All business owners occasionally receive dozens of spam messages about “improving their online reputation.” But does everyone realize that this tempting offer isn’t actually as harmless as it might seem at first glance?
Many people assume that these reviews are mostly generated by bot farms, but that belief is false. Let’s look at an example of what one such spam offer promises.

It might seem like this typical conversation could have ended there, but the following message caught our attention.

The domain names he listed belong to large companies with billions in revenue. We immediately wondered how he could do this, but we needed to verify it.

The scammer immediately agreed to provide a “test review.” This is standard practice for them to build trust, so to speak. Now we have a chance to verify whether he actually controls this email address—which was most likely obtained through criminal means—or if this is just a common scam.

A few minutes later, an email did indeed arrive in our inbox.

After analyzing the message headers, we saw that the IP address from which the message was sent is located in India, even though the company itself is based in the U.S.
Using the first and last name, we were able to find the person who presumably messaged us on LinkedIn. The location listed in the profile did not match the IP address’s geographic location; however, this alone is not proof that the account had been compromised. Additionally, this IP address was listed in the SpamHaus database.
At this stage, we notified the company of the potential incident. The review seller, in turn, received the following response from us.

He ignored it and blocked us.
Some time later, we received a reply:

The next day, the email account owner stated that he had not given consent to use his address and had no connection to the sent email
Conclusion
This case demonstrates that offers to sell “verified” reviews may be part of schemes based on the unauthorized use of other people’s corporate email addresses.
Therefore, we recommend that you do not use services that sell reviews. If a seller demonstrates access to a corporate email address, you should save the correspondence and technical data, and then notify the domain owner or the information security department of the relevant company.