STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe Every cloud platform makes me rage for this. yourorganization.whoeverythisis.com being the pattern everyone should just trust and use SSO with?
Or Microsoft which thinks a single Teams workflow should have a user connect to teams.microsoft.com, my.sharepoint.com, planner.cloud.microsoft, and login.microsoftonline.com and hope users will still notice a lookalike phishing domain.
-
There is another element to this that companies don't seem to consider:
If you use third-party services for surveys, marketing etc., and you tell customers that yes, they are legitimate, not to worry, what's stopping a scammer from copying these emails and sending them from service names similar to the legitimate third-party vendor?
@babe but… that would be RUDE!?
-
FILL OUT THIS SURVEY FOR A FINANCIAL REWARD! is even worse. You're offering remuneration to customers for the watering down of their good security practices.
@babe Thank you for "remuneration." I hear people say "renumeration" all the time and it drives me nuts. Like, well known people, commentators and such, who should know better.
-
@babe I bought a car and the dealership pre-scheduled maintenance appointments for me, without telling me about this at all. They sent a link to my phone from an unfamiliar 5-digit number, not affiliated with the dealership or manufacturer. I fully ignored it, thinking it was a scam text. In Ohio, registration is public record, so scammers love to buy the reg records so they know your exact car down to the full VIN.
-
@Nonya_Bidniss One of the common cornerstones of an autodidact's education is being a wordsy bitch. I'd kick myself if I got it wrong!
-
@Nonya_Bidniss@infosec.exchange At a previous job, we had a database table called renumeration; it confused everyone.
It didn't even track salaries! (I think it tracked money we owed to clients.)
-
@lesbianhacker @babe Training worked then.
-
@babe My own company sends out internal emails that are more like phish than any real one. Sender: not in our global address book. Subject line: You are overdue for training. Body: Click on this PDF file for details.
I sent it to our security folks (it's a big company), and they said, "If it isn't marked 'External' it's safe." Uh, where were you in 2010 when our email servers were being run by the Chinese MSS?
-
I've tried to get this through to companies like, for instance, my bank, with little success.
Before I finally managed to "opt out" of the last of their marketing / promotional email, I would get two kinds of messages from them:
1) Regular reminders of secure practice, and how you can't trust who an email comes from, and you should therefore never, ever click a link in an email claiming to be from them.
2) Constant spam for their products and services, all replete with links to follow to get them. These mails all came through outside agencies, from Mailchimp or similar, and with all the links going through a click tracker in some random advertising company's domain.
I couldn't even get their two departments to talk to each other about this.
-
@babe disagree. I would rather pay a payments company than your own website I can't audit and I'd rather do surveys at a known survey site than through your domain.
Trust within a domain matters.
#sysadmin #cybersecurity -