The secret is out: Fake Punchbowl invites are phishing attempts

NORTH TEXAS — If you've received an online 'Punchbowl' invitation that says "Sssshhhhh," the secret is out. It's fake. A phishing attempt to get access to your data: and even the experts admit, it's a good one.

"It looks very authentic," said North Texas-based cybersecurity expert David Malicoat.

After reviewing one of the suspicious emails, Malicoat notes that hackers have become so good at fooling the public that typical warning signs for phishing attempts, like bad grammar and unfamiliar email addresses, are missing in the fake Punchbowl invites.

The addresses that appear to be sending the invitations are legit, likely stolen from previously hacked friends and family. When in doubt, he suggests hovering over the link before clicking.

"I was able to hover over the link that it wanted you to click on," said Malicoat, "but in this case, when you hover over it, it'll show you the website that if you click that it would go to, and in this case it would send you to a site that was located in Russia."

Punchbowl has provided a warning in the Help section of its website. Malicoat believes that doesn't go far enough and doesn't warn users soon enough.

Often by the time targets realize the invitation is a fake, they've already clicked. Malicoat believes the company should proactively warn users on the website's front page.

Punchbowl company officials disagree.

"I certainly respect that person's opinion, but you need to peel off the layers of the onion a little bit in terms of how a consumer would interact with our site," said Matt Douglas, the CEO of Sincere, Punchbowl's parent company. "Putting something on the website's not gonna help someone who receives an email into their own inbox. And that's what guests of an invite would first interact with. So it'd be kind of a red herring to put something on the website."

Douglas also said that customers can report phishing attempts to help@punchbowl.com; however, he maintains that the overall problem is minor, saying more legitimate invitations are sent than illegitimate.

"That being said, if even one person gets one, that's one too many," said Douglas.

If you've received a fake invitation and already clicked on the link, Malicoat suggests changing your email password immediately.

He warns us to never reuse a password from another site.  Also, warn contacts to ignore a surprise 'Punchbowl' invitation and be extra cautious clicking on any link now and in the months ahead.

"I want people to be able to say, 'I understand at least fundamentally, how it works. I don't have to be an expert. I don't have to be a cyberwarrior. But in the end, I want to take a little bit of caution,'" said Malicoat. "Take your time. Make sure if you're looking at that email, looking at that text, looking at that website, that it looks and feels like it's supposed to. They're getting better at what they're doing. So, therefore, we have to be."