A co-worker received a text which is, unfortunately, becoming more common. The text pretends to come from a doctor and states a weight-loss medication prescription has been approved.

“Good morning. This is Dr. Santos. I pre-approved your GLP1 prescription. You may start treatment as of 09/04. {followed by a link}”

Signs it’s a scam

1. The message claims to be from “Dr. Santos,” a doctor the recipient does not know.
2. The text references a GLP-1 prescription. GLP-1 drugs (like Ozempic, Wegovy, and Mounjaro) are legitimate prescription medications for diabetes and weight loss, but they should only be prescribed by a health professional after an in-person consultation. No real provider would cold-text a random person about starting such treatment.
3. The sender’s number appears to be in Texas while our co-worker lives in California. That is one long-distance prescription.
4. The linked website does not match any real medical or pharmacy provider and is not a site known for drug fulfillment.

what’s more, when we visited the page with a US IP address, we received a Browser Guard warning:

The site tried to redirect me to a known Phishing domain while sending some information in the URL which might be used to identify which of the targets clicked the link.

The use of a dedicated tracker subdomain (track.savezmeet[.]com) matches common phishing infrastructure, where user data is collected as soon as the victim clicks and before further redirection occurs.

URL parameters are routinely used in phishing to uniquely identify visitors and record who clicked which phishing SMS. In this case we suspect:

• {var1} may refer to the vector or campaign type (“txt1” = SMS/text campaign).
• {var2} is empty, possibly reserved for an additional variable (such as a tracking code or message ID)
• {var3} is a 10-digit number meeting the format of a US phone number, which may be mapped to the target.

So we visited the URL after replacing the receiving phone number with the sender’s, and lo and behold, we got what we expected.

According to our telemetry, we first saw the track.savezmeet[.]com with this format on August 2. Malwarebytes has blocked MyStartHealth.com since March 2025.

What you will get if you decide to buy there is probably not recommended. The website explicitly uses compounded GLP-1 products (not FDA approved), with the disclaimer buried in legalese and clear acknowledgment that these are not branded or FDA-validated versions of Ozempic, Wegovy or any other GLP-1s.

And it’s not just an issue in the US, the EU recently sent out a warning about a sharp rise in illegal medicine sold in the EU.

“In recent months there has been a sharp rise in the number of illegal medicines marketed as GLP-1 receptor agonists such as semaglutide, liraglutide and tirzepatide for weight loss and diabetes. These products, often sold via fraudulent websites and promoted on social media, are not authorised and do not meet necessary standards of quality, safety and efficacy.”

So, besides social media, we can add cold texts as a means of promoting these products in the US.

Avoiding weight-loss scams

Before buying weight-loss products, there are a few pointers you can use:

• Never follow unsolicited links in social media posts, text messages, or emails.
• Don’t let anybody rush you into buying anything.
• Read the fine print. Often this will tell you that you are signing up for a monthly subscription model instead of a one-time payment.
• Research the name of the product the scammers are selling. In many cases you will find the name associated with scams.
• If you have bought one of these products, keep an eye on your financial accounts, because some scammers might use your card for other transactions.
• If you’re not sure if a text message is trustworthy, submit it to Malwarebytes Scam Guard and we will tell you if it’s likely genuine or a scam.
• Use an active security solution that blocks malicious domains.

Indicators of compromise (IOCs)

Phone number: +1(682) 416-2557

Domains:

andkovz[.]com

savezmeet[.]com

mystarthealth[.]com

---

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!