Unity warns of a phishing campaign targeting Asset Store publishers, with fraudulent emails impersonating Unity to steal credentials. Legitimate emails come only from @unity3d.com or @unity.com. Users should never click unsolicited links and must verify suspicious emails by contacting Unity Support or security@unity3d.com. If credentials are compromised, reset passwords immediately and enable Two-Factor Authentication.
What is happening?
We are aware of an ongoing phishing campaign targeting Unity Asset Store publishers. Malicious actors are sending fraudulent emails impersonating Unity in order to steal account credentials. New variants of these emails are reported regularly.
How to tell if an email is really from Unity
Before clicking any link or button in an email that appears to be from Unity, check the following:
- Check the sender address. All legitimate Unity emails come from an @unity3d.com or @unity.com address. If the domain is anything other than ours, even if the display name says "Unity" or "Unity Asset Team", the email is not from us.
- We will never ask you to click an unsolicited link to verify your account, review a policy update, or check a transaction. If you need to take action on your account, log in directly by typing the URL into your browser.
- Be skeptical of both urgent and casual tones. Phishing emails targeting publishers have used both threatening language (account restrictions, withheld payouts) and deliberately relaxed language (routine updates, minor tweaks) to avoid raising suspicion. Neither tone is a reliable indicator of legitimacy.
- When in doubt, don't click. Contact Unity Support directly or email security@unity3d.com to verify whether any email is genuine before taking action.
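For publishers or mail administrators who want to automate the sender-address check above, the following is an added example, not code from Unity. It compares the address domain in a From header, never the display name, against the two domains listed in this notice. Treating subdomains as not listed is an assumption, and the sample headers are constructed. A header that passes can still be forged, so this only filters out obvious fakes.

```python
from email.utils import parseaddr

# The only sender domains this notice lists as legitimate.
UNITY_SENDER_DOMAINS = frozenset({"unity3d.com", "unity.com"})


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header, or ''."""
    _display_name, address = parseaddr(from_header)  # display name is ignored
    local, sep, domain = address.rpartition("@")
    if not sep or not local:
        return ""  # no usable address in the header
    return domain.strip().rstrip(".").lower()


def from_unity_domain(from_header: str) -> bool:
    """True only when the address domain exactly equals a listed domain.

    Exact comparison (not substring or suffix matching) rejects lookalikes
    such as unity.com.example.net. Assumption: subdomains are not listed.
    """
    return sender_domain(from_header) in UNITY_SENDER_DOMAINS


# Constructed sample headers, not taken from real reports.
SAMPLES = [
    'Unity <no-reply@unity3d.com>',
    'Unity <notice@UNITY.COM>',
    '"Unity Asset Team" <payouts@unity-assets.example>',
    'Unity Support <support@unity.com.example.net>',
    '"security@unity3d.com" <alerts@example.org>',
]


def triage(headers):
    """Return (header, domain, listed) for each From header."""
    return [(h, sender_domain(h), from_unity_domain(h)) for h in headers]


if __name__ == "__main__":
    for header, domain, listed in triage(SAMPLES):
        verdict = "listed domain" if listed else "NOT from Unity"
        print(f"{verdict:15} {domain or '(none)':25} {header}")
```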
Examples of phishing emails reported by publishers
The following screenshots show real examples reported by publishers. This is not an exhaustive list. New variants appear regularly and may look different from those shown here.
What should I do if I receive a suspicious email?
- Do NOT click any links or buttons.
- Do NOT reply to the sender or provide any personal information.
- Report the email as spam or phishing through your email provider's built-in reporting tools.
- Delete the email from your inbox.
What if I've already clicked a link?
If you have clicked a link in one of these emails and entered your credentials, reset your Unity account password immediately and enable Two-Factor Authentication (2FA) if you have not already done so.