIN / bank-statement upload via inbound email link from an unfamiliar lookalike domain. Direct Gorganizer-customer overlap (Stripe-merchant base). Distinct from `stripe-atlas-delaware-franchise-tax-1120-deadline-lure` (R8 P5, Atlas C-corp tax) — this signal is specifically the Stripe Radar / RFI / account-restriction / SSN-EIN-PII framing. Source: GC1 R9 multiagent council top-5 P0 (S5 SaaS specialist).

Fake Stripe Radar / risk-review RFI (Request For Information) account-restriction lure targeting Stripe merchants. The phish narrative arrives as: "Per Stripe Radar risk review, your account has been restricted — submit beneficial owner verification, bank statement, and 1099-K records via the dashboard within 7 days or payouts will be paused for 90 days," or "Stripe risk review reports an elevated dispute rate on your account — submit a request for information including beneficial owner SSN/EIN, bank statements, and 1099-K reconciliation within 7 days, verify identity to lift the payout pause and avoid the 90-day account restriction." Stripe Radar / risk-review RFIs are a real Stripe operational mechanism (merchants regularly receive RFI requests when card-network or fraud-pattern flags trigger), and 2026 brought the 1099-K $2,500 threshold (down from $5K TY2025) plus payment-app dispute-rate spikes, lending the lure narrative immediate credibility — even experienced merchants may mistake the lookalike for a routine post-Radar-flag information request. Lookalike `dashboard.stripe.com/account-update` / `support.stripe.com` portals harvest merchant SSN / EIN, bank-statement uploads (full account number + routing + transaction history exposes the merchant to ACH fraud + business-bank takeover), beneficial-owner-of-record credentials, and Stripe dashboard SSO sessions. Post-compromise an attacker (1) drains the merchant's connected bank account, (2) modifies payout banking to attacker-controlled account, (3) refunds legitimate customer transactions back to attacker-controlled cards, (4) downgrades fraud filters to enable card-testing-fraud uploads. Real Stripe Radar / risk-review RFIs come from `@stripe.com`, `@payments.stripe.com`, `@email.stripe.com` (with DMARC + In-Reply-To + recognizable Stripe email cadence), surface inside the dashboard under `Disputes & RFIs` and `Account → Compliance Actions`, and never demand SSN / EIN / bank-statement upload via inbound email link from an unfamiliar lookalike domain. Direct Gorganizer-customer overlap (Stripe-merchant base — many Gorganizer subscribers use Stripe for their own businesses). Distinct from `stripe-atlas-delaware-franchise-tax-1120-deadline-lure` (R8 P5, Atlas C-corp DE-franchise-tax + Form-1120 scope) — this signal is specifically the Stripe Radar / RFI / account-restriction / SSN-EIN-PII / payout-pause framing. Fires when body references Stripe co-occurring with Radar / risk-review-alert / RFI / request for information / beneficial owner / bank statement / account-restricted-review-paused / payout-hold-pause-delay / dispute rate / 1099-K AND contains submit / upload / 7-days / verify-identity-account-ownership / restrict / paused / 90-days / action-required urgency. Excludes stripe.com, dashboard.stripe.com, support.stripe.com, email.stripe.com, payments.stripe.com. Auto-classified as danger via the `-spoof` suffix. Source: GC1 R9 multi-agent council top-5 P0 (S5 SaaS specialist).