Scammers are getting quite clever these days. It’s more difficult for the average website owner to distinguish between the authentic and the fake. Even so-called web experts can be fooled. To illustrate how sophisticated some scams can be, I would like to share a recent incident that happened to one of my clients.
My client has her website hosted on GoDaddy. She has a website care plan with us which includes basic security features like backups and malware scanning.
Last night at about 9pm PST, she received the following email:
Subject: [Incident ID: 31937773] Regarding your hosting account
From: GoDaddy <networkviolations@godaddy.com>
Information regarding your account
Dear Sir/Madam,
We take security seriously so all customers can build and manage their websites in a safe environment.
We’re writing to let you know that we recently completed a routine security checkup of all our servers and platforms. Our scans flagged your [client’s domain name] hosting account as containing known malware. Due to the negative impact to our systems, we’ve removed the following malware from your files:
public_html/counter/3.bin
Unfortunately, our scans also flagged other content that could be malicious, but due to the nature and usage of these files, we did not remove them as this should be reviewed by a website administrator first. We recommend you log in to your hosting account to review the following content and remove if necessary:
public_html/post.php
public_html/text.add.php
public_html/wp-content/themes/maya/404.php
For speedy help, or any questions or concerns, please call our hosting security team at 480.366.3501 to resolve the issues immediately.
We appreciate your attention to this matter.
As always, thanks for hosting with us!
Thank you,
GoDaddy
Network Violations Team
networkviolations@godaddy.com
480-505-8871
[Investigation ID:31937773]
Copyright © 1999-2017 GoDaddy Operating Company, LLC. 14455 N. Hayden Rd, Ste. 219, Scottsdale, AZ 85260 USA. All rights reserved.
Seems legit, right? Let’s look a bit more closely.
First of all, a superficial comparison shows that the scam email does not have the same branding as a real GoDaddy email. Second, and more importantly, the scam email does NOT reference either my client’s name or her customer number, which any legitimate email from GoDaddy would. The image below shows my client’s email side by side with an email I received from GoDaddy about a domain purchase.
Next, we need to examine the supposedly suspicious files listed in the email. Logging in to my client’s hosting account, I searched for the files, but did not find them on the server. I also looked for any unknown files which hackers may have added, but this search came up empty as well.
After that, I scanned my client’s site for malware using multiple tools, including Sucuri and Wordfence. They marked her site as clean.
Lastly, I looked at the phone number listed in the email. This part is quite interesting. You will notice that the number they give you to call is 480.366.3501, which is not the same as GoDaddy’s official support number: 480.505.8821. Even the one they list at the bottom has a different ending of 8871 instead of 8821.
Most people will not think twice about it and call the number because they’re scared that their site is infected with malware.
When you call the number, a woman’s voice will thank you for calling and ask you to enter your PIN number (which you need to use for GoDaddy’s support). But if you listen carefully, you will notice that she does NOT mention GoDaddy at all in the recording. For comparison, I called GoDaddy’s official support number. A woman’s voice thanked me for calling GoDaddy and gave me multiple options, including selecting a language and support department. Only later did she ask for my PIN and she always referenced GoDaddy in the call. By contrast, the scam number immediately wanted my PIN and, if I kept going, my credit card number too.
Please remember: GoDaddy will NEVER ask for your credit card number because of a malware scan. They already have your billing information on file and they will not ask for it over the phone.
Unfortunately, many people panic and give the scammers whatever information they request. This scam operates on fear and lack of close attention to detail.
Another thing that is concerning: If you do a Google search on the text of the scam email, you’ll end up with misleading information in the GoDaddy forums and other groups about whether it’s a scam or not. Forum contributors (including some apparently representing GoDaddy) will tell you that the email is legitimate. I’m not sure if these responders are (a) simply not aware of the scam, (b) not looking closely enough to tell, or (c) working for the scammers to spread the belief that the emails are legitimate. The last possibility would be diabolical, if true.
At any rate, don’t be fooled! Before taking action on such an email, make sure you consult with your website administrator first. Better still, talk to your website administrator about the security measures in place for your site. These should at least include malware scanning and regular backups. If you need any assistance with securing your site against hackers, feel free to contact us. We are happy to help!
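The two mechanical checks from the walkthrough above (are the listed files actually on the server, and do the phone numbers match the provider's official one) can be scripted. This is an added example, not part of the original article; the function names and the OFFICIAL_NUMBERS allowlist are assumptions, and the sample text is constructed from the email quoted above.

```python
import re
from pathlib import Path

# Assumption: numbers you verified yourself on the provider's own website.
# The article gives 480.505.8821 as GoDaddy's official support number.
OFFICIAL_NUMBERS = {"4805058821"}

PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
PATH_RE = re.compile(r"^[ \t]*(public_html/\S+)[ \t]*$", re.MULTILINE)


def phone_findings(body, official=OFFICIAL_NUMBERS):
    """Map each phone number in the email to 'official', 'lookalike' or 'unknown'."""
    findings = {}
    for match in PHONE_RE.findall(body):
        digits = re.sub(r"\D", "", match)
        if digits in official:
            verdict = "official"
        elif any(sum(a != b for a, b in zip(digits, good)) <= 2 for good in official):
            verdict = "lookalike"  # differs from a real number by one or two digits
        else:
            verdict = "unknown"
        findings[digits] = verdict
    return findings


def listed_files(body, docroot_parent):
    """Map each public_html/... path named in the email to whether it exists on disk."""
    root = Path(docroot_parent)
    return {p: (root / p).is_file() for p in PATH_RE.findall(body)}


# Constructed sample: the relevant lines of the email quoted in the article.
SAMPLE_EMAIL = """\
public_html/counter/3.bin
public_html/post.php
public_html/text.add.php
public_html/wp-content/themes/maya/404.php
please call our hosting security team at 480.366.3501 to resolve the issues
480-505-8871
"""

if __name__ == "__main__":
    for number, verdict in phone_findings(SAMPLE_EMAIL).items():
        print(number, verdict)
    # "." is a placeholder: pass the directory that contains public_html.
    for path, present in listed_files(SAMPLE_EMAIL, ".").items():
        print(path, "present" if present else "not found")
```

A "lookalike" or "unknown" number is a reason to call the number published on the provider's website instead; a file reported as "not found" matches what the manual search in the article turned up.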
I got a similar email and phone call referencing it, and was certain it was a scam, but… nope.
I chatted on the GoDaddy site, and was told that that IS one of their numbers. And then I called the regular number and treed over to website security (I think), and they had all the information about the earlier call.
It sucks that they want about $83/year to guard THEIR servers, it seems.
Hi Elena-Beth,
Thanks for sharing your experience. When researching this issue, I found mixed experiences, as some people said that it was not a scam in their case, that there really was a hack, etc. However, in my client’s case there was no evidence of a hack that I could find.
I guess my point is to be extremely careful when giving out information online or over the phone if you’re not 100% sure who is on the other end, because hackers can appear quite legitimate sometimes.
Also, I am suspicious of any answering service which does not immediately state their business name, e.g. “Thank you for calling GoDaddy.” And this recording did not.
Anyway, I’m glad that your case got sorted. Thanks again for sharing!
Cheers,
Jessica
Thanks so much for this article! I got several of those scam emails — and they were definitely scams. But after receiving the fourth one, I decided to do a search on “Go Daddy email malware scam” and found your article — which really made things clear! I appreciate the detail with which you explained how to spot the scams!
Hi Cher, apologies for the late reply. I’ve gotten a bit lax on responding to comments. I’m glad you enjoyed the article! If you need any help in future, feel free to reach out via my contact page: https://imaginehigher.com/contact/
What I don’t understand is there doesn’t seem to be a free way to eliminate the malware. GoDaddy wants $300/year to do it. That’s ridiculous!!! It makes me very suspicious that the whole thing is a scam. There MAY be malware on my site? Well, I’m guessing there may NOT be malware, too.
Hi Cathy, apologies for the late reply. Yes, that’s why I use Flywheel for hosting. They not only detect malware but clean it up for free. WP Engine is also a good hosting provider when it comes to security.
Good article. I just ran into this myself for a new client I took on. The scammers have improved their technique since your initial post. The email my client received included the correct customer number, full name, and a good list of files on the site (WordPress based). What’s more, all of the links are correct and the header includes the correct GoDaddy phone number. The only issue is the phone number at the bottom for “security experts”. I called the main GoDaddy number (confirmed against the web site) and confirmed the new number was no good. Needless to say, I have some work to do with my client if these guys had this much information.
Stay vigilant folks!
Just a note to say the same thing happened to me – got an email from GoDaddy about malware on my website. Called them, they investigated and found no malware. The email appeared to be from GoDaddy. He briefly mentioned the $83 annual security but did not push it, and in fact, said I probably didn’t need it.