“Ethical hacker” bug bounty emails on the rise

We often see emails from individuals claiming to be ethical hackers who report that they have found a vulnerability on a website, offer a fix, and request a bug bounty as a reward for their efforts.

Jimmy Crutchfield

11 January 2022

You wake up one morning to an email in your inbox titled ‘critical security vulnerability on your website’. Like many site owners, you may panic. Is your website secure? What do you need to do? Should you respond? 

A number of our customers have reported seeing emails just like this, claiming their sites are insecure and offering assistance to fix them.

How the scam typically works

Rest assured, these emails are not what they claim to be, and there is nothing to be concerned about. The email describes a "critical security vulnerability" the sender has found. Usually this "vulnerability" is nothing more than a missing HTTP response header (such as Strict-Transport-Security or X-Frame-Options), or some other optional hardening setting that does not, on its own, make your website vulnerable; security scanners rate findings like these as informational or low severity. The scammer is relying on website owners not knowing this, however, and will play up the possibility of a critical security issue.

These "vulnerabilities" do not represent a real threat to your site. The scammer simply uses them as leverage to demand a payment, which they call a bug bounty.
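If you would rather check the claim yourself than take the sender's word for it, the following Python script (an added example, not ProStack's own tooling) parses an HTTP response and lists which of the common browser-hardening headers are missing or weak. The two sample responses are constructed for illustration, and the recommended values and the one-year HSTS threshold are widely used defaults rather than a standard; `fetch_headers()` is included for running the same audit against a live site. Every finding it produces is of the low-severity, "nice to have" kind, which is exactly the point: adding the header is a one-line change to your web server config, not something to pay a stranger for.

```python
"""Audit an HTTP response for the optional hardening headers that "beg bounty"
emails usually report as a "critical vulnerability".

Added example: not ProStack's tooling. The sample responses below are
constructed, and the recommended values are common defaults, not a standard."""
import re
import urllib.error
import urllib.request
from typing import Dict, List

# Optional hardening headers; absence is a low/informational finding.
# Values are widely used defaults (an assumption, tune them for your site).
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}
HSTS_MIN_AGE = 31536000  # one year, the commonly recommended minimum


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a dict keyed by
    lowercase header name. The status line and body are ignored; obsolete
    folded (continuation) headers are not supported."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per missing or weak header.
    An empty list means every recommended header is present and sane."""
    findings: List[str] = []
    for name, suggested in RECOMMENDED.items():
        if name not in headers:
            findings.append(f"missing {name} (suggested: {suggested})")

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"weak strict-transport-security '{hsts}' "
                            f"(max-age should be >= {HSTS_MIN_AGE})")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"weak x-content-type-options '{xcto}' (should be nosniff)")

    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak x-frame-options '{xfo}' (should be DENY or SAMEORIGIN)")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch a live site's response headers with a HEAD request (needs network).
    A 4xx/5xx response still carries headers, so it is audited rather than raised."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}


# Constructed sample responses, not captured from any real site.
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        findings = audit(parse_headers(raw))
        print(f"{label}: {len(findings)} low-severity finding(s)")
        for f in findings:
            print("  -", f)
```

Running it on the constructed weak response reports four findings (three missing headers and an HSTS max-age of five minutes), while the hardened response reports none. To audit a real site, call `audit(fetch_headers("https://example.com/"))`; note that a strict Content-Security-Policy can break a site that loads scripts or styles from other origins, so test any new header on a staging copy before deploying it.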

Bug Bounties

A bug bounty is a reward paid by an organisation to a researcher who reports a security issue under that organisation's own published program, which sets out which systems may be tested, how findings are reported, and what is paid. Such programs are common amongst large companies that actively invite members of the public to test their systems; Google, Facebook, and Twitter all run bug bounty programs, for example. However, as you might have guessed, an unsolicited demand for a bounty from someone who tested your site without being invited to is not a bug bounty claim, and is not going to be legitimate.

If you engage with these emails, the requests usually become more aggressive, with threats to disclose the "vulnerability" publicly or to use it to damage your website.

What should you do if you receive this email?

We recommend that you don't engage with these messages at all. In our experience, replying increases the risk, as the scammer will then try to coerce you into paying. The safest course is simply to discard the message.

For further information explore our relevant article here: Bug bounties and website vulnerability scams – How do I handle them? – Knowledgebase – Prostack

If you’re unsure and have any concerns about the security of your server, please contact the ProStack Support Team as soon as possible and we will investigate further and resolve any concerns you may have. Get in touch today!