I almost got scammed today | Hendrik Erz


The internet is full of scammers, and their most beloved tool is email. Therefore, whenever you receive an unsolicited email, you should think carefully about whether to reply at all. But even with many years of experience and after doing proper research, scammers can get you. Let me today share an episode where I almost got scammed myself.


I would describe myself as a very knowledgeable person when it comes to internet things. I gathered my first experiences with it as a teenager and have stayed online for most of my life. Additionally, since I am very interested in the more technical parts of the internet, I also like to acquire in-depth knowledge about the soft- and hardware of the internet. And, since I’m a sociologist, I’m also very intrigued by the social interactions the internet facilitates.

However, even though I would argue that I am very well-versed in avoiding scams, spammers, and phishing attempts, I am also not infallible. Therefore, let me share with you one episode from today to help you avoid those people, because we all are potential targets for shady schemes as long as we are logged in.

The Incident

First some background. As you may know by now, I’m the project lead for the Markdown editor Zettlr, and as such I also have registered a domain for it: www.zettlr.com.

On the very day that domain became available on the internet, I already started to receive swathes of spam mails, which is another episode that I’ll dedicate a separate article to in the future. But back to topic.

Even though Zettlr is not a company, its name is kind of a trademark. Therefore, if someone else across the globe were to also market a product called “Zettlr”, this could become a real problem for the users of the app who cannot be expected to know that there might be scammers out there. Just imagine if someone copied the Zettlr website and hosted it on, for example, zettlr.fm — people would potentially download malware because the “fm” in the address bar of the browser instead of the correct “com” would be almost impossible to spot.

Therefore, I was alerted when I received the following email yesterday:

(Please kindly forward this to your CEO, because this is urgent. If you believe this has been sent to you in error, please ignore it. Thanks)

Dear CEO,

We are the domain name registration service company in China. On April 26, 2022, we received an application from Hongmei Ltd requested "zettlr" as their internet keyword and China (CN) domain names (zettlr.cn, zettlr.com.cn, zettlr.net.cn, zettlr.org.cn). But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?

Best Regards
Jeff Liu

A couple of things to note about this email. First, the language is not correct English, but since it was transparently sent by a non-native speaker, this should not arouse suspicion. Also, the email address was fine, and the email provided a very convincing email signature.

I googled the company and everything fit together. The only thing that made me a little suspicious was that the person was referring to April 26th as the date on which that registrar received the request to register those domains. I converted the time I received this email (about 9pm) from Central European Summer Time (CEST) to China Standard Time (CST), which is eight hours ahead of Greenwich Mean Time (GMT). This means that the email must’ve been sent at 3 in the morning for the person writing. It seemed a little bit odd, but I mean I also know people sending out mails at night (*tries not to look into the mirror*).

Also, since the email arrived at the public email address, there was no danger of it ending up in even more spam lists than it is probably already listed on. So I replied out of curiosity:

Dear Jeff Liu,

thank you for bringing this to our attention. Indeed, Zettlr is the brand name of our app. We have never heard of a company called Hongmei Ltd. We do not have any business relationships with this company.

However, we do have a large user base in China, and as such, it might easily confuse them if another company unaffiliated with us uses this name. Users might visit zettlr.cn or zettlr.com.cn and expect our homepage which is hosted at zettlr.com, but see a completely different website.

Does this company have a product called “Zettlr” at all? Because if not, this almost sounds like an attempt to fool users who expect to download our application — in the best case simply to collect ad-revenue, in the worst case to provide malware.

What procedure do you suggest in this case?

Best regards,

As you can see, I was already plainly aware of the potential ways of scamming my users, but didn’t yet consider that the email itself could be a scam.

At the same time, I knew that I would not purchase those .cn-domains. So there were two ways in which this could play out: either the registrar is nice and just doesn’t allow this likely non-existent company to buy the specific names, or they would do it anyway but my protest would have been noted at least.

In order to prepare my users (especially in China), I tweeted an announcement that they should be careful and make sure to actually go to zettlr.com, and not to zettlr.cn or anything else:

Such a warning is always important and correct – independent of the scam I received! Since anyone can register any domain name if they want to, it is always good practice to remind people to make sure they are actually visiting zettlr.com and not any other website.
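The "make sure it is really zettlr.com" rule, written as a link check (an added example, not code from the original post or from the Zettlr project). It puts a substring match next to a comparison of the parsed hostname; the sample hosts other than zettlr.com, zettlr.fm and the .cn names from the email are constructed, and the https requirement is an assumption.

```javascript
// Added example, not Zettlr code. zettlr.com, zettlr.fm and the .cn names
// come from the post; every other host below is constructed.
const OFFICIAL_DOMAIN = "zettlr.com";

// Weak check: substring match passes anything that merely contains the name.
function naiveIsOfficial(link) {
  return link.includes(OFFICIAL_DOMAIN);
}

// Strict check: parse the URL and compare the hostname itself, so only
// zettlr.com and its subdomains pass.
function isOfficial(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return false; // not a parseable absolute URL
  }
  // Assumption: the official site is only ever linked over https.
  if (url.protocol !== "https:") return false;
  // The URL parser lowercases the host and turns non-ASCII names into
  // punycode (xn--...), so look-alike characters never compare equal.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  return host === OFFICIAL_DOMAIN || host.endsWith("." + OFFICIAL_DOMAIN);
}

// Constructed sample links.
const SAMPLES = [
  "https://zettlr.com/download",
  "https://www.zettlr.com/",
  "https://zettlr.cn/download",
  "https://zettlr.com.cn/download", // starts with the real name
  "https://zettlr.fm/",
  "https://zettlr.com.example.net/", // real name used as a subdomain label
  "https://example.net/?ref=zettlr.com", // real name only in the query
  "https://zettlr.com@example.net/", // real name in the userinfo part
  "http://zettlr.com/",
];

// Returns one row per link with the verdict of both checks.
function audit(links) {
  return links.map((link) => ({ link, naive: naiveIsOfficial(link), strict: isOfficial(link) }));
}

for (const row of audit(SAMPLES)) {
  console.log(`${row.strict ? "OK    " : "REJECT"} naive=${row.naive} ${row.link}`);
}
```

The substring check accepts zettlr.com.cn and three other foreign hosts; the hostname comparison accepts only the two genuine links.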

Relatively quickly after sending out my reply, I got another email from a different domain (specifically: from the domain of a large Chinese media corporation) with these contents:

To whom it concerns,

We will register the China domain names "zettlr.cn" "zettlr.com.cn" "zettlr.net.cn" "zettlr.org.cn" and internet keyword "zettlr" and have submitted our application. We are waiting for Mr. Jeff Liu's approval. These CN domains and internet keyword are very important for us to promote our business in China. Although Mr. Jeff Liu advised us to change another name, we will persist in this name.

Kind regards

So … alright? Now I became definitely suspicious. Even though it seems very reasonable that someone may – for benign or malicious reasons – register those domains, it seems very unreasonable that (a) whoever that is would insist on their choice this much and (b) that whoever that is would actually go and contact me directly.

Fortunately, I didn’t have to do anything to receive an additional reply this morning:

Dear Hendrik,

Based on your company having no relationship with them, we have already suggested that they should choose another name to avoid this conflict, but they persist in this name as China domain names (zettlr.cn, zettlr.com.cn, zettlr.net.cn, zettlr.org.cn) and internet keyword. In our opinion, maybe they do the similar business as your company then register it to promote their company.

As is known to all, the domain name registration based on the international principle is opened to company and individual. Any company or individual have the right to register any domain name and internet keyword which are unregistered. Your company haven't registered this name as China domain names and internet keyword, so any company is able to obtain them by registration. But in order to avoid this conflict, the trademark or original name owner have priority right to register China domain name and internet keyword during our dispute period. If your company is the original owner of this name and want to register these China domain names (zettlr.cn, zettlr.com.cn, zettlr.net.cn, zettlr.org.cn) and internet keyword to prevent anybody from using them, please inform us. We can send you an application form with price list to help your company register these China domain names and internet keyword during our dispute period if you want to register them.

Best Regards

How nice of them: If I want to, I could just purchase the domain names prior to them, snatching the precious domain names from that fantasy company and assert my dom(a)inance!

As I already mentioned, I never had any intention to register any Chinese domain names. And after this email, I knew that I was being scammed, so I did not reply to that email. We’ll see if they will come at me with some email warning me that their “dispute period” is coming to an end. They probably will.

After the email, I went on the internet because I was interested in what this “internet keyword” thing was that they refer to. And, the internet did not disappoint me. The first result was actually on the website from which I received the original email, but the second link brought me to an old forum thread from 2008 where people already warned that this is a scam. The third result brought me to a blog that also publicized their conversation with the scammers. It is almost sad to see that my scammers (if they are different people) just copied and pasted the same email instead of becoming creative and varying the email’s text.

Lessons Learned

So what did we learn today? First, the internet is, just as much as in its early days, a swamp of scammers who try to get your money. And we learned that no matter how much you know about scamming tactics, there is always a non-zero probability that they will get you.

Additionally, I had been warned: Apple Mail had already flagged the emails as junk. However, since my spam filter is sometimes overly eager, I had learned that not all emails that are flagged as spam are actual spam. Today I learned that the spam filter is apparently better than I think it is. To be clear: The email was extremely convincing and it is absolutely important not to deduce that “flagged as spam” always means “actual spam”.

I would like to add another point that is very relevant to you, especially if you do not have a public email address listed on some website. The email reached me via info@zettlr.com, which is also publicly listed on the Zettlr website. Therefore, for me it was very harmless to just reply to see what they would do next.

The reason is that spammers generally follow a two-step verification process to see if they can actually spam you with viagra ads: First, they will send an email with a very harmless request to a long list of email addresses that they have harvested from the internet. If that does not result in an error, the chances are good that the email address is actually registered. But the second step is that they want you to reply to that email. Because if you reply, they not only know that the email address is registered, but also that there is someone monitoring it. There are many email addresses out there that have simply been abandoned and there is no gain if you are either talking to an automated system, or sending emails to an abandoned mailbox.

Therefore, if you receive potential spam: Never reply to such emails!!! I was able to reply because the info-address is likely already on every spam-list conceivable as it is public. For me, the worst that could happen is that I have to just de-register the email address for a few weeks until the spam stops, before re-registering it. But you don’t have that option with a private email address that your friends and family need to contact you.

This is the reason why I am only listing my work email here on this website. If you text me and I believe you are not a scammer, I will reply from my private email to you instead of my work mail.

Conclusion

This is just a very small part of the amount of “business collaboration requests”, “app development requests” or whatnot else I receive every week via the public email address. But I thought I would share it with you, first because I haven’t been that close to actually falling for some scam in years, and second because I can use this to give you an insight into how scammers can also get you.

Maybe, if I find the time, I can collect a proper list of ways for you to make sure that you are not being scammed with real examples from my junk mailbox. Until then, always remember: If in doubt, simply don’t reply.
