BEWARE GREETING CARD SCAMS FROM TRUSTED SENDERS

28 May 2026 7:28 AM | Terry Findlay (Administrator)

“You’re invited!”

Not really, but that’s the message scammers are now using to steal users’ login credentials with a greeting card scam that’s making the rounds. Here’s how it works.

You receive an email from a friend, someone who has you in their contacts, inviting you to a party. The message appears to come from an invitation site like Paperless Post or Punchbowl, and there are few details beyond a suggestion to open the invitation. It’s a legitimate message, in the sense that it really does come from your friend, whose account has been hacked. But that’s all that’s legitimate about it.

Examples of greeting card scams

If you click the View the Card link or Open Invitation button, you’ll immediately be sent to a site that asks you to log in with your email credentials. Provide your username and password, and your email account will be the next one compromised. Once the scammer has access to your email account, they can also get into financial and other confidential accounts that allow passwords to be changed with email verification.

How One Experienced User Got Caught

I’ve seen three of these scams recently, all from intelligent, experienced Internet users. One was even from an old industry friend who was professionally mortified to have fallen for it (the middle screenshot above). He explained that four factors allowed the social engineering attack to succeed:

  • He was expecting an invitation from his sister, who’s having a significant birthday next year. The phishing email came from her account, so it seemed entirely plausible.
  • He and his partner were having a calendar meeting about their plans for the next few months, so the phishing email arrived at the “perfect” time. They were both eager to act on the invitation so they could plan around it.
  • Because they were in the middle of planning, he hurried through the process to learn more and respond. In his rush, he ignored warning signs like the non-Punchbowl URL, the slightly funky-looking email, and the solicitation for email credentials. Like so many people, he’s become accustomed to entering his username and password on certain websites and didn’t take the time to question it.
  • He was using his iPhone and either didn’t know or had forgotten that you can touch and hold any link in Safari to preview it. On his Mac, he likely would have hovered over the Open Invitation button, seen the fake URL, and stopped.

How Can You Identify and Avoid Greeting Card Scams?

The good news is that these scams are easy to spot if you take the time to look carefully. Red flags include:

  • Does the invitation make sense? Two of the three I received were from people on the other side of the country, so being invited to an Easter luncheon seemed unlikely. The third one was sent to a mailing list where the sender wouldn’t have known most of the subscribers, so that was also implausible.
  • Do you have to click to see any details about when the event is, where it’s being held, and so on? Legitimate invitations should make at least some of that information available up front.
  • Do the links go to any site other than the actual greeting card provider? Before clicking, preview the URL—on a Mac, hover over the link; on an iPhone or iPad, touch and hold it.
  • Are you asked to sign in with your email address and password? A greeting card service might ask you to create a service account or sign in to RSVP, but no legitimate service will ever ask for your email password.

The most important advice I can give is to enable multifactor authentication for your email account, which will stop takeovers in their tracks.

Otherwise, all you can do is slow down a little, pay attention, and exercise some caution, which is solid advice for all online activities these days.

After initial publication, a rep from Paperless Post provided three ways to verify a legitimate Paperless Post invitation:

  • It will always come from a @paperlesspost.com email address
  • It will only link to paperlesspost.com
  • It will never ask you to log in or download anything to view a card

Plus, if you get what looks like a suspicious Paperless Post invitation, you can forward it to phishing@paperlesspost.com so their team can investigate it.

Paperless Post recently posted about this, and Punchbowl also offers advice on detecting scams.
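
The first two Paperless Post checks can be run against a saved message. The following Python sketch is an added example, not code from this article or from Paperless Post. The sample message and its .example addresses are constructed, and treating subdomains such as www.paperlesspost.com as legitimate link targets is an assumption; the third check (no login prompt) only shows up on the landing page, so it is not covered here.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "paperlesspost.com"  # the domain the Paperless Post rep names above

# Constructed sample: an "invitation" sent from a friend's hijacked mailbox.
SAMPLE = """\
From: Pat Friend <pat@mail.example>
Subject: You're invited!
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Pat sent you an invitation.</p>
<a href="https://paperlesspost.com.cards-view.example/open">Open Invitation</a>
<a href="https://www.paperlesspost.com/help">Help</a>
"""

def in_domain(host, domain=TRUSTED):
    """True for the domain or a real subdomain, never for a look-alike prefix."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href of every <a> tag seen in the HTML body
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_invitation(raw):
    """Return findings for checks 1 and 2; an empty list means both passed."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender.rpartition("@")[2] != TRUSTED:
        findings.append(f"sender {sender} is not @{TRUSTED}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.hrefs:
        if not in_domain(urlsplit(href).hostname):
            findings.append(f"link leaves {TRUSTED}: {href}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_invitation(SAMPLE)) or "no findings")
```

The host comparison matters more than it looks: a link whose address merely starts with the provider's name still fails, because only the end of the hostname decides who controls the site.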

How Can You Help a Friend Whose Account Has Sent a Greeting Card Scam?

Unfortunately, the more serious damage to the sender has likely already occurred, but it’s still important to alert them that their email account has been compromised and to urge them to change their password immediately.

If possible, do that via text message, phone call, or an email to a different email address or to a friend or family member who might be able to get in touch more directly.

What Should You Do If You Fall Prey to a Greeting Card Scam?

First off, no judgment here. As with my industry friend, if all the factors align, anyone can be fooled. It may seem as though he was just unlucky, and while that’s true, I think many of the necessary factors can align more often than we expect. That’s why the scam works.

If the compromised account was a Gmail account, immediately go to your Google Account’s Device Activity page. Sign out of any sessions you don’t recognize. This kicks the scammer out of your account before they can do further damage. (Other email providers may have equivalent security pages.)

Next, change your password and enable multifactor authentication. Be aware that changing your password doesn’t automatically revoke access that the scammer may have granted to a third-party app while they were in your account. Gmail users should go to the Third-Party Apps & Services page, review the list carefully, and remove any unfamiliar entries.

Regardless of your email provider, review your email settings to see if the scammer set up mail forwarding or filters that would redirect your messages. If so, delete them immediately.

It’s worth looking through recent sent and received emails to see if there’s any indication of which accounts the scammer may have targeted, but they likely deleted such messages.

You could try sending an email to all your contacts to alert them not to click the greeting card scam link, but if you have hundreds of contacts, it likely isn’t worth the significant effort involved. If you do this, it’s probably best to send in BCC’d batches of 10 to 20 at most to reduce the risk of triggering spam filters.

Now comes the tedious part. You’re going to have to log in to every account in your password manager, starting with the most important (financial, government, tech giants like Amazon and Google, and so on). If your stored password doesn’t work, change it immediately, then review account activity to determine the ways it might have been compromised. Also, turn on multifactor authentication for any accounts where it’s available.

If that sounds awful, consider it incentive to exercise caution out there!
