If you’re not quite sure what “phishing” is, review my primer on hacking, phishing, and Phish.
A client of mine got a very realistic looking email last week. At first look, that sure seems real, doesn’t it?
![Email with Dreamhost logo in header. "Your payment method isn't valid. Hello, We couldn't renew one or more items in your account. That's not a big problem as long as you take care of it immediately. Domain Name: [redacted] Renewal Date: March 21, 2021. Renewal Charge: $15.99. Charge Date: March 21, 2021. "Renew Now" orange button](https://mrwweb.com/wp-content/uploads/2021/03/dreamhost-phishing-scam-email.png)
It appears to be from the client’s website host and mentioned the client’s actual domain. This isn’t a laughable Nigerian Prince. In this situation, we got lucky and the “Renew Now” link was broken. Why lucky? Because this email is fake.
How to Recognize a Phishing Email
Here’s how we could tell:

The “Dreamhost Billing Team” is what we’d expect but that is definitely not a Dreamhost email address. In some cases you may find that the email is a little more convincing but still not the same as who you’d expect it from. Look hard!
The second clue was the email’s “Renew Now” link. You can always preview a URL in the lower-left corner of your browser by hovering over it with your cursor or long-pressing it on a phone.

It’s very tiny, but that URL preview is crucial to notice. It does not go to Dreamhost but rather some very long German domain that includes the word “dream”.
I must also mention that in extreme cases, these domains can look exactly like the expected domain but still be fake. Read on for how to protect yourself no matter what.
How to Protect Yourself
So when you get an email from a website host, bank, or really any website, check that the “From” email looks correct and that any links you check go to a trusted domain. But to be extra safe, don’t click those links!
You can never follow a fake link if you don’t click it in the first place. So whenever you get a notification, go directly to the site. You can do that by typing the domain—dreamhost.com—directly into your browser, using a bookmark you setup earlier, or even just searching for the company and following the first non-ad result.
What To Do If You Click a Link
Hopefully you don’t ever need this, but I’d be remiss to skip it.
- If you clicked the link and visited a web page. Run an antivirus scanner.
- If you typed out your password. Change your password immediately for all sites that use it.
Sidenote: This is why using a unique password is good. If it’s compromised, you only have to change your password on one service. - If you entered credit card details. Put a hold on the credit card immediately.
Ever since there have been things of value, there have been people trying to lie, cheat, and steal. So phishing isn’t a new phenomenon, it’s a classic form of deception with the veneer of a $12 domain from GoDaddy. And that means technology won’t keep us safe. Stay vigilant and protect your stuff by closely examining emails and directly visiting the sites you can’t afford to have hacked.