Fraudsters Exploiting the Notre Dame Tragedy

Fraudsters Exploiting the Notre Dame Tragedy
6 minute read

Last edit: Wednesday, April 17 at 4:45 PM ET

The Notre Dame Cathedral in Paris caught fire Monday evening, burning for nine hours before being completely extinguished by 9 a.m. Tuesday morning. This immense tragedy—shared online and in real time across social networks and traditional media outlets—has quickly accounted for millions of new tweets, posts, and shared photos in response. Common themes include people sharing fond personal memories of the cathedral, confirmation of safety from locals and government officials, and charitable outreach from people across the world looking to donate to recovery funds.

Unfortunately, hidden among those posting out of genuine sympathy are bad actors looking to personally profit from charitable outreach efforts. Whether through spreading misinformation about the disaster, creating fake donation pages, or launching new phishing campaigns, these bad actors target emotionally charged social-media users eager to help, hoping to amplify fraudulent efforts through the viral nature of social media and its potential to reach a broader audience via posts that share false information or solicit payment under the guise of relief-related donations. Given the fire’s proximity to the Easter holiday, the circumstances of this event comprise the perfect storm of potential for fraudsters seeking fast, lucrative returns.

What ZeroFox is seeing

Preying on the sympathy of those wanting to help victims is nothing new, but the technical underpinnings of the internet and its social media platforms allow hackers and spammers to scale their efforts at an unprecedented rate. ZeroFox platform specialists are monitoring our platform for fraudulent activity related to Notre Dame, using insights gained from our past experience in dealing with threat actors motivated by similar events to scam or hack unwitting donors and investors through email and social media campaigns.

These threat actors seek to profit from events of this nature in a variety of ways, including:

  • Enticing targets to click on spam links—seemingly related to charity—that generate advertising revenue
  • Enticing targets to donate money through fraudulent pages, some of which may be imitating charity organizations or websites
  • Enticing targets to click on fraudulent charity-related links that download malware
  • Enticing targets to invest in scams that promise future high stock-payouts related to rebuilding, also known as stock fraud

Threat actors may use a variety of tactics and techniques such as:

  • Using bots on Twitter to spread donation links leading to spam or malware sites
  • Impersonating websites and social media accounts of legitimate charity organizations
  • Sending fraudulent charity emails with bad links or attachments
  • Registering domains related to the disaster
  • Creating fake donation campaigns on crowdfunding sites
  • Using fraud messaging that includes vague victim stories, pressure to act quickly, or promises of high payouts for a company involved in clean-up

ZeroFox is actively monitoring for potential malicious activity on social media related to this tragedy. Below are the methods that bad actors are currently using to take advantage of this terrible event. Know the warning signs to protect yourself from these attacks:

Fraudulent Crowdfunding Sites

One of the major ways bad actors look to capitalize on tragedies like this one is through crowdfunding sites. Playing on the goodwill of charitable givers, cyberattackers create fake donation sites that look almost indistinguishable from true charities. People looking to donate quickly may easily mistake a fraudulent donation page for the real page - losing their money and putting money in the hands of bad actors, not those in need.

One example the ZeroFox Alpha Team found was on where an anonymous user created this crowdfunding campaign supporting “Friends of Notre-Dame De Paris Inc.” Based on the information provided (and lack of details) in the post, any supporter should be hesitant to donate to this particular fundraising effort.

If you are looking for a legitimate place to donate to the Notre Dame Cathedral, there are several real fundraising efforts taking place. You can donate directly to the Notre Dame Cathedral through their website here.

Hashtag Hijacking

Social media users looking to take advantage of viral events will include trending hashtags in their posts - despite the irrelevance of the content they are sharing to the viral event. In the case of the Notre Dame disaster, we have seen multiple instances of posters using the hashtag #NotreDameCathedralFire looking to capitalize on the tragedy.

Above is an example of one such post, looking to sell “services” using the Notre Dame fire hashtag. Be careful of any seller using hijacked hashtags as they are typically associated with scams and malicious links.

Fraudulent Domains

Another method bad actors use to capitalize on disaster relief activity is through malicious or impersonating domains. The ZeroFox Alpha Team has identified potentially malicious domains related to the Notre Dame fire, some of which are live and some of which remain inactive.

One such example is shown below, displayed as an alert in the ZeroFox Platform.

This domain was registered on April 16, the day after the Notre Dame fire, and is actively soliciting funding and redirecting to a crowdsourcing page. There is not much information about the organizer that helps verify where funds may be going, which could imply the cause is not legitimate.

This domain also has a Mail Exchange (MX) record, which means it could be used to reach out to people via email. This tactic is often used for phishing and malware distribution as well.

What ZeroFox is doing

ZeroFox is actively monitoring social and digital channels for signs of misinformation, scams and fraudulent crowdsourcing sites. We will continue to update this blog as we find more information. In addition, we are working with the social media networks and fundraising sites to not only identify threats but remove fraudulent posts, comments, accounts and sites.

What you can do

Looking to get involved to help restore the Notre Dame Cathedral? Join ZeroFox in donating to legitimate causes aimed at rebuilding this historic monument. When it comes to avoiding scams related to this disaster, ZeroFox recommends:

  • Review suggestions from crowdfunding sites on how to identify legitimate campaigns
  • Be cautious of unfamiliar individuals or organizations soliciting donations or investments through social media, email, or phone
  • Conduct thorough research on charity organizations and use a website that rates organizations, such as Charity Navigator ( or CharityWatch (
  • Be cautious of requests for donations or investments in cash, by gift card, or by wiring money, which are frequent methods of payment for scams
  • Report potential scams to crowdfunding sites, and reach out for a potential refund in the case of a suspected scam

Continue to check back on this page as ZeroFox will be updating with new scams and potential threats related to this disaster as they emerge. In the meantime, stay safe on social and share legitimate ways to help with this tragedy.

See ZeroFox in action