Fraudulent emails posing as official GrubHub Holiday Crypto Promotion messages promised recipients a tenfold Bitcoin return if they sent cryptocurrency to a specified wallet, using addresses like merry-christmas@b.grubhub.com to boost credibility. The messages pressed recipients to act quickly and promised unrealistic returns, a classic crypto reward scam that used what appeared to be legitimate brand subdomains to bypass email authentication. GrubHub has stated it contained the issue and is working to prevent recurrence.
What This Means
This incident demonstrates that even well-known brands’ communication channels can be mimicked or abused, making phishing emails increasingly difficult to distinguish from legitimate messages. The use of real subdomains and personalized details increases the risk that users or partners will fall for scams promising extraordinary returns, leading to direct financial loss and erosion of trust in organizational communications. Email authentication protocols and third-party vendor security remain critical weak points across enterprise environments.
What To Do Next
- Educate and alert users: Remind everyone that legitimate companies do not ask for cryptocurrency payments to provide rewards — unrealistic offers are almost always scams.
- Verify email authentication: Ensure your email systems check SPF, DKIM, and DMARC results on inbound mail and are configured to reject or quarantine messages that fail authentication.
- Audit domain and subdomain usage: Tighten access controls on DNS and third-party vendor accounts to prevent unauthorized subdomain usage that could enable convincing spoofed emails.
- Report suspicious messages: Mark phishing messages as such in your email client and report them to the impersonated organization’s security team so they can investigate and block similar campaigns.
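
For the "Verify email authentication" step, the following added example (not code from GrubHub or any vendor) shows one way a mail filter can turn SPF, DKIM and DMARC verdicts into an accept, quarantine or reject decision. The gateway name `mx.example.net`, the `brand.example` domain, the sample messages and the local policy are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id our own gateway stamps
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

def auth_results(raw, trusted=TRUSTED_AUTHSERV):
    """Return spf/dkim/dmarc verdicts from Authentication-Results headers
    written by our gateway. Headers with any other authserv-id could have
    been inserted by the sender, so they are ignored."""
    verdicts = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        parts = authserv.split()
        if not parts or parts[0].lower() != trusted:
            continue
        for method, result in METHOD_RE.findall(rest):
            method, result = method.lower(), result.lower()
            # Several DKIM signatures may be reported; one pass is enough.
            if verdicts.get(method) != "pass":
                verdicts[method] = result
    return verdicts

def disposition(raw):
    """Local policy (assumed): reject DMARC failures, quarantine mail with
    no passing verdict at all, accept the rest."""
    v = auth_results(raw)
    if v.get("dmarc") == "fail":
        return "reject"
    if "pass" in (v.get("dmarc"), v.get("spf"), v.get("dkim")):
        return "accept"
    return "quarantine"

def _sample(*auth_headers):
    # Constructed test message, not mail from the campaign described above.
    lines = [f"Authentication-Results: {h}" for h in auth_headers]
    lines += ["From: Promo <promo@brand.example>", "Subject: Holiday reward", "", "body"]
    return "\n".join(lines)

SPOOFED = _sample(
    "mail.sender.example; dmarc=pass header.from=brand.example",  # forged by sender
    "mx.example.net; spf=fail smtp.mailfrom=promo.example; dkim=none; "
    "dmarc=fail header.from=brand.example")
ALIGNED = _sample("mx.example.net; spf=pass; dkim=pass header.d=brand.example; dmarc=pass")
UNSTAMPED = _sample("mail.sender.example; spf=pass; dmarc=pass")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("aligned", ALIGNED), ("unstamped", UNSTAMPED)]:
        print(name, auth_results(raw), disposition(raw))
```

A message sent through a brand's real, authenticated subdomain would come back as `accept` here, so this check complements the user-education and subdomain-audit steps and does not replace them.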