June 11, 2026
Author: Adam Collins

Why Am I Getting Office365alerts Emails About Costco or BT

A phishing campaign using the sender name "office365alerts" is circulating fake emails impersonating Costco with subject lines about "Maximizing Your Costco Membership." These emails link to lookalike domains — including at least one Ukrainian-hosted site using Punycode encoding — that are designed to steal your credentials or install malware. Do not click any links.

In a Nutshell

  • Watch out for emails from "office365alerts" offering to maximize your Costco membership.
  • Check links for the "xn--" prefix: it marks a Punycode-encoded domain, which scammers use to disguise malicious sites (here, Ukrainian-hosted web servers) as legitimate ones.
  • Never trust the @microsoft.com sender address, as attackers easily spoof this to bypass your spam filters.
  • Log directly into your Costco account in a separate browser tab to verify any membership alerts.

What is the office365alerts Phishing Campaign?

Two distinct phishing emails have been attributed to a sender using the "office365alerts" label:

  • Email #1 — Costco Membership Lure: The email claims to help recipients "maximize" their Costco membership. Despite appearing to come from a Microsoft-associated address, it routes victims to a malicious site: xn--xgvsmpcra-zna36clafc13b18bk4a3331bea.sawitgokil.com
Screenshot of the Costco membership lure email (source: Reddit)

That xn-- prefix is the giveaway. It is Punycode — an encoding that represents non-Latin characters in domain names as plain ASCII, which attackers abuse to make lookalike domains appear legitimate in browsers and email clients. The domain itself is hosted in Ukraine, with no connection to Costco or Microsoft. (Source: Reddit r/phishing)

  • Email #2 — BT Home Survey Lure: The same "office365alerts" sender has also been observed distributing a fake BT (British Telecom) home survey email. Multiple victims across the UK have flagged this. The same infrastructure appears to be running both campaigns simultaneously.
Screenshot of the BT home survey lure email (source: Reddit)

Why Does the Email Appear to Come From @microsoft.com?

This is email spoofing, and it is more common — and easier to pull off — than most people realize.

Email protocols were designed decades ago without authentication in mind. The "From:" field in an email is simply text — any sender can put anything there. Unless the receiving mail server checks for SPF, DKIM, and DMARC records (authentication protocols that verify the sender is who they claim to be), a spoofed address sails straight into your inbox.

In this case, scammers are exploiting the implicit trust people place in @microsoft.com addresses. Seeing that domain, many recipients assume the email is legitimate before reading another word.

Key insight: Receiving an email from a trusted domain like microsoft.com or costco.com does not mean Microsoft or Costco sent it.
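As an added example (not code from the article or from ScamAdviser), the following Python script shows what a receiving mail server's checks look like in practice: it reads the From: domain and the SPF/DKIM/DMARC verdicts from the Authentication-Results header and lists every check that did not pass. Both messages are constructed samples, and 203.0.113.5 is a documentation IP address.

```python
import email
import email.utils
import re
from email import policy

# Verdicts come from the Authentication-Results header that the receiving
# server adds; the From: line itself proves nothing, as explained above.
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed samples (not real mail): a spoofed message that fails the
# checks, and a message that passes them. 203.0.113.5 is a documentation IP.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP 203.0.113.5) smtp.mailfrom=sawitgokil.com;
 dkim=none; dmarc=fail (p=reject) header.from=microsoft.com
From: "office365alerts" <noreply@microsoft.com>
Subject: Maximizing Your Costco Membership

Maximize your membership today.
"""
LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com;
 dmarc=pass header.from=microsoft.com
From: "Microsoft" <noreply@microsoft.com>
Subject: Your monthly statement

Your statement is ready.
"""

def auth_verdicts(msg):
    """Map each mechanism (spf/dkim/dmarc) to its lowercase result."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in VERDICT_RE.findall(str(hdr)):
            verdicts[mech.lower()] = result.lower()
    return verdicts

def check_message(raw):
    """Return the reasons a message should be treated as spoofed.
    An empty list means SPF, DKIM and DMARC all passed for the From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    reasons = []
    for mech in ("spf", "dkim", "dmarc"):
        result = verdicts.get(mech, "missing")  # absent header counts as a failure
        if result != "pass":
            reasons.append("%s=%s for From: domain %s" % (mech.upper(), result, domain))
    return reasons

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_message(raw) or "all checks passed")
```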

What is Punycode, and Why Should You Care?

The malicious link in the office365alerts Costco email — xn--xgvsmpcra-zna36clafc13b18bk4a3331bea.sawitgokil.com — is a Punycode-encoded domain. Here is why that matters.

Punycode is a method of encoding Unicode characters (non-Latin scripts like Cyrillic, Greek, or Chinese) into the ASCII format that the internet's Domain Name System (DNS) uses. This was designed to allow multilingual web addresses. Attackers have weaponized it.

How it works in an attack:

  1. An attacker registers a domain using characters from a non-Latin script that look identical to Latin letters — for example, a Cyrillic "а" instead of the Latin "a."
  2. Many email clients display the visual Unicode version, not the underlying Punycode. The domain appears to say "costco.com" while actually resolving to something else entirely.
  3. The victim clicks, lands on a convincing fake page, and enters credentials that go straight to the attacker.

This technique is known as a homograph attack or IDN homograph attack. Security researchers have confirmed it works reliably in most email clients, including older versions of Outlook.
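As an added example (not code from the article or from ScamAdviser), this Python script performs the check a user cannot do by eye: it decodes each xn-- label with the standard library's Punycode codec and reports labels that mix Latin letters with look-alike scripts, which is the homograph pattern described above. The Cyrillic sample domain is constructed; the other one is the domain quoted in the article.

```python
import unicodedata

# Scripts with letters that look like Latin ones (Cyrillic "а", Greek "ο", ...).
# A single label mixing one of these with Latin is the classic homograph pattern.
CONFUSABLE_SCRIPTS = {"CYRILLIC", "GREEK", "ARMENIAN"}

def decode_label(label):
    """Return the Unicode form of one DNS label, or None if its Punycode is invalid."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except ValueError:  # UnicodeError (bad Punycode) is a ValueError subclass
        return None

def scripts_in(text):
    """Unicode script names of the letters in text, taken from each character's name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def analyze_domain(domain):
    """Triage a hostname: list (label, decoded, reason) for every Punycode label.
    An empty list means no label needed decoding; it does not prove the domain safe."""
    findings = []
    for label in domain.lower().rstrip(".").split("."):
        decoded = decode_label(label)
        if decoded is None:
            findings.append((label, None, "undecodable Punycode label"))
        elif decoded != label:
            scripts = scripts_in(decoded)
            lookalike = scripts & CONFUSABLE_SCRIPTS
            if "LATIN" in scripts and lookalike:
                reason = "mixes Latin with %s letters (homograph pattern)" % ", ".join(sorted(lookalike))
            else:
                reason = "Punycode label using scripts: %s" % (", ".join(sorted(scripts)) or "none")
            findings.append((label, decoded, reason))
    return findings

if __name__ == "__main__":
    # Constructed sample: "apple" with a Cyrillic first letter, encoded by the stdlib codec.
    homograph = "xn--" + "\u0430pple".encode("punycode").decode("ascii") + ".com"
    # The domain quoted in the article.
    page_domain = "xn--xgvsmpcra-zna36clafc13b18bk4a3331bea.sawitgokil.com"
    for host in ("costco.com", homograph, page_domain):
        print(host, analyze_domain(host) or "no Punycode labels")
```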

How to Spot a Phishing Email: A Practical Checklist

Use this checklist any time you receive an unexpected email from a brand like Costco, Microsoft, Amazon, or a bank.

Check the actual sender address

The display name ("Costco Customer Service") can say anything. Click or hover to reveal the real sending address. If it is not from @costco.com, it is not from Costco. Watch for subtle substitutions: costc0.com, c0stco.com, or domains with extra words attached.

Hover over links before clicking

Hover your cursor over any link in the email. Your email client should show you the actual destination URL in the bottom status bar. If the URL looks strange — especially if you see xn-- at the start — do not click.

Watch for urgency language

Legitimate companies rarely email you with threats like "your account will be terminated today" or "you have 2 hours to respond." Urgency is manufactured to short-circuit your judgment.

Verify independently

If you think an email might be real, open a new browser tab and navigate to the company's official website directly. Do not use any link from the email. Log in there and check for any actual notifications.

Do not reply to the email

Replying to a phishing email confirms to the attacker that your email address is active. This guarantees you will receive more scam attempts.

Costco's Actual Fraud Policy

For the record: Costco will never email you asking for your password, credit card number, or Social Security number. The company's official fraud prevention page states clearly that any email requesting personal or financial information is not from Costco.

Costco has also confirmed it does not accept PayPal as a payment method, so any "Costco" email mentioning PayPal is immediately fraudulent.

If you receive a suspicious email claiming to be from Costco, you can report it directly to Costco's customer service team.

The Bigger Picture: Why Retail Brands Are Prime Phishing Targets

Costco is one of the most impersonated retail brands in phishing campaigns, and the reasons are structural. Membership-based retailers like Costco generate recurring communications — renewal notices, order confirmations, reward notifications — that customers are conditioned to open and act on.

According to recent phishing research by Bitdefender, nearly 37% of global email spam between March and September 2025 targeted recipients in the United States.

Microsoft, Costco, Amazon, American Express, and DocuSign were among the brands most frequently impersonated by cybercriminals during that period.

Read more on how PayPal Scam Uses Docusign to Bypass Security.

What makes modern phishing especially dangerous is AI assistance: scammers now use algorithms to mimic brand tone, replicate logos pixel-perfectly, and personalize messages — making fraudulent emails nearly indistinguishable from legitimate ones.

What to Do If You Clicked

If you already clicked a link in a suspicious Costco or office365alerts email:

  • Change your passwords immediately — starting with your Costco account, then your email.
  • Enable two-factor authentication (2FA) on all affected accounts.
  • Check for unauthorized charges on any card linked to your Costco account.
  • Run a malware scan on the device you used when you clicked.
  • Report it to the FTC at reportphishing.antiphishing.org or forward the email to phishing@costco.com.
  • If you entered your credit card details, call your bank or card issuer immediately to report potential fraud and request a new card.

How to Protect Yourself Going Forward

  • Use a password manager. Password managers will not autofill credentials on a lookalike domain. This is one of the most underrated defenses against phishing.
  • Bookmark sites you use frequently. Navigate to Costco, your bank, and other regular sites from bookmarks — not from email links.
  • Enable DMARC/SPF enforcement (if you manage a business email domain). These protocols significantly reduce the chance of spoofed emails reaching your inbox.
  • Consider a separate email address for retail signups. This isolates shopping-related phishing attempts from your primary inbox.

How ScamAdviser Helps Spot the Traps

ScamAdviser is a digital reputation engine that analyzes websites in real-time. Instead of forcing you to guess whether a domain is legitimate, it runs an automated background check on the link to determine its safety.

1. The Trust Score (1 to 100)

When you paste a suspicious link into ScamAdviser, its algorithm evaluates the URL using over 40 distinct technical data sources. It then outputs a simple Trust Score:

  • High Score (close to 100): The domain has a verified track record, reliable infrastructure, and consistent traffic.
  • Low Score (close to 1): The domain shows immediate red flags for phishing, malware distribution, or counterfeit activity.

2. Stripping Away Punycode Deception

In the Costco campaign, scammers rely on complex Punycode (xn--) to trick your browser into displaying a familiar brand name. ScamAdviser exposes this by pulling the true WHOIS data (ownership records) behind the link. It instantly reveals that the domain was newly registered, lacks valid corporate contact details, and is hosted on high-risk infrastructure (like the Ukrainian servers used in the office365alerts campaign) completely unrelated to Costco.

3. Analyzing "Hidden" Technical Signals

ScamAdviser looks at technical data points a standard user cannot easily see:

  • Domain Age: Phishing sites usually have a lifespan of only a few days or weeks. ScamAdviser flags domains that were created incredibly recently.
  • Server Neighbors: If a website is hosted on a server known for housing dozens of other flagged scam sites, ScamAdviser lowers its Trust Score based on this malicious neighborhood data.
  • SSL & Security Certificates: It checks if the encryption protocols match the legitimate standards expected of a multinational brand.

Practical Ways to Use It

  • The On-Demand Link Checker: Before clicking a link in a text message, social media ad, or unexpected email, copy the link address and paste it directly into the search bar at ScamAdviser.com.
  • Real-Time Web Protection: ScamAdviser offers browser extensions and mobile applications. When active, these tools use real-time databases to block or display warning screens if you accidentally click on a dangerous link, preventing a homograph attack from loading on your screen.
  • The Multi-Source Rule: While automated tools like ScamAdviser are incredibly powerful for detecting fresh phishing infrastructure, they are an assist tool, not an absolute guarantee. A high score does not mean you should let your guard down, and a low score on a brand-new, small business website can sometimes be a false positive. Always combine automated scores with independent verification.

Adam Collins is a cybersecurity researcher at ScamAdviser who operates under a pseudonym for privacy and security. With over four years on the digital frontlines, he specialises in translating complex threats into actionable advice. His mission: exposing red flags so you can navigate the web with confidence.
