cPanel won’t send you messages asking you to verify your email address
A new email scam has been circulating around the web. In this scam, the target will receive an email message from what appears to be an email address associated with cPanel. The email message says that you need to verify your email address or they will temporarily put your website on hold until verification is complete.
Here’s a transcript of the email message:
24/7 Support: (735) 665-2302
[Email address removed] – Important Message
Please verify your email address.
We`re required to put websites on hold if we can`t verify the email address on file.
All you need to do is click the button below (it only takes a few seconds). You won`t be asked to log in to your cPanel account – we`re simply verifying ownership of this email address.
VERIFY YOUR EMAIL ADDRESS
If you don`t verify your email address, we`re required to temporarily put your website on hold until verification is complete.*
Thanks for being a valued customer.
*ICANN, the Internet Corporation for Assigned Names and Numbers, requires that all domain registrars maintain correct and current WHOIS contact data for domain owners.
Please do not reply to this email. Emails sent to this address will not be answered.
Copyright 1999-2015 All rights reserved.
The email message contains a button that says “verify your email address.” If you click the button, you will be directed to a phishing website that looks like the real cPanel webmail account access page. The page asks you to sign into your email account and will have your email address pre-filled in the email address field; all you need to do is enter your password.
Don’t enter your password! If you do, scammers will have access to your email account and will be able to do whatever they want with it, even change your password. If you were tricked by this email message and submitted your password to the phishing website, change your password immediately.
Here are some tips to create a secure password:
- Use unique passwords wherever possible. Don’t reuse passwords for multiple accounts.
- Use passwords with numbers, letters, and special characters such as !@$#.
- Use two-factor authentication to add an extra layer of security along with your password.
- Use a reputable password manager if you have trouble remembering multiple passwords.
Keep in mind that cPanel will never email you a message asking you to verify your email account. There is simply no need to do that and your website will not be “on hold” or suspended simply because you did not verify your email account.
As you may have guessed, the purpose of this email scam is to phish your email account’s password. When you click the “verify your email address” button in the email, you are directed to an insecure site using HTTP that was designed to look like the actual cPanel webmail page. The unencrypted page asks you to log into your email account so that it can be verified; however, you can type any series of numbers and letters as the password and the page will accept it as your password and then direct you to an encrypted webmail page native to your site.
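The warning signs described above can be checked mechanically before anyone clicks. The following is an added example, not code from cPanel or from this article's author: the function name `check_message`, the `own_domain` parameter and the sample message are assumptions made for illustration, and the sample email is constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Pretext phrases copied from the scam email quoted in the article.
PRETEXT = ("verify your email address", "put your website on hold")

class LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def check_message(raw, own_domain):
    """Return the reasons a raw email matches the scam pattern (hypothetical helper)."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = " ".join(body.lower().split())
    findings = [f"pretext phrase: {p}" for p in PRETEXT if p in text]
    collector = LinkCollector()
    collector.feed(body)
    for href in collector.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http":
            findings.append(f"unencrypted link: {href}")
        # Assumption: genuine webmail lives on the site's own domain.
        if host and host != own_domain and not host.endswith("." + own_domain):
            findings.append(f"link leaves {own_domain}: {host}")
    return findings

# Constructed sample modelled on the quoted scam text; all hosts are placeholders.
SAMPLE = """\
From: "cPanel" <noreply@mail.example.net>
To: owner@example.com
Subject: Important Message
Content-Type: text/html; charset="utf-8"

<p>Please verify your email address or we will put your website on hold.</p>
<a href="http://webmail-check.example.org/login">VERIFY YOUR EMAIL ADDRESS</a>
"""
```

Calling `check_message(SAMPLE, "example.com")` returns four findings: both pretext phrases, the plain-HTTP link, and the link host that is outside the site's own domain.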
The moral of this short story is to avoid any email messages that claim to come from cPanel or other services and ask you to verify your email account or face some type of penalty or inconvenience. They are usually fake and designed to phish your credentials.
If you did fall for a scam, change your password to a strong and unique password immediately, review your email security settings and options (maybe try a secure email service like Tutanota), and contact your email service provider if you have any questions concerning the security of your account.