It starts off with an innocuous invitation, then with your email being hacked. A new phishing scam is currently circulating in the community imitating Punchbowl event invites to steal login credentials and personal information.
Punchbowl, a popular site where users can send online invitations to birthday parties, holidays gatherings and the like, is being mimicked by bad actors who send emails containing malicious links to steal personal information. Scams imitating Punchbowl surfaced the past week in Peekskill.
Those who fall prey may wind up downloading malware or be led to fake login pages. Those victims in turn may have their email accounts hacked, then have emails sent without their knowledge to all of their contacts, repeating the vicious cycle.
One of those victimized is Peekskill resident Alex Smith, a pianist and head of a local tennis club. Smith said he fell prey to the scam a few weeks ago when he received a dinner invitation via email and was led to a fake login page, which he entered.
By the time Smith realized something was wrong, it was too late. Hijacking Smith’s email account, the intruders sent three batches of bogus Easter party innovations to all of his contacts.
“I was able to find all the recipients and email them back and say, ‘Hey, this is a scam,’ ” Smith said, adding that it took about a half an hour to contact to everyone. “But I did have some people click on it. I called the friend of mine, whose [fake] message I responded to, and he said that he just changed his email password and he hasn’t had any other negative effect. I immediately changed my email password.”
Smith feared the hijackers’ intrusion into his history of emails exposed his personal information, including bank and tax information. As a result, he changed his bank information and put a credit freeze on all his cards. The incident has taught him a lesson.
“I’m skeptical of anything that says it’s from Punchbowl right now,” Smith said. “For me, I would say not to click on anything and just text the person that it came from and say, ‘Are you really inviting me to something?’
One such email purported to come from Peekskill Herald publisher Regina Clarkin, with the message, “You’re invited! Please click on the invitation to see more details and to RSVP. Let’s Celebrate Together!”
Clarkin was alerted to the phony invitation by a friend who clicked on it and then was suspicious because of all the information needed to open the invite. After changing her passwords on both her personal and professional email accounts, Clarkin responded to her contacts, telling them she’d been hacked and “that as much as I’d like to host an Easter party, the invitation was a fake and please delete it.”
How do people know the difference between a scam and a legitimate invitation? The Peekskill City Police Department shared information from Punchbowl on social media, describing how to avoid becoming a scam victim…
Who Is It Coming From?
Legitimate Punchbowl emails typically show its red logo (left) and a blue verified check mark (right). (Punchbowl)
- All legitimate 0nline invitations and digital greeting cards sent by Punchbowl via email will come from [email protected].
- Legitimate emails will often show the Punchbowl logo and a blue verified checkmark next to the sender’s name. While this feature may not appear in all email clients, it should be visible in major ones.
- Official support emails will come from [email protected].
- Additional legitimate emails that may communicate with users include:
- All legitimate online invitations and digital greeting cards sent from Punchbowl via text message in the U.S. will come from our short code: 90403. Invites and cards sent from Punchbowl via text message outside the U.S. will come from 877-642-0804.
What Does It Looks Like?
- Invitation and card links always start with “http://www.punchbowl.com.”
- It is important for you to know that legitimate emails from Punchbowl will never contain an attachment.
- Visual indicators and errors to look out for
- Broken layouts or images that won’t load
- Logos or buttons that are incorrectly sized
- ALL CAPS, incorrect fonts, or red miscolored text
- Asked to sign in before viewing invitation or card
- Misaligned text in design or email
What to Do if You Suspect the Message Is Fraudulent
If you’re concerned about an Invitation or card that you received, or have gotten reports that recipients have received an invitation or card from you that you didn’t send, you can take the following steps to protect yourself:
- Do not open it, and do not click on any links within the email if you do.
- Please forward the email to [email protected]. It’s possible that someone has created an email to look like an Invitation or card from Punchbowl in a phishing attempt.
- Mark the email as spam within your inbox.
- If recipients have received an invitation or card from you that you didn’t send, we recommend that you update your email account password.
How to Help Others
If friends and family email you to say they received an invitation from you that you never sent AND they cannot open the links, we suggest that you reply with text along these lines:
“It looks like someone may have created an email to look like an Invitation from Punchbowl in a phishing attempt. Please do not click any links in the email. If/when I send actual invitations from Punchbowl, they will come from [email protected].”
