Possible new WordPress “update required” phishing scam

Heads-up for WordPress users on rumors of a new variation on an older scam. It’s especially tricky right now because the newest versions of WordPress actually do send you an email saying (truthfully!) that it has automatically updated itself. Here’s how one person reported the issue:

USING WORDPRESS? Beware of a VERY legit looking email going around that says your site has been updated to WordPress 3.8.2. Do NOT click the link, it’s to steal your info!

I got the email and so did a friend who unfortunately clicked on it!

I manage dozens of WordPress sites but haven’t seen this specific scam yet (I expect to see them soon.) But late last year a similar message about a “required database update” was making the rounds.

The security rule of thumb for any email that asks you to log in, provide personal info, etc. is to:

  • Ignore the links — don’t click on them and don’t copy them down
  • Close the email
  • Navigate to the correct URL in your browser, either from memory (if it’s a site known to you) or after finding the real URL via Google/Bing.
  • Log in

If the notification was legitimate, your WordPress site (or bank, or Netflix, Gmail, Amazon, etc.) will let you know once you have logged in. Follow those instructions, not the ones in the email.

The same goes for phone calls from alleged banks, utilities, etc., by the way: scams are so prevalent that basically no legitimate company representative will ask for your personal info, login info, or credit information in a phone call they initiated.

David Innes, RealBasics.com

I've been building and maintaining websites since 1997 and building and supporting similar hypertext-driven software since 1987. I've done maintenance, support, and maintenance for physical and digital systems since 1981. And no, I still haven't seen it all but by now I usually know where to look.