
Intro: More phishing emails are posing as "official notices" — domain differs by one or two characters, sender name and avatar are spoofed, even forged ticket numbers and signatures. Here's a breakdown of the common similar-domain and sender-impersonation patterns, and verification principles — so you can recognise risk before opening a link.
Background
Attackers bulk-register similar domains or use compromised legitimate mailboxes, sending "order update," "security reminder," "invoice reissue" emails. Emails embed short links or QR codes that steer to high-fidelity pages demanding verification codes, recovery phrase, or patch downloads.
Some emails even pass SPF/DKIM, misleading users into trusting them fully. The real risk markers hide in the domain detail and link redirection.
Common impersonation points
1) Similar domains: extra or missing letters, digits or dashes replacing letters, "ledger-support" inserted as a subdomain; the Reply-To address differs from the displayed sender address.
2) Sender display name: uses "Ledger Official" / "Security Team" wording plus a download button or QR code; the signature may contain fake phone numbers or ticket IDs.
3) Links & attachments: short links redirect multiple times; attachments are .zip/.exe/.html. Official emails do not distribute firmware or ask you to install browser extensions.
4) Copy & format: often with "immediate action," "account frozen," "refund expiring" pressure language; crude layout or mixed-language formatting, odd timezone/date formats.
5) Reply bait: asks you to reply with "verification code / recovery phrase," or to continue in a chat app "for faster processing."
Common misconceptions
Q: If DKIM/SPF pass, is the email trustworthy?
A: Not necessarily. A compromised legitimate mailbox also passes SPF/DKIM, so you still need to verify the domain and the links.
Q: Can I click the "click to fix" button?
A: Don't. Type the URL manually or view the advisory in-app.
Q: Does a PDF/ZIP attachment mean it's real?
A: No — official emails don't distribute patches via attachment or collect keys.
Q: Is it safe to reply with a verification code?
A: Verification codes, recovery phrase, and private keys must not be emailed — official support never asks.
Principles
1) On receipt, check the domain and link redirection first. Anything that doesn't match the official domain is high-risk. For short links, expand them with a preview tool to see the real destination before deciding whether to visit.
2) Sensitive operations happen only in the official app or on the official site. Do not enter keys, verification codes, or login credentials via email buttons or attachments. When in doubt, verify the ticket ID through official support.
3) Keep email headers, timestamps, and link screenshots. If confirmed phishing, rotate related credentials on a trusted device and report so the source can be blocked.
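The checks in "Common impersonation points" 1)–3) and in principle 1) can be automated for mailbox triage. The script below is an added example, not code from the original advisory or from the vendor: it parses a raw message, classifies the From, Reply-To and link domains against an allow-list, and flags .zip/.exe/.html attachments. OFFICIAL_DOMAINS holds a placeholder ("ledger.example"), not the vendor's real domain, and the two sample messages are constructed for the example. The registered-domain helper is deliberately crude (last two labels) and the brand-label edit-distance threshold is deliberately aggressive, which is what you want for triage, not for blocking.

```python
# Added example (not from the original advisory): header and link triage for
# lookalike-domain phishing. OFFICIAL_DOMAINS is a placeholder, not the vendor's real domain.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"ledger.example"}  # placeholder: replace with the real official domain
RISKY_ATTACHMENT_EXT = (".zip", ".exe", ".html", ".htm")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registered_domain(host):
    """Crude registrable domain (last two labels); real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance: catches dropped/extra letters and digit-for-letter swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host):
    """'official' if allow-listed, 'lookalike' if it imitates the brand label, else 'unrelated'."""
    reg = registered_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    label = reg.split(".")[0]
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # one or two edits on the brand label (1edger, ledgr, ledg-er); deliberately aggressive for triage
        if edit_distance(label, brand) <= 2:
            return "lookalike"
        # brand name inserted as a subdomain or hyphenated label on someone else's domain
        if brand in host.lower():
            return "lookalike"
    return "unrelated"

def _domain_of(header_value):
    # Address domain from a header such as '"Ledger Official" <x@y>'; '' when absent.
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def triage(raw_message):
    """Return human-readable risk findings for a raw RFC 822 message; [] means nothing matched."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain_of(msg.get("From"))
    reply_dom = _domain_of(msg.get("Reply-To"))
    verdict = classify_domain(from_dom)
    if verdict != "official":
        findings.append(f"sender domain {from_dom!r} is {verdict}")
    if reply_dom and registered_domain(reply_dom) != registered_domain(from_dom):
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"risky attachment {filename!r}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname or ""
                verdict = classify_domain(host)
                if verdict != "official":
                    findings.append(f"link host {host!r} is {verdict}")
    return findings

# Constructed sample messages for this example; not real phishing samples.
SAMPLE_PHISH = """\
From: "Ledger Official" <security@1edger.example>
Reply-To: tickets@ledger-support.mailhost.example
Subject: Immediate action: account frozen (ticket #4471)
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=utf-8

Your account has been frozen. Click https://ledger-support.mailhost.example/fix to restore it.
--XYZ
Content-Type: application/zip
Content-Disposition: attachment; filename="firmware_patch.zip"

--XYZ--
"""

SAMPLE_LEGIT = """\
From: "Ledger" <noreply@ledger.example>
Content-Type: text/plain; charset=utf-8

Read more at https://www.ledger.example/news
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw) or ["no findings"])
```

Run against the constructed phishing sample, triage reports four findings (lookalike sender domain, Reply-To mismatch, lookalike link host, risky attachment) and none for the legitimate sample. The script never follows links, so short-link expansion still has to be done with a preview tool as principle 1) describes; what the script does cover is the header and domain comparison that SPF/DKIM alone does not give you.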
Safety reminder: We will never ask for your recovery phrase, PIN, verification codes, or private keys. Anyone requesting them is attempting fraud — do not share and do not proceed.