The Problem

One of my clients recently noted that some of his clients were getting emails with this content:


Subject: Balance Invoice

would like you to confirm to me the status of your owed and unsettled payment if there is any. Please reply back to us immeditaly with the aggregate amount owed with the corresponding due dates for payment and invoices respectively .

I expect to read your immediate response and compliance to this message and I shall appreciate your obedience accordingly.

A. Real Person
Marketing Manager

[An image of the client’s website header.]

I’m no expert on hackers and what they are up to, but here is what I suspect is going on with these emails:

Scammer Collected Data

The scammer probably has a robot program that scans through websites collecting email addresses and links (this is called a harvester). It creates a database that has the original website, like, with any email addresses it found there, plus the web links to any other websites it found listed on your website. Then it scans the website links it found on your site (like where it repeats the process. Their database would link any emails found on to and vice versa. Once set up, a robot like this can run without any human intervention across millions of websites.

Then, they just build a query from their database that creates and sends an email to all the related emails they found. Only one query is needed for the millions of potential emails that could be sent (involving all the different websites they scanned), and after the query is created the rest is all done without human intervention.

Keeping eMail Addresses From Harvesters

If your WordPress website is set up professionally, it will automatically code email addresses, so a harvester can’t find them. My client’s website is set up this way.

The scammers associated emails with his website when they combed through the websites that he has linked on his site. They know your website is so they can just add “accountant@“ to the front to create that fake email address.

But Why?

One easy thing to do would be to make the email look like it is coming from to the recipient, but when they reply to the message, it actually goes to the scammer. I’m not sure why they ask for the information noted in the email.  They could have an automatic reply set up that asks for other things like credit card info or login info to Again, all without human intervention.

If someone is ignorant enough to give the scammer useful information, that information can be sold to other scammers or used directly.

For a relatively small amount of human effort, they can steal millions of dollars from credit cards. In some cases they might be able to log into a website and use the server to send out more spam emails – at someone else’s expense – or get into the customer database and steal credit card info there. That’s why the websites we develop do not retain any credit card info – all that goes directly to the credit card processor’s servers.

If a scammer can get an administrator’s login to a website, they can take full control and do anything they want with it. Sometimes they leave the website so it works OK, but get into the server and use its computing power to do various bad things – like cause or other major websites to crash.

What to Do

Be sure your WordPress website is protected by the Wordfence Security plugin and has coded email addresses. Wordfence prevents bad actors from doing nasty things to your website. Still, there are no guarantees if some outlaw government decides they want to hack you.

If the scammer actually has the image link to your WordPress header in their database, you can mess with the emails by changing that header file:

  • First, open your website, right click the header graphic, choose open in a new tab and note the URL associated with the original header. That URL will probably match the URL associated with the image in the email.
  • Second, upload your original header again (or whatever image is at the URL in the email), so it gets a different URL. Then replace your old header URL (or the file at the email image’s location) with the new one. If you are using the Divi Theme, look for “Logo” under Divi > Theme Options. You can upload the new header there or paste in the link to it. Your website should now look the same as it always has.
  • Third, redo your header graphic so it looks something like this:

  • Fourth, upload the revised header file, with the same name as the original, to the same location as the original using your FTP software (e.g. Filezilla). That is, replace the original file at the location determined in step 1 with the file as modified in step 3.

New emails coming to your associated email addresses from this scammer will now have this graphic at the bottom instead of your logo.

Beyond that, just train your people to recognize scam emails and promptly delete them. Here are some things that reveal an email to be a scam:

  • When you examine the ‘From’ email address, it doesn’t match what is displayed in the email. You can look at the ‘raw source’ code behind the email via a menu option in your mail software.
  • The content of the email has misspellings (like ‘immeditaly’ above) and/or odd grammar that one might expect from a sender with English as a second language. In the above example, the information request doesn’t make any sense. Why would someone ask for “owed and unsettled payment if there is any”? Further, most correspondents will not ask for your ‘obedience.’
  • When you hover your cursor over a link in the body of the email, the link doesn’t match where you would expect it to go.
  • Notice whether the email is generic or specific. In the example above, it is generic. It doesn’t mention anything about you, about the sender or about the information they want from you. It could go to anyone doing business with any company.
  • Legitimate companies don’t ask for your personal information or login credentials. If they are already doing business with you, they already have the information they need.
  • Look for attachments. Often these emails will include a Word Document (.doc or .docx), an Excel spreadsheet (.xls or .xlsx) or an executable (.exe). These files can contain all kinds of nasty things and set them loose on your computer. Unless you are expecting such a file from someone you know, don’t open it. Even if it is from someone you know, if you aren’t expecting it, don’t open it until you confirm it with them – but not by replying to the email. Scammers, as in the example above, try to make it look like the email is coming from someone you know.
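
Several of the checks above can be run automatically against the ‘raw source’ of a message. The following is an added example, not part of the original post: the function names, the sample message and its .example/.test domains are all constructed for illustration. It flags a displayed address that differs from the real ‘From’ address, replies that would go to a different domain than the apparent sender, and the attachment types listed above.

```python
from email import message_from_string
from email.utils import parseaddr

# Attachment types named in the checklist above.
RISKY_EXT = (".doc", ".docx", ".xls", ".xlsx", ".exe")

# Constructed sample message; the .example/.test domains are placeholders.
SAMPLE = """\
From: "A. Real Person" <accountant@client.example>
Reply-To: collect@mailer.test
Subject: Balance Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please reply with the aggregate amount owed.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Invoice.doc"

constructed placeholder, not a real document
--b1--
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def scam_signs(raw):
    """Return the checklist warning signs found in a raw message."""
    msg = message_from_string(raw)
    signs = []
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # The name shown to the reader is itself an address on another domain.
    if "@" in display and domain_of(display) != domain_of(from_addr):
        signs.append("display name shows a different address than From")
    # Replies would go somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        signs.append("Reply-To domain differs from From domain")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            signs.append("risky attachment: " + name)
    return signs

if __name__ == "__main__":
    print(scam_signs(SAMPLE))
```

An empty result does not mean a message is safe; the wording and link checks in the list above still need a human reader.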