Beware of Blue Host Phishing Emails!
Look out for these in your inbox!
I have a had a few clients contact me this week asking about emails that they received from Blue Host (or apparently so) stating:
Your account contains more than [some number] directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.
The Blue Host phishing email goes on to suggest that this problem can be solved by creating a special “tmp directory” and includes what appears to be a log in link. I received one of these emails as my domains are all registered through BlueHost (though I now host all my sites at WPEngine). Here is what it looked like:
Beware! This email is not from BlueHost!
This email is a “phishing” email and if you receive it, you should delete it immediately. Do not click the link.
Not sure what phishing is? Wikipedia provides this easily understood definition: “[p]hishing is the illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details […], often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.” You can read more about phishing here.
Digital Marketing Insights & Strategy
Delivered Directly to Your Inbox
How do we know this email is fake?
Our first tip that the email is not real comes from looking at the send from email address.
Notice it says “firstname.lastname@example.org via hovhaness.dreamhost.com.” In Gmail, the via indicates that the sender sent the email from a server other than the one listed in the email address. Gmail displays this information because many of the services that send emails on behalf of others don’t verify that the name that the sender gives matches that email address. In this case, someone who is pretending to be BlueHost has sent the email from DreamHost’s server. The fact that the email did not come from BlueHost’s servers is your first tip that something is amiss.
The second would come if you were to click the link:
You can see what appears to look like BlueHost’s website. This one is actually a near exact replica, except for one thing – the address bar does not say bluehost.com. Thus you can see that the link in this email took you to a website which is a duplication of BlueHost’s website, in an attempt to get you to enter your username and password, which would then be recorded and provided to the person who maliciously sent the email.
What if you already clicked the link and “logged in”?
If you already clicked the link and tried to log into your BlueHost account, thereby giving your domain or username and passwords to the phisher, you should:
- IMMEDIATELY go to https://my.bluehost.com/hosting/cpanel, log into your account and change your password. Make sure it is a strong password with random letters, numbers, and symbols. Don’t use things like the city where you live or any other recognizable words.
- Next, you should call customer support at BlueHost and inform them of the situation to see if they have any other suggestions.
- Then take a deep breath and chalk it up to lessons learned. Next time you’ll know what to look for if you get another suspicious email.
It is not good practice to click these links, because sometimes merely visiting a URL can install key logging software or other malware/viruses on your computer. I only did this on my junk computer for the proposes of education, then wiped it afterward. Try to identify these emails without clicking any suspicious links.