I Built This for My Mom — Then It Saved Me
A phishing email from someone I know and trust, sent through a legitimate service, with perfect formatting. I almost clicked.
I Started Building ScamSignal for My Mom
That's why I started building ScamSignal — a tool where anyone can paste a suspicious message and get an instant, plain-English answer: safe or scam. No jargon, no complicated steps. Just reassurance when you need it most.
I thought I was building it for her generation. For people who didn't grow up with the internet. For the Dorothys of the world — kind, trusting people who deserve better than to be preyed on by criminals.
I was wrong about who needed it.
The Email That Changed Everything
The email looked completely real:
• From: his real, personal Gmail address
• Mailed-by: gmail.com (legitimate)
• Signed-by: gmail.com (legitimate)
• Security: Standard TLS encryption
• Service: Punchbowl — a real, legitimate invitation platform
• Formatting: Perfect. Punchbowl branding, proper footer, working unsubscribe link.
The email body read:
"You're invited! Please click on the invitation to see more details and to RSVP.
Friends & Family Party!
Friday, March 20, 2026
7:00pm
[Open your invitation]"
Everything checked out. Real sender. Real service. Real person I know personally. I was about to click.
- The invitation came from a real person's compromised Gmail account
- Sent through a legitimate service (Punchbowl), making it pass all standard email authentication checks
- SPF, DKIM, and TLS all showed as valid — because the email WAS sent through Gmail
- BCC'd to recipients, hiding the fact it was sent to many people simultaneously
When a known contact sends you something unexpected — especially an invitation or link you weren't anticipating — reach out to them directly through a different channel (text, phone call) to confirm they actually sent it. A compromised account sends real-looking messages because it IS a real account.
The Trap Behind the Button
The tool I was literally building at that moment flagged it immediately.
The "Open your invitation" button didn't go to Punchbowl. It went to snvtraders.com/kkhk/ — a credential harvesting page disguised as a Google security check. The page displayed:
"Browser verification
Please complete the security check to continue
Security check
Please complete this security check to access Google
[I'm not a robot] reCAPTCHA
Protected by Google Security
Request ID: 4e923da7eb6841b3baf507ad6af92ff9"
It looked exactly like Google's real security verification — the Google logo, reCAPTCHA widget, "Protected by Google Security" footer, even a fake request ID for authenticity. But the domain was snvtraders.com. Once you complete the fake "security check," the page captures your Google credentials — your email, your password, your entire digital identity.
- The link destination (snvtraders.com) had nothing to do with Punchbowl or Google
- A fake Google 'Browser verification' page — Google does not require security checks to view party invitations
- A fake reCAPTCHA widget designed to feel routine and harmless
- A fabricated 'Request ID' to create false legitimacy
Always check the URL bar before entering any credentials. If you clicked a link expecting a party invitation and landed on a Google login page, something is very wrong. Close the tab immediately. If the domain in the URL bar doesn't match exactly what you expected (google.com, punchbowl.com, etc.), you are on a phishing page.
Why This Scam Is Different — and Terrifying
This attack used a real person's compromised Gmail account to send messages through a legitimate third-party service. That means:
• Every email authentication check passed (SPF, DKIM, TLS) — because the email was sent from Gmail
• Spam filters didn't catch it — because Punchbowl is a legitimate service
• The formatting was perfect — because it used Punchbowl's actual email template
• The sender was someone I know — because it was their account
The only thing wrong with this email was a single link destination buried inside a button. Everything else was indistinguishable from a real invitation.
This is where phishing is headed in 2026. The days of obvious scam emails are over. Attackers are compromising real accounts, leveraging real services, and producing messages that even security-conscious people cannot distinguish from legitimate communication at a glance.
- Compromised accounts bypass every standard email security check
- Legitimate third-party services (Punchbowl, Evite, Calendly) can be weaponized as delivery vehicles
- Perfect formatting because the scam uses the real service's actual email templates
- Targeting someone's real contacts makes the social engineering nearly impossible to detect
Accept that email authentication (SPF, DKIM) only proves WHERE an email was sent from — not whether the account owner actually sent it. A compromised account passes every check. Your best defense is behavioral: was this expected? Does the link go where it should? When in doubt, verify with the sender directly.
I Thought I Was Building This for My Mom
Then I — the person literally building an AI-powered scam detection tool — almost fell for a phishing email.
That's the moment I realized: the threat model is universal. This isn't a tool for our parents. It's a tool for everyone. A sophisticated attack that spoofs a real executive's personal Gmail, uses a legitimate invitation service as cover, passes every email authentication check, and presents a pixel-perfect fake Google security page — that fools most people regardless of age or technical ability.
Phishing and scams have gotten so good that we should be checking anything and everything. That's how bad this has become. Checking a suspicious message isn't paranoia — it's hygiene. Like washing your hands.
What You Should Do Right Now
Check before you click. If you receive an unexpected invitation, link, or attachment — even from someone you know — paste it into ScamSignal before clicking. It takes five seconds and it might save your Google account, your bank login, or your identity.
Verify through a different channel. If your cousin sends you an unexpected party invite, text them: "Hey, did you just send me a Punchbowl invitation?" It takes 10 seconds and it would have caught this attack immediately.
Watch the URL bar. If you click a link expecting a party invitation and see a Google login page, close the tab. Google does not require security verification to view a Punchbowl invitation.
Enable two-factor authentication. If my cousin had 2FA on his Gmail, this attack likely wouldn't have happened. Enable it today on every account that supports it — especially your email.
Assume any account can be compromised. Your friend's email, your colleague's calendar invite, your family member's social media DM. If it contains a link and you weren't expecting it, verify before you click.
Try ScamSignal free — paste any message, email, or screenshot and get an instant verdict. It's the five-second habit that stands between you and the most sophisticated scams of 2026.
I built ScamSignal because my mom kept getting scam texts. While I was building it, I almost fell for a phishing email from my own cousin — a compromised Gmail account, a legitimate invitation service, perfect formatting, every security check passed. The tool I was building caught what I missed. Scams have gotten so sophisticated that checking everything isn't paranoia — it's the new normal. Before you click, check it.
Get notified when we publish updates on this topic
We'll send you one email when new information is available. No spam.
Bank Account Phishing Alert
Fake urgent alerts appearing to come from your bank about suspicious activity, locked accounts, or failed transactions. Bank impersonation is the #1 most common text scam type, accounting for 10% of all smishing messages according to the FTC.
Business Email Compromise (BEC)
Scammers impersonate executives, vendors, or attorneys via email to trick employees into wiring money or redirecting payments. $2.77B in losses across 21,442 complaints in 2024 (FBI IC3) — the 2nd highest loss category. The 'Scripted Sparrow' group alone sent 6.6M automated BEC emails in September 2025.
Social Media Account Takeover
Scammers gain control of your social media accounts through phishing links, fake security alerts, or by tricking you into sharing 2FA codes. Once inside, they impersonate you to friends, post fake investment offers, or sell nonexistent items to your followers.