This campaign centers on a smishing operation tied to a financial solicitation brand operating under the name "CheckGo." The primary delivery mechanism is phone number 470-750-9964, a Georgia area code number that has generated no FTC complaints to date but has been flagged in community reporting as associated with phishing activity. Victims have received unsolicited text messages purportedly from a representative named "Mark from CheckGo," claiming that an unspecified request has been reviewed and accepted, and directing recipients to follow personalized links. The messages include a nominal opt-out instruction to reply STOP, a common legitimacy signal used by scammers to lower recipient suspicion.
The domain infrastructure supporting this campaign spans two generations of registration, both through NAMECHEAP INC. The older domain, start.checkgo.org, was registered on 2023-08-24, while a near-identical variant, start.checkgos.org, was registered on 2025-06-26, suggesting the campaign was refreshed or expanded with a new subdomain cluster in mid-2025. The base domain checkgo.org is also present in the cluster. The close naming similarity between checkgo.org and checkgos.org is a hallmark of typosquat or brand-mimicry infrastructure, with the newer domain likely serving as an active redirect or landing page host as the older infrastructure aged or was flagged.
Cross-entity relationships confirm that all three domains and the 470-750-9964 number have been reported together across multiple community submissions. The highest-confidence linkages, scored at 0.50, connect start.checkgos.org directly to the phone number, consistent with that domain being the currently active payload delivery point observed in live message samples. The 0.35-confidence associations between the remaining domain pairs and the phone number reflect corroborating co-reports rather than direct technical linkage, but collectively they establish a coherent and unified infrastructure pattern across the cluster.
Geographic context places at least one confirmed report in Dallas, TX 75236, with the BBB scam type classification listed as phishing and the associated business identified as Checkgo. The messaging template observed in community reports uses unique URL tokens per recipient, such as start.checkgos.org/xTKfV2e8 and start.checkgos.org/oDBUNQM7, indicating a bulk SMS platform capable of generating individualized tracking links. This technique is consistent with credential harvesting or financial lead-generation fraud, where the appearance of a personalized, pre-approved offer is used to draw targets into submitting sensitive information.
The threat level for this cluster is moderate and actively evolving. The June 2025 re-registration of a variant domain under the same registrar, combined with live community-reported message delivery and unique-token URL generation, indicates an ongoing and operationally maintained campaign. The absence of FTC complaint volume does not reflect low activity but rather an early or underreported stage of deployment. The combination of brand impersonation, personalized phishing links, and fresh infrastructure points to a campaign that is currently in active distribution.