Many South African businesses are currently receiving emails that appear to come from Xneelo, warning that their domain is about to expire or that urgent payment is required. In many cases, these emails are not from Xneelo at all. They are phishing emails designed to trick users into clicking fake payment links or entering sensitive information.

At Pathfind Media, we have seen a noticeable increase in these messages affecting clients. Some emails look convincing at first glance, especially because they may mention domain names, hosting, expiry dates, or payment reminders. However, the goal is usually the same: to get you to click a fraudulent link and enter banking, login, or card details on a fake website.

‍

Why are these emails happening?

Phishing scams have become more common because scammers can gather a surprising amount of information from public sources.

For example, it is often possible to look up where a domain is hosted using publicly available DNS and hosting lookup tools. Scammers can then use this information to create emails that appear relevant to a specific domain or hosting provider.

They may also target common email addresses such as:

• info@
• sales@
• admin@
• accounts@
• support@

These addresses are often active on company domains, which makes them attractive targets. In some cases, businesses also have catch-all email accounts, meaning emails sent to non-existent addresses may still be delivered.

‍

Why do these scams look so convincing?

Modern phishing campaigns are not always filled with obvious spelling mistakes or poor design. Scammers often adjust their wording, layout, links, images, and formatting to avoid spam filters.

They may also create emails that imitate the tone or branding of real companies. This makes it harder for automated systems to block every scam without accidentally blocking legitimate emails too.

That is why spam filtering alone cannot be your only protection. Human caution is still essential.

‍

What is the scam trying to do?

In most cases, the scammers do not already have your banking details, card information, or hosting login credentials. Their goal is to trick you into giving them that information.

A fake domain renewal email may lead you to a phishing website where you are asked to:

• Make an urgent payment
• Enter card details
• Log in to a fake hosting account
• Confirm billing details
• Update your domain information

Once entered, these details can be stored, reused, sold, or shared with other scammers.

‍

How to check if a domain renewal email is real

Before clicking any link or making a payment, take a moment to verify the email.

Check the following:

1. Look carefully at the sender’s address
   The display name may say “Xneelo”, but the actual email address may be different or suspicious.
2. Do not trust links blindly
   Hover over links before clicking, or rather, avoid clicking links in unexpected emails altogether.
3. Check your actual domain or hosting account
   Log in directly through the official provider website, not through a link in the email.
4. Compare the information with your records
   Check whether the domain is actually due for renewal and who normally handles your billing.
5. Ask before paying
   If Pathfind Media manages your website, hosting, or domain, forward the email to us before taking action.

‍

What should you do if you receive one of these emails?

If you receive a suspicious domain renewal or hosting payment email:

• Do not click any links
• Do not make payment
• Do not enter login or banking details
• Forward the email to your IT, website, or hosting contact
• Delete the email once confirmed as fraudulent

If you are a Pathfind Media client and you are unsure whether an email is legitimate, please send it to us first. We would rather check it for you than risk you falling victim to a scam.

‍

Final reminder

Domain expiry emails can be legitimate, but phishing emails are becoming increasingly convincing. Always verify before you click, log in, or pay.

When in doubt, rather ask.

Pathfind Media clients are welcome to forward suspicious Xneelo, domain, hosting, or renewal emails to our team for confirmation before taking any action.