I consider myself reasonably savvy when it comes to online scams, but this one almost got me.

I’ve been a target of scams for an awfully long time now. When I worked at AOL, back in the heyday of dial-up Internet, scammers would contact employee screen names via the Instant Messaging system, hoping to compromise an account that had access to billing information. Today, I get the usual “Nigerian prince” e-mails, as well as things that target my web hosting account. There are lots of Internet miscreants that would love to take control of an unsupervised web site and use it to distribute malware or host other unpleasantness.

But when I received this email, I wasn’t thinking scam.

Dear Bluehost customer CHARLES ZEGERS:

Your web hosting account for DOMAIN.NET has been deactivated, as of 07/06/2017. (reason: site causing performance problems)

This deactivation was due to a Terms of Service violation associated with your account. At sign-up, all users state that they have read through, understand, and agree to our terms. These terms are legal and binding.

Although your web site has been suspended, your data may still be available for up to 10 days from the date of deactivation; if you do not contact us during that 10 day period, your account and all of its files, databases, and emails may be deleted.

If you feel this deactivation was made in error, or in order to gain access to your account, please call our customer service line as soon as possible at (888) 401-4678 and speak with our Terms of Service Compliance department.
Please read the following, derived from our Terms of Service agreement, for additional information regarding the matter.

You must confirm the current copy of our Terms of Service here:
http://helpdesk.bluehost.com.LONGSTRINGOFCHARACTERS.test-hf.su/domain/DOMAIN.NET

Engaging in any activity that, in Bluehost’s sole and absolute discretion, disrupts, interferes with, or is harmful to (or threatens to disrupt, interfere with, or be harmful to) Bluehost’s services, Bluehost’s business, operations, reputation, goodwill, subscribers and/or subscriber relations, or the ability of Bluehost’s subscribers to effectively use Bluehost’s services is prohibited.

Thank you,
Bluehost Technical Support
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678 Option 2

I received the message at about 11pm last night, and at first, I assumed it was real. I’ve received similar messages before for other sites I manage or host, usually for benign reasons. One site got red-flagged by a host because there were executable .php files stored in a backup area that popped up on a scan as potentially harmful. Another was asked to find a different host because it was generating too much traffic for a shared hosting plan to handle. (In the business we call that a “good problem to have.”) And once, a site was actually compromised due to a shady WordPress plugin my client had installed.

I also assumed it was a mistake. The domain they listed as causing the problem isn’t currently associated with any web site; it’s something I registered for a client, but the site is not yet built.

What I did next probably saved me a world of trouble. Rather than simply clicking the link in the email, I signed on to my account. I checked to see if there were any flags or alert messages for me at sign-on. I made sure the domain wasn’t pointing at anything. (I also tried to contact Bluehost via their support chat, but as it was closing on midnight, I didn’t wait very long in the queue.) Still assuming the message was a mistake, I went to bed, planning to resolve the issue in the morning.

This morning, I called Bluehost’s security support line. While I was on hold I took a closer look at the message and noticed something very important. The URL in the message wasn’t actually from Bluehost.com. It was from “test-hf.su” – but with a long string of seemingly random characters and then a Bluehost subdomain. That’s when I finally figured it out… it wasn’t a mistake, it was some sort of phishing scam.

When I did get support on the phone, I told them I’d received what I thought was a phishing scam email. They confirmed that others had reported receiving similar messages and asked me to forward this one for review.

How to avoid email scams

Even though I was initially fooled by this mail, it didn’t get me. Here are a few tips that might help you avoid similar scams:

  1. Don’t over-react. Read the message closely. Try and figure out what might have triggered it.
  2. Verify. If you receive a legitimate message like this from your web host (or your ISP, or your bank, etc.), odds are you’ll get a similar message on their web site when you sign in to your account. If you get an email like this, log in and check. That said…
  3. Don’t use the links. There are lots of ways to disguise a link, to make you think you’re going to a legit site when you’re actually headed to one of the web’s many Knockturn Alleys. As a general practice, don’t click links in email unless you’re absolutely sure the source is legit. And even then…
  4. Use protection. If I had been foolish enough to click that link, there’s a decent chance that my anti-virus/anti-malware software would have stopped me… or at least popped up a very stern, “Hey Dummy, are you SURE you want to do that?” message. Make sure you have something similar installed on your computer.
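
The link in that message worked because a hostname is read from right to left: everything before "test-hf.su" is just a label the owner of that domain chose. The Python below is an added example, not part of the original post or anything Bluehost provides; it pulls every link out of a message body and checks whether the host really sits under a domain you trust. The TRUSTED set and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains you expect this sender's links to live under.
TRUSTED = {"bluehost.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url, trusted=TRUSTED):
    """Return (verdict, host); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and port, so only the real host is compared.
    host = (parts.hostname or "").rstrip(".").lower()
    for domain in trusted:
        d = domain.lower()
        # Match on a label boundary at the right-hand end of the host only.
        if host == d or host.endswith("." + d):
            return "trusted", host
    # The trusted name shows up somewhere, but not where it counts.
    if any(d.lower() in parts.netloc.lower() for d in trusted):
        return "lookalike", host
    return "unrelated", host


def audit_message(body, trusted=TRUSTED):
    """Return [(verdict, host, url)] for every http(s) link in a message body."""
    return [(*classify_link(u, trusted), u) for u in URL_RE.findall(body)]


# Links as they appear in the message quoted above (placeholders kept as-is).
SAMPLE_BODY = """You must confirm the current copy of our Terms of Service here:
http://helpdesk.bluehost.com.LONGSTRINGOFCHARACTERS.test-hf.su/domain/DOMAIN.NET
Bluehost Technical Support
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
"""

if __name__ == "__main__":
    for verdict, host, _url in audit_message(SAMPLE_BODY):
        print(f"{verdict:10} {host}")
```

Run against the quoted message, it reports one lookalike link alongside two genuine ones, which is how the email was built: real Bluehost addresses in the signature, the fake one where you are asked to act. A "trusted" verdict on some links says nothing about the message as a whole.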