One of our clients received the Site 5 phishing scam email below a few days ago. The email appears to be sent from an address at Site 5 hosting, but it is NOT from Site 5. A scammer sent it, pretending to be the Site 5 hosting company, and attempting to get the recipient to click and hand over their credit card details.
Phishing attacks are one of the easiest ways for a scammer to get your information. Some phishing attacks target WordPress website owners or website owners using an SSL certificate. They hope to be convincing enough to entice you to simply hand over sensitive account or credit card information.
Your best defense against phishing scams is to learn to recognize the signs.
Look at the email above. The sender’s email address seems logical. It is from a “noreply” address, which is fairly common for companies to use. But it’s important to remember that an email address can easily be spoofed. This means the sender can write any address they choose, much as you could write any return address you like on a snail-mail envelope.
The recipient’s spam filter did classify this email as spam, though, as shown by the [SPAM] tag added to the subject line. That is one red flag.
The domain listed is the client’s domain, so that seems legitimate enough.
The wording “purchase your account with Site 5” is slightly suspicious, because that is not a typical way to talk about web hosting, but it’s not extraordinary enough to stand out on its own. The line encouraging the recipient to contact their bank about the reason for refusal inspires confidence, because why would a scammer encourage you to talk with your bank? Of course, if you did contact your bank or credit card company, you’d find out there had been no payment refusal. But by encouraging you to do so, the scammer in fact makes it less likely you will actually do so.
Instead, you may be lured into clicking on the link and trying to update your payment information.
This email does include a sense of urgency, as most phishing scam emails do – update your payment information now “to avoid interruption of service.” But again, a legitimate email from your hosting company could include similar language, so it’s not that alarming in and of itself.
To further inspire confidence, the Terms of Service link goes to Site 5’s actual Terms of Service page.
If you do remember to mouse over the button to check the URL before clicking on it, you will see that the URL is in fact an address in Germany (ending in .de), and is NOT the Site 5 website. And if you follow safe internet practices, you might remember that it’s best to log into Site 5’s website in a new browser window, typing in the URL yourself and checking your account’s billing statements.
But this email is so convincing, it would be understandable if you didn’t remember to do either of those things.
Fortunately, even if a very convincing phishing email arrives in your inbox, your internet browser may be able to protect you.
In this case, if we use Firefox and try to click on the link, we see this screen:
And if we click on “See details”, we can see the full URL. Now it becomes clear that though the URL includes “site5.com”, that is actually just a small part of the URL, and the real website address is the spielmannszug-heiden.de part at the end. This means the “Update Your Payment Information” button is NOT taking you to Site 5.
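The same check can be automated for every link in a message body. The sketch below is an added example, not part of the original article: it pulls each link out of an HTML email and decides from the hostname alone whether it really belongs to the expected domain. The sample HTML, its paths and the subdomain layout are constructed; only the two domain names come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "site5.com"  # the domain the email claims to come from
# Constructed sample body: paths and subdomain layout are made up;
# only the two domain names come from the article.
SAMPLE_HTML = """
<p>Your payment was refused. Update now to avoid interruption of service.</p>
<a href="http://site5.com.billing.spielmannszug-heiden.de/update">Update Your Payment Information</a>
<a href="https://www.site5.com/terms">Terms of Service</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, expected=EXPECTED_DOMAIN):
    """Decide from the hostname alone whether a link belongs to `expected`."""
    host = (urlsplit(href).hostname or "").lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "expected"    # the domain itself or one of its subdomains
    if expected in host:
        return "lookalike"   # brand name present, but the site is someone else's
    return "other"

def audit(html, expected=EXPECTED_DOMAIN):
    parser = LinkCollector()
    parser.feed(html)
    return [(text, urlsplit(href).hostname, classify(href, expected))
            for href, text in parser.links]

if __name__ == "__main__":
    for text, host, verdict in audit(SAMPLE_HTML):
        print(f"{verdict:9}  {host}  ({text})")
```

The hostname is read from right to left: a link belongs to Site 5 only if the host is site5.com or ends in ".site5.com", no matter where else that string appears.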
Chrome’s warning looks much the same, and also indicates that the website you are trying to connect to is not safe.
In this case, you can be sure that you should NOT visit the unsafe site. Instead, click on “Back to safety” or simply close your browser window. Edge has a similar warning screen.
You can read more about Google’s Safe Browsing Advisories here, or learn about Firefox’s phishing and malware protection here.
How can you turn on this phishing protection?
Great news! Firefox, Chrome, and Edge all have phishing protection turned on by default.
Are you still wondering how the scammer got your email address, and knew who your host was?
There are two main possibilities here.
- The scammers may have scraped a list of names from the WHOIS registry, which lists domain owners if you don’t have privacy options turned on in your hosting account. Some hosts offer this as a free feature; at other hosts, it’s a paid feature. Check the WHOIS registry to see if your email is listed, and if so, check your hosting account to see how you can turn on domain privacy.
- The scammers may simply be sending out millions of emails to every email address they can find. If they send enough emails out, they’re sure to find some recipients using the host in question, and the message is concerning enough to encourage a user to click and see what’s going on with their hosting account. If the website itself is as convincing as the email, the user may feel secure entering their credit card information into the website, and the scammer only needs a small percentage of the emails to be fruitful.
Stay safe from phishing scams by learning to recognize the red flags, and if in doubt, ask your trusted web developer or a computer-savvy friend.