It began with what seemed like a harmless request. A friend needed a favor, asking for votes to co-host a podcast event alongside Spotify and Google. The initial message came off as personal, maybe even a bit urgent.
The text read, “I have a small favor to ask of you. I’m a candidate to co-host a large-scale podcast event with Spotify and Google. I would really appreciate it if you could vote for me. Thank you!” I almost clicked, but then I noticed the link. That detail—it could have saved many from falling into a trap. A follow-up message ramped up the pressure further: “Vote for me. Voting ends today. Thank you.”
The last note stated, “Thank you. If you vote, please send us a screenshot.” At that moment, it shifted from asking for a favor to feeling suspicious. So, what’s really going on here?
Understanding the Spotify Voting Scam
This scam involves messages claiming that someone needs your vote to co-host a podcast with Spotify and Google. The links appear credible at first glance. However, when examined closely, a red flag appears.
The URL looks something like this: Spotifyprime-hub.ct.ws. Notice anything? It’s not Spotify.com. Reputable companies don’t run events on random, obscure domains like ct.ws. Scammers often exploit cheap lookalike domains that can be easily overlooked if you skim.
A Glimpse at the Fake Voting Page
The scam site looks polished, deceptively sophisticated. It even claims affiliation with Google. You’re presented with three choices:
- Continue on Instagram
- Continue by email
- Continue with X
At this point, you should stop. This isn’t about voting but rather about harvesting your login details.
Why This Scam Exists
If you take a moment, a few clear warning signs jump out.
1. Web Address
The domain is incorrect. It’s neither Spotify.com nor Google.com, but a random third-party link. This should raise red flags.
2. Urgency
Expressions like “Voting ends today” and “It will mean a lot” are designed to elicit an emotional response. The aim is to make you rush, preventing careful scrutiny.
3. Login Prompt
A legitimate voting page wouldn’t ask for Instagram, email, or X login credentials. Sites that request your sign-in on unrelated platforms are generally up to no good—they’re fishing for your credentials.
The Consequences for Victims
One victim shared their experience: “Last week, I got a DM from a friend. I voted for him, but it didn’t work. Soon after, my account was hacked, and I was locked out before I could reset my password. I’m still locked out, and it’s spreading. Another friend who received the same message is also shut out. They’re now being blackmailed to regain access, and today, they tried getting into my bank account.”
This situation spreads rapidly—one account breach can lead to many others.
Post-Login Actions of Scammers
To put it simply, once you enter your username and password, the scammer can log into your account almost instantly. They change your password and recovery email, then send out similar “Vote for me” messages to your contacts.
If you’ve reused passwords, your email and banking accounts become accessible as well. It’s a common account takeover phishing scam.
The Screenshot Request
This part is quite clever. After you “vote,” they’ll ask for proof via a screenshot. Why? First, it ensures you’re logged in. Second, the screenshot will display your username, email, and other personal details. Lastly, it distracts you, making it harder to realize something’s wrong. However, the main damage is done when you enter your credentials.
According to a Spotify spokesperson, “We’re aware of phishing messages claiming to be associated with Spotify or other brands. These messages are not from us, nor do they relate to any official Spotify event. We advise individuals to stay alert and avoid clicking suspicious links.”
Protecting Yourself from Spotify Voting Scams
Now, let’s discuss some preventive measures.
1. Check the Full URL
Don’t just glance at the brand name in the message. If the domain isn’t the official one, don’t click it.
2. Take Your Time in Urgent Situations
Scammers thrive on pressure. A true friend won’t rush you.
3. Enable Two-Factor Authentication (2FA)
Whenever possible, utilize app-based 2FA for an extra layer of security.
4. Use Quality Antivirus Software
Strong antivirus can block known phishing sites and alert you to suspicious links.
5. Don’t Reuse Passwords
Consider using a password manager to generate unique passwords for each account.
6. Confirm with the Sender
If you receive something odd from a friend, message or call them directly to confirm.
7. Regularly Check Login Activity
Most platforms let you view your active sessions. If you notice any unfamiliar logins, log out immediately.
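The check from tip 1, applied to the lookalike address quoted earlier, as an added example that is not part of the original article. It assumes spotify.com and google.com are the only official domains; the `.example` links are constructed samples.

```python
from urllib.parse import urlsplit

# Assumption: the official domains, as named in the article.
OFFICIAL_DOMAINS = {"spotify.com", "google.com"}
BRANDS = {"spotify", "google"}


def hostname_of(link):
    """Return the lower-cased host a browser would actually contact."""
    if "://" not in link:
        link = "https://" + link  # links in messages often omit the scheme
    try:
        host = urlsplit(link).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""
    return host.rstrip(".").lower()


def is_official(host):
    """True only for an official domain or a subdomain of one.

    The leading dot matters: "notspotify.com" ends with "spotify.com"
    but is a different domain.
    """
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess(link):
    """Classify a link as official, lookalike, unrelated or unparseable."""
    host = hostname_of(link)
    if not host:
        return "unparseable"
    if is_official(host):
        return "official"
    # A brand name anywhere in the link, on a host the brand does not own.
    if any(b in link.lower() for b in BRANDS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [
        "Spotifyprime-hub.ct.ws",                      # from the article
        "https://open.spotify.com/show/abc",           # constructed
        "https://spotify.com.vote-now.example/login",  # constructed
        "https://spotify.com@vote-now.example/",       # constructed
    ]
    for s in samples:
        print(f"{assess(s):10} {hostname_of(s):32} {s}")
```

The last two samples show why the brand name appearing in a link proves nothing: only the end of the hostname, read right to left, decides who owns it.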
If You’ve Already Clicked
- If you haven’t clicked, delete the message and warn your friend.
- If you did click and entered your details, take action right away:
  - Change your password immediately.
  - Enable two-factor authentication.
  - Review your login activity.
  - Change passwords for other accounts using the same password.
Time is crucial here—don’t delay.
Key Takeaways
Random domains like ct.ws won’t actually host voting events for Spotify or Google Podcasts. This scam is all about stealing credentials and taking over accounts. It may appear convincing and personal, making it effective. Next time you’re asked for a quick vote, pause and scrutinize the link. A little caution could save you a lot of trouble.
Even if the message is from someone you trust, do you still check the link before clicking? Feel free to reach out via email.





