You posted a video. It got some traction. A week later, an email lands in your inbox: "Hi [Your Name], I'm the creator partnerships manager at NordVPN. We love your content and would like to offer a sponsored integration for your next video. Our budget for this campaign is $2,000..."

It feels real. It has your name. The offer is in the right ballpark. The email signature looks professional.

It's probably a scam.

Fake brand deal emails are one of the fastest-growing attacks against creators. They work because they exploit the exact moment creators are most vulnerable to wishful thinking: being offered the deal they've been hoping for. Here's how to verify any brand deal email in under 60 seconds, before you click a single link.

The 60-Second Verification Checklist

Run through these in order. Most fakes fail within the first two checks.

🔍 Domain Verification (Do This First)

1. Check the actual sender email address, not the display name
   Display names are completely fake-able. Anyone can make an email show as "NordVPN Partnerships" in your inbox. The domain after the @ is what matters. Click the sender name to reveal the full email address.
2. Look up the brand's real email domain
   Go to the brand's official website (type it yourself, don't search). Look for their contact or careers page to see what email domain they actually use. Then compare that to the sender domain in the email.
3. Verify the domain exactly: watch for tricks
   Scammers use near-miss domains: nordvpn-partnerships.com, skillshare.co (vs skillshare.com), nike-creators.net. They look real at a glance. Read every character of the domain carefully.

🚩 Red Flag Scan

! Urgency or deadline pressure
  "This offer expires in 48 hours" / "We need your response by tomorrow": real brand deals don't work like this. Legitimate partnership teams have campaign timelines in weeks, not hours.
! Requests to click a link or download an attachment first
  Legitimate brands don't send contracts before you've agreed to terms. If the first action they want you to take is "click here to view the brief" or "download the contract PDF," that's a red flag.
! Unusually high rates for your audience size
  If you have 20K subscribers and they're offering $10,000 for one post, something is wrong. Real brands use rate cards. If the number seems too good, it probably is.
! Asks for personal information before a deal is agreed
  Requests for SSN, bank details, or full address in an initial outreach email are not normal. Legitimate brands collect payment details only after a deal is fully contracted.
? Generic praise with no specifics about your content
  "We love your amazing content" without mentioning a specific video, format, or reason they reached out. Real partnerships teams have done research. Bulk outreach bots haven't.
? Gmail, Outlook, or other free email providers
  Brand partnership teams at real companies use company emails. nordvpnpartnerships@gmail.com is not a real NordVPN contact. (Note: some small brands and individual agents do use Gmail; this alone isn't disqualifying, but combined with other flags, it matters.)

✅ Signs It's Probably Legitimate

✓ Sender domain matches the brand's official website domain exactly
  contact@nordvpn.com, partnerships@squarespace.com: exact match to what's on their site.
✓ References specific content of yours they want to sponsor
  Mentions a specific video title, your posting format, or why your audience is relevant to their product.
✓ Uses a standard agency or brand email format
  Many brands use agencies like GRIN, AspireIQ, or Creator.co for outreach; you can verify these agencies are real and the brand is listed on their platform.
✓ The person is findable on LinkedIn with their brand listed
  Search the sender's name + brand. If they're a real partnerships manager, there's usually a LinkedIn presence. Not always, but it's a strong signal.
✓ They don't need anything from you except a reply and your media kit
  Initial outreach should result in a conversation, not immediate contract signing or link clicking.

Common Impersonation Patterns to Know

Scammers impersonate the brands creators most want to work with. Here are the exact domain patterns used in active campaigns:

NordVPN
  Real domain: @nordvpn.com
  Fake domains seen: @nordvpn-partnerships.com, @nord-creators.net, @nordvpnteam.com

Skillshare
  Real domain: @skillshare.com
  Fake domains seen: @skillshare.co, @skillshare-creators.com, @skillshare.net

Squarespace
  Real domain: @squarespace.com
  Fake domains seen: @squarespace-partnerships.com, @squarespace.io

Nike / Sportswear
  Real domain: @nike.com
  Fake domains seen: @nike-influencer.com, @nikebranddeals.com, @nikemarketing.net

The pattern is consistent: take the real brand name and append -partnerships, -creators, -influencer, or swap the TLD (.co, .net, .io instead of .com).
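The domain check from the verification steps and the pattern just described can be automated. The following is an added example, not code from this page or from any brand: it reads the real address out of a From header, ignores the display name, and labels the sender domain against an allow-list. The `OFFICIAL` table, the verdict names and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: domains you confirmed yourself on each brand's official site.
OFFICIAL = {"nordvpn": "nordvpn.com", "skillshare": "skillshare.com",
            "squarespace": "squarespace.com", "nike": "nike.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def sender_domain(from_header):
    """Domain of the real address; the display name is ignored (it is spoofable)."""
    _display, addr = parseaddr(from_header)
    _local, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def classify_sender(from_header, brand):
    """Only "match" passes the domain check; every other verdict is unverified."""
    official = OFFICIAL[brand]
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain == official:
        return "match"
    if domain in FREE_MAIL:
        return "free-mail"
    # Naive split: last label is treated as the TLD (no public-suffix handling).
    name, _, tld = domain.rpartition(".")
    if name == brand and tld != official.rpartition(".")[2]:
        return "tld-swap"
    if brand in domain.replace("-", "").replace(".", ""):
        return "brand-plus-extra"
    return "unrelated"


if __name__ == "__main__":
    # Constructed From headers using domains listed on this page.
    samples = [
        ("NordVPN Partnerships <contact@nordvpn.com>", "nordvpn"),
        ("NordVPN Partnerships <deals@nordvpn-partnerships.com>", "nordvpn"),
        ("Skillshare Team <hello@skillshare.co>", "skillshare"),
        ("NordVPN <nordvpnpartnerships@gmail.com>", "nordvpn"),
        ("Nord Creators <team@nord-creators.net>", "nordvpn"),
    ]
    for header, brand in samples:
        print(f"{classify_sender(header, brand):17} {sender_domain(header)}")
```

The shortened name in nord-creators.net does not contain "nordvpn", so it comes back as "unrelated" rather than as a lookalike. That is why the check is allow-list first: anything other than "match" stays unverified.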

Real vs. Fake: Side by Side

| Signal | ✅ Real Deal | 🚩 Fake Deal |
| --- | --- | --- |
| Sender domain | Matches official brand domain | Near-miss or unrelated domain |
| First ask | Wants to start a conversation | Wants you to click a link or download |
| Contract timing | After rate/scope agreed | Immediately, unsolicited attachment |
| Content knowledge | References your actual work | Generic: "we love your content" |
| Urgency | Campaign timeline in weeks | "Must respond in 24-48 hours" |
| Rate offered | Proportional to your audience | Unusually high for your reach |
| Personal info request | Only after deal is signed | In initial or second email |

What Happens If You Click

The attack can take a few forms depending on the scammer's goal:

Credential harvest: The link goes to a fake "creator portal" where you log in with your Google, YouTube, or Instagram credentials. The fake site captures your password and sends it to the attacker. You get redirected to a real-looking "thank you" page and don't realize anything happened.

Session token theft: More sophisticated attacks deploy JavaScript that runs in your browser and extracts your active session cookies. This bypasses 2FA entirely: the attacker now has a cookie that makes them appear as you, with no password needed. This is how YouTube channel takeovers happen seemingly "out of nowhere."

Malware delivery: The contract PDF contains an embedded macro or exploit. Opening it runs code on your device. The attacker may gain persistent access, install a keylogger, or directly extract saved passwords from your browser.

None of these attacks require you to enter a single credential. Just clicking the link or opening the file can be enough.

If You Already Clicked

🔴 Immediate Response Checklist

1. Revoke all active sessions on affected platforms
   Go to Google Account → Security → Your Devices, and to YouTube/Instagram settings → Active Sessions. Sign out all sessions you don't recognize.
2. Change your password immediately
   From a different device if possible. Use a strong, unique password you haven't used before.
3. Check connected third-party apps
   Remove any apps you don't recognize from Google account permissions and Instagram connected apps.
4. Scan your device for malware
   If you downloaded and opened an attachment, run a full scan with Malwarebytes or your preferred security tool.
5. Enable stronger 2FA immediately
   Switch to an authenticator app (not SMS) on every platform. This prevents the attacker from using your credentials even if they have your password.
