Staying Safe from Scams – 4 Tips, 3 Examples, and Red Flags to Watch For


Today, I was delighted to receive an email from Carrie, one of our care plan clients. She asked whether an email from woocommerce.com was legitimate and if she needed to take action or if we should handle it. This turned out to be one of the most sophisticated and dangerous scams I’ve ever seen. Let me break down exactly how I spotted it.

What makes me especially happy about this situation is that Carrie knows, thanks to her website care plan, that she doesn’t have to worry about warding off these attacks or making website updates herself.

For any urgent-seeming security issue, whether legitimate or not, she simply forwards us a quick email asking “What is this? Do I need to do anything?”

It takes her less than 30 seconds.

Providing this kind of peace of mind to clients is what motivates me to keep growing and building our team here at Maple. We don’t just create websites, we become a trusted, long term partner in supporting their business (and their audience as well).

I love that!

But all my feelings aside, let’s explore some common scams and how you can stay safe. This post starts with some examples, then provides some tips for staying safe. My goal is that after reading (or even skimming) this post you will have improved your safety.


Let’s Start with Three Examples

There are lots of scams, always changing, so here are just a few recent examples (the ones that inspired this post). I came across them all within the span of one week!

Each can be identified as a scam because of some common red flags. Below these examples are some tips for staying safe and a more detailed breakdown of what to look out for.

Okay, on with the first example, an email asking website owners to download a security update.


Check out this sneaky email. It’s getting sophisticated!

Exhibit A:

The Download “Security Patch” Scam

It’s quite sophisticated—using urgency and authority, and accurately mirroring the formal emails we sometimes need to send to clients.

🚩 Here’s the first red flag: they’re asking for action directly from the email (instead of after logging into an account).

Specifically, they wanted Carrie to download and install something. This should never happen because all legitimate website updates and security patches can be done by logging into the website itself. Using the website’s dashboard, not email links, is one layer of protection ensuring legitimate connections to these services.

🚩 The second red flag was the email address itself. Despite looking legitimate—with personalized information, proper formatting, and grammar—it comes from “admin-woocommerce.com,” not woocommerce.com. When you see hyphens and additional words added to a domain name, you’re dealing with a different domain entirely.

It sounds like a lot to remember, so to keep it simple just create a few basic rules for yourself so you don’t waste time and energy dealing with spammy messages.


Exhibit B:

The Domain Renewal via “WordPress.com” scam

This one was immediately identified as a scam because of the email address. Notice how it’s not from the wordpress.com URL even though it is branded this way.

🚩 This is a clear red flag. The email is not from a legitimate @wordpress.com email address. Anytime you get an email or other message that’s obviously from the wrong email address you can safely delete it (or forward to us to make sure).

⚠️ It turns out email addresses can be obfuscated, meaning the display name can be altered to look legitimate while hiding the true sender. Grrr…. When I found this out I was a bit humbled. I thought knowing this was enough. Well, it’s just an example of why we need two points of safety at all times.

📌 In a web browser, you can hover your cursor over an email address or link and examine the actual address or URL (not just the display text).
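The two checks above (Exhibit A: extra words or hyphens turn a familiar name into a completely different domain; Exhibit B: the display name can say anything, so only the real address matters) can be written down as a small triage script. This is an added example, not code from Maple or from the original post; the trusted-domain list and the sample email are constructed for illustration and should be replaced with the domains you actually do business with.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains you really hold accounts with (edit for your own setup).
TRUSTED_DOMAINS = {"woocommerce.com", "wordpress.com"}
# Brand words that belong to those domains; used to spot impersonation.
BRANDS = {"woocommerce", "wordpress"}
# File types you should never be asked to download from an email link.
RISKY_SUFFIXES = (".zip", ".exe", ".msi", ".dmg", ".php", ".js")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.
    Simplification: does not handle multi-part suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header: str) -> list:
    """Return red flags for a From: header (empty list means nothing suspicious)."""
    flags = []
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = registered_domain(address.rsplit("@", 1)[1])
    if domain in TRUSTED_DOMAINS:
        return flags  # exact match only; "admin-woocommerce.com" never gets here
    squashed = domain.replace("-", "").replace(".", "")
    for brand in BRANDS:
        if brand in squashed:
            flags.append(f"lookalike domain: {domain} is not {brand}'s real domain")
        if brand in display.lower():
            flags.append(f"display name claims '{brand}' but address is @{domain}")
    return flags


def check_links(body: str) -> list:
    """Flag links to untrusted domains and any link that offers a download."""
    flags = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) not in TRUSTED_DOMAINS:
            flags.append(f"link to untrusted domain: {url}")
        if urlparse(url).path.lower().endswith(RISKY_SUFFIXES):
            flags.append(f"download link in email (updates belong in the dashboard): {url}")
    return flags


def triage(from_header: str, body: str) -> dict:
    """Combine both checks; 'verdict' is 'forward to support' if anything was flagged."""
    sender_flags = check_sender(from_header)
    link_flags = check_links(body)
    verdict = "forward to support" if (sender_flags or link_flags) else "looks consistent"
    return {"sender": sender_flags, "links": link_flags, "verdict": verdict}


# Constructed sample modelled on Exhibit A (not a real message).
SAMPLE_FROM = "WooCommerce Security <admin@admin-woocommerce.com>"
SAMPLE_BODY = (
    "Urgent: install the security patch within 24 hours.\n"
    "Download: https://admin-woocommerce.com/patch/wc-security-patch.zip\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FROM, SAMPLE_BODY).items():
        print(key, "->", value)
```

Note that the script deliberately treats only an exact match against your own list as trusted; it does not try to decide whether an unknown domain is "probably fine", because that guess is exactly what the hyphenated lookalike is designed to exploit.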


Exhibit C

The Text Message “You Need to Pay Your Bill” scam.

This is not as related to websites, but I’m sure a scammer could send texts too – probably about domain expiration or copyright infringement.

My mom recently received a text message about a $9 toll bill from New York State EZPass. She nearly made the payment through their link. She said scams usually have grammatical or spelling errors, so she trusted this one.

Maybe that used to be true, but not anymore. The barrier to entry is much lower for sending near-perfect phishing requests and even personalized cold email.

🚩 The big red flag here is this: The toll system doesn’t send texts! They even have a highway sign about it.

The giveaway was the URL, and the communication method.

This toll fee scam was clever—using a small and specific amount (just $9.62), which made it seem more legit. It also created urgency, threatening harsh consequences if it wasn’t resolved, and directed her to an official-looking website.

The link could even have led to the real website and still served the scammer as a tripwire: anyone who clicks gets added to a segment of phone numbers for “people who clicked the link”, and that segment then gets a follow-up “having trouble finding your bill?” message with a link to pay.

The first goal of a scam is to establish trust, the second goal is to influence action.

The first red flag was enough – I ran a quick search “Does NYS Toll System Send Text Message for Payment?” The answer was no, they do not.

Done, scam avoided.


Now that you’ve seen some examples and teardowns, let’s review some tips. As of writing this post I have four. I’m sure there are more, and

Tip #1 : Develop a Sensitivity to all “Icky Marketing” and other Red Flags

Today’s scammers aren’t that different than the kind of tactics being used regularly by marketers. I know this because I study marketing and most of the advice and training is based on manipulating some basic psychological triggers.

Learning about this and getting clear on your own values around marketing and outreach is a big help in staying safe from scams.

Here are some of the common psychological triggers at play here, and some of the red flags I look for.

Psychological Triggers

It’s not just illegal scams that utilize these psychological triggers – so one way to stay safe is to learn to recognize them.

They’re in sales pages, ads, and pretty much any piece of media intended to influence us. Learning the language of influence is a new kind of literacy that will help you navigate today’s modern information landscape. More on that later.

Red Flags to Watch For

Let’s recap some of the red flags that came up in the examples above in a quick reference list. Of course, these are specific to websites and domain management.

🚩 Requesting information or response without offering context or other information. For example, I get these texts that say, “Is this Ryan?”, with no other info, so they get no reply from me. To stay safe, we expect a second point of contact to be paired with any kind of information request. A phone message, etc… “In a moment I’ll send you a text about ____” to provide context.

🚩 Any request to click a download link from an email. Unless you completed a software purchase in the last 5 minutes, do not click! Also, with WordPress, all security and other updates are run directly through the dashboard inside the “updates” page. There is never an email where you download anything.

🚩 Heavy handed sales communication and psychological triggers. Having a sensitivity to icky marketing tactics doesn’t just create safety from illegal scams, but it also protects me from spending money on things I’d regret.


Tip #2 – Create Your Engagement Policy and Put Systems in Place to Uphold It.

To avoid scams, create some basic rules now that you can just live by. This protects you from those moments when you’re tired, stressed, or not thinking clearly.

If you set up some basic rules for yourself, you don’t need to figure things out on the fly. You simply follow your rules.

Some of my rules:

  1. Never engage or try to outsmart a scammer. Any engagement at all will add you to new lists because you essentially just verified you’re a real person, making your contact info more valuable on the data market.
  2. Use a Password Manager for ALL Your Accounts. Whenever I sign-up for an account, I save the details in 1Password. This protects me (and our team at Maple) since it checks the URL for legitimacy before inserting saved passwords or other details.
  3. Manage Your Contacts. If I join an email list, become a customer, or start working with someone, I add their email to my contacts.
  4. Establish a ‘No Response Policy’. Never respond, click, download, or engage at all with a suspicious email or text message.
  5. Always get a second opinion. If you’re not sure about something, forward to your tech support person if you have one (or get one).

These are just some of my rules, I encourage you to add or improve upon them for yourself. Rules make it easier to make decisions under stress. The decision has already been made!

The next tip is a consideration that doesn’t neatly fit into the above category, but is equally important.


Tip #3 – Checking Your Assumptions

Here’s something that might surprise you: most successful scams don’t rely on complex technical tricks. Instead, they target something much simpler – basic aspects of being a human such as curiosity, pride, shame, etc…

For example, someone who struggles with being organized about their internet records, and holds onto the belief they need to do everything themselves is less likely to ask for help. Because they’re disorganized about renewals and account access they might not trust that their website is renewing – or might not understand what they are paying for, or what they need.

Smart scammers are playing a percentage game. They don’t care that most people delete the email. The tiny percentage of people who click make it worth it for them.

Email is cheap, and it’s becoming even cheaper to personalize these messages with AI, so they will continue so long as it’s working for them. My policy of saving contacts means I can filter any incoming emails that aren’t coming from verified contacts. I may still review them, but I know what’s what.

Admitting our limitations and assumptions isn’t the kind of safety people talk about much – but it’s one of the most important. Staying humble is key. The person who thinks they can’t be outsmarted is much easier to fool, because their assumptions can simply be used against them. That’s why we create multiple points of safety.

It’s following simple security rules and having a reliable support system in place. Just like Carrie did by forwarding that suspicious email to us, and just like my mom asking me about that text before making a payment.

Remember: It’s not about outsmarting scammers. It’s about having simple awareness, rules we can rely on, and knowing who we can ask for help.


Tip #4 – Elevate your Standards

An important part of our work with clients requires approvals, credentials, or access – so these scams make our work more complicated in some ways – but it also means we’re being rewarded for our customer-centric approach to doing business.

At Maple we have a clear connection-first approach to client operations.

Here’s how we handle these kinds of things:

Sensitive Information is Handled in Person

When we need clients to provide sensitive credentials or two-factor authentication, we handle these important steps by phone. We’ll send them to our website to book a quick appointment—even just five minutes—to efficiently coordinate a call to handle it. It’s also a nice opportunity to connect.

Managed Software Updates

For our clients, any software update alerts and links are accessed from inside the website; they are never sent as links in email and never require a manual download or upload. Any software on your site is reviewed and configured by our team, and for Standard Care Plans, we handle all the updates on behalf of our clients.

No Surprises Policy

Our clients have a portal where they can find links to their invoice history and any outstanding invoices. We don’t send surprise invoices – and we always discuss invoice details from our main email accounts.

Care Plans and Website Monitoring

A website care plan service gives clients peace of mind, because they don’t need to be responsible for any technical details or updates. We have a dashboard of client websites and get alerts (even text messages) if something goes wrong. Since we keep backups daily, we can easily restore a website if it’s compromised or if anything happens to it.


We’re Here to Help!

If you ever receive something suspicious, please reach out—even if you’re not on a care plan. Just forward the email to me with your questions.

Nobody can wear all the hats! Getting support from experts inherently makes you safer and gives you freedom to be creative and connect with your audience. Honestly, I love managing websites for clients and I’m proud of the high standards we have for software, hosting, and keeping clients informed and safe.

Stay informed and safe out there! And reach out any time.

Ryan Clover-Owens
