The Email That Almost Looked Like Todd How one suspicious message reveals the most dangerous attack style of 2026

The Email That Almost Looked Like Todd How one suspicious message reveals the most dangerous attack style of 2026

There's a moment every business professional has experienced. You glance at your inbox, you see a familiar name, and without thinking — you click.

That's not carelessness. That's human nature. And attackers have built an entire industry around it.

This week, one of our clients forwarded us an email that stopped us cold. On the surface, it looked routine — a message from "Todd Cardenas" with a document attached, timestamped 7:57 AM on a Thursday morning. Nothing alarming. The kind of email that gets opened between a first and second cup of coffee.

Except Todd didn't send it.

What the email was actually doing

The display name said Todd. But the real sender — buried in the headers that almost nobody reads — was adammiller@admillerinc.com. A domain with no prior relationship. A name that meant nothing. A sender Microsoft's own system quietly flagged with a warning: "You don't often get email from this address."

Most people dismiss that banner. Attackers know that too.

Attached to the email was an .ICS file. A calendar invite. It sounds harmless — the kind of thing you'd click to accept a meeting. But this one carried a long, randomized numeric filename that's a signature of automated attack toolkits designed to slip past security filters undetected.

Here's what happens when someone opens it: their calendar application doesn't just display the file. It processes it. Embedded inside can be links to credential-harvesting pages, auto-executing scripts, or silent redirects that establish a foothold on your network before you've even finished your morning emails.

This particular combination — spoofed identity, unfamiliar domain, calendar-file payload — is what security professionals call a Business Email Compromise attack. It was the number one cause of financial loss from cybercrime last year, responsible for billions in damages globally.

The three seconds that matter most

Here's what we tell every client: the moment between seeing an email and acting on it is the most important moment in your cybersecurity posture. Not the firewall. Not the endpoint detection. Those three seconds.

Before you click anything, ask yourself three questions:

Does the sender's email address match who they claim to be — not just the display name, but the actual domain? Did you expect this communication, or did it arrive without context? Is there any reason someone who knows you would send this type of file, from this address, right now?

If any of those answers feel uncertain, you don't click. You pick up the phone and call the person directly. Not reply to the email. Not send a Teams message that goes to the same compromised account. A phone call.

What BITbyBIT clients do differently

Since 1987, we've watched the threat landscape transform from floppy disk viruses to nation-state ransomware. But the most persistent attack vector hasn't changed: it's a message, it's urgent, and it's asking you to do something before you think too hard about it.

Our managed clients have three layers protecting them from exactly this scenario. SentinelOne's AI-driven endpoint detection flags malicious calendar payloads before they execute. Our security awareness training means their teams have seen this exact attack pattern in simulation — so when the real thing arrives, it feels familiar in the wrong way. And our dark web monitoring catches credential exposure early, before attackers can use it to make their spoofed emails even more convincing.

But none of that replaces the three-second rule.

The email that almost looked like Todd? It's sitting in a quarantine folder now. The client called us first. That call cost them thirty seconds.

The alternative could have cost them everything.

---

Is your team trained to catch what your filters miss? Start a conversation with BITbyBIT at info@bitxbit.com — we've been protecting businesses since before the internet was a threat surface.

Is your business ready for Microsoft Copilot? Let’s find out.

For most business owners today, the marketing hype around Microsoft Copilot and AI raises more questions than it answers. You are likely asking yourself what it actually does, how it differs from tools like ChatGPT, and what your business needs to have in place before rolling it out.

We are here to give you a clear, no-nonsense breakdown.

Join us live on June 9th at 11:00 AM ET for our AI Readiness webinar with Julie Hodges from Microsoft. We will break down exactly what Copilot does inside Word, Excel, Outlook, Teams, and PowerPoint, what it does not do, and how to prepare your IT environment for a successful rollout.

Register for the June 9th webinar  HERE

If you would rather discuss your specific business needs directly, please reply to this email to schedule a brief consultation. I would be happy to walk you through an AI readiness assessment.

We look forward to seeing you at the webinar!

🚨 Texas Toll “Final Notice” Text Scam: What You Need to Know

If you received a text message like this, stop and do not click the link:

“Texas Toll Final Notice: Unpaid charges! Must pay by Jan 31, 2026, at scamlink . Late payment leads to penalties under state law.”

This is a classic smishing attack (SMS phishing), and it’s circulating heavily across Texas right now.

---

Why This Message Is a Scam

At first glance, the message feels urgent and official. That’s intentional. Here’s how you can tell it’s fake:

1. The Website Is Not Legit

• Real Texas toll agencies do not use random domains like:

  tx.gov-drf.cc
  

• Official Texas government websites always end in .gov, not .cc, .co, or other foreign domains.

2. Urgency + Threats = Red Flag

• Scammers rely on panic:

  • “Final Notice”

  • “Must pay by Jan 31”

  • “Penalties under state law”

• Legitimate toll agencies send multiple mailed notices before threatening penalties.

3. No Account or Toll Details

• There’s no:

  • License plate number

  • Toll road name

  • Invoice or statement number

• Real toll notices always reference specific trip details.

4. Government Agencies Don’t Collect via Text

• Texas toll authorities do not demand payment via SMS links.

• Payments are handled through official portals you access directly—not through unsolicited texts.

---

What Happens If You Click the Link

If you click the link or enter information, scammers may:

• Steal your credit card number

• Capture name, address, and phone

• Install malware on your phone

• Sell your data on the dark web for future scams

Even if the page looks professional, it’s designed to harvest your data.

---

What You Should Do Instead

✅ If You’re Unsure About a Toll

• Go directly to the official site of your toll authority:

  • NTTA

  • TxTag

  • EZ TAG

• Type the website manually—never click text links

❌ If You Receive This Text

1. Do not click the link

2. Delete the message

3. Report it as spam on your phone

4. Optionally forward it to:

   • 7726 (SPAM) for most carriers

---

Why These Scams Are Increasing

Scammers know:

• Many Texans use toll roads

• People fear legal penalties

• SMS messages feel more “urgent” than email

They combine fear + speed + fake authority to trick victims before they think critically.

---

Key Takeaway

No Texas toll agency will ever demand payment through a random text link.
If it didn’t come by mail and doesn’t point to a verified .gov site, assume it’s a scam.

When in doubt: slow down, don’t click, and verify independently.

🚨 Phishing Alert: “A RingCentral Account Has Been Created for You”

🚨 Phishing Alert: “A RingCentral Account Has Been Created for You”

When a Legitimate Brand Is Used to Create Confusion

Recently, an email surfaced claiming that Coinbase Global Inc had created a RingCentral account on behalf of the recipient. At first glance, it looks credible:

• Well-known brands

• Professional formatting

• A legitimate-looking sender domain

• No obvious spelling disasters

But this is precisely why these emails are dangerous.

---

What Makes This Email Suspicious?

Let’s break down the red flags.

1️⃣ You Didn’t Request the Account

Security starts with intent. If you did not initiate a RingCentral account or register for an event tied to Coinbase, that alone is reason to pause.

Attackers rely on:

• Curiosity

• Urgency

• Confusion

“Maybe I forgot signing up…”

That moment of doubt is what they exploit.

---

2️⃣ Brand Pairing That Feels “Off”

Coinbase and RingCentral are both legitimate companies — but why would Coinbase create a phone or meeting account for you?

This technique is known as brand laundering:

• Use multiple trusted names

• Lower your defenses

• Make the email feel official by association

---

3️⃣ Account Creation Emails Are High-Risk by Design

Any email involving:

• New account creation

• Login links

• Profile deletion

• Password setup

…should always be treated as high-risk, even if the sender appears valid.

---

4️⃣ “Delete Your Account” Links Are a Trap

The message conveniently offers a way to “delete the account” by logging in.

That’s dangerous because:

• The link could lead to a fake login page

• Credentials entered there can be captured

• MFA tokens can be harvested in real time

Never click account-management links from unsolicited emails.

---

What Should You Do Instead?

✅ Safe Response Checklist

If you receive an email like this:

✔ Do not click any links
✔ Do not reply
✔ Do not forward internally without context

Instead:

• Go directly to the vendor’s website manually

• Log in using a known, trusted bookmark

• Check if the account actually exists

• Report the email to IT or security

---

Why This Matters for Businesses

Emails like this are often the first step in:

• Credential theft

• MFA fatigue attacks

• Business email compromise (BEC)

• Lateral movement inside Microsoft 365

For organizations without:

• Security awareness training

• Email filtering

• User-reported phishing workflows

…it only takes one click.

---

Final Thought: “Looks Legit” Is No Longer a Defense

Modern phishing isn’t sloppy.
It’s clean.
It’s branded.
It’s convincing.

The safest mindset is simple:

If you didn’t ask for it, don’t trust it.

---

📞 Need Help Protecting Your Users?

If you want help implementing:

• Security awareness training

• Phishing simulations

• Microsoft 365 hardening

• Email threat protection

👉 Visit www.bitxbit.com or call 877-860-5831

🚨 Fake “Booking Confirmations” and Localized Scams Surge Across North Texas

Arlington, TX — March 2026

A new wave of scams targeting North Texas residents and businesses is becoming increasingly sophisticated, blending familiar brands, local references, and everyday platforms into messages that appear legitimate at first glance.

One recent example circulating in the region involves a fake booking-style confirmation for a computer protection plan, complete with a charge of nearly $400 and a listed customer support number. While the message appears routine, cybersecurity professionals say it reflects a broader trend of social engineering attacks designed to trick recipients into initiating contact with scammers.

---

A Growing Problem Nationwide — and in Texas

According to the Federal Trade Commission, consumers reported more than $12.5 billion in fraud losses in 2024, marking a significant increase from previous years.

Texas has been particularly impacted. Data from the FBI Internet Crime Complaint Center indicates that Texans lost over $1.35 billion to internet-related crimes, placing the state among the highest in the nation for reported losses.

Security experts say many of these incidents begin with seemingly harmless messages — invoices, shipping notices, or booking confirmations — that prompt recipients to act quickly.

---

Scams Are Getting Local

Authorities across North Texas have issued multiple warnings in recent months about scams tailored specifically to the region:

• The Texas Department of Transportation has warned drivers about fraudulent TxTag toll payment texts, emphasizing that the agency does not request payments via unsolicited messages.
• Texas officials have also cautioned residents about fake DMV violation texts, which attempt to collect fines through links or mobile payments.
• Law enforcement in the Dallas area has reported fraudulent municipal court messages, often including QR codes directing victims to spoofed payment sites.
• In nearby Denton County, officials have identified impersonation scams involving callers posing as law enforcement, sometimes using convincing scripts or voice manipulation.
• With Arlington preparing to host matches for the 2026 World Cup, the Federal Trade Commission has also warned of ticket and travel scams tied to major events.

“These scams are no longer generic,” one cybersecurity professional noted. “They’re tailored to what people in a specific region expect to see.”

---

How the “Booking Confirmation” Scam Works

The fake booking confirmation scam typically follows a consistent pattern:

• A message confirms a purchase or subscription the recipient did not knowingly make
• A recognizable brand name is included to build trust
• A phone number or link is provided to “resolve” the issue

Experts warn that the goal is not the transaction itself — but the response.

Once a victim calls or clicks, scammers may:

• Request remote access to a computer
• Direct users to fraudulent websites
• Attempt to capture login credentials or payment information

The Federal Trade Commission has previously warned that these types of tech support and subscription scams often rely on urgency and fear to prompt immediate action.

---

Businesses Face Elevated Risk

While individuals are frequently targeted, businesses may face greater consequences if an employee interacts with a scam message.

Potential risks include:

• Unauthorized system access
• Compromised credentials
• Financial fraud
• Exposure of sensitive business data

Cybersecurity professionals emphasize that traditional defenses alone are not enough.

“Many of these attacks don’t involve malware initially,” experts note. “They rely on human interaction first.”

---

What Residents and Businesses Should Know

Authorities and cybersecurity professionals recommend the following precautions:

• Do not call phone numbers provided in unsolicited messages
• Avoid clicking links or scanning QR codes from unknown sources
• Verify any charges or notices directly through official websites
• Report suspicious activity to your IT team or appropriate authorities

The Federal Trade Commission also advises consumers to report scams to help track trends and prevent further incidents.

---

A Shift in the Threat Landscape

The rise of localized, highly convincing scams signals a shift in how cybercriminals operate. Instead of broad, generic messages, attackers are increasingly leveraging regional familiarity and trusted brand names to improve their success rates.

For North Texas residents and businesses, the message is clear:

If something appears legitimate but feels unusual, it’s worth verifying before taking action.

🚨 The “Geek Squad” Email Scam: What It Is and How to Protect Your Busines

🚨 The “Geek Squad” Email Scam: What It Is and How to Protect Your Business

4

A Real-World Example of a Growing Threat

Recently, a suspicious email surfaced claiming a successful Geek Squad subscription renewal with a charge of $189.99. It included a support number and urged immediate contact if the charge wasn’t authorized. 

At first glance, it looks legitimate:

• Professional branding
• A believable subscription service
• A clear dollar amount
• A sense of urgency

But this is not a real charge. It’s a social engineering attack—and a common one.

---

🔍 What This Scam Is Really Doing

This is known as a refund scam, and it works like this:

1. You receive a fake invoice or renewal notice
2. It claims you’ve been charged (you haven’t)
3. You panic and call the number provided
4. The scammer:
   • Gains your trust
   • Requests remote access to your computer
   • Or convinces you to “reverse” the charge (which actually sends them money)

The goal isn’t the $189—it’s access to your systems, banking, or identity.

---

🚩 Red Flags in This Email

Let’s break down what gives this away:

1. Urgency Without Verification

“Contact support immediately if unauthorized”

This is designed to trigger a reaction before you think.

2. Suspicious Sender

The email comes from a Gmail address, not a corporate domain—huge red flag.

3. Phone Number Trap

The number is the attack vector. Once you call, you’re in their funnel.

4. Generic Language

No real account details, no proper authentication—just enough info to look real.

5. Brand Spoofing

They reference “Geek Squad” and “Best Buy Total” to leverage trust.

---

🧠 Why This Works (Even on Smart People)

This isn’t about intelligence—it’s about psychology:

• Fear of being charged
• Desire to fix things quickly
• Trust in familiar brands

Even experienced professionals fall for this when they’re busy or distracted.

---

🛡️ What You Should Do Instead

If you or your team receive something like this:

DO:

• Verify charges directly through your bank or official website
• Forward the email to your IT/security team
• Delete the message

DO NOT:

• Call the number in the email
• Click links or download attachments
• Provide any personal or financial information

---

🏢 Why This Matters for Your Business

This isn’t just an annoyance—it’s a business risk.

If one employee falls for this:

• Attackers can gain access to your network
• Financial fraud can occur
• Cyber insurance claims may be denied if controls aren’t in place

And here’s the hard truth:
Most IT providers are not actively training or protecting users from this type of attack.

---

🔐 How Bit by Bit Helps Prevent This

At Bit by Bit Computer Consulting, we go beyond keeping systems running—we focus on protecting your business:

• ✅ Security awareness training (so users spot scams like this)
• ✅ Endpoint protection and monitoring
• ✅ Email filtering and threat detection
• ✅ Incident response planning
• ✅ Compliance alignment for cyber insurance

---

📞 Don’t Wait Until It’s Too Late

If your team received this email and didn’t immediately recognize it as a scam, that’s your warning sign.

👉 Let’s fix that before it becomes a problem.

Contact Bit by Bit Computer Consulting
🌐 www.bitxbit.com
📞 877.860.5831

🚨 The $849 AppleCare+ Scam: How Criminals Are Tricking Smart People Right Now

🚨 The $849 AppleCare+ Scam: How Criminals Are Tricking Smart People Right Now

4

A New Wave of Apple-Themed Scams Is Making the Rounds

A growing number of people are receiving alarming emails that look like legitimate Apple order confirmations. The message claims that an expensive AppleCare+ protection plan — often around $800+ — has been purchased on your account.

At first glance, it looks convincing.

It includes:

• An order ID
• Device names like iPhone, MacBook, and iPad
• A total charge amount
• A “security warning” about suspicious activity

But here’s the truth:

👉 It’s a scam designed to scare you into calling a fake support number.

---

How the Scam Works

This type of attack is called “callback phishing.”

Instead of asking you to click a link, the attacker wants you to:

1. Panic about the charge
2. Call the number provided
3. Speak to a fake “Apple security agent”

From there, they may:

• Ask for your Apple ID credentials
• Request remote access to your computer
• Convince you to “reverse charges” through fake steps
• Steal payment information

---

The Biggest Red Flags

Let’s break down what gives this scam away:

1. Fake departments
“Apple Protection Places division” isn’t real.

2. Urgency and fear tactics
Real companies don’t pressure you to act immediately over the phone.

3. Third-party phone numbers
Apple does not route security issues through random call centers.

4. Generic messaging
No personalization, no real account verification.

---

What You Should Do Instead

If you receive a message like this:

✅ Do NOT call the number
✅ Do NOT click any links
✅ Do NOT provide any information

Instead:

• Log directly into your Apple ID at the official Apple website
• Check your recent purchases
• Contact Apple support through their official site or device

---

Why This Scam Works So Well

These attackers are getting smarter.

They:

• Use real product names
• Mimic Apple formatting
• Create believable dollar amounts
• Trigger emotional reactions (fear + urgency)

Even experienced professionals fall for these when caught off guard.

---

Final Thought: Slow Down and Verify

The biggest mistake people make is reacting too quickly.

When you see a message like this:

“Act immediately or risk losing access”

That’s your cue to pause, not panic.

Because in cybersecurity, urgency is often the scammer’s strongest weapon.

---

💡 Need Help Protecting Your Business?

At Bit by Bit Computer Consulting, we help organizations:

• Detect and prevent phishing attacks
• Train employees to recognize scams
• Implement real security protections that insurance companies require

👉 Visit www.bitxbit.com or call 877.860.5831 to learn more.

Cybersecurity isn’t just protection—it’s prevention.

🚨 The $399 “Support Plan” Scam: How Fake Bookings Are Tricking Businesses and Consumers

It starts with something that looks completely normal.

A booking confirmation.
A receipt.
A familiar brand name like “Norton.”

And before you know it… you’re staring at a $399 charge for something you never intended to buy.

---

What Happened Here?

Let’s break down what this example shows:

• A booking confirmation through Booksy
  
• A “Norton 360 PC Premium Protection Plan” purchase
• A charge between $319–$399
• A support phone number included
• A sense of urgency and legitimacy

At first glance, it looks like a routine transaction.

It’s not.

This is a social engineering scam, and it’s getting more sophisticated.

---

⚠️ The Red Flags You Should Never Ignore

This message contains several classic warning signs:

1. Brand Impersonation

“Norton” is a trusted name—but this is NOT actually from them.

Scammers rely on familiar brands to lower your guard.

---

2. Suspicious Phone Number

The message pushes you to call support:

📞 +1 (805) 259-5180

This is the trap.

Once you call, they:

• Try to “verify” your system
• Ask for remote access
• Attempt to extract payment or data

---

3. Vague Product Description

“PC Premium Protection Plan”
No clear licensing details, no official SKU, no vendor validation.

That’s intentional.

---

4. Urgency + Confirmation Combo

They tell you:

• Your order is confirmed
• It will be activated in 1–2 days

This creates pressure to act quickly before you “lose money.”

---

5. Unfamiliar Platform Usage

Why is a cybersecurity product being sold through a booking platform?

Because attackers are exploiting trusted platforms to bypass suspicion.

---

🧠 How This Scam Actually Works

This is not about selling software.

This is about getting you to engage.

Once you:

• Call the number
• Click a link
• Reply to the message

You’ve entered their funnel.

From there, they escalate:

• Remote access scams
• Fake refunds
• Credential theft
• Bank or card fraud

---

🏢 Why This Matters for Your Business

If this reaches your employees, you now have:

• ❌ Risk of unauthorized remote access
• ❌ Compromised credentials
• ❌ Financial fraud exposure
• ❌ Potential compliance violations

And here’s the uncomfortable truth:

👉 Traditional antivirus will not stop this.

Because this isn’t malware first—it’s human manipulation first.

---

🔐 What You Should Do Immediately

If you or your team receives something like this:

DO:

• Verify purchases directly through official vendor portals
• Report the message to IT/security immediately
• Educate your team on phishing and social engineering

DON’T:

• Call the number provided
• Click links in the message
• Provide remote access to anyone unsolicited

---

🛡️ The Bigger Picture: Tools Aren’t Enough

You can have:

• Antivirus
• Firewalls
• Email filters

…and still fall for this.

Because attackers are targeting people, not just systems.

That’s why modern protection requires:

• Security awareness training
• Endpoint detection and response (EDR)
• 24/7 monitoring (MDR)
• Clear internal processes

---

💡 Final Thought

If it looks legitimate but feels off…

👉 Trust that instinct.

Scammers are counting on you being busy, distracted, or just trusting enough to not question it.

---

🚀 Call to Action

Don’t wait until a $399 scam turns into a $40,000 breach.

👉 Get a real security strategy in place today.
🌐 www.bitxbit.com
📞 877.860.5831

Will your business be ready? Can you survive a breach or outage?

Hi Hacker,    If cybersecurity jargon like SOC, MDR, and zero-trust overwhelms you, you're not alone. Most business leaders need clarity and peace of mind, not technical terminology. Understanding the tools is just the first step.   The real question is: How do you build a cybersecurity fortress that actually works for your business?   That's why I'm personally inviting you to join us for an executive briefing:   The 2026 Cyber Threat Landscape: A Leader's Guide to Business Resilience Date & Time: April 7th at 11:00 AM ET Register for the Webinar In just 30 minutes, you'll hear directly from cybersecurity experts on: The critical gap between owning security tools and having true security operations What 24/7 monitoring and incident response actually look like in practice How to build a security strategy that delivers confidence, compliance, and peace of mind This isn't a technical deep dive. It's a strategic conversation designed specifically for business leaders like you.   Want a sneak peak? We've just published a new article that cuts through the noise: "SOC & MDR Explained (In Plain English): Your 24/7 Cybersecurity Answer."    It breaks down exactly what a Security Operations Center and Managed Detection and Response mean for your business, and why they matter.   Read the Blog Looking forward to seeing you there.    Best regards,  Ivan Shore  VP of Sales and Marketing  Bit by Bit  Bit by Bit, 115 West 29th Street, 12th floor, New York, NY 10001

Trial-Ready Cohort-Down Syndrome Study Info

Trial-Ready Cohort-Down Syndrome Study Thank you for letting us talk at your membership meeting Thursday night. It was truly a special experience. My name is Tania Romero, and I am the primary Research Coordinator for the TRC-DS study on the Cognition and Memory team here at UTSW. I also oversee our recruitment efforts for the team.    As mentioned, the TRC-DS study stands for Trial-Ready Cohort-Down Syndrome.  It is an observational study looking for healthy adults between the ages of 25 and 55 with Down syndrome to participate and become part of a larger movement advancing Alzheimer's disease therapies and potential cures for people with Down syndrome. It is a 4 year (48 month) study where you will be required to come in about 8 times. The first visit will last about 4-5 hours The MRI will be done on a separate day. Study procedures include cognitive testing, MRI, blood draw, and a visit with a neurologist.  Below are links to three flyers with information. TRC-DS Research Study Brochure TRC-DS Research Study FAQ TRC-DS Research Study Flyer Please let me know if you are interested in the study.    Tania Romero, BSPH Clinical Research Coordinator I- Neurology  Cognition and Memory  UT Southwestern  5303 Harry Hines Blvd. 9th Floor, Dallas, TX 75390-8869 Office: 214-648-9331 Text: 214-620-0377  It's not too late! Advocates for Special People PO Box 121652 Arlington, TX 76012 Email not displaying correctly? View it in your browser