Exposing the Kroll Crypto Wallet Scam

Roger Grimes | Mar 12, 2026

I’ve been contacted by the real Kroll (www.kroll.com) a few times over the last few years regarding various real class action lawsuits they are involved in, including as recently as a few months ago. So when I received the email below, although it seemed phishy from the start, it was relevant enough that I opened it.

It was one of those “Hey, this looks like a phish…but I remember receiving a real email from this company!” situations. I think a large percentage of scam victims have a similar experience. That is what scammers are hoping for: that you will find some justification to overcome your initial skepticism.

So, I opened the email and started to look around. It pretty quickly provided a bunch of clues that it was fraudulent.

First, it has multiple references to FTX, which could refer to international currency trading or cryptocurrency. Either way, I do not know what a legal settlement from a class action lawsuit could have to do with either.

The sending email address says it is from emailshopify.com.

I checked the DMARC outcomes (see image below with sampled email header information):

It says SPF, DKIM, and DMARC checks pass. So, it really is from shopifyemail.com. I know Shopify (I am even an investor), but I do not know the domain shopifyemail.com. Is that a real Shopify domain or a fraudulent one where the scammers just threw in a legitimate brand name somewhere in the domain name to fool victims?

I went to GoDaddy’s WhoIs service to check the DNS domain registrant details (see below).

It really is from a domain owned by Shopify, Inc. (in the Organization field). It was first registered in 2018. It is not a new domain, although it was recently updated. This latter point could be a problem. Sometimes scammers take over neglected domains and start sending scams from there, although larger organizations usually do not have this problem as they are usually on top of their domains.

Instead, this is one of the many scam emails that are sent by scammers using legitimate services. Today, a large percentage of phishing emails originate from compromised legitimate domains or from legitimate services that have some sort of service that can be manipulated to send (scam) emails to unsuspecting victims. I wrote about a similar scam that originated from Intuit.com a few years ago.

Last week, I saw a list at KnowBe4 of nearly 100 domains of legitimate companies being used by scammers to send phishing emails. Scammers like to use legitimate domains because they want to pass the DMARC checks. If they do not use a legitimate, trusted domain to send their scam email, the email could fail the SPF, DKIM, and DMARC checks and end up in the receiver’s Spam or Junk Mail folder by default. That is not good for the scammer.

Scammers often register their own new domains, enable DMARC, and then use them for the scam. Emails from those malicious domains pass the DMARC checks, but it is easy for them to be reported by victims and shut down. If the scammers use a large legitimate company’s domain, like one owned by Shopify, it is far less likely to be shut down.

You might initially ask why Shopify is not doing a better job of stopping scammers from using its services to send mass amounts of phishing emails. The answer is that it is very difficult to detect and stop without causing onerous operational interruption to its legitimate services to customers. Scammers are very adept at figuring out how to bypass the legitimate service’s scam detection mechanisms and making it difficult to stop them. This is not a Shopify problem. It is a problem shared by tens of thousands of companies and is a really hard fight to win.

The REPLY TO address says Kroll Desk <news@ginsgin.com>. Ginsgin.com legitimately sells ginger root but is certainly not affiliated with Kroll. So, this thing has scam written all over it.

But let me click on its CLICKME link to see where it takes me. I first hover over it and it shows (see image below):

It is going to take me to ginsgin.com…so its legitimate domain is compromised. But it is just a quick redirect to the ftx-notices.live domain. The landing page shows me this. Nice Kroll and FTX branding.

I do a Whois lookup on the ftx-notices.live domain. Nothing useful there except that the domain is barely a month old (see below):

Young domains are far more likely to be used fraudulently. And that domain is not affiliated with Kroll or Shopify. We call that domain misalignment.

I put in my email address (it will take any email address and give you the same outcome) and get this:

It is telling me that I can only accept my funds by inputting my crypto wallet information and it will not accept “Newly created wallets…to safeguard against potential fraudulent transactions”.

How kind of them to look out for my interests.

I click on the Withdraw Now button and get this (see below):

This is a standard-looking prompt asking me which cryptocurrency wallet I plan to use to accept my money. I choose MetaMask and I get this prompt (see below):

The QR code takes me to:
wc:27b8e1e4f606ada6a83fc6b90579ae37b254cfbe80eca9d986aa03c63e9e23e1@2?expiryTimestamp=1771014953&relay-protocol=irn&symKey=a68b4d08facd7ff0e839dc0811f2199a7edbd7b282f4252d05723a6269a10f94

Which is essentially trying to launch my MetaMask crypto wallet.

Well, I will end my fun and games here.

Had I put in my cryptocurrency wallet details, they would have surely drained whatever value I had in there.

Lessons Learned:

  • Scams are sometimes successful because you are waiting for a contact from the brand involved or are vaguely familiar with something related and the scammer sends just the right fake message at the right time.
  • Lack of details of my good fortune (i.e., what Kroll case it involved) is not a good sign.
  • If you see a semi-strange, but somewhat familiar domain, like emailshopify.com, it cannot hurt to verify it using a WhoIs domain lookup service to see if you can find out if it is owned by a legitimate company or not.
  • Legitimate platforms, like Shopify, are frequently used in scams. Any platform that allows others to send emails to others is at high risk of being involved in a scam.
  • Emails involving three domains (e.g., emailshopify.com, ginsgin.com, ftx-notices.live), none of which match the main branding (e.g., Kroll), are rarely good emails.
  • Passing all DMARC checks (e.g., SPF, DKIM, DMARC) does not mean the email is not a scam.
  • Young domains are often involved in scams.
  • Never hand your cryptocurrency wallet, credit card, or personal information over to an unexpected email asking you to do a strange thing you have never done before (e.g., receive funds from Kroll using a cryptocurrency account).

Well, I guess I will not be getting rich from the settlement of my class action lawsuit, but I will not be getting scammed either.
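
The domain checks walked through above can be scripted for triage. The following is an added example, not code from the original post: it parses a constructed message modeled on the one described (the local part, link path, and receiving host are made up) and flags domain misalignment even though DMARC passes. The `redirects` parameter is a hypothetical way for an analyst to supply hosts observed after following a link.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the email described above; not the real message.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
From: Kroll Desk <notice@emailshopify.com>
Reply-To: Kroll Desk <news@ginsgin.com>
Subject: Settlement notice
Content-Type: text/html

<p>Your funds are ready.</p><a href="https://ginsgin.com/r?id=1">CLICKME</a>
"""

def base(host):
    """Naive registrable domain: last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def addr_domain(header_value):
    """Base domain of the address in a From/Reply-To header, or '' if absent."""
    return base(parseaddr(header_value or "")[1].rpartition("@")[2])

def triage(raw, brand_domains, redirects=()):
    """Flag domain misalignment; `redirects` are hosts an analyst saw after the link."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    # Assumes a single-part HTML body, as in the constructed sample.
    hosts = re.findall(r'href=["\']https?://([^/"\'?#:]+)', msg.get_payload(), re.I)
    link_doms = {base(h) for h in list(hosts) + list(redirects)}
    flags = []
    if from_dom not in brand_domains:
        flags.append("sender domain is not the brand's")
    if reply_dom and reply_dom != from_dom:
        flags.append("Reply-To differs from From")
    for d in sorted(link_doms - set(brand_domains) - {from_dom}):
        flags.append(f"link leaves brand and sender: {d}")
    return {
        "dmarc_pass": "dmarc=pass" in auth,  # a pass does not clear the flags
        "domains": sorted(({from_dom, reply_dom} | link_doms) - {""}),
        "flags": flags,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, {"kroll.com"}, redirects=["ftx-notices.live"]))
```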

