Spam ALERT: “Investment Update – Important” email is SPAM

Source: Nucleation Capital March 12, 2026 · 8 min read
Originally published by Nucleation Capital.

ALERT: DO NOT CLICK THE MASKED LINK in the message. If you have received a suspicious email with a link that is not what it appears — DO NOT CLICK on the linked attachment.

MAY 12, 2026: We first posted this notice on 3/12/26 to alert people that Nucleation experienced a hacking event and to explain how to proceed if they clicked on a message like the one shown on the right. Since then, we've seen a half-dozen other similar spam messages coming from others. All look as though they could plausibly have come from the Sender. ALL of them contain a MASKED link that looks like a PDF or known link but which triggers the virus infection. DO NOT CLICK IT!

We took precautions to notify everyone that we could reach about the chance that they might have received a spam message. Many more people were notified than actually received the spam. If you have clicked the link, you likely were infected. Please continue reading below to learn how to protect yourself, your email and those who are connected to you. If you received the message and deleted it, you are also safe. If you have received a similar message from someone else, you can also use the guidance below to protect yourself and prevent further spread of this spam virus.

A. Background: Spammers are using AI to outsmart us!

Today’s phishing attacks are much harder to spot than they were in the “Nigerian Prince” days. Attackers are making their deceptions much more realistic and surgical, using Large Language Models (LLMs) to scan a victim's social media and LinkedIn presence and to draft emails that more closely mimic the hacked person’s likely messages. They may even include detailed references to current activities, so don’t feel too bad if you were confused and clicked this message. This research takes them a while, so you have time to take actions to protect yourself and your contacts from further damage.

B. If you’ve clicked the link, then you are likely to have been “infected,” but that may not result in the hack going to your contacts for a few days to a week.

The way to deal with this involves doing the following things:

  • Change all your key passwords ASAP. This is the most important “kill switch.” Focus on banks, investment and commerce sites, business sites, etc.
  • Implement two-factor authentication as much as possible.
  • Log out of all open sessions, whether email, online websites, or specific app sessions where you’ve entered your credentials, including from phones, iPads, and laptops, etc. A hacker can try to steal those active credentials or tokens to get access to that app, email or platform, which can enable them to bypass even needing your password or two-factor authentication right away. When possible, use the setting that says “Sign out of all other web sessions.” Alternatively, you might see a “Manage devices” or “Remote Log Out” button. Use those to kill sessions that the hacker might want to use to exploit access or may already be actively using, like an online banking app. You kick them out when you log out of open sessions. Make a habit of always logging out of any app that has a credit card or bank access associated with it.
  • Check your email logs. This is how you can see what the hacker who got access to your email has sent out. When we did this, we found four offending emails that had been sent out to people with the same Subject title and multiple email addressees. You can find these messages in the administration logs when they don't show up in your ordinary outbox, so you will at least know all of the email addresses that the phishing attack from your email went to. (Detailed instructions on how to check email logs for several types of email are below.)
  • Check your email filters and forwarding “ghost rules” to see if they have been compromised. This hacker set up an Email Forwarding Rule that put any message that came to us with the Subject “Investment Update” into the Trash, rather than the Inbox. This was an effort to try to prevent us from getting messages and knowing this hacking had happened. There were a couple of emails asking us about the message in the Trash. We found them and were able to delete that rule and respond to those contacts. Be aware, a Spammer can also have your messages forwarded to themselves, so that they can invade your privacy. Be sure to disable all unknown forwarding instructions or filters that “Delete emails,” “Skip the Inbox,” or Forward messages to another email.
  • Check & Revoke Third-Party Access, especially if there are Apps with access to your accounts that you don’t recognize.  If you find something not familiar, remove that access, to prevent the spammer from being able to continue sending as you, even after you change your password.
  • You might opt to switch to Passkey technology, set up through your Security settings. SMS codes are no longer the safest bet since hackers can now do a “SIM swap” on your phone number. A passkey that uses Face ID, fingerprint or a physical USB key (YubiKey) to log in may be significantly safer. (This last advice item is from Gemini.)
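
The rule review from the “ghost rules” item above, as an added example (not from the original post or from Google): a Python check over a list of mail filters shaped like the Gmail API's filters-list response, flagging rules that trash, hide or forward mail. The sample data, the `audit_filters` name and the `own_domains` parameter are assumptions made for illustration.

```python
import json

# Constructed sample shaped like a Gmail API users.settings.filters.list
# response; the ids and addresses are made up for illustration.
SAMPLE_FILTERS = json.loads("""
{"filter": [
  {"id": "f1", "criteria": {"subject": "Investment Update"},
   "action": {"addLabelIds": ["TRASH"]}},
  {"id": "f2", "criteria": {"from": "newsletter@example.com"},
   "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
  {"id": "f3", "criteria": {"query": "invoice OR wire"},
   "action": {"forward": "collector@example.net", "removeLabelIds": ["UNREAD"]}},
  {"id": "f4", "criteria": {"from": "boss@example.com"},
   "action": {"addLabelIds": ["IMPORTANT"]}}
]}
""")

def audit_filters(response, own_domains=("example.com",)):
    """Return (filter_id, criteria, reasons) for each rule that can hide or leak mail."""
    findings = []
    for rule in response.get("filter", []):
        action = rule.get("action", {})
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        reasons = []
        if "TRASH" in added:
            reasons.append("deletes matching mail")
        if "SPAM" in added:
            reasons.append("sends matching mail to spam")
        if "INBOX" in removed:
            reasons.append("skips the inbox")
        if "UNREAD" in removed:
            reasons.append("marks as read")
        target = action.get("forward")
        if target:
            # own_domains is a hypothetical allow-list of the account owner's domains
            domain = target.rsplit("@", 1)[-1].lower()
            where = "internal" if domain in own_domains else "EXTERNAL"
            reasons.append(f"forwards to {target} ({where})")
        if reasons:
            findings.append((rule.get("id"), rule.get("criteria", {}), reasons))
    return findings

if __name__ == "__main__":
    for fid, criteria, reasons in audit_filters(SAMPLE_FILTERS):
        print(f"REVIEW {fid}: criteria={criteria} -> {'; '.join(reasons)}")
```

A flagged rule is a prompt for review, not proof of compromise: the newsletter rule in the sample is the kind a user may have created deliberately. Account-wide auto-forwarding is a separate setting from filters and needs its own check.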

C. If you clicked on the attachment, here's how to do Damage Control.

  • Warn those you can in advance. For us this was difficult, time-consuming and definitely not fun—given how many people we have connected with. If you are reading this, don't guess: start by checking your email logs and downloading the emails that the spammer reached. Send all recipients a follow-up message warning them not to click the link on the fraudulent email that you can see in your logs. This can provide a warning that can help to prevent the spread of this virus. If your hacked message went to “high risk” individuals, especially the elderly, bankers, doctors, family members, etc., help them secure their systems, since many will not know what to do once they click and are vulnerable to being hacked. Feel free to share this post with them. The M.O. of this hacker is to send out what looks like a very reasonable message that asks readers to click on what seems like a safe PDF but is really an infected link. Let them know that they should not click on any attachment or link. If they know in advance to watch out for a message that seems odd and to check with you if they get it, when they do, they will definitely thank you for that warning.
  • Prepare who and how you will contact folks. If and when a hacked message gets sent to your contacts, being prepared to send out an alert ASAP can save precious time when this event happens. That can prevent the attacker from having an advantage prior to when people begin to take actions to change passwords and close apps. It will also help you to already know how to check your email logs, so you can quickly discern exactly which contacts were affected and limit your outreach to them rather than emailing more broadly.
  • Ask people to check for blockers put on their email. Once the link is clicked, it is possible that the hacker will access the victim's email and implement a blocker that prevents you from alerting them. This can cause further delays as you try to help them deal with this hack. It could also interfere with your future ability to communicate with the people in your network. Please do check if your email account has had any new “*blocked email domains*” added.
  • Get help with cyber-security in advance of having your email compromised. An experienced IT security team can help you fortify your cyber defenses and prevent your email from being used improperly and spreading this virus to those you are connected to. Options include local IT professionals and IR firms with emergency response capabilities like:

Mandiant  — acquired by Google, does incident response and crisis management.

D. Ejecting a Hacker and Cleaning up your Email Settings

Each email system is a little different, so if you are not familiar with how to implement these protections, you are better off checking with your email provider, go-to expert or AI assistant of choice to find out how to access your settings, change passwords and security settings, check email logs and review blockers and filters.  However, here are the instructions I received from Gemini for finding our Email Logs:

Here are Gemini's directions for protecting yourself from a hacker when using Google's email:

*Updated 5/21/26*