{"id":6440,"date":"2025-07-29T15:58:49","date_gmt":"2025-07-29T22:58:49","guid":{"rendered":"https:\/\/xmission.com\/blog\/?p=6440"},"modified":"2025-07-30T08:16:21","modified_gmt":"2025-07-30T15:16:21","slug":"lets-talk-phishing-part-3-when-scammers-pose-as-xmission","status":"publish","type":"post","link":"https:\/\/xmission.com\/blog\/2025\/07\/29\/lets-talk-phishing-part-3-when-scammers-pose-as-xmission","title":{"rendered":"Let\u2019s Talk Phishing\u2014Part 3: When Scammers Pose as XMission"},"content":{"rendered":"<h1 style=\"border-bottom: 0; margin-bottom: 0; padding-bottom: 0; padding-top: 1em;\"><strong>They&#8217;re getting smarter: Phishing attacks are now targeting XMission&#8217;s identity<\/strong><\/h1>\n<p><img decoding=\"async\" style=\"float: right; width: 240px; margin-left: 20px;\" src=\"https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/phish-scammer-300x241.png\" alt=\"Phish scammer\" \/>Over the past several months, we&#8217;ve seen a dramatic rise in phishing emails targeting XMission customers. Not from random overseas scam operations, but from threat actors who are mimicking XMission&#8217;s\u00a0<strong>branding, tone, and even our past support language<\/strong>.<\/p>\n<p>These aren&#8217;t your typical typo-riddled scams. They use our logo, our formatting, and our language. And they&#8217;ve been hitting inboxes with alarming frequency.<\/p>\n<p>We want to pull back the curtain on what we&#8217;re seeing, why it&#8217;s happening, and what you can do to protect yourself.<\/p>\n<h2 style=\"border-bottom: 0; margin-bottom: 0; padding-bottom: 0; margin-top: 1.5em;\"><strong>Phishing that looks like it came from us<\/strong><\/h2>\n<p>Below are\u00a0<strong>real examples<\/strong> of phishing emails we\u2019ve received reports of. The formatting and phrasing may seem familiar, but the links are not. These emails are <strong>not from XMission<\/strong>\u00a0and should be treated as malicious.<\/p>\n<h4><strong>&#8220;Notice: New Policy for Handling Suspicious Messages&#8221; (Spoofed Support Notice)<\/strong><\/h4>\n<p><a href=\"https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-6441\" src=\"https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample1.png\" alt=\"\" width=\"640\" height=\"758\" srcset=\"https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample1.png 640w, https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample1-253x300.png 253w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>This email appears to offer additional security services, using language like &#8220;opt out of receiving flagged emails.&#8221; It includes a very convincing button with the familiar XMission blue.<\/p>\n<p><strong>What\u2019s wrong with it?<\/strong><\/p>\n<ul>\n<li>The link behind the &#8220;Opt Out&#8221; button points to a fake domain:\u00a0<code>https:\/\/xmssion.com\/redirect.php<\/code>\u00a0&#8211; note the subtle typo in the domain name.<\/li>\n<li>The tone mimics our security notices but includes no specific account or login references.<\/li>\n<li>XMission never updates your preferences via a single-click email action.<\/li>\n<\/ul>\n<h4><strong>&#8220;Mandatory Privacy Notice: Email Removal Option Now Available&#8221; (Privacy Bait)<\/strong><\/h4>\n<p><a href=\"https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-6442\" src=\"https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample2.png\" alt=\"\" width=\"636\" height=\"573\" srcset=\"https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample2.png 636w, https:\/\/xmission.com\/blog\/wp-content\/uploads\/2025\/07\/Phish-Sample2-300x270.png 300w\" sizes=\"auto, (max-width: 636px) 100vw, 636px\" \/><\/a><\/p>\n<p>This phishing attempt plays on privacy concerns. It offers to remove your address from marketing databases, using familiar opt-out language and visual styles.<\/p>\n<p><strong>What\u2019s wrong with it?<\/strong><\/p>\n<ul>\n<li>The link behind &#8220;Remove My Email&#8221; points to\u00a0<code>https:\/\/delete-my-email.web.app\/<\/code>\u00a0&#8211; which is\u00a0<strong>not owned or affiliated with XMission<\/strong>.<\/li>\n<li>While it sounds helpful, it\u2019s likely a credential harvester or malware site.<\/li>\n<li>Legitimate unsubscribe or privacy options will\u00a0<strong>always<\/strong>\u00a0route through the xmission.com URLs.<\/li>\n<\/ul>\n<h2 style=\"border-bottom: 0; margin-bottom: 0; padding-bottom: 0; margin-top: 1.5em;\"><strong>Why target XMission?<\/strong><\/h2>\n<p>We&#8217;ve asked ourselves this too. XMission is a regional ISP and hosting provider, not a global tech giant. So why the escalation in phishing campaigns against us and our users?<\/p>\n<p>Our best speculations:<\/p>\n<ul>\n<li><strong>We\u2019re one of the few providers that actively fight back.<\/strong>\u00a0XMission has taken legal action against spammers in the past. That kind of stance makes us a target.<\/li>\n<li><strong>Our users trust us.<\/strong> Our brand carries weight with our customers. That trust is exactly what phishers try to exploit by mimicking our brand.<\/li>\n<\/ul>\n<p>Regardless of motive, the outcome is clear: XMission users are receiving deceptive, targeted emails that attempt to exploit their relationship with us.<\/p>\n<h2 style=\"border-bottom: 0; margin-bottom: 0.5em; padding-bottom: 0; margin-top: 1.5em;\"><strong>How to spot these attacks:<\/strong><\/h2>\n<ol start=\"1\">\n<li><strong>Hover before you click.<\/strong> Look closely at URLs. Does it say &#8220;xmission.com&#8221; or a typo version?<\/li>\n<li><strong>Be wary of urgency.<\/strong>\u00a0Anything saying &#8220;click now&#8221; to avoid account shutdown or data loss should raise red flags.<\/li>\n<li><strong>Check for generic language.<\/strong>\u00a0Legitimate messages from us typically reference your account or specific service.<\/li>\n<li><strong>Never trust buttons blindly.<\/strong> If you&#8217;re unsure, log into your control panel directly at <a href=\"https:\/\/xmission.com\/control\" target=\"_blank\" rel=\"nofollow noopener noreferrer nofollow noopener noreferrer\">xmission.com<\/a>\u00a0instead.<\/li>\n<li><strong>Report it.<\/strong>\u00a0Forward suspicious messages to spam@xmission.com so we can investigate and take appropriate action.<\/li>\n<li><strong>Trust your spam folder.<\/strong> If a message says it\u2019s from XMission but landed in your junk\/spam folder, there\u2019s probably a good reason.<\/li>\n<\/ol>\n<h2 style=\"border-bottom: 0; margin-bottom: 0; padding-bottom: 0; margin-top: 1.5em;\"><strong>Enable security features<\/strong><\/h2>\n<p>If you&#8217;re using Zimbra webmail, here are two things you can do right now to strengthen your account security:<\/p>\n<ul>\n<li><strong>Enable Two-Factor Authentication (2FA):<\/strong>\u00a0Go to your account settings and\u00a0<a href=\"https:\/\/wiki.xmission.com\/Zimbra_Two-Factor_Authentication\" target=\"_blank\" rel=\"nofollow noopener noreferrer nofollow noopener noreferrer\">configure 2FA<\/a>. This will prevent your account from being accessed and used in future phishing campaigns, even if your password is compromised.<\/li>\n<li><strong>Enable the &#8216;spamheaders&#8217; Zimlet:<\/strong>\u00a0In Zimbra webmail, visit your Preferences, navigate to the\u00a0<strong>Zimlets<\/strong>\u00a0tab, and enable the\u00a0<strong>spamheaders<\/strong>\u00a0zimlet. This will help you see diagnostic headers and better evaluate suspicious messages.<\/li>\n<\/ul>\n<h2 style=\"border-bottom: 0; margin-bottom: 0; padding-bottom: 0; margin-top: 1.5em;\"><strong>What we\u2019re doing<\/strong><\/h2>\n<p>Our administration team is tracking these campaigns closely. We&#8217;re blocking domains, reporting abuse to registrars, and updating our filters in real time. But the most effective protection still comes from <strong>vigilant users<\/strong>\u00a0who know what to look for.<\/p>\n<p>We don&#8217;t send many emails specifically for our end-clients on our email platforms, so if you receive something claiming to be from us, and it seems off, <strong>trust your instinct and check with us.<\/strong><\/p>\n<p>And trust that we&#8217;re just as frustrated as you are.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>They&#8217;re getting smarter: Phishing attacks are now targeting XMission&#8217;s identity Over the past several months, we&#8217;ve seen a dramatic rise in phishing emails targeting XMission customers. Not from random overseas scam operations, but from threat actors who are mimicking XMission&#8217;s\u00a0branding, tone, and even our past support language. These aren&#8217;t your typical typo-riddled scams. They use [&hellip;]<\/p>\n","protected":false},"author":36,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[253,610,719,3,352,702,39],"tags":[464,796,501],"class_list":["post-6440","post","type-post","status-publish","format-standard","hentry","category-email-2","category-multi-factor-authentication","category-phishing","category-security-safety","category-system-administration","category-technical-support","category-zimbra","tag-no-spam","tag-phising-protection","tag-zimbra"],"_links":{"self":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts\/6440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/comments?post=6440"}],"version-history":[{"count":20,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts\/6440\/revisions"}],"predecessor-version":[{"id":6468,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts\/6440\/revisions\/6468"}],"wp:attachment":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/media?parent=6440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/categories?post=6440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/tags?post=6440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}