SSL Certificate lock next to website address

Believe it or not, lawyers get taken too (not your humble correspondent!) – all the way from elaborate scammers who try to bilk them out of hundreds of thousands, down to actual companies who use dubious techniques many of us consider to be shady – like this SSL certificate renewal pitch.

SSL Guru Voicemail

Enter SSL Guru. The story starts with this 39-second voicemail from someone identifying himself as “Eddie” from “SSL Guru,” a company I had never heard of prior to today:

Normally, we ignore spam calls and solicitations which are intended to look like invoices for services rendered – we get too many of them to worry about. But today, some guys caught me when I had a bit of free time thanks to a trial settling at the last minute. So I asked my staff to chase this down the rabbit hole to see where it went. Plus, we had already ignored one call from these guys – on Friday, someone calling himself Michael Hill spoke to Paulina, my admin assistant, with the same “renewal” sales pitch.

It turns out that SSL Guru is actually a real company which (as their name implies) issues website SSL certificates. But given that Graham.Law has never had a business relationship with them, I was curious if they were scammers, or merely approaching the line of ethical propriety, or were they themselves the victim of a third party scammer using their name to extract money from unsuspecting businesses.

False Claim to Have Issued our SSL Certificate

Here is a full transcript of the voicemail, complete with my comments.

“Hi, my name is Eddie. I’m calling from SSL Guru regarding the renewal of the SSL certificate we’ve been issuing since 2020.”

As indicated, Graham.Law has never had an SSL certificate issued by SSL Guru, so this part is plain false. And who pays for those things any longer? Our web host provides free SSL certificates from Let’s Encrypt, a reputable organization which issues 300 million certificates, suggesting that more than a few web hosts use them.

Nonetheless, I decided to do some basic due diligence to verify that our SSL certificate was really issued by Let’s Encrypt, and not these other guys. Here’s a screenshot of our SSL certificate for this site, www.graham.law:

Screenshot of Graham.Law's SSL Certificate

How to Check Your Own SSL Certificate

And I just checked the SSL certificates from our other two websites, Colorado Family Law Guide and Military Divorce Guide. Both have similar SSL certificates issued by Let’s Encrypt. If someone does call you trying to charge you hundreds to renew an SSL certificate you can get for free, here’s how to check any website certificate in Google Chrome:

  • Click on the lock next to the website address.
  • Click on “Connection is secure.”
  • Click on “Certificate is valid”, and look at the popup message – it should look similar to ours above.

So right off the bat, I’m getting more than a bit suspicious. What kind of company tries to charge to “renew” a service already being provided for free by a different company?

SSL Certificate is Expiring

“The certificate that we’ve been issuing is coming up for expiration”

They really do want to stress their claim that they’ve been issuing the certificate, so they repeated it. So this too is worth repeating: SSL Guru has never issued an SSL certificate to Graham.Law.

But the part about the certificate expiring soon is true – look at the screenshot above, and you’ll see that the certificate is issued for three month periods of time. But the SSL certificates automatically renew – the customer doesn’t have to do anything to renew the Let’s Encrypt SSL!

So how do they know our SSL certificate is expiring? Lucky guess, I assume, because all certificates eventually expire. Because if they actually verified our SSL certificate was expiring, they would immediately have noticed that they have nothing to do with it. And I have to presume that SSL Guru would not do something so fraudulent as trying to “renew” an SSL certificate with actual knowledge that they never issued it to begin with!

I asked Paulina to call them back to elicit more details. She spoke not to “Eddie”, but someone identifying himself as “Michael Hill” (the guy from Friday’s call). He repeated the claim that our SSL certificate was expiring, and Paulina responded that when she looked it up, the certificate was valid from August 26 through November 24.

Then the guy claimed that “they have a temporary safety measure”, but the “only way to be secure” would be to pay them $299 to “renew” our self-renewing SSL certificate.

This is BS – our 90-day SSL certificate was not the result of that company extending any “safety” measure to us. Let’s Encrypt issues SSL certificates for 90 days at a time. And the SSL certificates renew automatically! For free! Why pay SSL Guru $299 when a website owner can just sit back and watch the SSL certificate renew itself automatically, as it has done for years?

Visa Card on File has Expired

“and it looks like the Visa we have on file ending in 8614 is no longer valid, so we were just reaching out to get that updated.”

Graham.Law has no card with that number, so the fact that it’s invalid is hardly a shock.

Call Back for Payment

“Feel free to give me a call back on my direct line at 626-684-4456. That’s 626-684-4456. Thanks.”

That’s the end of the call. As indicated, last Friday my assistant also received a call from Michael Hill at telephone number 626-317-0194. But when she called this number which “Eddie” provided in the voicemail, it was answered by “Michael Hill” – maybe one and the same person, or maybe it’s a 2-person shop where both guys answer both lines?

At any rate, Paulina from my office repeatedly asked him about our account. He hedged and delayed, and apologized for “technical difficulties” taking five minutes to “find: us in their system. And when he tried to get her to pay the $299 to him on the phone, she said she needed approval. And the call ended.

Paulina was now starting to enjoy this sleuthing, so she called back the other number from Friday’s call (626-317-0194), and the same “Michael Hill” answered again. When she asked for clarification of our business relationship with them, instead of simply explaining it as a normal company should, he got frustrated – perhaps because the alternative would be to admit that Graham.Law was not actually in their system, so there was nothing to renew?

Note that I did learn today that my prior firm, Black & Graham, had apparently fallen for this pitch, and paid SSL Guru $199 a few years back (not me – it was after we went our separate ways, so I no longer handled expenses). So it’s possible that SSL Guru somehow linked Graham.Law to B&G, but given that we have a different business name, different telephone number, and a different website domain, that’s a bit of a stretch.

And if this were an innocent mistake, why would they not simply apologize and indicate that the certificate was for a different company? Perhaps this is their business model and they (incorrectly) perceived us as a target of opportunity? SSL Guru’s Better Business Bureau complaints show this is not the first time they have tried to solicit new business by implying a preexisting business relationship where none existed.

So What About the Phone Numbers?

Note that there are three different phone numbers at issue, all apparently connected to SSL Guru:

  • (626) 684-4456, the number from the voicemail above. Upon searching the web for that number, it turns out that Eddie has been busy – the first search result in Google contains complaints from people who received similar “SSL renewal” calls from “Eddie” at SSL Guru, going all the way back to 2017.
  • (626) 317-0194, the number which “Michael Hill from SSL Guru” called from on Friday. And as with the other number, Google’s very first search result for this number was a warning from Counseling Wise back in 2020 that their clients had been contacted from this number with an SSL scam.
  • (626) 377-9979. This is their main line, per their website, but they don’t apparently use this number in their solicitation calls.

The Next Step – the “Invoice”

When she declined to pay SSL Guru over the phone, Paulina asked “Michael Hill” to send us an invoice, saying her boss would never let her pay a bill without something in writing. The invoice they sent is curious (among other things, it was sent from a “noreply” email address, preventing their supposed customers from responding with queries – who does that?)

Excerpt from SSL Certificate Invoice from SSL Guru

Per this excerpt from their invoice, they are purporting to provide services for “grahamlaw.com”, a domain we never mentioned for the simple fact that Graham.Law has never owned it. And I’m just a simple country lawyer – it took me under a minute to do a Whois search to verify the name of the company which does own the domain. There is no reason for SSL Guru to associate that domain with our firm, other than the similarity in name.

Are we really going to trust anything related to website security to a company trying to charge $299 to “renew” an SSL certificate they never issued, for a domain we don’t even own?

Misleading Invoices Violate Federal Law

As indicated, this is far from the first time a company has reached out to Graham.Law in an attempt to solicit business by implying a preexisting business relationship. The scourge is great enough that the feds have actually passed a law, 39 U.S. Code § 3001(d)(1), which prohibits sending through the U.S. mail any solicitation for business which “is in the form of, and reasonably could be interpreted or construed as, a bill, invoice, or statement of account due.”

One of my favorite legal commentators, Popehat, had an extreme experience years ago with a scam photocopier invoice. And he was either bored or tenacious enough to expose the scam, and the perps ended up behind bars, thanks in part to him.

I’m not prepared to call SSL Guru scam artists. But consider what they did do:

  • Reach out repeatedly to a company they have not done business with.
  • Duck and weave when asked to clarify our business relationship with them.
  • Falsely imply that the free 90-day SSL certificate from Let’s Encrypt was actually their own stopgap “safety” measure to protect our site.
  • Try to charge $299 to protect a website we don’t even own.
  • And they have dozens of complaints on the BBB and other websites for allegedly using misleading sales pitches disguised as SSL “renewals.”

The takeaway? Even if we were actually in the market for an SSL certificate, these tactics are not the way to win business from Graham.Law. And as I did with scam lawyer vanity awards, once in a while I’m fired enough to actually spread the word.

Award-Winning and Ethical Colorado Family Law Firm

Graham.Law Team

U.S. News & World Report calls Graham.Law one of the Best Law Firms in America, and our managing partner is a Colorado Super Lawyer. Our family law attorneys have years of experience helping clients navigate the Colorado legal system. We know Colorado divorce & family law inside and out, from complex multi-million dollar property or child custody cases to basic child support modifications.

For more information about our top-rated El Paso County family law firm, contact us by filling out our contact form, calling us at (719) 630-1123 to set up a free consult, or click on:

Colorado Family Law. Period.