Comments

Tracey Smith AquAid Card Receipt – Word doc malware — 116 Comments

    • Thanks. Just had this email, and like your advice says, if I am not expecting it I don’t open it! Then googled the company and hey presto I was right. These people must get a lot of hits as they are getting more sophisticated, and this is the most convincing email I have had for this type of scam.

  1. Many thanks for your information, I just had that email on my iPhone? I clicked the link??? Is this bad help!!! I thought it was a genuine message plus I was half asleep oops !!! Thank you

  2. I have just received this email and was curious as the email looked so real and the company exists but I knew for a fact that I hadn’t signed up for the water and donations. So thought I would check it out on line as a fraud and scam. So thank you for your website making it clear that they are indeed what I thought they are. 🙂

    • Normally when macros are disabled and Protected View is turned on, you should see a blank page with a yellow warning bar at the top of the page.
      If you see the warning bar then you are safe: no macro would have run and it would not have infected you.

        • Sometimes, if Word is set to high security you won’t see the border. All you will see is a blank page because macros are disabled by default “without notifications” and you can’t turn them back on without going into Word settings.

  3. Thanks for the info.

    I have just received this and upon checking I was sure we didn’t make any payment to this company. Since the email looked genuine, I replied to the same email and asked them to tell us more about the alleged payment we made. I haven’t heard anything as yet. Is my computer infected now? Am I in risk? What should I do?

  4. I have just received this and upon checking I was sure we didn’t make any payment to this company. Since the email looked genuine, I replied to the same email and asked them to tell us more about the alleged payment we made. I haven’t heard anything as yet. Is my computer infected now? Am I in risk? What should I do?

  5. Just got this email and rather stupidly opened it. Fortunately WORD was set to prevent macros and I didn’t click Enable Editing or Enable Content. I’ve passed the email to BitDefender (my antivirus provider) for their view/comments and I’ll happily pass on whatever they say; if and when they come back to me.

  6. Thanks for this timely, informative article. I have forwarded a highlighted extract of it to all staff along with the link to this article. At least one of our 55 staff opened the document. I am hoping to reduce that number over the coming year but it is very hard. Articles like yours help, thanks.

    A Tired SysAdmin

  7. I agree with Jonathan, this one does look more professional than others, but as neither I nor my company have made any payment to this company I was immediately suspicious, and thought I would check it out further.

    Thanks for the info.

  8. I just received one of these emails today. I was concerned someone had made a payment using my card and was going to call the number supplied but decided to do an internet search for the company first. I found reference to it but got an error message saying server refused connection. Then I saw the name Tracey Smith in a link to here. So glad I did a check first. The example given above is word for word what was sent to me. Even the phone numbers.

    Thanks and keep up the good fight.

  9. I have opened this and macros were enabled so I could well be infected. I have been dealing with a Tracey Smith and clicked without thinking – I delete probably 50 similar emails every day…..

    Anyway I am running Microsoft Security Essentials and Malware Bytes full scans. What else can I do?

    Thanks for any help.

  10. Many thanks for your timely warning.
    I am somewhat of a sexagenarian dunce when it comes to anything to do with computers, but my first thought when receiving an “unsolicited” email + attachment is to be ultra suspicious and look at the size of what was attached.
    In this case – for a supposed invoice – it was ginormous, and I would think far too big for what it purported to be, so – as I’m quite sure that I made no such payment to any company/charity (legit or otherwise) with that name – I deleted it.
    Sometimes a little caution and common sense is the most effective defence.

  11. Many thanks for the timely advice. As Jonathan says, this one looks a lot more professional so I went online to check the company and that’s really when the alarm bells started ringing – and it led me to you, so thank you again. Please keep up the very important work!!

  12. Received one of these earlier. Fortunately my other job is in IT Security so was suspicious. Replied to the email before searching on this site, Great work guys!

  13. Just received this email. I have a friend called Tracey Smith…however I tried calling the number and I just got a funny tone. I then googled Tracey Smith and Aquaid and came to this website. Mail has now been marked as SPAM!! Thanks and it looked so genuine!!!

  14. AquAid here – we are very, very sorry about the trouble this has caused. Our servers have been hacked and the problem should now be resolved, but I am fully aware that doesn’t help all the people who have already received emails infected with a virus.

    Apologies again.

    Peter Hansen
    Group Manager
    AquAid

    • It is very unlikely that your email server was actually hacked. The botnet sending these picks a likely looking email template (normally a copy of an email that was “borrowed” from an innocent victim’s already compromised computer) and sends it from thousands of compromised websites and domestic computers.

      In every other case we have seen with these mass spam runs, there was no actual hack or compromise of the victim company’s email server, although everybody quickly jumped to that conclusion.

    • Hi Peter, I have just received the email (16.40hrs 19th Dec) so I suspect they still have the access to your servers (not that I am in any slightest bit au fait with computer systems) just thought you might need to know.

      Thanks to this website email has been deleted ‘before’ opening it, so thank you all!!!

      Best wishes.
      Rob

  15. I opened this through Microsoft 365 mail client, our company’s email client. It came up blank, no yellow screen. How would I know if I have been infected and is it safe to do online banking on this computer now. Computer appears to be working properly.

  16. I was almost fooled. I opened the attachment but did not enable macro. I found the macro in the word doc is password protected so can’t read it. Luckily I am using a Mac so I am safe. Thanks for the notes..

    • I am usually so careful but this one got me. I could not delete from trash on my Mac as the file was still running and couldn’t be deleted. Downloaded trashit – which successfully emptied trash. Am I safe to do online banking now or is there something else I should do?

  17. Very relieved to find your website when I googled Tracey Smith. Thank you for all the sound advice. I am on AOL, and have got into the habit of checking the source text before opening any unfamiliar email. Did so today, and found acres of very iffy looking code staring at me out of Notepad! You have confirmed what I suspected, and the email and its unwanted Christmas present have been hurled into limbo.
    I do take your point about outdated software – how do I stand with MS Publisher 2003? My DTP is only with this and Corel Wordperfect X6, plus assorted Text and rtf files. The only doc files I handle are those coming in from friends. I can’t afford a new version of Publisher. Would appreciate any advice.
    Pam Crane.

    • All older versions of Office software, including Publisher, carry an increased risk. However, Publisher is less risky because you rarely if ever receive a Publisher file by email and we don’t often see malware spammed out using Publisher, because it hasn’t been a very popular or well used program due to its more specialised nature.

      It is the Word docs coming from friends that carry the greatest risk; make sure you use the Trust Centre settings to disable macros. There are no default warning bars in Office 2003 programs.

  18. I just had this – and we are in the same line of business – and I thought – oh, the competition have emailed this to us!
    I went to open it and thankfully mis-clicked and then decided to google it!

  19. Just to report that I received this email this morning. I got suspicious when the Word document showed a blank page in protected view, then decided to remove the attachment from the email. I am hoping that now that I have removed the attachment and deleted the email I have escaped. Thank you for publishing this alert.

  20. I just received this email. It’s so easy to open things like this at this time of year; luckily I googled so was able to push it straight to spam and delete without opening the attachment.

    Thank you for the info!!

  21. Also had an e-mail from Tracey Smith of Aquaid today. Googled the telephone number and it looked a legit company. Then Googled Aquaid which, unless it’s part of the scam, carried a notice at the top that the e-mails from Tracey Smith were nothing to do with the company. Aquaid seems a genuine company.

    The Aquaid web-site has since been taken down.

    Thanks for the alert.

    • It does not affect or infect an iPhone, Android, Mac or BlackBerry, only Windows. You might receive the email on an iPhone or other mobile phone and open the Word document on an iPhone, BUT the macro cannot run on the iPhone version of Microsoft Word and cannot download or run the Windows-specific malware that the macro tries to download.

  22. I had it and stupidly opened it whereupon it downloaded the attachment which was a blank page. I deleted it and have run a full McAfee scan but nothing came up. I have changed fb and email passwords and I don’t do internet banking on my computer. I have windows 7 and word 2007. In macro settings ‘disable all macros with notification’ is highlighted. Hopefully, I’m safe. Tricia

  23. I trashed this one last week and they tried again today. Tried phoning the now famous Tracey but permanently engaged. We pay for AVG filters so it should have been picked up?
    Be vigilant, they (who are they?) are getting craftier; government need to step up against this organised crime.
    Thanks to your blog, fourth down on Google, not fooled this time! Keep up the good work.
    Merry Christmas.

  24. I know it says it does not work on an iPhone but I opened this it was blank, but I am so worried they will be able to access my bank account, how sure can we be that it will not work on an iPhone, however old the iPhone may be.

    • There is no risk on an iPhone. Yes, you can see a blank Word doc on an iPhone but an iPhone cannot run Windows .exe files.
      The malicious Word doc has an embedded macro that tries to download a .exe file from a remote site. iPhones cannot run the .exe so there is no risk.

  25. Thanks, found your post from a web search for the phone numbers used, saved me time checking any further.
    I didn’t want to touch the doc in any way so knowing the mail is generic helped.

  26. Thanks for this information.

    I received the Tracey Smith email today – exactly as described above. It was sent to enquiry@ my web site, which my spam filter automatically throws into a junk mail folder – always a red flag.

    I didn’t open it, but searched for “Aquaid scam” and this page was the top Google result.

    Again, thank you.

    One more for the good guys.

    Merry Christmas.

    • PS sincere thanks for the nice voicemails – I can’t ring all back as I have had over 8700 calls since the spam email hence I left a brief message but please do have a nice Christmas and thank you for your understanding. I can only agree you follow all steps listed above as there seems some very tech savvy people commenting – thanks for your understanding.

  27. Received this one yesterday. It looked so genuine. Clicked on attachment when normally I avoid like the plague. I got the yellow triangle warning about opening untrusted attachments with the option to ‘Preview File’. Luckily my sense prevailed and I closed it, deleting the e-mail, and found this forum explaining the scam. I have Office 2013 and under the Outlook Options>Trust centre>settings there is no mention of Protected View! I have macros disabled. Is ‘protected view’ described differently in Office 2013?
    Thanks

    • I registered with Genes Reunited some years ago and probably used the e-mail address that was used for the spam, although I honestly can’t remember now. However, It did come on an e-mail address that I rarely use these days so it is quite possible.

  28. Thanks – just got this email to our generic info@ work address, which sometimes people do send invoices/receipts to, so I’m glad I checked.

    Will delete the email but how can we ‘report’ these to stop them happening?

    • Unfortunately, you cannot report to anyone that will stop it happening. They are being sent by a botnet of infected computers worldwide that are under the control of criminal gangs that are frequently based in Russia or other Eastern European countries where law enforcement is less strict than in the US & Europe.
      You can report to https://reportlite.actionfraud.police.uk/ where the intelligence from a large number of reports might help to eventually track down the botnet “owners” and put them at least temporarily out of business.

  29. Received it just a few minutes ago and I googled Aquaid and Tracey Smith – which brought me straight here.
    Excellent job, thanks for the warnings. I’m going to have a look at the rest of your site.

    • As far as we can tell, all copies of the malware that the macro downloads have been Windows-only versions of Dridex.
      The macro can possibly run on a Mac, but cannot or will not download the malware. Even if the malware is somehow downloaded to a Mac, it does not know what to do with Windows .exe files so won’t run them.

  30. Received today via Outlook app on Android phone. I generally never open such e-mails, but as I was concerned about debit card fraud I stupidly opened it. Relieved to hear it does not affect phones – I presume the bit about MS exe files not working on iphones applies to all smart phones?

  31. Oh no. I just got totally taken in by this – it looked completely genuine and I even double checked the details against the website.
    The attachment was blank. Can they now hack me? Very worried since I run a business from home. Feel very stupid right now.
    I work on a Mac…

    • If you look in the black box in the main post, you will see that a Mac cannot be infected by this.
      The macro can possibly run on a Mac, but cannot or will not download the malware. Even if the malware is somehow downloaded to a Mac, it does not know what to do with Windows .exe files so won’t run them.

  32. Hi, I received this email today and have stupidly replied asking if it was sent by mistake, before actually investigating. I have not clicked on the link but was wondering if I’ve compromised anything by replying?
    Thanks, Michael.

  33. I just received the same e-mail. I was suspicious and Googled Tracy Smith Aquaid, ending up here. Thanks for your vigilance as you have potentially saved me a lot of grief!

  34. I have just received and tried to open several times.

    This is because I do deal with AquaAid – I am the bookkeeper of one of their clients!!!!

    I would have thought they’d be nice enough to let us know of this scam, since all they had to do is let us know in 2014.

    I’m sure I have attempted to open it a couple of times and was getting some terror alert, not sure if my F-Secure has managed to stop it. I’m running all the scans and cleanup I can think of – it did not even detect any virus nor malware nor anything else.

    Statistics (but no date) says ‘blocked from starting’ – status is ‘your computer is protected’

    Does anyone know if there is anything else I should do?

  35. I clicked to open this without even thinking – what a turkey

    I don’t have Word but use OpenOffice Write.

    It stopped before opening and said the file might contain malicious macros, so I closed Write using Task Manager

    Do you think it will have done any damage?

    AVG doesn’t seem to have found anything

  36. I got that email today, clicked on the view online mode in Outlook and got a blank page which got me suspicious. Have run every scan I can and got nothing. Do you think this means I am still infected? Btw, Microsoft Office is all up to date and has disable macros automatically set too.

  37. Was checking my emails and foolishly opened the attachment even though it appeared in my junk mail! I even enabled macros! Usually so careful. I’m a new Mac user, will I be OK?

  38. Hi, I got totally sucked in by this e-mail. I stupidly viewed the document online from my outlook.com account. I did not open it in Microsoft Word on the computer, just viewed it in the Word online document preview that can be opened via the e-mail account. Do you know if the Macros will have run if it was viewed via the online version of Word? I cannot seem to find clear clarification online.

  39. Hi, could somebody please reply to this as I am very worried and don’t understand some of the technical stuff. I just received this email and clicked on the ‘protected view’ and just a blank page came up; does this mean I will be infected? Any help would be brilliant as I’m panicking a bit because I bank online etc. Thank you.

  40. Dear All, I am worried sick, I tried to open the attachment and then tried to cancel. I saw a yellow ‘badge’ at the top of the blank word doc and immediately closed the document. I don’t understand a lot of the jargon and was just in such a hurry to close it that I didn’t really read everything properly and now I don’t know if I have compromised my computer. I have run a Norton Antivirus full scan, this came up with 45 tracking cookies which seems to be a usual thing it finds and resolves.

    Please help, thank you

      • Thanks for your replies , am still a little unsure. I remember a yellow shield but not a whole “bar” (could there be one without the other)? Also would the Norton pick it up, and show if compromised. Thanks again, Sarah.

  41. Thank you for your help! I have done a full scan with McAfee and it was clear, so would it have found it if there was something?
    What would be the signs if I had the virus?

    • You are correct, it cannot infect an iPad, iPhone, Mac, Android or Windows phone.
      The macros in the malicious doc can potentially run on any device that Microsoft Office or OpenOffice or several other office programs that are capable of running macros work on, BUT the downloaded malware is Windows specific (at this time), so even if it is downloaded, it cannot harm or run on anything except a Windows computer.

  42. Received the Tracey Smith AquAid card receipt e-mail today. Picked up by my antivirus and I’m using a Mac anyway, but still doing the rounds – just thought I would update.

  43. Hi all,

    We have a disclaimer on our website as we of course have suffered with this virus which wasn’t sent via our servers.

    We have I.T. specialists worldwide involved as we are an ethical charity funding company. I think all would agree it’s a nasty trick that has helped no one.

    Please visit http://www.aquaid.co.uk to read the disclaimer and thanks very much to this site for being such a resource for all concerned parties.

    AquAid Manager

  44. Hi, got one earlier asking me to open the attached Word attachment but it was (supposedly) an Excel s/sheet. The fact that it was supposed to be from Tracey Smith and the email address was “qavujgoeka@rajunepal.com” rang a few warning bells.
