When the Email IS Real: How Scammers Hijack Brands You Trust
The Nordstrom crypto scam passed every email security check. Here's why "check the sender" is no longer enough.
The Email That Broke Every Rule
It was a crypto scam.
The email, disguised as a St. Patrick's Day promotion, promised to "send you right back 200% of the amount you sent" in cryptocurrency. BleepingComputer reported that the breach occurred via an Okta SSO → Salesforce Marketing Cloud compromise, allowing attackers to send scam emails through Nordstrom's legitimate email infrastructure. The scammer's wallets accumulated over $5,600 before takedown. Some recipients noted the emails reached addresses never publicly exposed — suggesting a system-level breach, not a mailing list scrape. The only visible red flag? A single misspelling: "Normstorm" instead of "Nordstrom" in the email headers.
- Email came from a verified brand address that passed all authentication checks
- Misspelling of the brand name (Normstorm instead of Nordstrom)
- Cryptocurrency promotion from a retail brand — Nordstrom has no crypto products
- Promise to double your crypto deposit (classic doubling scam language)
- Sent to email addresses not associated with Nordstrom accounts
When a trusted brand suddenly promotes cryptocurrency, investment returns, or anything outside their normal business — that's your red flag, regardless of whether the email looks "real."
Why "Check the Sender" No Longer Works
That advice is now dangerously outdated.
Modern businesses use complex email infrastructure: marketing platforms like Salesforce Marketing Cloud, HubSpot, SendGrid, and Mailchimp that are authorized to send email on the company's behalf. That authorization is exactly what makes the authentication checks pass. The platform's sending servers are listed in the company's SPF record, the platform signs outgoing mail with DKIM keys published under the company's domain, and DMARC is satisfied because both align with the From address. When an attacker takes over an account on one of these platforms, everything they send passes the same checks as a genuine campaign. The result: scam emails that are technically indistinguishable from legitimate marketing.
Nordstrom isn't an isolated case. A campaign dubbed PoisonSeed has been systematically targeting CRM and bulk email providers — Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho — to hijack corporate email infrastructure for crypto phishing. In March 2025, Akamai's own SendGrid account was compromised, sending Coinbase-themed scam emails from a genuine @akamai.com address. By January 2026, the campaign had expanded to target 4,768 organizations across the US, UK, Germany, and other countries. Similar attacks recently hit Betterment and GrubHub.
How to Spot a Brand Infrastructure Attack
- A brand promoting something outside their core business (retail store → crypto, airline → investment opportunity)
- Any request involving cryptocurrency, wire transfers, or gift cards
- Promises of guaranteed returns, doubling, or free money
- Misspellings of the brand's own name (this happens because attackers often template across multiple brands)
- Urgency that doesn't match the brand's normal tone (Nordstrom doesn't do "ACT NOW" promotions)
- Links that go to domains unrelated to the brand (even if the email itself is from the brand)
- The email went to an address you've never used with that brand
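To make the point concrete, the following is an added example (not code from the original post or from ScamSignal) of the checks that still work when authentication does not help. It parses a raw message, reads the Authentication-Results header that the receiving mail server stamped on it, and then applies the content and link checks from the list above: links to a domain other than the sender's, crypto and doubling language, urgency, and a display name that is close to but not the brand's real name. Both sample messages, the domains example-brand.com and example.org, the keyword lists and the 0.6 similarity threshold are constructed for the example.

```python
"""Added example (not from the original post or ScamSignal): a message that
passes SPF, DKIM and DMARC can still be a scam. The function reads the
Authentication-Results header, then applies the content and link checks
described above. Both sample messages and all domains are constructed."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed scam message: sent through an authorized marketing platform,
# so every authentication check passes, but the content is a doubling scam.
SCAM_EMAIL = """\
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=bounce.example-brand.com;
    dkim=pass header.d=example-brand.com;
    dmarc=pass header.from=example-brand.com
From: "Normstorm" <promotions@example-brand.com>
To: customer@example.net
Subject: St. Patrick's Day Crypto Giveaway
Content-Type: text/plain; charset=utf-8

Send any amount of BTC and we will send you right back 200%
of the amount you sent. ACT NOW: https://lucky-giveaway.example.org/claim
"""

# Constructed legitimate message from the same brand, for comparison.
LEGIT_EMAIL = """\
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=bounce.example-brand.com;
    dkim=pass header.d=example-brand.com;
    dmarc=pass header.from=example-brand.com
From: "Nordstrom" <promotions@example-brand.com>
To: customer@example.net
Subject: Spring shoe sale
Content-Type: text/plain; charset=utf-8

Spring shoe sale: 20% off this week at https://www.example-brand.com/sale
"""

# Keyword lists are deliberately small and are an assumption of this example.
CRYPTO_RE = re.compile(r"\b(btc|bitcoin|eth|ethereum|crypto(currency)?)\b", re.I)
DOUBLING_RE = re.compile(r"(200%|\bdouble\b|\b2x\b|send you (right )?back)", re.I)
URGENCY_RE = re.compile(r"\b(act now|urgent|immediately|limited time)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def auth_results(msg) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from the header."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def off_domain_links(body: str, from_domain: str) -> list:
    """Link hosts that are neither the From domain nor a subdomain of it."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and host != from_domain and not host.endswith("." + from_domain):
            hosts.append(host)
    return hosts


def brand_name_suspicious(display: str, expected_brand: str) -> bool:
    """Display name that is close to, but not, the brand's real name."""
    a, b = display.strip().lower(), expected_brand.lower()
    if not a or a == b or b in a:
        return False
    return SequenceMatcher(None, a, b).ratio() >= 0.6  # threshold is an assumption


def analyze(raw: str, expected_brand: str) -> dict:
    """Authentication verdict next to content flags; the two are independent."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    for host in off_domain_links(body, from_domain):
        flags.append(f"off-domain link: {host}")
    if CRYPTO_RE.search(body) or DOUBLING_RE.search(body):
        flags.append("crypto/doubling language")
    if URGENCY_RE.search(body):
        flags.append("urgency language")
    if brand_name_suspicious(display, expected_brand):
        flags.append("brand name misspelled in display name")
    return {
        "auth": auth,
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "flags": flags,
    }


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        result = analyze(raw, "Nordstrom")
        print(name, "auth_all_pass =", result["auth_all_pass"], "flags =", result["flags"])
```

Both messages come back with `auth_all_pass` true, which is the whole point: the authentication block looks identical, and only the link and content checks separate the scam from the real promotion. A production filter would use far richer signals, but the structure is the same: treat a passing SPF/DKIM/DMARC result as a statement about the sending server, not about the message.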
Trust the content, not the sender. If a brand you shop at is suddenly asking you to invest in crypto, it doesn't matter that the email "looks real" — the message itself is the red flag.
The Bigger Picture: Why This Will Get Worse
Every major company uses dozens of third-party services that can send email on their behalf. Each service is an attack surface. And because these emails pass every authentication check, they land in your primary inbox — not spam.
We're likely to see this pattern escalate. The next attack won't misspell the brand name. It won't promote something as obviously wrong as crypto from a clothing retailer. It'll be a subtle variation that's much harder to catch.
And it's not just email infrastructure that's being weaponized. A phishing-as-a-service platform called Starkiller, reported by The Hacker News in March 2026, attacks from the other direction: instead of compromising the sender, it impersonates the destination. Starkiller sits in front of the real login page as a reverse proxy, relaying whatever the victim types to the genuine site and capturing credentials and MFA codes in real time. Sold as a subscription service by a threat group called Jinkusu, it represents the commercialization of credential theft at scale.
Together, these two trends, legitimate senders delivering scam content (Nordstrom) and proxied login pages stealing your credentials (Starkiller), mean that both ends of the email chain are now under attack. The sender looks real because it IS real. The login page looks real because its content IS real; the one thing a reverse proxy cannot fake is the address shown in the browser's location bar. Apart from that, the only reliable signal left is the content and intent of the message itself.
This is exactly the kind of evolving threat that ScamSignal's AI analysis is built to detect. Our analysis doesn't just check who sent the email — it analyzes the language, the asks, the links, and the behavioral patterns to catch scams that pass every traditional security check.
What You Should Do Right Now
- <strong>Old rule:</strong> "If the sender is real, the email is safe." → <strong>New rule:</strong> "Even real senders can be compromised. Read the content critically."
- <strong>Old rule:</strong> "Check for the padlock/verified badge." → <strong>New rule:</strong> "Authentication only proves the message was sent by a server that domain authorized; it says nothing about whether the account behind that server was compromised."
- <strong>Old rule:</strong> "Scam emails look sketchy." → <strong>New rule:</strong> "The best scam emails look exactly like real ones, because they ARE sent from real infrastructure."
The moment a message asks for money, crypto, gift cards, or personal information — pause. Paste it into ScamSignal. Our AI analyzes the content and behavioral signals, not just the sender, so it catches brand infrastructure attacks that traditional email security misses.
The Nordstrom crypto scam marks a turning point in email security. When a verified email from a trusted brand can be a scam, "check the sender" is no longer enough. The new rule: trust the content, not the envelope. If a message asks for money or crypto — regardless of who it's from — verify before you act. Paste it into ScamSignal and let AI catch what authentication can't.