Author: Olly

Scary Fake Google Doc Share Email SCAM! WOW!

Honestly, this one was scary! There were ZERO red flags, apart from the fact I know this email address doesn’t exist. Absolutely EVERYTHING ELSE was 100% convincing.

Fake Google Doc Share Email

So I got this email to my work email, from an account with the same domain as my work. So this looked like a 100% convincing internal document share;

So we had another fake Google email as part of a scam recently, but that had a Googlemail.com email as the sender, and a few other things that indicated it was dodgy – this one didnt. This one was VERY professionally put together.

There is nothing there (apart from the fact I know finance@mydomain.url doesn’t exist) to indicate this is not a legitimate email.

Breaking Down the Fake Google Doc Share Scam

So, the email itself looked legit, the URL the button wanted to take me to was this (url obfuscated to avoid it being crawled or clicked);

hXXps://storage.cloud.google.com/utmcontenthttps04j84y674t474g7484t645g4674g484t54/index.html

So on the face of it, it isnt screaming SCAM as it came from what appeared to be a totally legitimate Google email!

NEVER CLICK ON LINKS IN EMAILS OR BUTTONS IN EMAILS IF YOU ARE UNSURE OF THE LEGITIMACY OF THE EMAIL. LEAVE THAT TO IDIOTS LIKE ME.

The URL itself (opened in a controlled environment) opened a page with what appeared to be a Captcha;

Looking into the source code, the page was quite simple and in fact looked like it had been ripped from a template somewhere – there were placeholders like this;

Which is quite surprising, considering how much effort they had put into the rest of it. That said, the implementation of this scam is quite advanced in that they are using an SVG (which is essentially an image) to contain the Base64 encoded payload.

What the page is trying to do is this; the captcha is there to stop Bots and stuff from finding their fake Google Login page, which is what the page was going to redirect me to once I filled in the Captcha.

hXXps://accounts.authenticationsystems.cloud

That is the URL that I decoded from the Base64 hash you can see in the above screenshot. The URL doesn’t work, so maybe had they had already been shut down by the time I got to it?

Why This Scam Seems to Go Nowhere?

So it seems strange that the final step in this puzzle is a dead end. Why go through so much effort, to then fall at the final hurdle?

Well in some cases, that the point. These scams are like a burn-and-rotate kind of scam. The first step is the super convincing email, the second step is like a “gatekeeping” step to stop bots and stuff from following links and flagging the website as malicious.

The final bit of the scam is the piece that can link the perpetrator – and this is the bit that get burned quickly after the scam has taken place. I have reached out to the Cloud domain registrar to see if that domain was in fact registered, and if so – who to – but due to GDPR I dont suspect they will give me any info. I’d like confirmation on whether it was ever registered or not though.

If it had loaded, it would have probably looked identical to a Google login page, and at that point if I had input my details, it would have pretended to log in, send my Google details to some dodgy person somewhere or store them in a file on their server, and then redirect me back to a legitimate Google login page.

I will update this post if I hear back from the Cloud registrar.

12 December 2025
Trustwallet Systems SCAM – Inactivity Alert: Wallet at Risk of Removal Fake Email

Things seem to be coming at me thick and fast at the moment. A customer of mine recently signed up to use my agency as their cbd payment gateway partner, we have been integrating it for a while now and we were about to go live when he got this Trustwallet Systems SCAM email;

The Trustwallet Systems SCAM Fake Email

Now most of you reading this may not have heard of a payment company called Trustwallet Systems – but the supplier I work with literally has the word Trust in their name. The similarities between the wording used here and the wording used by my supplier is spooky. Trustwallet systems seems to be actually crypto related, but the similarities between their name and the name of my payment partner are scary.

So what is this Trustwallet Systems SCAM?

I’m afraid this time I wasnt able to find out. All the warnings (Nord, Chrome, etc) suggested that it was Malware related – which would mean visiting the links would result in your PC being infected. And then you would probably get popups about how your device was infected and you had to pay some fake support company in Amazon gift cards to “fix it” for you.

The link at the end of the trail was already dead, so well done whoever reported them 🙂

This was spooky, well timed, and could have fooled my client – but thankfully my clients are switched on and always double check things like this with me first.

Stay eSafe peeps.

18 November 2025
Another Mailgun Scam – Payment Declined

I actually use Mailgun, its fantastic – so when I first saw the email subject land in my inbox, I was initially alarmed as I dont want a missed payment to affect the deliverability of website emails etc.

The Mailgun Scam Email

Google did flag the email as suspicious to be fair, but if this had come into a mail client like outlook or thunderbird it may not have been flagged and could have tricked someone.

Mailgun Scam: The Red Flags

OK, so as always we look for the red flags so we can all get better at spotting the scams.

Sender email: This seemed to come from a domain I own, which isn’t unusual.

Reply-to email: info@wasteconnections.com

Pretty sure that isnt an official mailgun email account!

The button: Linked to a huge sendgrid URL so wouldn’t have really been alarming as that’s not unusual. Sendgrid is an email marketing service. I have informed Sendgrid.

Digging Deeper into the Mailgun Scam

**NEVER PRESS BUTTONS OR LINKS IN DODGY EMAILS**

So, I pressed the button (lol) and it took me to some page that looked like it was processing something, and then boom, the Mailgun login window appeared;

This was hosted on Microsoft Azure, so I reported the website to the relevant department at MS.

If I had been tricked up to this point, I think I’d have been a bit alarmed at the fact they pre-filled my email I know Mailgun dont do this as I log into it most days.

None of the buttons apart from “Continue” seemed to do anything – seems to be a trend at the moment.

I added a fake password and pressed next, it asked me to confirm my password – this is NOT how the Mailgun website works. I confirmed my fake password, they then asked me for a 2FA which I also faked.

It seemed to hang at this point, I dont know if it was trying to log into my Mailgun account in the background or something.

I checked in the background and it is pulling a file from here;

hXXps://sourcebigwhale.cfd/10302025/sinch-connect/gobe.php

That must be the most sketchy looking domain name extension I have ever seen in my life haha. I have reported this domain as well.

The Mailgun Scam: Conclusion

This seems to be a classic “Credential and MFA phishing” scam, focusing on Mailgun for some reason. Perhaps as then once they are in they can send 30,000 spam emails or something.

Remember to check for red flags when getting an email or message that raises alarm bells, and if in doubt send it to me 🙂

Stay eSafe peeps!

Credential and MFA phishing Scam FAQs

Why do scammers create fake login pages that look like services like Mailgun or Sinch?

Because they know those are “backend” services that not many people outside digital teams understand. They rely on the fact that inboxes, tech teams, and marketing people will see the branding and think it’s legit. Once they have your login details, they can get into your email sending service and use it to send out further phishing emails that look totally legitimate (which then spreads the attack).

Why do these fake pages ask for passwords and then a 2FA code as well?

If they only took a password, the victim could still be protected by 2FA. Scammers now know this, so they make the fake form walk you through entering a 2FA token which they immediately use in real time to log into the real service as you. So they capture both your password and your temporary code.

How can I spot these scams before I click on anything?

Always check the actual domain name before typing in any credentials. If the domain is weird, cheap, or doesn’t match the official brand (for example something like “sourcebigwhale.cfd” instead of “mailgun.com”) then it’s almost certainly malicious. Legit login pages will always be on official domains, never random ones. Also, if a link comes out of the blue, treat it as untrusted until you verify it.

Mailgun Scam

We blogged about another MailGun Scam here.

Update 11/11/25: Just had word from NameSilo that they have suspended the dodgy domain, putting a stop to this scam;

Success!

6 November 2025
Final Notice: Vehicle Tax Renewal SCAM(Ref: ETHFA-5293-BUT31)

A good friend of mine asked me to check an email he had received, he had his suspicions already but I checked it for him anyway and he was right – Vehicle Tax Renewal SCAM.

The Vehicle Tax Renewal SCAM Email

The Vehicle Tax Renewal SCAM Analysis

First obvious alarm bell is the sender email;

I’m pretty sure that isn’t a Government email address. I have reached out to Tria to let them know they have either had an email account compromised or they have an hole in their mail servers. They got back to me instantly and have said they are investigating and provided me with some solid advice from a security point of view that would be very useful to someone that wasnt tech-savvy.

The second thing to do is (if on a PC) hover over the button and look in the bottom left corner of your browser (or wherever the link preview shows in your browser);

Doesn’t look very “Government-y” does it! The link below the button on the email also goes to this location.

NB NEVER EVER EVER CLICK ON LINKS IN THESE KIND OF EMAILS – I AM A TRAINED PROFESSIONAL (aka AN IDIOT) SO I DO THESE THINGS FOR YOU!

OOOOO and just when I thought it couldn’t get any juicier I clicked the link on desktop and was greeted with this;

Now this kind of screen here isn’t unusual, as even if I get sent a scam when its pretty new the scam/phishing websites have often already been taken down. The “Mobile_Only” message there intrigued me though, so I switched to a different useragent and refreshed the page and just like magic;

It’s interesting that they have made this a “mobile only” Vehicle Tax Renewal SCAM, the only thing I can think of is that people are more likely to not notice dodgy sender emails and where buttons actually take them too and are therefore more likely to fall for the scam. I think this is even backed up with the way they structured the URL;

hXXps://portal.vehicledd-penalty.taxdisc.service.a-reminder.org/security-check/alert?verify=rbt_83503

I believe they have structured it like that so that no matter what your phone/device screen size you only see part of it;

And therefore it raises less alarm bells.

None of the other links on the page go anywhere, which is unusual. Often I see with these types of scams they make all the other links 100% legit so it comes across more genuine.

However I suspect when the web people at .gov see people being referred to their website from suspicious looking domains it aids in them finding and shutting the scammers down, so this is probably another tactic to not get detected by these particular crooks.

What is the Vehicle Tax Renewal SCAM?

The link on the Vehicle Tax Renewal scam page itself is harmless, its just a form;

Notice the font is different on the “Bank Information” bit? They must have been getting mistakes when people were inputting card details so they added that bit in afterwards so they get two chances to scam you. The card details section did have the ability to check card details to an extent, as it knew my totally made up one was fake – but it did let me use test card details from stripe.

This scam is basically them just trying to steal your identity – if you fill this form out, it just emails them all your info and within a few mins of recieving it they would have rinsed you dry.

DO NOT FILL THESE FORMS OUT.

What to do about the Vehicle Tax Renewal SCAM?

If you are unsure if you have tax due, then you will get a letter from the DVLA through the post – and if you havent and are still not sure, use this link;

https://www.gov.uk/check-vehicle-tax

And put your reg in and it will tell your if your tax is due. Do not just rely on email and/or postal notices.

I left the scammers a little note afterwards – but it was a bit swear’y so I wont post it haha.

After I updated the card details to test ones from stripe (like mentioned above) it let me submit the form;

I was then redirected to the actual gov.uk website.

All in all, quite a well planned out scam but still very basic – they are just trying to steal your info so they can buy shit.

Get a VPN with browser protection like Nord VPN and when you get emails like this search for the official website for this kind of thing and Nord will help guide you to the correct website where you can safely either check or renew your tax.

If in doubt, speak to that friend you have that is proper nerdy n that. They will be able to help. If you dont have one of those friends, then i’ll be your friend, just comment below.

Stay eSafe peeps!

Vehicle Tax Renewal SCAM

Vehicle Tax Renewal SCAM

3 November 2025