When the Email IS Real: How Scammers Hijack Brands You Trust
The Nordstrom crypto scam passed every email security check. Here's why "check the sender" is no longer enough.
The Email That Broke Every Rule
It was a crypto scam.
The email, disguised as a St. Patrick's Day promotion, directed recipients to a cryptocurrency 'doubling' scheme — send us crypto, get double back. The only visible red flag? The email misspelled Nordstrom as 'Normstorm.' That's it. One typo was the only thing standing between a verified brand email and a successful scam.
Some recipients reported the emails went to addresses they'd never used for Nordstrom. This wasn't a simple phishing campaign — it was a compromise of Nordstrom's email infrastructure itself, likely through a third-party integration like Salesforce or Okta.
- Email came from a verified brand address that passed all authentication checks
- Misspelling of the brand name (Normstorm instead of Nordstrom)
- Cryptocurrency promotion from a retail brand — Nordstrom has no crypto products
- Promise to double your crypto deposit (classic doubling scam language)
- Sent to email addresses not associated with Nordstrom accounts
When a trusted brand suddenly promotes cryptocurrency, investment returns, or anything outside their normal business — that's your red flag, regardless of whether the email looks "real."
Why "Check the Sender" No Longer Works
That advice is now dangerously outdated.
Modern businesses use complex email infrastructure — marketing platforms (Salesforce, HubSpot, Mailchimp), identity providers (Okta, Auth0), customer support tools (Zendesk, Intercom), and transactional email services (SendGrid, Amazon SES). Each of these integrations has access to send email as the brand. If any one of them is compromised, the attacker sends email that is technically, cryptographically indistinguishable from the real thing.
This is called a supply chain email attack, and it's one of the hardest scam types to detect because every traditional security signal says the email is legitimate.
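The SPF record is where a brand grants each of those integrations the right to send as its domain, so walking its include: chain enumerates exactly that attack surface. The script below is an added example, not code from the article or any vendor: DNS_TXT is a constructed table of TXT records with placeholder domain names, standing in for the live DNS lookups an audit of your own domain would make.

```python
"""Walk a domain's SPF record to list every party authorised to send as the brand.

Added example (not from the article or any vendor). DNS_TXT is a constructed
table of TXT records with placeholder domains; a live audit would replace the
dict lookup with a DNS query.
"""
import re

DNS_TXT = {
    # The brand delegates to a marketing platform, a support tool and a
    # transactional mail service, plus one address range of its own.
    "brand.example": ("v=spf1 include:_spf.marketing-saas.example "
                      "include:mail.support-saas.example "
                      "include:transactional-saas.example ip4:203.0.113.0/24 -all"),
    # Vendors split their own records further; every hop is another DNS lookup.
    "_spf.marketing-saas.example": ("v=spf1 include:_spf1.marketing-saas.example "
                                    "include:_spf2.marketing-saas.example ~all"),
    "_spf1.marketing-saas.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "_spf2.marketing-saas.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "mail.support-saas.example": "v=spf1 redirect=_spf.support-saas.example",
    "_spf.support-saas.example": "v=spf1 ip4:192.0.2.0/24 a mx -all",
    "transactional-saas.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    # A deliberately weak constructed record for the audit to flag.
    "sloppy.example": "v=spf1 include:brand.example +all",
}

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 s4.6.4 allows ten.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def resolve_spf(domain: str, txt: dict[str, str] = DNS_TXT) -> dict:
    """Follow include: and redirect= recursively and summarise what the record grants."""
    result = {"delegated": set(), "networks": set(), "lookups": 0, "all_qualifier": None}
    seen = set()

    def walk(name: str) -> None:
        if name in seen:                       # include loops are a misconfiguration
            return
        seen.add(name)
        record = txt.get(name, "")
        if not record.lower().startswith("v=spf1"):
            return
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            term = term.lstrip("+-~?")
            parts = re.split(r"[:=]", term, maxsplit=1)
            mech = parts[0].split("/")[0].lower()      # strip a CIDR suffix such as a/24
            value = parts[1].lower() if len(parts) > 1 else ""
            if mech in LOOKUP_TERMS:
                result["lookups"] += 1
            if mech in ("include", "redirect"):
                result["delegated"].add(value)  # a third party that may send as the brand
                walk(value)
            elif mech in ("ip4", "ip6"):
                result["networks"].add(value)
            elif mech == "all" and name == domain:
                result["all_qualifier"] = qualifier  # only the root's default matters

    walk(domain.lower())
    return result


def audit_spf(domain: str, txt: dict[str, str] = DNS_TXT) -> list[str]:
    """Findings a defender would act on: a permissive default or too many lookups."""
    r = resolve_spf(domain, txt)
    findings = []
    if r["all_qualifier"] == "+":
        findings.append("+all authorises any host on the internet to send as this domain")
    elif r["all_qualifier"] in ("~", "?"):
        findings.append("soft or neutral default; receivers will not reject unauthorised senders")
    if r["lookups"] > 10:
        findings.append(f"{r['lookups']} DNS lookups exceed the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    r = resolve_spf("brand.example")
    print(f"{len(r['delegated'])} delegated records, {len(r['networks'])} networks, "
          f"{r['lookups']} DNS lookups, default {r['all_qualifier']}all")
    for d in sorted(r["delegated"]):
        print("  can send as brand.example:", d)
    print("sloppy.example:", audit_spf("sloppy.example"))
```

Every entry in `delegated` is an organisation whose compromise lets mail pass SPF for the brand; DKIM delegation (vendor-controlled selectors under the brand's domain) widens the same set. The audit findings only cover the record's own hygiene, which is why the output for a well-formed record like the constructed brand.example is empty even though six third parties can send as it.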
How to Spot a Brand Infrastructure Attack
- A brand promoting something outside their core business (retail store → crypto, airline → investment opportunity)
- Any request involving cryptocurrency, wire transfers, or gift cards
- Promises of guaranteed returns, doubling, or free money
- Misspellings of the brand's own name (this happens because attackers often template across multiple brands)
- Urgency that doesn't match the brand's normal tone (Nordstrom doesn't do "ACT NOW" promotions)
- Links that go to domains unrelated to the brand (even if the email itself is from the brand)
- The email went to an address you've never used with that brand
Trust the content, not the sender. If a brand you shop at is suddenly asking you to invest in crypto, it doesn't matter that the email "looks real" — the message itself is the red flag.
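The signals listed above only matter once authentication has already passed, so the check has to read the Authentication-Results verdict and then keep going into the content. The script below is an added example, not ScamSignal's product or code from the article: the brand name and its "Normstorm" misspelling are the ones the article reports, while the domains, headers and body of the sample message are constructed placeholders.

```python
"""Content-level checks on a brand email whose SPF/DKIM/DMARC all pass.

Added example (not ScamSignal's code). The brand name and misspelling come from
the article; the domains, headers and body below are constructed placeholders.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample: authenticated for the brand's (placeholder) domain, yet it
# carries every content signal the article lists.
SAMPLE_EMAIL = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.brand.example;
 dkim=pass header.d=brand.example;
 dmarc=pass header.from=brand.example
From: Normstorm <news@brand.example>
To: customer@receiver.example
Subject: ACT NOW - St. Patrick's Day crypto bonus!
Content-Type: text/plain; charset="utf-8"

Celebrate with Normstorm! Send any amount of Bitcoin to our promo wallet
and we will send double back within the hour. Offer ends tonight.
Claim here: https://crypto-promo.example/claim
"""

CRYPTO_TERMS = re.compile(
    r"\b(bitcoin|btc|ethereum|crypto(?:currency)?|wallet|wire transfer|gift cards?)\b", re.I)
DOUBLING_TERMS = re.compile(r"\b(doubl(?:e|ing)|guaranteed returns?|free money)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(act now|ends tonight|within the hour|immediately|last chance)\b", re.I)


def auth_results(msg: Message) -> dict[str, str]:
    """Read the spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601)."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()))


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'Normstorm' is 2 edits from 'Nordstrom' (d->m, then swap 'ro'->'or')."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def brand_misspellings(text: str, brand: str, max_distance: int = 2) -> set[str]:
    """Words that are near-misses of the brand name, the residue of cross-brand templating."""
    hits = set()
    for word in set(re.findall(r"[A-Za-z]+", text)):
        if abs(len(word) - len(brand)) > max_distance or word.lower() == brand.lower():
            continue                       # cheap length filter before the O(n*m) distance
        if osa_distance(word, brand) <= max_distance:
            hits.add(word.lower())
    return hits


def off_brand_links(text: str, brand_domain: str) -> set[str]:
    """Link hosts that are neither the brand domain nor a subdomain of it."""
    brand_domain = brand_domain.lower()
    hosts = {urlparse(u).hostname for u in re.findall(r"""https?://[^\s<>"']+""", text)}
    return {h for h in hosts if h and h != brand_domain and not h.endswith("." + brand_domain)}


def analyse(raw_email: str, brand: str, brand_domain: str) -> dict:
    """Combine the authentication verdict with the content signals."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""  # sample is text/plain
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    auth = auth_results(msg)
    return {
        "authenticated": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "misspellings": brand_misspellings(text, brand),
        "crypto": bool(CRYPTO_TERMS.search(text)),
        "doubling": bool(DOUBLING_TERMS.search(text)),
        "urgency": bool(URGENCY_TERMS.search(text)),
        "off_brand_links": off_brand_links(text, brand_domain),
    }


def verdict(result: dict) -> str:
    """Two or more content signals outweigh a clean authentication result."""
    signals = [bool(result["misspellings"]), result["crypto"], result["doubling"],
               result["urgency"], bool(result["off_brand_links"])]
    if sum(signals) >= 2:
        return "suspicious (despite passing authentication)" if result["authenticated"] else "suspicious"
    return "no content flags"


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL, brand="Nordstrom", brand_domain="brand.example")
    for key, value in report.items():
        print(f"{key}: {value}")
    print(verdict(report))
```

The authentication result is deliberately reported rather than used as a gate: for a compromised integration it will read pass, and the decision rests on the content signals alone. The keyword lists are short by design; the structure (verdict, near-miss brand name, off-brand link hosts, off-brand asks) is what carries over to a real filter.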
The Bigger Picture: Why This Will Get Worse
Every major company uses dozens of third-party services that can send email on their behalf. Each service is an attack surface. And because these emails pass every authentication check, they land in your primary inbox — not spam.
We're likely to see this pattern escalate. The next attack won't misspell the brand name. It won't promote something as obviously wrong as crypto from a clothing retailer. It'll be a subtle variation that's much harder to catch.
This is exactly the kind of evolving threat that ScamSignal's AI analysis is built to detect. Our analysis doesn't just check who sent the email — it analyzes the language, the asks, the links, and the behavioral patterns to catch scams that pass every traditional security check.
What You Should Do Right Now
- Old rule: "If the sender is real, the email is safe." → New rule: "Even real senders can be compromised. Read the content critically."
- Old rule: "Check for the padlock/verified badge." → New rule: "Authentication only proves the email came from that domain — not that the domain wasn't compromised."
- Old rule: "Scam emails look sketchy." → New rule: "The best scam emails look exactly like real ones, because they ARE sent from real infrastructure."
The moment a message asks for money, crypto, gift cards, or personal information — pause. Paste it into ScamSignal. Our AI analyzes the content and behavioral signals, not just the sender, so it catches brand infrastructure attacks that traditional email security misses.
The Nordstrom crypto scam marks a turning point in email security. When a verified email from a trusted brand can be a scam, "check the sender" is no longer enough. The new rule: trust the content, not the envelope. If a message asks for money or crypto — regardless of who it's from — verify before you act. Paste it into ScamSignal and let AI catch what authentication can't.