STOP. SENDING. SURVEYS. FROM. THIRD. PARTY. SERVICES.
It looks sus as ducks having something from randomsurvey.co.uk come through on behalf of YourCompany with every domain/link in the email having no obvious link to it. Rarely is there a single link to the company domain, with everything pointing to that of the commissioned survey provider.
To me it sets off every damn alarm bell for a phishing attempt. Expecting customers to use it encourages unsafe practices.
@babe When I'm in a "good mood", I answer these surveys in the most negative way possible. In the comment field I write something like:
Loved your service/product all until you sent me this survey. That you need to beg for feedback like this shows me you completely lack any kind of confidence in what you provided me. I've taken notice and will look for alternatives as soon as possible.
-
@babe Sadly it's no better within companies when communicating with employees. What 3rd party is HR using _this_ month without giving everyone a heads-up?

-
I get a few of these emails every year and occasionally investigate. A few of them WERE phishing attempts, sent to emails that had featured in major leaks.
The phishing emails and legitimate emails were indistinguishable. By using third party services on third party domains, you look like a scammer.
@babe Is the survey thing a UK thing? Because I don't recall a lot of those emails in the context of German/Austrian companies.
It does sound super phishy tho *badumtss*
-
@serebit It seems like a really common practice. I get a few every year from different companies and it's always the same thing - no link to the company they claim to be acting on behalf of.
One or two I've received *were* phishing attempts.
-
@littlemike And from an email you can recognise as belonging to the company!
@babe It's infuriating because it makes all my infosec instincts twitch.
-
@littlemike I am screaming internally every time
-
FILL OUT THIS SURVEY FOR A FINANCIAL REWARD! is even worse. You're offering remuneration to customers for the watering down of their good security practices.
@babe Seems like a good thing to be compensated for the time and effort to complete a survey. I usually decline the survey if there's no compensation.
-
@babe@glitterkitten.co.uk Those really aggravate me.
It's one thing if someone on social media announces a survey via their normal social media channels, but emails coming out of nowhere? Yeah, that's bad.
And some of them being legitimate (to the extent this sort of thing can be legitimate)... yeah, worse. Just makes this sort of thing look plausible.
If I can't get to it via a normal login to the company/service website, it might as well not exist for me.
-
@fathermcgruder@jorts.horse @babe@glitterkitten.co.uk The problem comes when it encourages people to click links to random websites without a clear connection to the entity the email claims to be running the survey.
When a financial reward is a plausible outcome of clicking a link in an email, it's going to be a lot easier to convince people to click on a phishing link.
That said, paid surveys are nice, but no matter how plausible a given email seems, don't click anything. Reach out to their customer service to verify if you really want to; just don't click the link without checking (and don't trust the CS contacts in the email, go to their website).
-
@babe you wanna know who's really guilty of this? US Government Agencies. Like seriously c'mon guys!
-
@babe I totally agree. I didn't even bother clicking on the link to leave a review. Hell I didn't even go to the site manually and leave a review because I was so mad lol
-
@babe every now and then some bright spark in the office will give our entire address book to some third party for some purpose, and not tell me. I've purged maybe a dozen of these so far, ranging from salary sacrifice deals to changes in our payslip provider. All legit, but looking dodgy as fuck.
I think they're all (mainly HR, Finance, Marketing) well trained enough now to send a warning email to let me know in advance, but I'm not certain.
-
@babe DNS *is* a form of authentication, whether we like it or not. "verizon.com" or whatever tells me that Verizon is somewhere in the chain of trust there. third parties that run from their own domains are asking us to just trust them, and with 836 partners having access to your data it's almost impossible to tell who is legit otherwise.
-
@babe this was a big problem with a recent Discord survey. There was absolutely no indication that this is really Discord collecting feedback other than "the design looks like Discord, trust us bro"
-
@babe Preaching to the choir sure feels good sometimes
-
@babe worst part about this is that many third party survey services allow the users to use a custom domain, so for any company with IT/ops that know what they're doing it would be easy to set it up on a subdomain of their primary one
-
@babe Not just surveys – every mail from a large company nowadays seems to be coming through one of approximately 3 mass mailers that a bunch of scammers also use. And there's no point in checking the links, because they've all been rewritten to go through a link tracker.
-
@horsedreamer @babe but without a system like DNSSEC (which is still woefully underimplemented), DNS is trivial to spoof. Unicode domain name abuse is also rife, sadly. DNS really shouldn’t be used as a means of verification when there’s no cryptographic trust mechanism in place.
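The check the thread keeps circling back to (does anything in the mail actually point at the brand's own domain, or does everything go to the vendor?) plus the custom-subdomain fix from earlier in the thread and the IDN/homograph caveat in this reply can be reduced to a short heuristic. The script below is an added example, not code from any poster in this thread. The two messages it parses are constructed for the demo, as is the tiny public-suffix table (a real tool would load the full Public Suffix List). It only judges link and sender domains; it does not verify SPF/DKIM/DMARC, which is the cryptographic alignment this reply is asking for.

```python
"""Flag survey/marketing mail whose links all lead off the claimed brand's domain.

Heuristic only: a legitimate mailer that hosts its survey on the vendor's
domain trips it, which is precisely the thread's complaint.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public suffixes with more than one label, so that
# "survey.yourcompany.co.uk" reduces to "yourcompany.co.uk", not "co.uk".
# Assumption for the demo; load the real Public Suffix List in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Organisational domain of a hostname, e.g. a.b.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _HrefCollector(HTMLParser):
    """Collect every <a href=...> value from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(msg) -> list[str]:
    collector = _HrefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return collector.hrefs


def idn_warning(host: str):
    """Reason string if the host smells of homograph/IDN abuse, else None."""
    if any(ord(ch) > 127 for ch in host):
        return "non-ASCII hostname (possible homograph)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode label (IDN; check how the mail client renders it)"
    return None


def analyse(raw: bytes, brand_domain: str) -> dict:
    """Compare sender and link domains against the brand the mail claims to represent."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    brand = registrable_domain(brand_domain)
    from_hdr = msg["from"]
    sender = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else ""
    on_brand, off_brand, warnings = [], [], []
    for href in extract_links(msg):
        host = urlparse(href).hostname or ""
        if not host:          # mailto:, relative links: nothing to judge
            continue
        warning = idn_warning(host)
        if warning:
            warnings.append((host, warning))
        (on_brand if registrable_domain(host) == brand else off_brand).append(host)
    return {
        "sender_aligned": bool(sender) and registrable_domain(sender) == brand,
        "on_brand_links": on_brand,
        "off_brand_links": off_brand,
        "idn_warnings": warnings,
        "verdict": "links back to brand" if on_brand else "no link to claimed brand",
    }


# Constructed sample 1: vendor-hosted survey, the pattern the thread complains about.
VENDOR_HOSTED = b"""From: YourCompany Feedback <noreply@randomsurvey.co.uk>
To: customer@example.net
Subject: Tell us about your recent order
Content-Type: text/html; charset=utf-8

<html><body><p>On behalf of YourCompany, please rate your order.</p>
<a href="https://randomsurvey.co.uk/r/ab12">Start survey</a>
<a href="https://randomsurvey.co.uk/unsubscribe">Unsubscribe</a>
</body></html>
"""

# Constructed sample 2: same vendor, but CNAMEd under the brand's own domain.
CUSTOM_DOMAIN = b"""From: YourCompany Feedback <feedback@yourcompany.co.uk>
To: customer@example.net
Subject: Tell us about your recent order
Content-Type: text/html; charset=utf-8

<html><body><p>Please rate your order.</p>
<a href="https://survey.yourcompany.co.uk/r/ab12">Start survey</a>
<a href="mailto:help@yourcompany.co.uk">Contact us</a>
</body></html>
"""

if __name__ == "__main__":
    for sample in (VENDOR_HOSTED, CUSTOM_DOMAIN):
        print(analyse(sample, "yourcompany.co.uk"))
```

Running it shows the vendor-hosted mail with zero links to yourcompany.co.uk and an unaligned sender, while the CNAME'd version passes both checks; the IDN flag is there because a homograph of the brand domain would otherwise sail through a naive string comparison.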
-
@0 The one that triggered this was Uber.
There is nothing in the email that even points to Uber's domain, just 'we're doing this on behalf of Uber, we promise. We'll give you money if you click our link and tell us things'. It's completely indistinguishable from a phishing attempt.