Avoid Email Phishing Scams – Social Engineering

New phishing campaigns are trying to trick WordPress admin users into giving out their username and password so that hackers can take over their sites.

What is email phishing?

Just as it sounds, email phishing is a social engineering trick that throws some “bait” into your inbox to try and reel you in as a fisherman does with fish.

Sometimes the bait (fake email) can look pretty darn authentic too!

WordPress core and many plugins such as WooCommerce, Gravity Forms and others send out email notifications to administrators.

It’s easy to get distracted when you are busy – I’ve fallen into that trap myself in the past.

Types Of WordPress Email Phishing Scams

Database Upgrade

A WordPress site often needs to update its database after an update.

WordPress Database Upgrade Required

Sometimes after an update, you will see the above page asking you to upgrade the database.

The database upgrade is a page on your site and never an email.

Scam emails send you to a link that opens a page which looks like the standard WordPress login page.

The scammers record your username and password and can even log you into your site, so you don’t suspect anything.

Admin Email Correct?

Another WordPress core system notification prompts you to verify the admin email.

Admin Email Verification

Similar to the database upgrade, this is a page on your website and never an email.

The phishing email links to a fake WordPress login page where the scammers capture your login details.

How Can You Spot Scam Emails?

When you hover over a button or link in most email apps, the URL it actually points to is shown.

Have a look at the URL before you click through.

If it seems suspicious, don’t click it – type your website URL directly into a browser tab.
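The same check can be done on the HTML of a suspicious message rather than by eye. The script below is an added example and not part of the original post: it pulls every link out of an email body, compares the link's host with the domain you expect your site to live on, and flags the classic tricks the post describes, namely your domain embedded inside a stranger's hostname, and visible link text that names your site while the underlying URL goes elsewhere. The email body and the site domain `example.com` are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text, site_host):
    """Return a verdict for one link relative to the site we expect to be linked to.

    ok                  host is the site or one of its subdomains
    lookalike-host      our domain appears inside a foreign hostname (example.com.evil.net)
    text-host-mismatch  the visible text names our site but the URL goes somewhere else
    external            points to an unrelated host (not necessarily malicious)
    """
    site_host = site_host.lower()
    host = (urlparse(href).hostname or "").lower()
    if host == site_host or host.endswith("." + site_host):
        return "ok"
    if site_host in host:
        return "lookalike-host"
    if site_host in text.lower():
        return "text-host-mismatch"
    return "external"


def check_links(html_body, site_host):
    """Extract all links from an HTML email and attach a verdict to each."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [
        {"href": href, "text": text, "verdict": classify_link(href, text, site_host)}
        for href, text in parser.links
    ]


# Constructed sample: a fake "database upgrade" notice with a mix of links.
SAMPLE_EMAIL = """
<p>Your WordPress database needs to be upgraded. Log in to continue.</p>
<a href="https://example.com.wp-upgrade-login.net/wp-login.php">example.com/wp-admin</a>
<a href="https://example.com/wp-admin/">Dashboard</a>
<a href="https://docs.example.com/help">Help</a>
<a href="https://login-example.net/wp-login.php">https://example.com/wp-login.php</a>
<a href="https://wordpress.org/support/">WordPress support</a>
"""

if __name__ == "__main__":
    for result in check_links(SAMPLE_EMAIL, "example.com"):
        print(f'{result["verdict"]:<20} {result["href"]}  ("{result["text"]}")')
```

Anything other than `ok` is a reason to ignore the email and type your site's address into the browser yourself, exactly as the post advises; an `external` verdict is not proof of a scam, but a legitimate WordPress core notice has no reason to send you to a login page on a host that is not yours.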

Keep The Hackers Out Using 2FA

For an additional layer of security, consider using multi-factor authentication for your WordPress logins.
