Scam Campaign Report: Privacy Email Service Impersonation and Suspicious Contact Network
This report documents a cluster of 14 connected entities — including two phone numbers, ten domains, and two Zoho-hosted email addresses — that have been flagged and reported together in community threat intelligence submissions. The cluster centers on a pattern of references to privacy-focused email providers and technology review platforms, with the suspicious domain protonmaildotcom.wordpress.com serving as a central node in the reported relationship web. Unlike the legitimate ProtonMail service, this domain is hosted on WordPress infrastructure registered through MarkMonitor, Inc. as of March 3, 2000, and appears designed to mimic the branding of the well-known encrypted email provider ProtonMail.
The domain neomailbox.com and the spoofed WordPress domain protonmaildotcom.wordpress.com are the two most heavily interconnected entities in this cluster, each appearing in multiple high-confidence co-reporting relationships. Neomailbox.com was reported alongside zoho.com, blog.runbox.com, www.pcmag.com, and protonmaildotcom.wordpress.com, all at a confidence level of 1.00. The legitimate technology publication www.pcmag.com also appears repeatedly in reported-together relationships, suggesting that actors in this campaign may be referencing or directing targets to PCMag content — likely reviews of privacy email services — as a trust-building mechanism to add legitimacy to their outreach. Legitimate domains including fastmail.com, help.hushmail.com, runbox.com, and blog.runbox.com appear throughout the cluster, indicating that the campaign is constructed around the established reputations of real privacy email services.
Two email addresses — marydavis09@zoho.com and courier.company@zoho.com — are associated with this cluster, both hosted on the Zoho platform, which was registered in 2004 through MarkMonitor. The address marydavis09@zoho.com has been directly linked to phone number 469-532-5760 in a reported-together relationship at full confidence. Phone number 662-475-8594 also appears in the cluster. Neither phone number has recorded FTC complaints at this time, which may indicate the campaign is in an early or low-volume phase, or that victims have not yet reported contacts to federal agencies. The use of free or low-cost Zoho email accounts combined with standard phone numbers is consistent with social engineering operations that seek to avoid infrastructure costs while impersonating trustworthy services.
Community reports provide additional context. Two submissions with 6 upvotes each describe a user seeking privacy-preserving email services and evaluating providers including those named in this cluster. A separate 2-upvote report specifically notes that ProtonMail, HushMail, FastMail, NeoMailbox, Runbox, and Zoho were simultaneously targeted by distributed denial-of-service attacks and extortion attempts within a single week, with FastMail publishing a public statement referenced at blog.fastmail.com. This historical DDoS and extortion campaign against multiple privacy email providers is significant context, as it suggests threat actors have targeted this sector before and are familiar with its user base, making those users a plausible target population for follow-on social engineering using impersonation of these same brands.
Consumers who are contacted by either of the phone numbers in this cluster — 662-475-8594 or 469-532-5760 — or who receive email from marydavis09@zoho.com or courier.company@zoho.com should not respond, click any links, or provide personal or financial information. Hang up immediately on any unsolicited call. Do not interact with domains that mimic known services, such as protonmaildotcom.wordpress.com, which is not affiliated with ProtonMail in any way. To verify whether a domain or email address is associated with a known threat, consumers can use lookup tools such as the FTC's fraud reporting portal at reportfraud.ftc.gov, or check domain registration details through a public WHOIS service. Suspicious phone contacts can also be reported to the FCC. When evaluating privacy email services, only navigate to official domains — such as proton.me for ProtonMail — and avoid any third-party or WordPress-hosted pages claiming to represent those services.
Overall, this cluster represents a moderate threat level. The campaign appears to exploit consumer interest in digital privacy and the established reputations of legitimate privacy email providers to build false credibility. The direct linkage between a named email address and a phone number, combined with the coordinated co-reporting of ten domains at full confidence, indicates an organized and deliberate operational structure rather than isolated or coincidental contacts. Recommended next steps include continued monitoring of both phone numbers for emerging FTC complaint volume, further investigation of neomailbox.com and protonmaildotcom.wordpress.com for active phishing or fraud content, and submission of the identified Zoho email addresses to Zoho's abuse reporting team for account review and potential suspension.