Cybersecurity Reach Foundation
Back to Investigations
/Phishing / Financial Fraud

Fake Meetup Messages Are Stealing Bank Details From Event Organizers

Meetup organizers are receiving messages through Meetup itself, sent from real Meetup accounts, claiming their event has been restricted. The link inside looks like meetup.com but leads to a page that steals bank and card details.

What Is Happening

Meetup group organizers are being sent direct messages through Meetup's own messaging system. The messages claim that their event has been restricted and needs to be verified within 24 hours, and include a link to "restore full access."

The link is a trap. It does not go to Meetup. It leads to a page that asks for your bank and payment card details.

The most dangerous part: the notification email you receive really does come from Meetup. It passes every email security check. There is no way to tell from the email itself that anything is wrong.

The Message

Here is the exact message being sent, received on April 22, 2026. It arrived as a standard Meetup message notification from info@meetup.com:

Your event is temporarily inaccessible as your account still needs to be verified to complete the setup. During this time, certain features may be limited while the configuration process is being finalized. To proceed and restore full access, please use the link below:

https://meetup.com@tinyurl.com/meetup-user

After the verification is successfully completed, your account will be fully activated, all restrictions will be lifted, and your event will automatically return to public visibility without any further action required.

Sent by Ruth via Meetup messaging, April 22, 2026 at 4:05 PM

Meetup does not ask you to verify your account this way. Meetup does not ask for your bank details.

Why This Is So Convincing

Most phishing emails can be identified because they come from suspicious addresses or fail email security checks.

This one is different. We analysed the email headers and found:

  • DKIM pass: the email was cryptographically signed by meetup.com's mail servers
  • SPF pass: it was sent from an IP address that meetup.com has authorised
  • DMARC pass: meetup.com's own anti-fraud policy confirmed the email as legitimate

The reason is straightforward: the attacker created a Meetup account and sent you a real Meetup message. Meetup's notification system then delivered it to your inbox exactly as it would any other message. The email is genuinely from Meetup. The fraud happens at the link inside.

No spam filter will catch this. No email security tool will flag it. The warning signs are in the message content and the link, not the sender.

Why the Link Looks Like Meetup.com

The link in the message is:

https://meetup.com@tinyurl.com/meetup-user

At a glance it looks like a meetup.com address. It is not.

The @ symbol in a web address has a special meaning: anything before it is treated as a username, not a website. Your browser completely ignores the meetup.com part and connects to tinyurl.com instead, which then redirects you to the attacker's page.

This trick works because most people read a link left to right and stop when they see a name they recognise.

What Happens If You Click

The link passes through TinyURL and lands on a page at event.accepntshop.click, a domain that was registered the same day these messages were sent.

Step 1: Fake security check

You first see what looks like a Cloudflare security screen:

Screenshot of the phishing page showing a fake "Performing security check" interstitial with a pink shield icon and a progress bar
Screenshot of the phishing page showing a fake "Performing security check" interstitial with a pink shield icon and a progress bar

This is not a real security check. It is a delay screen that runs in the background to confirm a real person is visiting.

Step 2: Bank and card details form

After "passing" the check, you see this:

Account Verification

Your account is temporarily restricted. You need to verify your identity to remove all the restrictions. You need to confirm your bank details within 24 hours. Once the verification is completed all the restrictions will be removed and your account will be activated.

How will you verify: Visa · Mastercard · Amex · Discover · Maestro · PayPal · Apple Pay · Google Pay

🔒 All operations comply with PCI DSS

The PCI DSS badge and card logos are fake. Any details you enter here go directly to the attacker.

Who Is Being Targeted

This message is written for Meetup organizers specifically. The threat of an event going offline and taking your members with it is the exact fear designed to make you act without thinking.

The 24-hour deadline and the official-sounding language are both intentional pressure tactics.

What To Do

If you received this message:

  • Do not click the link
  • Report the message to Meetup: open the conversation, tap the three dots, and select "Report"
  • You can also report the sending account at help.meetup.com

If you already entered your details:

  • Call your bank immediately and report the card as compromised
  • Log into PayPal directly (not via any link) and change your password
  • Change your Meetup password

How to check a TinyURL link before clicking: Add preview. to the front (preview.tinyurl.com/meetup-user) to see where it leads without visiting the page.

Report It

Published April 22, 2026. The Cybersecurity Reach Foundation does not link to suspected malicious domains directly.

Stay Protected

Use our free tools to protect yourself from the threats discussed in this investigation.

Explore Our ToolsSupport Our Work
← Back to All Investigations