Some buyers of the Essential PH-1, including user Cygnosity on Reddit, are receiving emails that seem to be from Essential, asking for picture ID, but are in fact part of a phishing scam. These messages ask customers for an alternative email address and a phone number, along with a picture of a photo ID of some sort, like a driver’s license, state ID, or a passport. The emails state that the billing address for the order needs to match the address on the ID. Multiple sources are confirming that these messages are not from Essential and because some of the original messages CC’d many people at once as a method of mass sending, some people are receiving other customers’ personal information.
The phishing scam is only hitting those who submitted orders to Essential, which could mean that Essential’s order database has been compromised, or somebody within Essential is sending these messages from within the company. There are thus far no reports of anybody who did not order an Essential phone getting such a message. Some suspect that the person behind the scam owns one of the email accounts listed in the CC field of some or all of the messages, but many users who received a message from the initial batch are saying that nobody was CC’d on the first message, which could mean that it is indeed an Essential employee or hacker in the firm’s systems doing this, or it could mean that somebody got the initial message and decided to launch their own phishing scam. In any case, Essential has disabled the email addresses sending the messages, removing the ability to reply to them, and has also deleted assets that were in the messages such as images.
Some consumers are saying that the initial message may have legitimately originated from Essential, asking for additional information to verify that no fraudulent payments were being made to pay for Essential phones. Such unorthodox methods of verification could easily come across as suspicious even if they’re legitimate, but it is also being argued that the messages were not authentic in some form, even if they came from Essential’s mail server. The company has yet to comment on the ordeal in any official capacity.