Dissecting a Phishing Email: How to Spot a Scam Targeting DreamHost Users

Recently, I received a phishing email that attempted to impersonate DreamHost, a hosting provider that I have used before. This email claimed that my domain had been "temporarily deactivated" due to a payment issue and urged me to update my payment method.

In this blog post, I’m going to break down the elements of this phishing email to show you how I identified it as fraudulent and provide actionable tips to help you spot similar scams. Let’s dive in and I'll show you how to remain vigilant against these kinds of scams!

What is Phishing?

Before we dissect the email, let’s define phishing. Phishing is a type of cyberattack where scammers trick individuals into providing sensitive information—like passwords, credit card details, or personal data—by pretending to be a trustworthy entity. These attacks often come via email, text messages, or fake websites that mimic legitimate organizations.

Phishing emails like the one I received are designed to create a sense of urgency, prompting you to act quickly without thinking. But with a little scrutiny, you can spot the red flags. Let’s analyze the email I received, step by step.

Red Flag #1: Fake “From” Email Address

The first telltale sign was the sender’s email address. While the email appeared to come from DreamHost, a quick check of the “From” field revealed that the domain was not dreamhost.com. Scammers often use similar-looking domains (e.g., dreamh0st.com with a zero instead of an “o”) or completely unrelated domains to trick recipients.

Always check the sender’s email address carefully. Legitimate companies will send emails from their official domain. If the domain looks off, don’t trust the email.

Red Flag #2: Suspicious “Update Now” Button Link

One of the most glaring warning signs in this email was the destination of the “Update Now” button. At first glance, the button looks legitimate—it’s styled with a professional blue background and bold white text. However, when I hovered over the link (without clicking!), I saw that it was directed to a suspicious URL.

https://t<REDACTED>.com.br/a1q0w6e7f4t1v5b9n4h5-45s4d5s6a3dq/4a5q2sa4d8za3da/

This URL has no connection to DreamHost. Legitimate links from DreamHost would direct to their official domain, dreamhost.com. Instead, this link points to a suspicious domain with a random string of characters, a common tactic used by scammers to hide their true intentions.

In a virtual machine, I clicked the link just to show where I would have landed had I clicked the link from the email. Fortunately, the site was already flagged as deceptive.

But, what if it wasn't flagged yet? Or what if I chose to go to the site anyway? This is where the site landed:

The scammers likely already took their site down by the time I opened the email, which is why we're seeing this generic "coming soon" page.

Takeaway: Always hover over links in emails (without clicking) to see where they lead. If the URL looks unfamiliar or doesn’t match the company’s official domain, it’s likely a scam.

Red Flag #3: Blank “mailto:” Link for Support Email

At the bottom of the email, there was a link labeled helpdesk@dreamhost.com. This looked like a legitimate support email address at first glance. However, when I hovered over it, the mailto: link was blank, meaning it wouldn’t open an email client or send a message to anyone. This is a subtle but significant clue—real companies include functional contact links in their emails.

Hover over email addresses in suspicious emails to see if they’re functional. A blank or incorrect mailto: link is a sign of phishing.

Red Flag #5: Incorrectly Formatted Phone Number

The email included a phone number for supposed support.

The phone number contained inconsistent formatting—there are no dashes, parentheses, or proper spacing, which is unusual for professional communications. Additionally, the HTML code behind the link showed a different number (partially redacted with "N"s for safety) (tel: 421 2 581 NNN NN), which is likely tied to the scammer’s location or a fake call center. This discrepancy screams “scam.”

Be wary of poorly formatted contact information. Compare it with the official contact details on the company’s website. If it doesn’t match, don’t call or trust it.

Red Flag #6: Sense of Urgency and Threats

The email claimed that my domain had been “temporarily deactivated” due to a payment issue and urged me to update my payment method immediately. It even included a fake deadline (“Link validity until: 2025-04-30”) to create panic. This tactic is a hallmark of phishing—scammers want you to act without thinking.

Be skeptical of emails that pressure you to act urgently, especially if they threaten account suspension or deactivation. Take a moment to verify the situation through official channels before taking action.

Why This Matters

This phishing email was crafted to look convincing at a glance, with professional formatting and branding that mimics DreamHost. However, a closer look revealed multiple red flags that exposed it as a scam. If I had clicked the “Update Now” button, I likely would have been directed to a fake website designed to steal my login credentials or payment information.

Phishing attacks like this are a growing threat. According to the FBI’s 2022 Internet Crime Report, phishing and related scams resulted in billions of dollars in losses worldwide. By learning to spot these scams, you can protect yourself and your organization from becoming a victim.

How to Protect Yourself from Phishing Scams

Here are some actionable steps to stay safe:

1. Verify the Sender: Always check the sender’s email address. If it’s not from the company’s official domain, it’s likely a scam.
2. Hover, Don’t Click: Hover over links to see where they lead before clicking. If the URL looks suspicious, don’t click it.
3. Look for Poor Formatting: Spelling errors, grammatical mistakes, or inconsistent formatting (like phone numbers) are often signs of phishing.
4. Avoid Acting on Urgency: Scammers rely on panic. Take a deep breath and verify the situation through the company’s official website or customer support.
5. Use Two-Factor Authentication (2FA): Enable 2FA on your accounts to add an extra layer of security, even if your credentials are stolen.
6. Report Suspicious Emails: Forward phishing emails to your email provider or report them to organizations like the Anti-Phishing Working Group (APWG) at reportphishing@apwg.org.

Final Thoughts

This phishing email targeting DreamHost users was a stark reminder of how sophisticated cybercriminals can be. By dissecting this email, I hope I’ve shown you how to spot the subtle (and not-so-subtle) signs of a scam. At Cyber Hacktics, we’re committed to raising awareness about cybersecurity threats and helping you stay safe online.

If you found this post helpful, please share it with your network to spread the word about phishing awareness. Together, we can build a safer digital community!