Still Life with Robin: Phishing in a Punchbowl

 by Peggy Robin

There are so many email scams and phishing messages out there that if I sent out warnings about all the threats I hear about, I'd be doing nothing but that, all day long. However, some of them are so egregious -- and so clever and so widespread -- that even some of the savviest and most cautious list members have fallen for them.

That seems to be the case right now with the Punchbowl Invitation phishing scam. It's come in to the Listserv's posting address and/or to my personal Gmail address at least four times in the last couple of weeks.

It goes like this:

Someone on your contacts list sends you what looks like a Punchbowl invitation to attend an event. Punchbowl is a legitimate party-invite app, similar to Evite or Paperless Post, although the one making the rounds right now is just a copycat, created by some fairly sophisticated hacker(s). 

They start by acquiring someone's hacked email address, giving them access to that person's entire contacts list, and then each person on that list receives what looks like a legitimate, colorful invitation to some sort of party or celebration.

If you are on the receipient list, you may find it hard to see anything pointing to the fakery. It comes from someone you know....and it's always nice to be invited to a party, right? Your alarm bells are probably not going off -- even if you are unaware of any big milestone event coming up in that person's life. 

Anyway, you are likely curious, and so you click to open the "envelope." You see the animated envelope draw closer and then the flap opens -- just as it always does in these invitation apps -- but then you don't see the details of the event. The next thing you see is the requirement to click on a link to continue to the event.

That's where the GOTCHA comes in. If you don't fall for it and you don't click on the link, you can just delete the damn thing and you don't need to worry about it another minute. But if you thought it was real and you responded accordingly...change your email password immediately! That way you will limit the damage.

However, if the scammers have already accessed your contacts list and have started a new round of phishing emails using your name and email address, the next thing you must do is email all your contacts and tell them, "Sorry, that invitation wasn't from me but from a scammer who temporarily hijacked my email address. Please delete without opening it."

Here's a TV news segment (Las Vegas Fox 5) about the Punchbowl phishing invite: 

Cybercriminals use fake event invitations to install malware and steal data

By Lisa Sturgis

Published: Feb. 12, 2026

Fox5 Las Vegas image (does not open the video
Please click on the headline above)

LAS VEGAS (FOX5) — Cybercriminals are sending fake event invitations that appear to come from Punchbowl, a popular website for digital greeting cards and invitations.

The fraudulent invitations tell recipients to click a link for full details on the event. The emails may advise users to open the link on a desktop or laptop for the “best experience.”

Punchbowl did not send these invitations. They come from cybercriminals who use the links to install malware on victims’ devices.

Clicking on the link allows bad actors access to the device and all personal information stored on it. 

How to avoid the scam

Security experts recommend checking the sender’s email address before responding to any invitation. Personal email accounts or odd-looking web addresses indicate the invitation is not from Punchbowl.

Unusual requests, such as asking users to open a link on a laptop, are red flags. Hackers often provide instructions to help them bypass security measures.

Users should be suspicious of unexpected emails, especially those that ask them to click a link.''

~~~~~~~~~~~~~~~~~~~~~~~~

Now here are the instructions straight from the real Punchbowl people:

How Do I Know if the Punchbowl Invitation or Card I Received is Real or Spam?

Here are a few things to look out for if you suspect you may have received a fake Punchbowl message and steps to take to protect yourself.

Who it’s coming from

• All legitimate Online Invitations and Digital Greeting Cards sent from Punchbowl via email will come from mail@mail.punchbowl.com.
  • Legitimate emails will often show the Punchbowl logo and a blue verified checkmark next to the sender’s name. While this feature may not appear in all email clients, it should be visible in major ones.

Punchbowl logo and blue (verified) checkmark

• Official support emails will come from help@punchbowl.com.
• Additional legitimate emails that may communicate with users include:
  • mail@mail.punchbowl.com
  • help@punchbowl.com
  • info@punchbowl.com
  • privacy@punchbowl.com
  • security@punchbowl.com
  • support@punchbowl.com
  • updates@punchbowl.com
  • accessibility@punchbowl.com
• All legitimate Online Invitations and Digital Greeting Cards sent from Punchbowl via text message in the U.S. will come from our short code: 90403. Invites and Cards sent from Punchbowl via text message outside the U.S. will come from 877-642-0804.

What it looks like

• Invitation and Card links always start with “https://www.punchbowl.com”.
• It is important for you to know that legitimate emails from Punchbowl will never contain an attachment.
• Visual indicators and errors to look out for:
  • Broken Layouts or images that won’t load
  • Logos or buttons that are incorrectly sized
  • ALL CAPS, incorrect fonts, or red miscolored text
  • Asked to sign in before viewing invitation or card
  • Misaligned text in design or email

What to do if you suspect the message is fraudulent

If you're concerned about an Invitation or Card that you received, or have gotten reports that recipients have received an Invitation or Card from you that you didn't send, you can take the following steps to protect yourself:

• Do not open it, and do not click on any links within the email if you do.
• Please forward the email to help@punchbowl.com. It's possible that someone has created an email to look like an Invitation or Card from Punchbowl in a phishing attempt.
• Mark the email as spam within your inbox.
• If recipients have received an Invitation or Card from you that you didn't send, we recommend that you update your email account password.

How to help others

If friends and family email you to say they received an invitation from you that you never sent AND they cannot open the links, we suggest that you reply with text along these lines:

"It looks like someone may have created an email to look like an Invitation from Punchbowl in a phishing attempt. Please do not click any links in the email. If/when I send actual invitations from Punchbowl, they will come from mail@mail.punchbowl.com."

~~~~~~~~~~~~~~~~~~~~~~~~

Wishing you a scam-free spring and lots of invitations toREAL events put on by people you love and trust!

---------------------------------------

Still Life with Robin is published on the Cleveland Park Listserv and on All Life Is Local on Saturdays.