Phishing Scam: Contact Form Submissions

You are probably familiar with the concept of phishing, or e-mails that trick you into giving your personal information (credit card, social media logins, etc.) by posing as legitimate businesses or individuals. There is a new phishing scam online that targets website contact forms. Even with reCaptcha verification embedded in the form, it can still make its way through.

It’s getting past reCaptacha because real people are filling the form out (or at least the recaptcha part), and not bots like most mass-phishing scams.

Victim of a Phishing Scam: Hand holding iPhone with lots of calls from telemarketers
Photo by Lindsey LaMont on Unsplash


Posing as illustrators and stock photo photographers, they fill out the contact form with the below (format & names may vary):



This is Melaina and I am a professional illustrator.

I was surprised, putting it lightly, when I came across my images at your web-site. If you use a copyrighted image without an owner’s consent, you should be aware that you could be sued by the owner.

It’s illegitimate to use stolen images and it’s so low!

Here is this document with the links to my images you used at [your URL] and my earlier publications to get the evidence of my ownership.

Download it now and check this out for yourself: [PHISHING LINK]

If you don’t get rid of the images mentioned in the document above during the next several days, I’ll file a complaint on you to your hosting provider stating that my copyrights have been severely infringed and I am trying to protect my intellectual property.

And if it doesn’t work, trust me I am going to report and sue you! And I will not bother myself to let you know of it in advance.


So that’s the email – what do you do about it?  Nothing. Why? Because that link is not what the email says it is.

Important Note: Opening the contact form notification e-mail will not download a virus – but clicking the link in it will!

Clicking the phishing link is the trigger — so avoid all links in the email! Delete the e-mail and move on with your day.

Phishing emails with bad grammar or misspelled words are easy to spot.  But ones like this that are well-crafted are harder to ID.  That’s why it’s a good rule of thumb to NEVER click on a link in an email you were not expecting.  If you know the person who sent it, call them to verify.  If you know the company/service, go directly to their website to log in.  Be safe rather than sorry.

GoDaddy Workspace Mail has already begun to crack down on this issue, and other email providers will likely follow.

Having other issues with your contact forms? We can help you with all your website needs over at