We’ve all seen those ‘phishing’ emails – I must get 3-4 a week from ‘Spotify’ to reactivate my account (I don’t use Spotify), and a look over the last week I have had them from ‘Calendly’, ‘HMRC’, ‘Bitcoin’, quite a lot from ‘PayPal’, ‘American Express’, ‘DHL’; and even one ‘from’ Shopify but asking about Spotify. Subtle!

A few years ago, I had clicked through a very well crafted ‘HMRC’ email and only realised once I saw a screen of badly squished banking logos.

And just a few months ago, I had a call from NatWest saying I needed to confirm some transactions and they asked for just a few too many security questions for my liking. When I queried it, they got really narky with me – not, I hope, what a true NatWest employee would do.

I mostly bin them these days, but I used to report them – and am inclined to do more so, after this experience. 

**Edit – since posting this, the wonderful Kyle Van Deusen posted this in The Admin Bar WordPress Community, and within an hour or so, 5 other agencies said it had happened / is happening to them, with a further 12 reported. Seems this is affecting a LOT of people right now :/

It’s all just a bit annoying, until YOU are the one being the subject…!

I feel kind of ashamed, when I’ve done nothing wrong, and I’ve not been hacked. Just had someone compile my public information.

All these big subscription brands – and now me! Does this mean I’ve ‘made it’? This only happens to big brands, right?

Well, according to our Cyber Security partners, AiMTech, it is getting more common, and it’s not just for the big companies.

In the last few months, I’ve been working a lot more on building my profile internationally, but I do feel it may have bitten me in the arse. From shock, to horror; feeling violated, to flipping it around to raise awareness.

I’m penning this in the hope it will help anyone else who has been / may be victim of this kind of thing.

I am taking solace that I did nothing wrong, I hadn’t clicked any dodgy links, and we weren’t hacked.

The horror

Over the weekend, I was alerted by one of our clients that they’d received an email from ‘me’ claiming that their site needed urgent updates, and not only that, they needed access to their domain and also to do some ‘urgent’ SEO work.

Thankfully, only a handful of clients were contacted, and we deduced that the offender had gone to the ‘Our work’ page on our own website, clicked through to the client sites, and clicked the generic email noted on the contact page (info@ / enquires@ etc) before we were alerted and they were reported.

We figured this out by seeing the times at which each of them were contacted, which correlated directly with the order of the projects on our page.

Of those who had it, most were instantly aware it was spammy / phishing attempt from the red flags noted below, but some replied, only to realise by the second email that we don’t charge in dollars!

I have to say, it was quite a convincing attempt.

My initial fear was that my email had been hacked (a good friend of mine recently experienced this, and it was NOT pleasant).

A big thanks to Dan, Arron and team at AiMTech who have been extremely helpful navigating this with us.

I wasn’t hacked, our domain wasn’t spoofed – just public information on our website enabled this

I’d love to say that there’s a way of preventing this, but it was all info lifted from our About us page and Projects page. If the big banks and global apps such as Facebook and Spotify can’t stop it, I don’t what you can do. But educating your self and your clients is the next best thing, and this is what I’m striving for here.

What I looked out for

There were some major red flags from the start, and I figured a few things out:

The emails started being sent Friday evening

Now, in an emergency I would alert someone on a weekend or evening, and a major threat we’d email but follow up with a call. But ‘routine maintenance’ can wait til Monday! 

From the time stamps on the emails from ‘me’, they followed the exact order of our Portfolio page, 20 mins or so apart. So this helped ease my fears of how they got our client list. 

My first thought was a) a hack or b) it was from the ‘site designed and developed by DeType’ sign off.

They had sent it from a Gmail account

Our domain is protected with DNSSEC (Domain Name System Security Extensions) to lock the gate, and DMARC adds the ‘wax seal’ or authenticity on your email (making sure the letter actually came from you). 

Along with specific SPF and DKIM records, this means it’s not possible to ‘spoof’ our email address. Their tactic was to set up a Gmail account, which by default would show either Google’s ‘favicon’ logo in the sender details or just the initials – ours will show branded.

The Subject Of The Email Was In American / AI Style Title Case Like This

Anyone who knows me, knows I would NEVER do this – it looks crass (to me), it looks very American (no hate, but culturally in the UK it sticks out), it looks overly sales-y and these days, smacks of lazy AI slop. 

I find it so hard to read, my mind boggles at how people in the UK are adopting. One of the first things I trained my GPT on was to use en-GB English ONLY and never use Title Case for headings. 

It was addressed to the clients business name, not personal one

This was perhaps the biggest tell tale sign, however some client’s website IS them – but we’d only call someone by their preferred name.

The content was littered with spelling mistakes and odd grammar

Now, we all make the odd typo, but this was CHOCKA with them, as well as phrases such as ‘kindly do this…’ which are telltale signs. Along with this, mention of us creating ‘mom and pop’ websites (sorry, what?!) and mentioning payment in dollars.

It talked about services we don’t offer

Now, this is a harder one to spot, but it mentioned Wix websites and SEO campaigns, neither of which we do.

Indications of ‘merge fields’

The business name instead of personal name, some of the services ‘offered’, my name and title at the bottom all had artefacts of copy / paste or merge fields. 

It asked questions that I would already know the answer to

Asking for your website access details would never be asked, and domain access may be, but with clear instructions and often a phone call.

It didn’t sound like ‘me’ in the slightest

This is perhaps one of the most telling signs – I have developed a certain style over the years, and the first person who alerted me said that it instantly looked spammy, but most of all, it just didn’t sound like me at all! And I am taking this as quite an important marker: many of the things noted could be figured out, but it’s incredibly hard to truly sound like someone else.

I’ll take this last one as something to really take on board: stop using GPTs to pump out content, or worry about sounding super ‘professional’ – make sure to thread in your own voice; and try (when you can) to STILL WRITE YOUR OWN CONTENT. Things like this show how important it can be!

The first thing most of the affected clients said was it just all sounded off, and then they noticed the gmail address.

What we did (and if this happens to you)

First thing was to email all clients potentially affected – which I did personally – as it was important to hear it from *actual* me! I’m grateful for some very kind responses and messages of support.

I looked at the patterns: how were they getting this list of clients? Well, they’re all Our Projects page – we’re proud of our work and want to show it off! The timings of the emails, each 20 minutes or so apart, follow the same order as that page.

I had some understandably frustrated responses too: they were surprised they had my picture, and contact details – all of which are on our About us page, but it had taken some effort to pull that together!

I reported it to Gmail: https://support.google.com/mail/contact/abuse

And to the UK National Cyber Security Centre: https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email

Finally, to produce this article and email our mailing list to alert anyone we may have missed; to help anyone on either the receiving end, or the one being ‘cloned’.

If you need some help

If I, or our partners AiMTech can help anyone with any of the security aspects of this, please use our contact form, or call our studio phone number, I’ll be happy to assist!