The message looks flawless. Over the past few days, millions of fake IONOS invoices have been circulating across Germany. First of all: IONOS is not to blame and is itself a victim. At the top is the familiar blue logo, next to it the sentence saying your IONOS invoice from July 12 is available, a customer number, an amount of €48, and a button inviting you to view the invoice. Anyone who actually uses the company as a provider may click in an unguarded moment. That single moment is exactly what the entire scam is built around.
Because the address the message comes from is not the real one. It only looks that way. What appears to be ionos.com does not contain a normal o, but a Greek omicron, and what appears to end in com does not contain a normal c, but a Czech c with a caron, the letter č. To the human eye, noreply@ionos.com and noreply@iοnos.čom are almost impossible to tell apart. To a computer, they are two completely different addresses. This is called a homograph attack. It uses foreign characters that closely resemble Latin letters to imitate well known names.

René Descartes once imagined an evil spirit using all of its power to deceive him and answered it with doubt as a method: accept nothing as true until it has survived careful examination. That is exactly what is required here, looking closely before taking action.
The fake contains even more warning signs if you know where to look. The text is filled with random letters inserted into the middle of words. That is not a typo. It is deliberate. The purpose is to bypass spam filters designed to detect fraudulent emails. The signature names a supposed chief executive whose name sometimes exists in the real company and sometimes does not. Even the recipient's email address has been corrupted. And the numbers that are meant to inspire confidence, the invoice number and the contract number, are completely fabricated. In this case, the scam even exposes itself because the invoice number shown at the top does not match the one in the body of the email. Anyone who checks carefully will find the crack.

The technical reality behind it is quickly explained and easily exposed. The real sender address, in its machine readable form, is xn--inos-0nd.xn--om-dma. That is the plain encoding of an internationalized domain name that software converts back into attractive looking characters. It is exactly this conversion that scammers exploit so that, from a distance, the address appears to be the trusted name people expect to see.
A good trick is this: simply click "Reply" and look carefully at the sender's email address.

From that follows a simple rule of caution that requires no technical expertise. Check before you click a link or enter information into any field, and check carefully. Examine the sender's address character by character, not at a glance, but letter by letter. Compare the information with what you know to be correct, in this case your customer number, which you can find in your own records. If it does not match, the matter is settled. And if even the slightest doubt remains, there is one final, reliable safeguard: call your service provider and ask whether the invoice actually came from them. A phone call costs only a few minutes. One wrong click can cost you your password and much more.
If you have already clicked and entered your information, change your password with the affected provider immediately and enable two factor authentication if you have not already done so. Do not open attachments, do not follow links, delete the message, or report it as phishing. This fake is crude enough that an alert person can recognize it. Yet it is sent out by the millions, and the scammers succeed if only a small number of people stumble. There is only one effective defense: doubt first, click later, and when in doubt, ask one question too many rather than one too few.
Updates – Kaizen News Brief
All current curated daily updates can be found in the Kaizen News Brief.
To the Kaizen News Brief In English