The story you are about to see is true. The names have not been changed to protect the innocent. This does not mean everyone in the story was guilty. It means the actual, private citizens involved in the real crimes had their identities exposed because it was necessary to tell the story – This is Not Dragnet.
Here is the thing nobody tells you about phishing in 2026. The green checkmarks lie. Not in the sense that they’re broken. They work exactly as designed. They just answer a question you didn’t ask, and the gap between the question they answer and the question you care about is precisely where somebody walks in and takes your email password.
I got one of these this week. It landed looking like a bill from BTC, my phone company down in the Bahamas. Clean layout, the right blue, a friendly amber button begging to be pressed. Spam filter waved it right through. Every authentication check it’s supposed to face came back clean. And it was, top to bottom, a fake built to steal the login to my mailbox. My email program disables all those clicky buttons so I wasn’t at risk. But I went ahead and disabled that protection so you can see if you did hover over the “View Your BTC Bill Here” button.
Let me show you how I know this was spam, because the method is not hard and once you see it you can’t unsee it.
First, the face of the thing
This is what showed up. Screenshot it, don’t click it. That’s rule zero and we’ll come back to why.

The phishing email body, as rendered in the inbox.
Looks fine, right? That’s the point. Somebody put work into the shell. To me, it looks like one of the many phishing tools out there. But read the words, not the design. Now read that third line nice and slow like you’re talking to the deputy trying to convince him on the number of drinks you had tonight.
login with your current Email address and password with your current Email address to view your bill below.
OK, you might have missed it but we want to stay out of the drunk tank and definitely don’t want to visit phishing jail. It is not asking for my BTC account login. It is asking for my email address and my email password. My phone company wants the keys to my Gmail? To read a bill? No. No legitimate business would ask you to type the password for a completely different company’s service into their form. That one mangled sentence is the entire scam, proving you aren’t lying and are just a really bad driver. Don’t argue FLOCK already sent the footage to your insurance company (too soon?). Everything else on the page, the branding, the button, the polite footer about topping up your phone- exists to get your thumb moving toward that box.
And notice the sludge in the writing. “Password with your current Email address” is garbled in a way a real marketing team never ships. “Dear Valued Customer” and “your account number” sitting there as literal words instead of, you know, my actual account number. That means there was no lookup behind this. No database. Just a template fired at a list of strangers, and I was one of the strangers.
So, the body alone convicts it. But I wanted to know who actually sent it, and that story lives underneath, in the part your mail app hides by default.
The headers, where the real sender can’t hide
Every email carries a stack of routing data called headers. Your inbox shows you a tidy summary and buries the rest. In Gmail on the web you pull the full thing with the three-dot menu and “Show original.” Apple Mail, it’s View then Message then Raw Source. Outlook has “View Source.” This is safe. You’re reading text, not loading anything.
Here’s what came out. I’ve swapped my real address for MYEMAIL@MYDOMAIN.COM so I’m not painting a target on myself, but everything else is exactly as it arrived.
“BTC Customer Care <info@btcbahamas.com.bs>” <chunl@ad-mailssrv.com>
BTC Reminder: Your Bill Is Ready To View
To: undisclosed-recipients:;
Arc-Seal: i=1; a=rsa-sha256; t=1783604993; cv=none; d=google.com;
s=arc-20260327; b=TR9PDI7hWjTs5wQuuijXdEIhAGEjNNakzw5Bp67RAUAiKJb5hEQ…
X-Received: by 2002:a05:6870:b28b:b0:44a:e7ac:b14 with SMTP id
586e51a60fabf-451638625a0mr5232016fac.11.1783604993988;
Thu, 09 Jul 2026 06:49:53 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AHgh+RrUKScJAMF5tbRMas+OtOGqcuYGMo3B…@MYDOMAIN.COM
Return-Path: <chunl@ad-mailssrv.com>
Authentication-Results: mx.google.com;
dkim=pass header.i=@ad-mailssrv.com header.s=mail header.b=NC9wNWz3;
spf=pass (google.com: domain of chunl@ad-mailssrv.com designates
216.238.85.98 as permitted sender) smtp.mailfrom=chunl@ad-mailssrv.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ad-mailssrv.com
X-Sender: chunl@ad-mailssrv.com
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ad-mailssrv.com;
s=mail; t=1783604990; bh=V6RzeLQT3vq6fahWIUkelCnfOdbx5v5Nrw6ui2No2sQ=;
References: <CACgOgHOSx2rkdEpojfFiDZDd9zZYiQ37oMhcBgv1a3KtnawE_Q@mail.gmail.com>
<CACgOgHMJYmbSiVBhxhOCZLs4jsvWWh0PaNFC6=+gQYYkE+Zknw@mail.gmail.com>
<307138249.105070.1783532677875@appsuite.candwmail.com>
<1408935225.14071.1783600792344@appsuite.batelnet.bs>
<4aef38f02ea786aa3c4e5372aaca766a@ad-mailssrv.com>
[ …twenty more ad-mailssrv.com IDs… ]
Content-Type: multipart/alternative; boundary=”=_b4783516e823df369…”
Received-Spf: pass (google.com: domain of chunl@ad-mailssrv.com designates
216.238.85.98 as permitted sender) client-ip=216.238.85.98;
Delivered-To: MYEMAIL@MYDOMAIN.COM
Received: from mail.ad-mailssrv.com (mail.ad-mailssrv.com. [216.238.85.98])
by mx.google.com with ESMTPS id 586e51a60fabf-451917b9352si1709758fac.121
for <MYEMAIL@MYDOMAIN.COM>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 09 Jul 2026 06:49:53 -0700 (PDT)
Received: from authenticated-user (mail.ad-mailssrv.com [216.238.85.98])
by mail.ad-mailssrv.com (Postfix) with ESMTPSA id 23C95388654;
Thu, 9 Jul 2026 13:49:50 +0000 (UTC)
Now we go hunting.
Anomaly one: the name is a mask
Look at the very first line.
“BTC Customer Care <info@btcbahamas.com.bs>” <chunl@ad-mailssrv.com>
See the trick? The whole string BTC Customer Care <info@btcbahamas.com.bs> is a display name. It’s a label. Anybody can type anything they want in there, and your mail app renders it big and friendly at the top of the message. But the actual sending address, the one that can’t be faked into being someone else, is the part hanging off the end. chunl@ad-mailssrv.com. That is who really sent this. Some address at a domain that has nothing to do with BTC, dressed up to read like BTC in the preview pane.
This alone is the spoof. Everything after it is just me confirming how brazen it is.
Anomaly two: the checkmarks that don’t mean what you think
Here’s where most people get fooled, so pay attention, because the security industry taught everyone the wrong lesson.
You’ve heard that if an email passes SPF, DKIM, and DMARC, it’s legit. Three technical checks that prove the sender is who they say. And look, this email passes all three:
dkim=pass spf=pass dmarc=pass
Green across the board. So it’s real? No. Read what passed.
header.from=ad-mailssrv.com
domain of chunl@ad-mailssrv.com designates 216.238.85.98 as sender
Every one of those checks validated ad-mailssrv.com. Not BTC. Not btcbahamas.com.bs. The scammer owns ad-mailssrv.com outright, so of course he can sign mail from it correctly. DMARC’s job is to check that the signature matches the “From” domain, and since the real From is his domain and the signature is his domain, they match. It aligns. It passes.
Here’s the sentence to carve into a bar somewhere. Authentication proves the envelope came from who the envelope claims. It says nothing about the fake name pasted on the front. The checkmarks were guarding the door while the guy came in through the kitchen with BTC’s logo on his shirt. A clean SPF/DKIM/DMARC pass on a throwaway domain is not a sign of safety. It’s a sign the sender did his homework.
Anomaly three: sent to nobody, blasted to everybody
To: undisclosed-recipients:;
Delivered-To: MYEMAIL@MYDOMAIN.COM
The “To” field is empty. undisclosed-recipients means I wasn’t addressed, I was BCC’d along with who knows how many other people in one big blind blast. A real bill goes to you, by name, at your account. This went to a crowd. That matches the generic “Dear Valued Customer” in the body. Nobody personalized it because nobody knew or cared who was on the list.
Anomaly four: the part that made me reach for another drink
Scroll down to that References header, the long stack of message IDs. Most of them are ad-mailssrv.com, the scammer’s own plumbing, padding out what looks like a long email thread. Boring. But sprinkled in at the top are these:
<…@mail.gmail.com>
<307138249.105070.1783532677875@appsuite.candwmail.com>
<1408935225.14071.1783600792344@appsuite.batelnet.bs>
Those are not the scammer’s domains. Batelnet and candwmail are real Caribbean telecom mail systems. C&W is Cable and Wireless, which is BTC’s parent company. So the fake email is carrying message IDs that point at genuine phone-company mail infrastructure, stitched into the header to make the whole thing look like it grew out of a real conversation with BTC.
Two ways to read that, and both are bad. Either the scammer scraped or forged those IDs to fake a legitimate reply chain, or an actual thread involving those providers got hijacked and this is a reply spat out from the attacker’s own server. A clean billing email does not produce this. This is deliberate construction, and it’s the single scariest thing in the pile, because it means somebody went out of their way to make the lineage look real.
Interesting thing I mentioned in passing earlier. I’ve spent a lot of time in the Bahamas, so it’s likely one of the businesses there lost control of my email address. Maybe? Worth going back to the Bahamas and revisiting all the locations I’ve ever been to, where somebody might have harvested my email address.
Anomaly five: the return address on the envelope
Received: from mail.ad-mailssrv.com (mail.ad-mailssrv.com. [216.238.85.98])
That IP, 216.238.85.98, is a Vultr cloud server. Rented compute. A VPS you can spin up in five minutes with a credit card. It is not the infrastructure a national telecom uses to send your monthly bill. And “ad-mailssrv.com” is a domain named to sound like generic mail-server machinery so your eye slides right past it. That’s on purpose too.
So what do you actually do
You don’t need to click the button. I disable active content in my emails so I don’t get stupid at 2AM while shopping for new boat stuff. I keep saying it because it’s why I have a job fixing phishing events. Here’s the part people miss: you don’t need to click to get robbed. Harvesting pages often fire the moment they load, logging your address and any tracking token buried in the link, which also tells the operator your inbox is live and worth hitting again. So don’t “just take a peek” by pasting the URL into your browser either. Reading a link is safe. Loading it is not, even if you never type a password.

With this little monster, there’s no executable payload in the body. No JavaScript, no iframes, no embedded objects, no data URIs, no obfuscated script. It’s a plain HTML email template. So it won’t detonate anything just by rendering in a preview pane.
If anybody is interested: izakibizou[.]com
Registrant Organization: XServer Inc.
Registrant Street: GRAND FRONT OSAKA TOWER A 32F
Registrant Street: 4-20 Ofukacho, Kita-ku
Registrant City: Osaka
Registrant State/Province: Osaka
If you want to know where the button really goes, read the raw HTML source the same way you read the headers, and search for “href” or “http.” The destination is right there as text. A landing domain that has nothing to do with BTC or Cable and Wireless is your confirmation and your evidence.
Then stop analyzing and report it. Forward the whole thing to your provider’s abuse or security team and let people with the right tools take the page down. You’ve already done the part that matters, which is not clicking.
The one loose thread I’d chase
Those real telecom message IDs still bug me. If any of them trace to actual mail I’ve received, then this isn’t a cold spoof, it’s somebody working an account of mine to build convincing reply chains. That’s a different and worse problem, and it’s worth checking my own sent and received history against those IDs before I call this closed.
Because that’s the real lesson here. The email passed every automated test on the way in. The filters liked it. The checkmarks blessed it. The only thing that caught it was a human being reading the actual words and asking one stubborn question: why does my phone company want my email password? Everything else was confirmation. The machines will not save you from this one. You have to look.