Scam Campaign Report: Coordinated Financial Lure Operation Involving Deer Creek Lending, Borrowly, and CheckGo
A cluster of connected entities has been identified as part of a coordinated smishing and unsolicited outreach campaign targeting consumers and small business owners with fraudulent financial service solicitations. The campaign involves three domains — go.checkgonow.com, start.borrowly.org, and tsretires.co — along with the payday lending company Deer Creek Lending, which has accumulated 33 complaints with the Consumer Financial Protection Bureau. All three domains were registered through NAMECHEAP INC, with go.checkgonow.com registered on March 21, 2025, start.borrowly.org registered as recently as July 1, 2025, and tsretires.co lacking a confirmed registration date in the available data. The shared registrar and overlapping complaint reports suggest these domains are operating within the same infrastructure network.
Community reports describe recipients receiving unsolicited text messages sent from short code 40652, impersonating financial brands including Borrowly and CheckGo. One reported message read: "CheckGo - You're request has been pending and now deemed accepted. View within 12 Hours to continue," followed by the link go.checkgonow.com/wfTSL2T7 and an instruction to text STOP to opt out. The artificial urgency created by a 12-hour deadline is a hallmark of social engineering designed to pressure recipients into clicking malicious or fraudulent links before they can assess the message's legitimacy. Multiple recipients have reported receiving variations of these messages referencing several brand names in sequence, indicating a rotating lure strategy across the same campaign.
Deer Creek Lending, a payday loan industry company, is connected to all three domains through co-reported relationships, each with a confidence score of 0.35. While this confidence level is moderate rather than conclusive, the consistency of Deer Creek Lending appearing alongside each of the three domains in consumer reports is notable. The 33 CFPB complaints on record against Deer Creek Lending suggest a pattern of consumer grievances predating this specific campaign, and the association with newly registered redirect and lure domains raises concerns about whether the company's name or infrastructure is being used — either directly or by affiliated lead generators — to solicit consumers deceptively.
The targeting pattern evident in community reports suggests the campaign is aimed broadly at both individual consumers and small business owners, with victims describing their businesses specifically receiving these solicitations. This dual targeting indicates the operators may be drawing from business contact databases in addition to consumer phone lists, widening the potential victim pool. The use of short code 40652 for delivery and multiple rotating brand names, including Borrowly, CheckGo, and apparent references to Deer Creek Lending, suggests the campaign uses a centralized sending infrastructure while varying the lure identity to evade filtering.
Consumers who receive unsolicited text messages referencing Borrowly, CheckGo, Deer Creek Lending, or any domain resembling those listed in this report should not click any links contained in the message and should not text STOP or interact with the sender in any way, as doing so can confirm an active phone number to the operator. Anyone contacted should report the message to the FTC at reportfraud.ftc.gov and to the FCC at fcc.gov/consumers/guides/filing-informal-complaint. Suspicious domains can be checked using tools such as the Google Safe Browsing transparency report at transparencyreport.google.com or the WHOIS lookup at lookup.icann.org to review registration details. Consumers can also forward spam texts directly to 7726 (SPAM), which alerts major carriers. Legitimate lenders do not solicit consumers through unsolicited texts with urgent countdown windows or unbranded redirect links.
This campaign represents a moderate to elevated threat level given the use of recently registered redirect infrastructure, a confirmed smishing delivery vector via short code, rotating brand impersonation, and an existing record of regulatory complaints against an associated lending entity. Recommended next steps include monitoring go.checkgonow.com, start.borrowly.org, and tsretires.co for takedown eligibility through NAMECHEAP INC's abuse reporting process at abuse.namecheap.com, flagging short code 40652 with the Common Short Code Administration, and continued tracking of Deer Creek Lending's CFPB complaint trajectory for escalation patterns.