Fake Paperless Post Invitation Steals Email Accounts

Not an April Fools joke

April 2, 2026

A phishing campaign is circulating right now that impersonates Paperless Post, the invitation and greeting card service. Several people in my client network have had their email accounts compromised by it in the past few days. This post covers how the attack works, what to do if you clicked the link, and how to protect yourself.

At a Glance

What it is: A fake Paperless Post invitation email, sent from someone you know whose account has been taken over.

What it looks like: A real-looking email with Paperless Post branding, a card image, and a "VIEW THE CARD" button. Subject lines vary — one example: "Memorable Milestone Celebration with Me."

What happens if you click: You land on a page that looks like an email login (Google, AOL, or other provider). If you enter your credentials, the attacker takes over your account and sends the same kind of email to your contacts.

What to do right now:

  • If you entered your password: change it immediately, then check for unauthorized app access at myaccount.google.com → Security
  • If you clicked but did not enter a password: check your third-party app permissions as a precaution
  • If you didn't click: delete the email

Best protection going forward: Set up a passkey on your Google account. It stops this attack cold.

Details on each of these below.


What the Email Looks Like

You receive an email from someone you know. The subject line is something like "Memorable Milestone Celebration with Me." The email looks like a standard Paperless Post invitation, complete with the Paperless Post logo, a card image, and a "VIEW THE CARD" button. The footer includes real Paperless Post unsubscribe and privacy links.

The email is sent from the person's actual email account through their provider's real mail servers. It passes every standard email security check. Spam filters do not catch it. There is nothing in the email that distinguishes it from a legitimate message.

The only indicator that something is wrong is where the "VIEW THE CARD" button takes you. Instead of going to paperlesspost.com, it goes to a different website controlled by the attacker.

How the Attack Works

  1. You receive the fake Paperless Post invitation from someone in your contacts.
  2. You click "VIEW THE CARD."
  3. You land on a page that asks you to sign in with Google (or your email provider). The page looks like a real login screen.
  4. If you enter your credentials, the attacker now has access to your email account.
  5. Your compromised account sends a new variant of the same invitation to your contacts. The cycle repeats.

Each new victim's version of the email is slightly different — the subject line, the card design, or the hook changes. But the mechanism is the same.

This campaign is not limited to Gmail. Accounts on AOL, Yahoo, and other providers have been compromised the same way.

Why It Gets Past Security

Three things make this campaign effective:

  • The email comes from someone you know. It's sent from their real account, not a spoofed address. Your email provider treats it as legitimate because it is — the account has been taken over.
  • The email passes all authentication checks. Because it's sent through the provider's own servers, SPF, DKIM, and DMARC all pass. Spam filters have no reason to flag it.
  • The phishing domain is new and not yet listed in blocklists. As of this writing, Google Safe Browsing has not flagged the domain used in the versions I've examined. The attackers rotate domains to stay ahead of detection.

What to Do If You Clicked the Link

If you entered your email and password on the page:

  1. Change your password immediately. Go to myaccount.google.com → Security → Password. Do this for every account that uses the same password.
  2. Check for unauthorized app access. Go to myaccount.google.com → Security → "Third-party apps with account access." Remove anything you don't recognize. Some attacks grant access to an outside app that keeps working even after a password change.
  3. Check for email forwarding rules. In Gmail: Settings (gear icon) → See all settings → Forwarding and POP/IMAP. Make sure no forwarding address has been added. Also check the Filters tab for anything you didn't create.
  4. Review your Sent folder and Trash. Look for messages you didn't write. In some cases, the attacker deletes the sent messages after sending them, so your Sent folder may appear clean. Check for bounce-back notifications from bad email addresses — those are delivery failure replies that the attacker can't suppress. In Gmail, these bounce-backs may not be obvious: in one case, they were hidden inside a reply thread, grouped under a legitimate conversation with 54 related items collapsed at the bottom. Look for unusually long threads and expand them.
  5. Review recent security activity. At myaccount.google.com → Security → "Recent security activity" and "Your devices." Remove any sessions or devices you don't recognize.
  6. Turn on two-step verification. At myaccount.google.com → Security → 2-Step Verification. Use an authenticator app or a hardware security key. Avoid text message (SMS) codes if possible — they can be intercepted.

If you clicked the link but did not enter a password:

You are most likely fine. Check your third-party app permissions (step 2 above) as a precaution — some phishing pages request app access instead of a password, and you may not remember clicking "Allow."

Should You Notify Your Contacts?

If your account sent phishing emails to your contacts, your first instinct may be to send everyone a warning. In practice, this is more complicated than it sounds.

If your contact list has dozens or hundreds of people, sending a bulk email creates its own problems. Most email providers limit how many messages you can send per day. A mass email from any account — compromised or not — can trigger spam filters, and a warning sent from the same account that just sent phishing emails may itself look suspicious to recipients.

A more practical approach is to triage your contact list:

  • Most people will figure it out. A suspicious email from someone they know, with an unexpected invitation link, is something most adults will handle on their own — especially once they hear about the campaign from others.
  • Reach out personally to the people who need it. Focus on contacts who you know are less technically experienced, or who are likely to reuse passwords across accounts. A phone call or individual text is more effective and more trustworthy than a mass email.
  • If you do send a written notice, send it from a different email account, put recipients in BCC, keep it short, and do not include any links. A "don't click links" email that contains a link undermines the message.
  • You may not know exactly who was targeted. The attacker may delete the sent messages from your outbox. Bounce-back notifications from invalid addresses may be the only record, and in Gmail those can be buried inside reply threads rather than appearing as separate messages. One person found 54 bounce-backs collapsed inside a thread with a legitimate reply — the only visible evidence that the attack had reached her contact list.

What Protects You

Passkeys are the strongest defense. A passkey is tied to the real website's domain. A fake login page cannot request or use it. In one case I worked on this week, a passkey-protected account stopped this attack mid-stream — the phishing page accepted the email address but could not proceed because there was no password to capture.

If your Google account supports passkeys, set one up at myaccount.google.com → Security → Passkeys and security keys.

Two-step verification helps, but it's not enough on its own. Some phishing kits can intercept verification codes in real time. A hardware security key or passkey is more resistant to this.

Use a unique password for your email. If you use the same password across services and one of them gets breached, attackers can try that password on your email account. Your email password should not be shared with anything else.

Look at the URL before entering credentials. Before typing your password on any page, check the web address. A real Google sign-in will always be at accounts.google.com. Anything else is a fake, regardless of how the page looks.
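The check described above (and the "VIEW THE CARD" destination check from earlier) can be automated when auditing a suspicious message. This Python script is an added example, not part of the original post: it extracts every link from a constructed copy of such an invitation and reports whether each host actually belongs to paperlesspost.com. The sample email HTML and the lookalike domain invite-view.example in it are constructed placeholders.

```python
"""Audit where an invitation email's links really point (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: real-looking footer links, but the button's host only
# starts with paperlesspost.com; its registered domain is invite-view.example
# (a placeholder standing in for an attacker-controlled domain).
SAMPLE_EMAIL = """<html><body>
<p>Memorable Milestone Celebration with Me</p>
<p><a href="https://paperlesspost.com.invite-view.example/card/abc"><b>VIEW THE CARD</b></a></p>
<p><a href="https://www.paperlesspost.com/unsubscribe">Unsubscribe</a> |
<a href="https://www.paperlesspost.com/privacy">Privacy</a></p>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def host_matches(url, expected_domain):
    """True only if the URL host is expected_domain or a subdomain of it.
    hostname ignores userinfo (https://paperlesspost.com@evil.example is
    evil.example), and the leading-dot suffix rule rejects lookalikes such as
    paperlesspost.com.evil.example or notpaperlesspost.com."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def audit_links(html, expected_domain="paperlesspost.com"):
    """Return [(text, href, ok)] per link; ok=False means do not click."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(t, h, host_matches(h, expected_domain)) for t, h in parser.links]


if __name__ == "__main__":
    for text, href, ok in audit_links(SAMPLE_EMAIL):
        print("OK  " if ok else "BAD ", text, "->", href)
```

The same host_matches check applied with accounts.google.com as the expected domain is the sign-in page test the paragraph above describes.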

How to Report It


This type of attack works because it exploits trust — a real email from a real person you know, using a brand you recognize. The technical defenses (spam filters, authentication checks) don't help here because the email is technically legitimate. The defense is knowing what to look for and using account protections that can't be phished.

If you need help securing your email account or checking whether yours was compromised, you can schedule a support session or text me at 651.274.0996.