The latest "scam" trend for domain owners is fake website bug reporting. I've been on the receiving end of a few of what are called "beg bounty" attempts. The first time you get one of these it can be very worrying, as they claim to be ethical hackers who have found a serious bug on your website.
They are deliberately targeting small to medium-sized website owners who won't have an IT dept. I was going to write a post about it one day from the perspective of a domain holder, but it would have to be a long one to explain properly. It involves DMARC, which 80% of websites don't have set. I did look into it about 5 years ago when I tried to set SPF and DKIM, and I asked my host, only to be told it's not something I should worry about as mail goes through their mail servers.
I don't have any mail lists anyhow, and I don't even see where this area is something I could set up... bear in mind I'm deliberately on a managed plan. There are a few other things I should mention at this point, but that is when things start getting more complex and lengthy. I'll just leave it as it is: I have DKIM and SPF and remain part of the 80%, accepting my limitations in what is a complex area. I don't have financial transactions, nor mailing lists. Or, more importantly, I don't ever send out emails with "click here" links. I'd like to think this type of scam is actually more down to people using "click here" and disclosing financial info, yada yada.
A couple of years ago Troy, of "Have I Been Pwned" fame, warned that beg bounties for DMARC policies were about to explode; he wrote a fairly long article about the security side of things. Some website owners are forking out hundreds of pounds to these so-called ethical hackers, only to find out that this isn't really a security flaw on the website.
As mentioned, the first one you get can be very worrying, but when I looked, it even included the same typos as the one shown in Troy's article. It's just someone running automated scripts and hoping for a lucky break, having scared the website owner with some vague information.
As recommended, I totally ignore these so-called 'beg bounties' and don't enter into any type of conversation. It's a shame really, as it could end up with website owners ignoring what really is a bug from a real white hat.
These guys can be persistent. For example, from my mailbox:
21/08/23
Hey Team any update? How long do I have to wait to hear from you for my reward?
19/06/23
Kindly update me about my reward; it's been quite a while since I sent you a vulnerability report. Please don't let my efforts be wasted.
16/06/23
Should I expect a reply regarding my reward today?
14/06/23
Kindly let me know about my reward for the ethical disclosure of the vulnerability.
02/05/23
Kindly update me about my reward. I'm expecting a cash reward for reporting this bug ethically to you.
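Since the reports above hinge on a domain's DMARC record, here is an added example (not part of the original post) that a domain owner can use to judge such a report on its merits: it parses the TXT record that would be published at `_dmarc.<domain>` and classifies the policy. The sample records are constructed; in practice the string comes from a DNS TXT lookup, and the classification says nothing about the website itself, only about whether receivers act on mail that fails SPF/DKIM alignment.

```python
SAMPLES = {  # constructed _dmarc.<domain> TXT values, not real lookups
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s",
    "partial":   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "monitor":   "v=DMARC1; p=none",
    "not_dmarc": "v=spf1 include:_spf.example.com -all",  # an SPF record
    "missing":   None,                                     # lookup returned nothing
}


def parse_dmarc(txt):
    """Parse a DMARC record (RFC 7489 'tag=value;' list) into a dict.
    Returns None for an empty lookup or a non-DMARC string (no v=DMARC1
    or no mandatory p= tag)."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(txt):
    """Return (level, explanation): 'none', 'monitor', 'partial' or
    'enforcing'. Only 'none' and 'monitor' mean failing mail is still
    delivered by policy-honouring receivers."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none", "no valid DMARC record; receivers apply no policy"
    policy = tags["p"].lower()
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # malformed pct defaults to 100
    if policy == "none":
        detail = ("aggregate reports go to " + tags["rua"] if "rua" in tags
                  else "no rua= address, so no reports are produced")
        return "monitor", "p=none: failing mail is still delivered; " + detail
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return "partial", f"p={policy} applied to only {pct}% of failing mail"
        return "enforcing", f"p={policy} applied to all failing mail"
    return "none", f"unrecognised policy p={policy}; treated as unpublished"


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:10} -> {assess_dmarc(record)}")
```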