
The latest phishing scam to hit email boxes is particularly insidious – it looks just like a real digital invite to a party, from a real person in the recipient’s contact list.
The scam has been around for well over a year, spreading like a virus through email contacts, and has recently ramped up its New Hampshire, Massachusetts and Maine presence.
Recipients get a “Punchbowl” invitation card, via email, from the email address of someone they know. The email has a link to view the card. When the recipient clicks on it, it asks them to input their password. When they do, no card appears. The scammers, though, have your password and can hack your account.
The scam is a phishing scam – once it has your email password, the scammers can hack into your account and access your contacts and other information, plant malware or do other harm.
One of the insidious things about this scam is that it comes from the actual email address of a person you know, unlike many scams that come from similar addresses but with some letters or punctuation changed.
It’s one example of how AI is quickly changing how scammers operate – cybersecurity experts say the latest scammers do a better job of targeting victims, using more personal information and seeming to be more legitimate.
One Haverhill, Mass., victim of the Punchbowl scam said Tuesday that she clicked on a fake Punchbowl invitation, though she wondered why the sender was having a birthday party, when his birthday had passed. By the time she double-checked and found out it was a scam and changed her email password it was too late – invitations from her email were now going to everyone on her contact list, as well as to some names she didn’t recognize.
“I’ve spent all morning emailing people telling them it’s not me, it’s a scam,” she said Tuesday.
Punchbowl is a real digital card company. On its website, Punchbowl lists ways to tell that a Punchbowl card is legitimate:
- Punchbowl evites come from the email address mail@mail.punchbowl.com, not a personal email address.
- All legitimate Punchbowl online invitations and digital greeting cards sent from Punchbowl via text message in the U.S. will come from the short code 90403. Invites and Cards sent from Punchbowl via text message outside the U.S. will come from 877-642-0804.
- Invitation and card links always start with https://www.punchbowl.com.
The website also gives advice on what a real Punchbowl logo looks like, but many of the scams don’t have the logo, counting on the fact that recipients aren’t familiar enough to know what they’re looking at.
In a 2024 CBS story about the scam, Texas-based cybersecurity expert David Malicoat said that those who get a digital invitation should hover over the link before clicking to see the actual link address.
When Malicoat hovered over the “View the card” link in a fake Punchbowl invite, “it would send you to a site that was located in Russia.”
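The sender and link checks from Punchbowl's list, combined with the "hover to see the real address" advice, can be automated for a saved message. The following is an added example, not code from Punchbowl or from the experts quoted; the function names and the sample message are constructed for illustration, and the sender address uses the punchbowl.com spelling that matches the link rule. It compares the parsed host of each link instead of the leading characters, because an address can begin with `https://www.punchbowl.com` and still belong to another domain.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Official values as given in the checklist (assumed spelling: punchbowl.com).
OFFICIAL_SENDER = "mail@mail.punchbowl.com"
OFFICIAL_LINK_HOST = "www.punchbowl.com"

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def link_is_official(href):
    """True only if the parsed scheme is https and the host matches exactly."""
    try:
        parts = urlsplit(href)
    except ValueError:  # malformed URL: treat as not official
        return False
    return parts.scheme == "https" and parts.hostname == OFFICIAL_LINK_HOST

def check_invite(from_header, html_body):
    """Return the reasons a message fails the sender and link checks."""
    findings = []
    addr = parseaddr(from_header)[1].lower()
    if addr != OFFICIAL_SENDER:
        findings.append(f"sender is {addr}, not {OFFICIAL_SENDER}")
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        if not link_is_official(href):
            findings.append(f"link '{text}' points to {href}")
    return findings

# Constructed sample: sent from a contact's personal address, with a link
# whose text looks harmless but whose host is not www.punchbowl.com.
SAMPLE_FROM = "A Friend <friend@example.org>"
SAMPLE_HTML = ('<p>You are invited!</p>'
               '<a href="https://www.punchbowl.com.example.net/card">View the card</a>')
```

An empty result only means the message passed these two checks; a From header can be forged, so it is not proof that the invitation is genuine.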
In the two years since the scam began hitting the news, the cards have adapted. The scam originally used an RSVP link to capture victims. Now it also uses a link to simply view the card.
If you get a Punchbowl invitation or card by email or text – or one from Evite or any other digital card company – and it looks like it could be a fake:
- Do not open it
- If you do, don’t click on any links within the email
- Mark the email as spam
- Change your email password as soon as possible.
Malicoat said that those who click on the bad link should also warn contacts to ignore a surprise “Punchbowl” invitation. Recipients who have clicked on the link should be extra cautious when clicking on any links in the months ahead, since they may be related to their click on the Punchbowl link.