Showing results for 
Search instead for 
Did you mean: 

Spoof message allegedly from Virgin with subject "Your Bill Is Ready"

Up to speed

Hi Everyone,

I just got caught out by an email looking like it was from Virgin Media. I get them every month so I was running on autopilot. The email contained a pdf file "Your Virgin Media Bill is here___.pdf" which I opened in acrobat reader. The pdf contained Virgin and O2 logos and mentioned that the bill might have increased etc, with a button to click to view the bill. This opened a website in a browser asking for VM account login details which I submitted, after which I did not see my bill.

With hindsight it should have been very obvious that it was a scam email from the dodgy email address to the dodgy log-in page but I was not paying attention and I do get legit emails which do not display as you would expect in my email client so I have to select a different view. In this case I just went straight to attachments, spotted the pdf and downloaded it. Total idiot.

The full sequence is:

1. email containing...

2. pdf with button to click to see bill which takes you to...

3. website requesting VM username and password.

The pdf link is actually to a dropbox page which asks for the VM credentials. On submission the information is passed to a Wix-hosted website. All so blindingly obvious if I had taken the time to look first!

So the scammers are collecting VM accountholder email addresses and passwords so they can try to log in to your VM account. If successful they can collect and change all your details etc. so you might get locked out of your account. It would also give them access to other services you might have, e.g. your email.

In my case I knew something was up when I did not see my bill and instantly logged in to my account and changed everything - account log-in email address, password, memorable words, phone number etc. so the stolen credentials are useless to the scammers.

The time from me submitting the form to getting into my account was probably about ten minutes because VM insisted on sending a validation code to another email address for me to log in and it took some time to arrive. VM did it again when I wanted to change my account details which added to the delay in changing them. The question is did the scammers manage to get into my account in that brief period? I am assuming that I beat them to it because a couple of hours later I can still log in with my updated account/password credentials.

I scanned the pdf for malware and it came up clean so I suppose its main purpose was as a redirect to the dodgy login page. It is beyond belief that I did not even look at the url or stuff at the top of the page because I am so used to getting emails every month from VM.

I hope the above is of use to you. I have been using email and the internet since 1995 and this is the first time I have been caught out, Be warned!


Up to speed

Postscript - The spoof email mentioned above arrived in my inbox at 0951hrs this morning. I see another one from the same source but this time with subject "Your latest bill is ready" arrived in my inbox at 1344hrs, both allegedly from [removed] as virgin@media (I can examine the raw headers without actually downloading the email itself). The curious thing is that these emails pass all the validation checks - SPF, dkim, dmarc, - and have an X-spam score of zero. Not downloading/opening this one!


 [MOD EDIT: Personal and private information has been removed from this post. Please do not post personal or private information in your public posts. Please review the Forum Guidelines]

This is a scam operation so I included full details so people would know what to look out for. I thought I would contact security at Wix and Dropbox with the relevant details so they can investigate/shut down the spoofers but it turns out there is no way of doing so because I don't have an account with them. I am fed up with useless AI chatbots!

Hi @nigelss 

Thanks for posting and welcome back to the community.

Sorry to hear of this.

Please see more here - with how to report this mail. 

Best wishes.

Forum Team

Need a helpful hand to show you how to make a payment? Check out our guide - How to pay my Virgin Media bill

Yeah the ongoing lag with VM emails does not help with these sorts of situations or with two factor authentication. 

Cancel VM here
Complain to VM
Demand compensation from VM here
Demand your call recordings here
Monitor the state of your VM connection here

Very Insightful Person
Very Insightful Person

@nigelss wrote:

This is a scam operation so I included full details so people would know what to look out for. I thought I would contact security at Wix and Dropbox with the relevant details so they can investigate/shut down the spoofers but it turns out there is no way of doing so because I don't have an account with them. I am fed up with useless AI chatbots!

Try reporting here:

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more
Have I helped? Select Mark as Helpful Answer or 🖒 Kudos to say thanks

Joining in

I’m getting these almost every day. They’re driving me mad! 

Super solver

Thank for the warning, I will look out for any fake VM email saying your bill is ready.

I also have had a few phishing emails pretending to be virgin, one was picked up by by the VM spam filter, but the previous one got through. Usually the sender email address is different to a VM official address.

The wording was your billing information has expired, or your account is set to close.

A simple check is to look at the source header and check the sender IP address and look up the IP address which may not be VM but from an unknown server.

I also have had one from Virgin Money not tagged as spam, and last year when VM email was down, I had an email planning essential works via amazon on a German IP address not tagged as spam, but the  sender address did look like a VM .

In one case I had a blackmail email sent from my own email address ,tagged as spam.

I do get a lot of fake banking emails also including most of the UK banks, TSB, Natwest, LLoyds and also Betfair

So best to always check emails before clicking on any links to fake websites as they are not always tagged as spam, but may be spam so do not assume an email is genuine unless the email sender detail is checked first in the header.It is very easy for scammers to send a an email that may look genuine at first glance and end up submitting data or passwords for accounts that then enables hacking of an account, and if an email is hacked the hacker can then use that to hack associated accounts that use the email.

Hackers are continually trying to hack accounts and email and social media, I have had recent activity on social media and some emails.

The use of 2FA helps to keep out hackers and use long strong passwords, and also change your password quick if you think you may have been compromised or fooled by am email that may look genuine but is actually a fake.

It is best to always login via the actual VM web site rather than click on links in an email

Tuning in

Hi to all, I am now seeing these emails on a daily basis, always mark them as spam and delete but they change their email and domain so rapidly, always hover the cursor on the senders email and note the personal email addresses that these are sent from, always be careful what you click on.

they change their email and domain so rapidly-

The spammers continually change the sender address to avoid blacklists and spam filters.

I have had spam activity also on gmail,possibly by the same spammers sending to VM email and linked to romance fraud using my gmail email and evidence that they also know my VM email address.

I also think the spammers may be also hackers and will try to hack the emails and I have noticed activity that is unsusual both on my and by the same hackers so advise strong passwords and change them regularly including the app password.

In some cases the cyber criminals may use your address to register you with a company using your identity/email, in one case I have had to delete an account set up by an unknown hacker using my email for fraud.

So it is advisable to keep a check on the spam emails as some may be criminal activity.

As I can not remove my old VM email, the problem remains.

If an email is getting attention from spammers and hackers on a regular basis, it may be wise to cease from using that email and open a new free email in outlook or yahoo for example.

Cyder criminals use social engineering to Get your data to enable hacking, spam email can be part of that data collection using phishing emails. so they can hack your accounts, banks etc.

I did some check and most of the spam emails to my VM email are  form servers in other European countries but claiming to be UK companies so the websites in any links are probably fake. Many of the companies do not exist or have an address used which is just a postbox for many fake companies they set up.