Wait… Ticketmaster hacked me? Poor, poor Francisco.
That was my first thought when I saw an email claiming to be from info@ticketmaster.com telling me that something was wrong. For a split second, I almost believed it. But here’s the thing—it wasn’t from Ticketmaster at all.
In fact, the email didn’t even come from Ticketmaster’s servers. Nope, this little scam originated from a server in Russia. So how did some random person on the other side of the world manage to send an email that looked exactly like it came from Ticketmaster? And, more importantly, how can you stop scammers from doing the same thing with your domain?
Let’s dive into the world of email spoofing, DMARC, and why you don’t want your business impersonated by scammers.
How Did a Scammer Pretend to Be Ticketmaster?
When you send an email, the “From” address is just text. Email servers rely on special authentication records (like SPF and DKIM) to verify that a message actually came from the domain it claims to be from.
However, if someone sets up their own email server (which is surprisingly easy), they can make an email look like it comes from any address they want, including info@ticketmaster.com.
Normally, receiving email servers are supposed to check if the email came from an authorized source. If not, they should reject it.
But that doesn’t always happen. Why? Because many companies haven’t fully configured their email security settings, leaving gaps that scammers love to exploit.
Why Didn’t Ticketmaster’s Security Stop This?
Ticketmaster does have DMARC (a security protocol that tells email servers how to handle fake emails). So why did this scam still land in my inbox?
Because Ticketmaster’s DMARC policy is set to “None.”
That means instead of blocking fake emails, their system is just watching what happens. Essentially, they’re in “testing mode,” monitoring spoofed emails but not rejecting them yet.
In an ideal world, their DMARC setting would be at “Reject.” That would mean any scam email pretending to be from Ticketmaster would never even reach my inbox; it would get blocked before it could do any damage.
Hopefully, they’ll switch to Reject soon. Otherwise, I might wake up one day with an email offering me VIP tickets to Jedward’s comeback tour (and let’s be honest, that would be devastating).
Why Should YOU Care?
Alright, so Ticketmaster hasn’t locked down their email security yet. How does that affect you?
Here’s the reality: If a huge company like Ticketmaster hasn’t fully set this up yet, have you?
A lot of business owners think, “I’m not big enough for scammers to target me.” But in reality, most scams target small businesses, because they’re the ones with weaker security.
The Risks of Not Having DMARC Set Up:
- A scammer could send emails from your domain.
Imagine a client receiving an email from you, but it’s actually a scam. Maybe it’s pretending to be a government agency, or worse, your own company asking for payments to a different bank account.
- Customers could fall for fake deals in your name.
What if a scammer used your domain to send out fake “special offers” to your customer base, tricking them into sending money? That could seriously damage your reputation.
- It could make your business look hacked, even if it isn’t.
If people start receiving spam from your email address, they’ll assume you got hacked, and you’ll lose their trust.
What You Need to Do Right Now
If your domain doesn’t have DMARC properly set up, scammers can impersonate you. Here’s what you need to do:
✅ Talk to your IT team about setting up SPF, DKIM, and DMARC correctly.
✅ Monitor first; don’t jump straight to “Reject.”
If you find a DMARC record online and just copy-paste it, you might block legitimate emails from your own company by accident. DMARC needs monitoring to ensure it’s set up properly.
✅ Gradually move from “None” to “Reject.”
The goal is to eventually reject all spoofed emails, but only after making sure your legitimate emails aren’t getting caught in the crossfire.
✅ Don’t assume your business is “too small” to be targeted.
Scammers don’t care how big your company is. If they can send fake emails from your domain, they will.
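The rollout in the checklist above (monitor with “None”, then move step by step to “Reject”) can be checked against the record a domain publishes. The script below is an added example, not part of the original post: the .example domains and their records are constructed samples, and the status names (monitoring, partial, enforced) are this example's own labels for the standard DMARC tags p, pct, sp and rua.

```python
# Added example: audit a DMARC TXT record's enforcement posture.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # the v=DMARC1 tag must come first
    pairs = (p.partition("=") for p in parts[1:])
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def audit(txt):
    """Return (status, findings) for one TXT record string."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no DMARC record, so receivers get no policy at all"]
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return "invalid", [f"p={policy or '(absent)'} is not none/quarantine/reject"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to monitor")
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdecimal() and int(pct) <= 100 else 100  # bad value: default
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if STRENGTH.get(sp, 0) < STRENGTH[policy]:
        findings.append(f"sp={sp}: subdomains are protected less than the main domain")
    full = policy == "reject" and pct == 100 and STRENGTH.get(sp, 0) == 2
    return ("enforced" if full else "partial"), findings

SAMPLES = {  # constructed records showing the none -> quarantine -> reject rollout
    "stage1.example": "v=DMARC1; p=none; rua=mailto:dmarc@stage1.example",
    "stage2.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@stage2.example",
    "stage3.example": "v=DMARC1; p=reject; rua=mailto:dmarc@stage3.example",
    "copied.example": "v=DMARC1; p=reject",  # pasted without a reporting address
    "nothing.example": "v=spf1 -all",        # SPF only, no DMARC record
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{domain:16}", *audit(record))
```

To audit a real domain, pass in the TXT record published at _dmarc.<your domain>.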
Conclusion
Ticketmaster’s mistake is a lesson for all of us. If you don’t have proper email security in place, someone else can send emails as you, and that’s a huge risk.
So unless you want customers thinking you’re promoting fake deals, scam bank details, or (even worse) tickets to a Jedward reunion concert, it’s time to get your DMARC settings in order.
If you’re not sure where to start, talk to your IT provider today.
Your business, and your inbox, will thank you.