Threat: Phishing & impersonation

Fake Twilio / SendGrid communications API account suspended, SMS and voice API disabled, phone numbers released, or email delivery suspended due to billing failure phishing

fake-twilio-sendgrid-communications-api-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Twilio or SendGrid claim that the communications API account has been suspended, SMS and voice APIs are disabled, phone numbers have been released, or email delivery is suspended due to billing failure, and direct victims to update billing through a credential-harvesting portal. This is a distinct attack category targeting the communications infrastructure layer: Twilio is the world's dominant cloud communications platform and SendGrid (a Twilio company) is the dominant transactional email API.

Key facts:

(1) Twilio serves 300,000+ active businesses (at $0.0079/SMS, $0.013/minute voice, plus monthly subscription for advanced services), including 10 of the top 10 US banks and 8 of the top 10 US health systems. A 'Twilio account suspended' email therefore threatens cascading failures: SMS-based two-factor authentication stops working for all users, voice calls go unanswered, WhatsApp Business messages cease, and any application relying on Twilio Verify for identity verification loses the ability to verify new users.

(2) The phone number release hook creates a uniquely irreversible urgency: Twilio phone numbers are released back to the number pool when accounts are suspended, and businesses that have published their Twilio numbers on websites, marketing materials, and support portals face the prospect of customers calling a number that will be assigned to a different business.

(3) SendGrid delivers 100+ billion emails per month for businesses including Airbnb, Spotify, Yelp, and Uber. A 'SendGrid email delivery suspended' email means all transactional emails stop: user registration confirmation emails fail, password reset emails are not delivered, order confirmation emails to customers disappear, and invoice delivery halts.

(4) Twilio credentials expose the complete communications infrastructure: all phone numbers and their configurations (forward-to rules, webhook URLs for receiving SMS/voice), all messaging service configurations, all Twilio Verify application configurations showing how the business verifies user identities, all Conversations API access granting visibility into all support chat transcripts, and all Programmable Voice credentials.

(5) Twilio's developer-centric model means API credentials are embedded throughout production code: ACCOUNT_SID and AUTH_TOKEN appear in environment variables across dozens of microservices. A credential compromise allows an attacker to use the business's Twilio account to send fraudulent SMS messages at the business's expense, make fraudulent calls appearing to come from the business's verified numbers, and intercept incoming SMS messages, including authentication codes for any service that sends SMS verification to the business's Twilio numbers.

Warning signs: the sender domain is not twilio.com or sendgrid.com. Genuine Twilio billing is at console.twilio.com/billing; genuine SendGrid billing is at app.sendgrid.com/settings/billing.
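The warning-sign check described above, as an added example that is not Gorganizer's own code: it fires only when a message claims the Twilio or SendGrid brand, uses a billing or suspension theme, and has a sender or link host outside the genuine domains. Only the two genuine domains come from this page; the keyword patterns, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the page names as genuine; keyword lists below are assumptions.
GENUINE_DOMAINS = ("twilio.com", "sendgrid.com")
BRAND_RE = re.compile(r"\b(twilio|sendgrid)\b", re.I)
THEME_RE = re.compile(r"suspend|disabled|released|billing|payment fail", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (not real mail).
PHISH = (
    'From: "Twilio Billing" <billing@twilio.com.account-update.example>\n'
    "Subject: Account suspended: phone numbers will be released\n\n"
    "Payment failed. Update billing at "
    "https://console.twilio.com.account-update.example/billing\n"
)
GENUINE = (
    "From: Twilio <no-reply@twilio.com>\n"
    "Subject: Your billing statement is ready\n\n"
    "View it at https://console.twilio.com/billing\n"
)


def is_genuine(host: str) -> bool:
    """Exact domain or true subdomain; 'twilio.com.x.example' must fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def billing_phish_signal(raw: str) -> dict:
    """Return whether the signal fires and why; a contribution, not a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    text = " ".join([display, msg.get("Subject", ""), body])
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(body)})
    reasons = []
    if not is_genuine(addr.rpartition("@")[2]):
        reasons.append("sender domain is not twilio.com or sendgrid.com")
    reasons += [f"link host {h} is not a genuine host" for h in hosts
                if not is_genuine(h)]
    fired = bool(BRAND_RE.search(text) and THEME_RE.search(text) and reasons)
    return {"fired": fired, "reasons": reasons}
```

The suffix comparison in `is_genuine` is what rejects lookalike hosts that merely begin with or contain the brand domain, which a substring match would accept.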

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
