Email today seems to be as rife as ever with a variety of scams and spam strategies. These appear to come in trends as though the scammers and spammers are following fashion. Here we would like to draw attention to a few types currently being circulated to our customers.
WooCommerce Security Patch Scam
This is more than a mere nuisance: it is a serious attempt to con WooCommerce store owners into installing a supposed “security patch”. The “patch” is nothing of the kind but is in fact a malicious plugin which creates a backdoor into the site, allowing hackers to take control of it.
This type of scam has been around before. However, in the example that was reported to us, our client received a highly convincing email containing a link leading to a website hosted on a domain that was almost (but not quite) the same as the official Woo site. This scam site was essentially a complete clone of a genuine page from the real WooCommerce site, but with a link to download the malicious software.
Among the giveaways here were the use of domain names that were close to, but not exact copies of, woocommerce.com (using characters from other alphabets that are hard to spot, for example); the fact that the phishing email was sent to a recipient who is not an administrator of the store and is not registered with WooCommerce or WordPress; and the fact that no such security patch was available from the WooCommerce site itself.
More technical detail about this scam is available at Patchstack. However, since quite some effort has clearly been made to make the phishing email and fake site seem convincing, to the extent of registering domains and creating fake reviews saying “thanks for the patch”, it’s likely this scam will come around again in some form or other, and it is likely to catch the unwary out.
So to emphasise: WooCommerce will make any genuine updates available within the WordPress admin area, not through email. Whatever the topic, it’s well worth double-checking the domains used in email links (without clicking, of course) and the domain name from which the email was actually sent (looking for what can be very minor discrepancies), and treating any such message with extreme scepticism. In other words, bin it.
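To make the “close but not exact” domain check concrete, here is an added example (not code from the original post or from WooCommerce) that inspects the domain of a link before anyone clicks it: it decodes punycode (xn--) labels back to what a mail client would display, flags letters from more than one alphabet in the same name, and measures how close the name is to a domain you actually trust. The trusted list, the sample links and the Cyrillic lookalike are all constructed for the demo.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the reader trusts. woocommerce.com is the real one named in the post;
# wordpress.org is added here as a second entry for the demo.
TRUSTED_DOMAINS = {"woocommerce.com", "wordpress.org"}


def registrable_domain(url: str) -> str:
    """Last two labels of the link's host (adequate for .com/.org lookalikes)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def as_displayed(domain: str) -> str:
    """Turn xn-- (punycode) labels back into the Unicode a mail client renders."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, nothing to decode


def scripts_in(text: str) -> set:
    """Approximate each letter's script from its Unicode name, e.g. 'CYRILLIC SMALL LETTER ES'."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in text if c.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url: str) -> dict:
    """Return a verdict of 'trusted', 'lookalike' or 'unrelated' plus the reasons."""
    raw = registrable_domain(url)
    if raw in TRUSTED_DOMAINS:
        return {"domain": raw, "verdict": "trusted", "reasons": []}
    shown, reasons = as_displayed(raw), []
    if shown != raw:
        reasons.append(f"punycode: displays as {shown!r}")
    scripts = scripts_in(shown.replace(".", ""))
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    # NFKD folds fullwidth/accented letters to ASCII; letters from other scripts drop out,
    # so a one-character swap ends up one edit away from the genuine domain.
    folded = unicodedata.normalize("NFKD", shown).encode("ascii", "ignore").decode()
    for trusted in sorted(TRUSTED_DOMAINS):
        d = edit_distance(folded, trusted)
        if d <= 2:
            reasons.append(f"within {d} edit(s) of {trusted}")
    return {"domain": raw, "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


# Constructed sample links; the second uses a Cyrillic es (U+0441) in place of the Latin c.
SAMPLE_LINKS = [
    "https://woocommerce.com/document/",
    "https://" + "woocommer\u0441e.com".encode("idna").decode("ascii") + "/security-patch",
    "https://wooc0mmerce.com/patch",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(assess_link(link))
```

The same check applies to the domain in the message’s sender address; a “lookalike” verdict is the cue to bin the email rather than open the link.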
IT Help Desk Spam & Scam
In this instance, the spam and scam can overlap. Some of our customers have been reporting receipt of many messages which appear to be an automated response to a request for support from an IT help desk. That is, of course, a request our customers have not made.
These may be phishing attempts or they may be harmless junk, but it should be emphasised, as always, that one should not click any links within these emails. While a nuisance, the bulk of these messages are simply spam, spoofing the sender or copying in dozens of email addresses. They are more likely to have been sent in the hope of catching someone out at random than as a direct attack on a particular user account. With that said, this approach connects to a more worrying type of targeted phishing.
This latter type may well have been used in the recent spate of cyber attacks on major companies. Without knowing the full details, we can only describe a rough scenario that may have occurred. However, in what has been broadly reported in these cases, emails and phone calls purporting to be from an organisation’s IT support team have targeted employees. These users may then have been convinced by the apparent credibility of the person they believed to be a legitimate support worker to disclose their credentials. Obtaining such credentials helped the hackers to access the companies’ systems.
Again, these types of scam have been around for quite some time – “spear phishing” being the name which has evolved for targeted phishing. Examples which we have encountered include fake emails that seemed to have come directly from a company director, asking a named member of staff to transfer money to the hackers’ account. Most people have likely experienced phone calls from “Microsoft IT support”, “bank security” or “your broadband provider” and should know that engaging with these calls can put you at real risk.
Yet the means of contact and exploitation, via social media, chat apps and video calls as well as email and phone, and the use of remote desktop control software, are ever more diverse, and the methods of creating a fake identity to fool the vulnerable (and the not-so-vulnerable, by the sounds of it) are ever more sophisticated. This means vigilance is absolutely critical for any unsolicited contact of this type, where the individual user is the weak point.
M&S Afternoon Tea Prize Scam
Now before we begin, we must of course emphasise that Marks and Spencer are not responsible in any shape or form for this topic, and indeed offer extensive advice on the M&S Bank website on how to guard against such scams, through which scammers exploit the good name and reputation of M&S.
With that said, another scam that has been flooding inboxes goes along these lines. The scam email tells the unsuspecting recipient that they have won an Afternoon Tea Hamper, voucher or other prize from M&S. All that is required is to fill in a short survey online and then pay a small fee for postage or processing. All seems plausible so far, but this request for payment is just an excuse for grabbing card details. Victims of the scam report that no hamper was ever received but that they had, in fact, been signed up to monthly payments for a subscription to a completely unrelated fake service. This can be some bogus “health” website or similar, which the scammer hopes the victim will not spot, like a gym membership one forgot to cancel.
As with the WooCommerce scam above, it is really important to scrutinise where an email has come from. Look at the domain name, and check the actual originating domain, as it is easy to spoof the sender. Is the survey on a domain name you have ever heard of? Is it anything to do with the company that is supposedly offering you the prize? What is the spelling in the email like? Why should you pay to receive a prize?
The bottom line: as M&S state, “We would never contact you via email and ask for your card number, expiry date or CVC”. As the old saying goes, if it seems too good to be true, it probably is.
Steps you can take against email and website scams
Report email scams to report@phishing.gov.uk.
Report scam websites to the National Cyber Security Centre.
Concerned about messages you are receiving via our emails services? Contact us.