FedEx may have the worst and least secure digital platform for a major company. Some examples I’ve noticed:
1. I moved into a 10-unit apartment building and wanted to set up FedEx Delivery Manager. I just put in my new address, no verification whatsoever, and I was immediately given access to the previous tenant’s delivery instructions which included the building’s private garage code. Any thief could have done the same.
2. When I moved out of that building I wanted to add my new address to delivery manager … but I couldn’t. The site errored every time. The reason? Some forums revealed the correct hypothesis that if you have special characters in your password then some parts of the site are permanently broken for you. Including the change password flow. So I had to have my wife make a new account with a worse password.
Truly amateur stuff for an otherwise very impressive company.
Is it impressive though? They have about a 50% success rate delivering things to me across multiple addresses and I know other people who have had similar long term issues.
At one of my addresses FedEx will happily sell anyone overnight shipping and then just keep the parcel at the depot for a week until they have a driver who can actually make the trip. I have had like 6 very urgent packages delayed like this. Once my wife ordered something perishable and they pulled this then told her she had to drive into town and pick it up at the airport.
I've also been nearly run off the road by FedEx drivers on the highway before. One guy was so angry that I was only going 10 over that he tailgated me within a foot and then punish passed me.
They're also the only service that still corrects my other address to the wrong address. I tried for a whole month to get ahold of anyone there who even knows what address correction is and then just stopped using them for anything important.
They doubled down on "digital" during the pandemic and fired a bunch of CSRs and stuff. It doesn't look like it's working out very well for them.
I'm in the same camp. The single time they actually delivered it to me without saying I wasn't home they had actually delivered it one street over.
I spent 72 hours waiting (3x24 periods they told me to wait and call back tomorrow while they "investigated") for a $1300 package. Initially they said it must have been stolen and it's my loss, to which I said "no I was home and near the front door all day, you didn't deliver it". Pretty absurd they can't just look where he was when it was "delivered" and deal with it. Or maybe they can and they just don't bother.
Eventually the person actually called me using my number on the box and said it was delivered there.
Still no recourse from FedEx, whom I have not informed I got the package in the end.
Yeah, in my experience FedEx drivers absolutely LOVE saying they “attempted delivery of my package, but nobody was home,” so I have to go get it from the depot. But I 100% was home, working from home all day, and they 100% never came.
No. They’re 100% useless in my experience, and literally never manage to deliver to me - everything ends up returned to sender. No other courier has this problem.
As for the SMSs - in Portugal, and I’d guess Australia too, they contract all of their local operations out to some random group of muppets who can’t organise their way out of a paper bag - the SMSs they send me come from a mobile number, are handwritten (they seem to literally have someone whose job it is to write messages, on a phone, and send them), as are the emails. When it comes to delivery, I’m inevitably the last delivery of the day as I live way out in the boonies, and they just go “it’s 5pm I’m going home”, and it goes back to the depot. They drive it back and forth for a week before declaring the parcel undeliverable.
These days, if I see someone has shipped something with FedEx, despite my instructions not to, I immediately request a refund, as I know it won’t arrive.
They definitely are not impressive. I always avoid them if I am given a choice, because for the last 20 years they have always been sub-par. UPS isn't perfect, but they consistently do better than FedEx. Sadly these days it's pretty uncommon for vendors to give you the choice of who they use to ship the package, so I can't always avoid them.
They certainly can be quite impressive, I recently had something delivered from China I bought through Alibaba to South Africa, shipping cost less than 5USD and it arrived in about 13 days, 1 day less than the maximum estimate.
In my case I got an email about customs and tax payment which was needed, but the link was clearly to fedex.com.
In my country FedEx isn't popular, but I had one international package delivered by them and I was very positively surprised because they paid duties for me to speed up the process and invoiced me for those costs.
That’s a bit better than my experience with DHL :) they’ve delivered packages to random people multiple times across the UK, France, Switzerland and South Africa. Important documents they’ve handed over to strangers, like my passport, for example…
"50% success rate delivering packages" is a totally different level of risk from "automated system gives your garage access code to anyone who claims to live there"
I mean in the first case what's at risk is the five-dollar trinket you bought off Amazon
I ordered a computer from Southern California, they shipped it to Texas, Florida, Maine, and then back to Northern California. My last two orders were just stolen from someone at FedEx. They got the shipment, but it never left the facility after that. Customer service is an offshore apology machine that can't help with anything. I used to prefer fedex, but the standard of service is so subpar I go out of my way to avoid them.
I assume you know that you can open a claim? They'll either find your package really fast, or will have to pay its full value. Often the vendor has to initiate the claim. If the vendor doesn't want to open a claim, refund. If the vendor doesn't want to refund, chargeback.
Much worse than that. I wanted to get some free shipping supplies from FedEx, so I had to sign up for a shipping account. Account could not be created due to password issues on the website, forgot how I got around it but maybe had to use the mobile app which used a different flow.
After getting the account, immediately I get shipping bills for international shipping in the thousands of dollars, both sender and recipient have nothing to do with me. Credit card on file was auto-charged. Removed credit card, started getting thick FedEx bills in physical mail.
It turns out FedEx allows billing to be charged to any account as long as you have their nine-digit account number, so of course scammers do this all the time just generating random numbers. FedEx didn't give a shit, denied my reporting of fraud, allowed more scam shipping even after I reported. Finally I had to initiate chargeback via the credit card issuer and only then did they close the account. But I still get marketing emails that I can no longer turn off. Absolutely not a company anyone should use.
They ask for an ID whenever you use an account number. I have to FedEx stuff to my home address for work. The guy at the counter is always perplexed when I tell him the destination address is the same one as the one on my ID.
I'd put Spectrum up against them. A few years back, an incoming neighbor typoed their address in a new account setup request to my address and Spectrum very helpfully inferred that the previous resident would want their account terminated and they turned off my service. Apparently, you can DOS any person on the planet you want from the entire Internet by simply knowing their address.
I once moved into a duplex and Spectrum's precursor told me I already had service. After 8 hours on the phone I talked to someone in customer service who told me "I know the problem you have, I know how to fix it. I can 100% fix it. You are welcome to stay on the phone, but it will take more than 6 hours for me to create an account for you". So in the end it took days to open a new account.
When I moved, someone opened a second account in my name and kept billing me for the original account.
I bought an OP-1 from teenage engineering years ago and FedEx delivered it inside of the mailbox. USPS removed the FedEx package from the mailbox and impounded it at our local USPS post office without ever notifying me. After 1-2 months of waiting/assuming the package had been stolen, I called the USPS office and asked if they somehow had the package in their custody/possession and, lo and behold, they did (in the "undeliverable mail room") and started lecturing me about how it was illegal for FedEx to deliver a package into the mailbox, which is USPS/government property etc. etc.
I called Fedex to try to rectify this and, as far as I remember, they either never answered the phone or told me they had no way of contacting the delivery driver (??).
I've always avoided fedex (and UPS, for that matter, since they destroyed two antique lamps that I ordered through ebay) since then.
The mailbox? On your property? That you paid for and installed (or bought off the previous owner), is government/USPS property and they'll steal a parcel that someone else has delivered to it?
Re password reset workflow issues: I had an account at a bank where password reset always failed. I had to go through a VERY convoluted process with customer website support to get it fixed. It turned out that the problem was that my registered email address was just two characters (my initials) to the left of the "@", e.g., ab@mydomain.com. They allowed me to enter and use it throughout the system without any error flagging whatsoever, but it completely broke the password system. They claim to have raised it as a bug, but never fixed in 3 years+ (moving away from them now).
I specifically got a custom domain and email address for any non-personal/"professional" comms, which is essentially just me@<custom-domain-featuring-my-name>.com.
At least with non-ASCII characters in passwords, while I think it is stupid to not handle those properly, I can at least see some sort of an excuse there, no matter how weak it is. All it takes to mess this up is not thinking about handling those scenarios, so I can definitely see "this issue was created due to us not thinking about this possibility or not willing to deal with handling it."
But what's even the reason to not allow sub-3-character local portions of emails? How does one even mess those up, aside from intentionally setting some triggers for less than 3 characters in local portions of email addresses?
After 50 years of software crud, eventually a civilisation ending bug occurs and it can't be fixed (like how Telstra couldn't fix their phone system because the phone system was down). That's why we are all alone in the universe. Enjoy life while civilisation still works!
UPS is up there, too. I still get text messages about an old address on an account I can't log into for...reasons. (Special characters sound plausible! And of course the password reset flow doesn't work.)
UPS is better in my experience, with them always requiring a code sent to me via USPS to verify access to UPS My Choice, except for when I signed up with a new construction address. It also seems to only show me packages with my last name on it; packages with just a company name did not show up.
I can’t believe it’s 2024 and we are still seeing bugs with handling “special” characters. Unicode has been here for how long? Robust string handling is supported in every language. There is no such thing as a special character. My name should be able to contain Chinese characters. My password should be able to contain emojis. What is this Stone Age shit still running on companies’ backends?
PayPal used to do the same thing, but even worse they weren't consistent about it. The page to create your password truncated it, but the login page did not. I found out the hard way when I couldn't log in because of that stupid behavior.
Thankfully they fixed it at some point, but it's absolutely mind blowing to me that anyone thought it was acceptable in the first place.
Heh, that's the same company that sends physical mail to me every time I make a trade because they believe that email sent to my personal domain is "undeliverable" and automatically opt me out of e-statements no matter how many times I opt-back in. They have to be losing money on me by paying for so much postage at this point.
(And no, nothing is wrong with my email, it's hosted by a professional email host with the proper MX records and literally only Schwab claims to have this problem with me).
I remember comparing notes with fellow employees at a previous job, and depending on when you'd started working, the system had different password rules for you (users who'd been created earlier had a smaller set of allowed characters, etc.). Pretty sure it worked out to some Oracle nonsense.
Years ago I found a glaring security hole in Schwab where, when inputting a security question answer, if you got it wrong you could just hit the back button and try again.
To their credit, they took me seriously and I believe they fixed it reasonably promptly.
My favorite was when they put my well-marked mail-order medicine right at the exit of the roof gutter pipe, instead of the front door. Sometimes it feels like the workers want to purposely cause chaos.
Maybe, but UPS is close to it. They for example are sending out emails that request users to log into their account to "avoid losing their profile". If this is not ripe for phishing then I don't know what will be.
I wonder if that's why I can't change my password with petco - every time I shop there they tell me I have rewards but I can't load them because the site errors out when I try to reset my password.
I used to be able to load the rewards to my account without logging in at all, just clicked the link in my email, but I guess they fixed that and then I realized I didn't know my password.
They're an amateur company. They claimed three times to have tried to deliver a package to me last year even though they never even came down my street one time.
The package got returned to the sender who wouldn't respond. When I quibbled with my credit card company (Cash App) they said the package had been delivered to the sender, so it was technically "delivered" and I was not eligible for a refund. When I persisted they permanently terminated my account with them so I can never have another Cash App account, thanks to FedEx.
Up until a few years (well, it feels like it) ago Wells Fargo had a case insensitive password for accounts. I didn't believe it since my password was upper and lower case and special characters but I tried one day and sure enough got right in.
I've had FedEx hand packages to other couriers who promptly lost them never to be seen again. When I contact them they said this counts as delivering the package.
I no longer use FedEx for any shipment that I need to have arrive.
Of the carriers, FedEx is the worst for me (North Carolina, USA). DHL is the fastest and most reliable. UPS and USPS tie for second place, slightly below. (People I talk to in person hate USPS, but I've had consistently good experiences with them for both sending and receiving.) Then FedEx, several rungs below: out for delivery, then rescheduled every time.
A while ago my wife applied for a home equity loan. At some point I got a call from someone claiming to be from the bank she had applied through (I forget which one), calling to make sure I approved the loan since the home is in both our names. He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue. I told him I wouldn't do that, and was there a number on the bank's website I could call in order to get back to him, in order to verify that he actually worked for the bank. The guy started acting really annoyed, and said he didn't think there was any number on the bank's website that could reach him, and that if I didn't give him my full social security number he would be forced to reject the loan application. I told him I didn't feel comfortable giving that information to someone who had phoned me, and if there was no way for me to call him back through an official bank phone number then the call was over. He hung up angrily.
Turns out he actually was from the bank and he did cancel the loan application.
A bank called me to ask me security questions. I said that I would call back using the number on the bank's website. They said (and the bank confirmed when I did call the number) that there is no way to be transferred to the security question people when I call the bank - the only way is for them to call me. I explained that that was poor security practice. They said that I should just look at the caller ID to see that it was the bank calling. It was useless trying to tell them about caller ID spoofing.
It’s a real mystery why, as soon as I heard about a bank founded by people who sounded like they had heard about the internet (Monzo, in the UK), I switched away from my venerable bank (NatWest) that, at the time still had security practices unsuited for the 18th century.
Appropriately enough, the last thing they did was to insist —demand, really— that, in 2018, I fax them my demand. It just so happens that this could have been relatively safe because, after asking everyone I knew for a week (including some venerable hackers), the only way that I found to send a fax was to ask the local branch of the same bank.
Asking them to authorize the transfer wasn’t possible (by showing them all relevant documentation). Asking them to let me send a fax, using their machine, to a sister branch to tell them to authorize a transfer without anyone verifying my ID, was fine.
And then if your identifiers somehow get in the hands of bad actors and the bank gets fooled by them to open a bank account in your name, you are the one on the hook. It's utter insanity!
PSA: If you are of a certain age, the last four digits might be roughly all of the useful entropy in your SSN. Be careful with them. Before 2011, the first three digits indicated the office that issued the number and the middle two (the "group number") were used in a publicly-known sequence. The Social Security Administration helpfully published periodic lists of the highest group number reached by each office. This makes it extremely easy to predict the first five numbers for people who were registered at birth, which became quite common in 1986 when tax laws changed to require children's SSNs to claim the associated tax credit.
Tangentially related - wouldn't that mean that if you are an immigrant, then you are at least theoretically somewhat safe from that enumeration type of an attack?
Because if I got my SSN in my late teens, then my date of birth shouldn't mean much at all to anyone trying to use that method you describe, right?
This is just an extremely incompetent and rude loan officer. Generally the loan officers are motivated to close the deal and write you a check because they get commission from that. They are nice to their customers because pissing off customers won't get them that sweet commission. The loan officer I last talked to managed to close more than $1B of mortgages in a year and he's the nicest guy on the phone. In your case, they could for example let you email them using their official bank email address, or use the bank's own web app or messaging system.
Similar story, I transferred a decent amount of money from one bank account to another (different bank). I thought nothing of it, but I got a call randomly from what appeared to be the receiving bank's 'fraud' phone number (based on Google). I picked up, and the person on the end had an extremely thick accent similar to scam callers. He started asking me if I had made a transaction recently (I said yes), then asked me to confirm this transaction if I would provide additional information about myself, including home address and social... I refused, and was told if I didn't my bank account would get locked!
Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.
I feel for legit employees with strong accents. In an era of getting 5-10 calls a day from OS scammers, I had a call from a woman with an accent about an invoice. I was curt and ended the call quickly. Turned out that her wording was just ambiguous and she was trying to pay my invoice to her employer's company.
Terms of service from my bank say you're not allowed to give your PIN or secrets like one-time passwords (called "TAN" here) to third parties, not even the bank employees themselves.
But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this german company...
I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in Germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example
I've implemented the bank account checking flow for a German client in a purely B2B setting, and this is essentially based on the PSD2 directive, which requires all/some/most (not entirely sure) banks to provide exactly this functionality (google keywords "PSD2" and "XS2A"). The bank's T&C should reflect this ... somewhere.
The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.
The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, though, and I'm glad I haven't had to do this myself yet.
Any bank where this is the standard operating procedure for interacting with loan applications is not a bank that I'd want to do business with. Perhaps this was just one loan officer's way of doing things, and not the way of the business, but that's just not okay to me.
Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.
This method of data exfiltration is in Kevin Mitnick's book! He needed a daily pin that banks used to validate intra-bank communications. He called a bank, said that he needed to fax over loan forms from another branch for signing later that day (or something like that). He then asked the bank that he called for the daily PIN. They refused because he called them. He pointed out that he was sending sensitive data to them so they needed to provide the pin... and they did.
One of my startup jobs paid us through ADP. While our ADP account was being set up, my boss told us to be on the lookout for an email from them. So one day, I'm in the middle of programming something, and I check my email. Lo and behold, there is an email from ADP... or is it? It is about fifty words long and contains five grammatical errors. It's asking me to fill out the attached PDF and email it back. The PDF is asking for my full name, address, phone number, SSN, and so on. I figure this may be some kind of phishing attempt, so I ignore it and get back to my work. If it's real, I'll hear about it again, right? Well, two weeks later, my boss tells me amazedly, "Hey, Bill from ADP is still waiting for your information! Why didn't you reply to him?!?!" I laughed and told him why.
As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.
> He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue.
I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are but a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.
The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.
SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.
I'd have read him the riot act on the phone. My bank has big warning banners on virtually every page of the site warning me to be careful of scammers. Someone calling me on the phone and asking for my TIN? Yeah, I don't think so.
Had a very similar experience with a bank few years ago. I filed an official complaint because it was not possible to verify the caller was authentic.
Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.
Later got a letter saying it wasn't possible to followup on my issue and they didn't see any issues with what I had raised. I tried... :/
Reminds me of the repeated calls my parents received to refinance their mortgage under some government program. It took them months to realize it was legit.
Shout out to my car insurance, Amica. They called me because they needed some account information updated/clarified. Before we started doing anything I told them "Hey, not to be rude but could I call you with the number on your website? I'm paranoid about scamming and that's safer" They said "Absolutely, that actually makes a lot of sense". So, I called back and we got everything done.
The issue, I think, is the larger the company is the more incentivized it is to hide away access to its internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.
A few months ago I got an email from the IT center of the company I work for that was dodgier than any phishing email I have ever received:
- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something.
- Subject: "URGENT: your account is expiring soon".
- Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company.
- No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).
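The four bullets above are exactly the signals a mail-gateway or user-reporting triage script can check mechanically. The following scorer is an added example, not anything the commenter's IT department runs; `example-corp.com`, the shortener list and the two sample messages are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed for the example: the organisation's own sending domain(s).
CORP_DOMAINS = {"example-corp.com"}
# Well-known public URL shorteners; an internal notice has no reason to use one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended?|expir(?:e|es|ing)|within 24 hours)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Phrases that give the reader a route that does not go through the emailed link.
OUT_OF_BAND_RE = re.compile(r"account settings|line manager|help ?desk|call us on|service portal", re.I)
LONG_URL = 100  # characters; "multiple lines long" in a mail client


def host_in_domains(host: str, domains: set[str]) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(sender: str, subject: str, body: str) -> list[str]:
    """Return a sorted list of the indicators present in one message."""
    reasons: set[str] = set()

    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not host_in_domains(sender_domain, CORP_DOMAINS):
        reasons.add(f"sender-domain-mismatch:{sender_domain}")

    if URGENCY_RE.search(subject):
        reasons.add("urgency-in-subject")

    urls = URL_RE.findall(body)
    for url in urls:
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            reasons.add(f"link-shortener:{host}")
        elif not host_in_domains(host, CORP_DOMAINS):
            reasons.add(f"link-off-domain:{host}")
        if len(url) > LONG_URL:
            reasons.add("link-very-long")

    if urls and not OUT_OF_BAND_RE.search(body):
        reasons.add("no-out-of-band-alternative")

    return sorted(reasons)


def is_suspicious(sender: str, subject: str, body: str, threshold: int = 2) -> bool:
    """Two or more independent indicators is the constructed triage threshold."""
    return len(phishing_indicators(sender, subject, body)) >= threshold


# Constructed sample messages.
DODGY = (
    "it-support@itservice.com",
    "URGENT: your account is expiring soon",
    "Your mailbox will be suspended. Renew now: "
    "https://account-renewal.example.net/auth/session/" + "x" * 110 + "\n"
    "or https://bit.ly/renew-now",
)
LEGIT = (
    "it@example-corp.com",
    "Reminder: scheduled password rotation next week",
    "No action is needed by email. Change your password from your account settings at "
    "https://account.example-corp.com/settings or contact the help desk.",
)

if __name__ == "__main__":
    for msg in (DODGY, LEGIT):
        print(msg[1], "->", phishing_indicators(*msg))
```

Note that a genuine-but-badly-built IT notice scores exactly like a phish here; that is the point the thread makes, and the right fix is to change how the notices are sent rather than to whitelist them.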
Our IT did the exact same thing with expiring m365 passwords. They weren’t using the corp domain, typos all over and the URL was obscured using a bizarre link shortener.
The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords we have to enter in systems that can’t pull directly from password managers and thus have to type 10-20 per day. Guess the average strength of an employee password!
I think IT incompetence should lead to audit fails or even better delisting from exchanges.
I've noticed that Microsoft themselves aren't helping this right now. M365 seems to default to using random-tenant-guid.onmicrosoft.com for a lot of these transactional emails like password changes even though the official account.microsoft.com is fully multi-tenant aware and most Microsoft guidance tells you to always go directly to account.microsoft.com. These transactional email mistakes seem like another case of Microsoft accidentally exposing problems in their org chart to external customers. I imagine it has something to do with the wild rewrites from old Azure AD to new "exciting brand" Entra ID and other such shenanigans combined with Microsoft's willingness to bend over backwards to bad IT administrators and letting them set bad defaults (such as "just use the .onmicrosoft.com GUID instead of a real domain"), because companies love to pay them good money for the "control" to do stupid things in Group Policies and corporate configuration.
Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.
The lack of use of a non-corp domain, the typos and the use of shortened links does sound like a form of incompetence, probably at the management layer.
However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at all surprised to learn that was still the case in a lot of places.
I forget who puts that stuff out, NIST/STIG(?), but IIRC in the recent few years they determined that rotating passwords like that was basically security theater and wasn't worth the damage to the staff's productivity.
> The same guys also force us to change our passwords every 6 months
While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.
The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.
Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.
> I think IT incompetence should lead to audit fails or even better delisting from exchanges.
Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.
I had a similar experience at an old company that used M365. YMMV but with Bitwarden I generate passphrases like Pregnant-Guppy-Skateboard9 and it made it tons easier for me to type 20x a day than &7UoTod#$7OOD
> Guess the average strength of an employee password!
It is interesting how sometimes creating "more secure" measures results in less security. Our IT department decided that using 2FA for the VPN is not enough; we should also have extra 2FA for connecting to the webmail, even through the intranet or VPN. Guess who stopped using the VPN.
Meanwhile, one can set up and use our email through any email client app on desktop or mobile without any 2fa at any step. Go figure.
Banks do this as well. I made a purchase, and within minutes got a very scammy-looking e-mail from them - low quality gifs, asking me to click on links to a random non-bank website (something like purchase-verification-users.net/235532/confirm.html, and the site wasn't coming up on any searches). At the same time I get a call from a random number asking me to go over some purchases - I looked up the number, and it's none of the ones listed for my bank.
So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.
Did you click on the "Report Phishing attempt" button installed by your IT center in your mail client?
Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.
FWIW, I did exactly that a few times where I was 90% certain the e-mail is legit, but it still looked like a phishing attempt. The IT department needs to learn to do better, this is inexcusable, especially in a corporation with otherwise restrictive policies that waste ridiculous amounts of money and effort (think: Windows Defender real-time "protection" on developer machines, with no way to exclude your repos).
This is even worse in companies that have security offices actively sending out phishing emails worded as internal emails from your company that shame you if you click any of the links in them.
I am usually a bit pessimistic about it though. If their SOP doesn’t account for “looks like phishing but is from internal sender” then chances are that nobody connects the dots and informs that sender.
The intelligence of a small and motivated IT team seems difficult to scale.
My company's security training tells me to carefully verify any URLs in received emails, but then they have some security software that rewrites all the URLs in incoming emails - presumably as a way of screening them themselves.
This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!
Our last round of security training was roundly mocked by our software division, especially around the subject of one of the rules emphasized over and over being to "never click URLs in emails" and the sign-in process for the website alongside the distribution of lessons was done exclusively through magic links... in emails.
Our CEO is actually a developer himself on our core product (and a bit of a paranoid fella on the cybersecurity front to boot) and he was absolutely furious about this vendor being chosen...
My company does that too, it's really annoying. They also sometimes send out mass emails for things like surveys but link to some third party service. I've even seen them put, in the email, things like "the link goes to a trusted third party and is perfectly safe". Why should I trust that if I'm already suspicious of the email's legitimacy?
M365 has an option to rewrite URLs in incoming emails. It's horrible, at least for people that can actually read URLs. Every link turns into a 300 character mess that I have no idea if it's valid or not. The only way to tell is to click it. Maddening!
At our company (hosting & PaaS), I was contacted on our internal messenger by a person I've never seen before, asking me to "please" run some commands as root and send back the results. After the initial shock (and due infosec diligence) I found out it was just "the new guy", needing to collect info about our systems for equipment inventory purposes. Since they didn't have access to our networked management tool yet, and didn't know the finer points about how running `curl ... | sh` randomly is not a good idea, they thought it would be ok to get that information piecemeal directly from people.
When I worked at Sun Microsystems, they had a clever launcher shell script dealie for things like StarOffice documents that did usage tracking, portability fixes (usually setting obscure environment vars), and of course downloading and opening the actual document. Then they started sending those shell scripts as email attachments. One day they sent out an email telling people to not open executable email attachments: the full memo was a SO document wrapped in one of these scripts.
To their credit, after the inevitable replies to that email they never used that wrapper again (they moved the launchers to the centralized NFS install where they always should have been)
Yeah I got a text from one of these a couple years ago. Something like. “You have an overdue doctor bill of $183.56, please kindly pay immediately at this link: http://my-doctorpay.net/defintelylegit123. Thx!” Didn’t even include the name of the doctor or office, but after calling the only doctors office I had used recently it was apparently legit. I let them know whatever company handles their billing is completely incompetent.
Lets not forget all the typosquatting looking domains Microsoft uses. It almost seems like they bought them up to protect users, forgot why they did that and said "hey we have all these domains, lets use those?"
I’m supposed to pay my semi-annual property taxes (on the order of ~thousands of USD) on a site that ends in .org instead of .gov, and nobody apparently sees anything weird or wrong with it.
Our government uses the equivalent of www.mydatabox.cz (the real one is mojedatovaschranka.cz).
Literally a domain that looks like it is from phishing-awareness teaching material, not databox.gov.cz or something like that.
The domain is for official legal communication with the government and has the same legal weight as a letter that was delivered in person with the recipient checked against ID.
Worse, every doctor/lab sends their own separate bill with their own separate account numbers and URLs. You could probably make a ton of money just sending a bill to every address in your city; so long as the amount is around $50 many will not question it anymore, as they get so many of those things.
Regarding the external domain thing, I can say that dealing with domains in a big company gets about as bureaucratic and terrible as just about everything else; I experienced this myself - at a youngish company when I needed a new sub-domain off the big official domain, it was just talk to $dude on the DNS team and he’ll help you out. And he did. A few years later once things had “grown up” a bit, I needed to update a record and I asked the same guy. He told me I needed to fill out a 25 question form and they’d review it. I about half copy and pasted it from another team member’s project and they accepted it.
Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.
I report those as phishing in order to get the feedback to the IT team who sent them from their colleagues in infosec. (I often have had IT and infosec reporting to me, which makes this even more effective of a feedback mechanism. :) )
If I saw one of those in a 100k employee company I'd first just assume it's a phish-test email and that anyone who clicks on any URL in it is going to get put in the list for remedial training.
There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in peoples' inboxes.
Similar unforced error: I got emails from healthcare.gov for required actions on the site's marketplace. But the links used the lnks.gd shortener, hiding what domain you were actually going to end up at! They're encouraging people to blindly click on links with no idea where it takes them!
What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.
There was no reason to use a shortener, let alone such a shady one!
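Both complaints in this thread (the M365 URL rewriting above and the lnks.gd shortener here) come down to the same question: where does this link actually go? The added example below is not code from the thread or from any vendor. It relies on one documented format, Microsoft Safe Links carrying the original address in the `url` query parameter of a `*.safelinks.protection.outlook.com` URL, and treats everything else as either plain or opaque. The shortener list and the sample links are assumptions constructed here.

```python
"""Recover the real destination of a rewritten e-mail link before clicking it.

Added example, not from the original thread. Known format: Safe Links puts
the original URL in the `url` query parameter. The OPAQUE_SHORTENERS set
and the sample links are constructed assumptions.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
# Constructed list: these hosts give no hint of the target without a network round trip.
OPAQUE_SHORTENERS = {"lnks.gd", "bit.ly", "t.co", "tinyurl.com"}


def unwrap(link):
    """Return (kind, destination).

    kind is 'rewritten' when the destination was decoded locally,
    'opaque' when only a redirect probe could reveal it (destination None),
    and 'plain' when the link already is the destination.
    """
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        target = parse_qs(parts.query).get("url", [None])[0]
        if target:
            return "rewritten", target
    if host in OPAQUE_SHORTENERS:
        return "opaque", None
    return "plain", link


def destination_host(link):
    """Host you would actually land on, or None when it cannot be known offline."""
    _, dest = unwrap(link)
    if dest is None:
        return None
    return (urlsplit(dest).hostname or "").lower()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None stops urllib from following the redirect; the 3xx then
    # surfaces as an HTTPError whose Location header is the answer we want.
    def redirect_request(self, *args, **kwargs):
        return None


def probe_redirect(link, timeout=5):
    """Ask an opaque shortener where it points without following it (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(link, method="HEAD")
    try:
        resp = opener.open(req, timeout=timeout)
        return resp.headers.get("Location")  # not a redirect after all
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


# Constructed sample links (the Safe Links one mimics the documented shape).
SAFELINK = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fexample.com%2Freset%3Ftoken%3Dabc"
    "&data=05%7C01%7Cuser%40example.com&sdata=x&reserved=0"
)
SHORTENED = "https://lnks.gd/l/eyJhbGciOiJ"
PLAIN = "https://www.example.org/account"

if __name__ == "__main__":
    for link in (SAFELINK, SHORTENED, PLAIN):
        print(unwrap(link), destination_host(link))
```

The practical point is the third case: a shortener hides the host entirely, so the only offline answer is "unknown", and a HEAD request that refuses to follow the redirect is the least risky way to find out without visiting the target.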
Yeah, was working for a (then) 15k employee company and got an email "You have expenses due". Blank content, PDF attachment. I hadn't initiated any payments (but it later turned out the bank had just charged the annual tax on my corporate card account)
Ignored it.
Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.
The company I work for has a service that sends phishing test emails to everyone that you are supposed to report. I take great joy in reporting every legitimate email that is at all sketchy just for the inevitable email back from the security team informing me that they reviewed my report and it was indeed a legitimate email.
I work as an (external) CyberCyberCyber guy in an organisation somewhere in the Sparkassen group. I can assure you that nobody who has even the remotest involvement with infosec at the bank has heard of this marketing idea.
There's an EU law demanding such documents to be delivered on a "durable medium". Some banks and financial institutions may have a strange approach to those, even though email attachments seem to be enough for others.
> Terms and Conditions, Price and Service List, Conditions.
> Dear customer,
> our price and service list, our terms and conditions, as well as further conditions which will come into effect on May 1, 2024, can be found on the USB stick.
Some German banks created a paid storage service with multiple plans available. They are required to deliver documents to their customers, but management has a massive brainfuck about the requirement and the most absurd solutions and ideas are being sold to them.
When I bought a car once, I received an email a few months later saying I hadn't proven I had obtained insurance on it, and the bank wanted me to visit a domain that wasn't theirs to provide proof.
The email I got looked like a badly-scanned letterhead and was very, very fishy.
After I received a few of them, I finally contacted the bank and it was legit.
I tried telling the office person (not just a clerk at the counter, someone with their own desk) about the situation and they couldn't understand why it was bad.
I soon paid off that loan and got away from that bank.
Happened to me with my mortgage. Got this very weirdly phrased letter about how my homeowner insurance info needed to be updated/confirmed and that I had to go to <random website> to clear it out.
I called my insurance broker and yes indeed it was legit. I also tried to explain to them how this letter was a few steps removed from a Nigerian prince scam based on all the red flags, but i don't think it made a big difference.
The national insurance providers are often pretty slow or shady when it comes to claims, but I've never had a bad experience with Allstate or State Farm when it comes to their cybersecurity and domain experience. Allstate's frontends (web and app) sometimes feel more clunky but their APIs feel good enough and sites seem to follow good design practices.
Wow, I thought this was a great post, and I'm just dumbfounded about how egregiously bad that first SMS was - FedEx might as well tell the recipient they want the customs duties wired to a Nigerian prince.
But I also disagree with the general push of Troy Hunt's recommendations. That is, we should just take the base assumption that humans, generally, can't distinguish between real and phishing inbound messages. That's only going to become more true with AI. Relying on those distinguishing characteristics in the first case is an absolute fatal flaw.
Instead (and, in fairness, Troy Hunt did do this) you should never depend on an outbound link or phone number in a message you received. You should log in to whatever service you think sent it based on looking up the address or phone number yourself. This "hang up, look up, call back" advice should be an absolute mantra. I think responsible organizations should just start by saying they will never put links or phone numbers in text/emails/calls, and their notification messages should say something like "Log in to your dashboard to see details."
1. The entire article is about a (surprisingly) legit FedEx SMS looking totally spammy. My point is that we should take "looking totally scammy" completely out of our vocabulary, and pointing out similarities or differences in scam vs real notifications only furthers the notion that they're distinguishable in the first place. Again, to emphasize, I still think this overall was a great article highlighting the ineptitude of FedEx sending such egregiously bad notifications in the first place
2. Hunt says exactly this in the article "But if I were to take a guess, they've merely blocked the tip of the iceberg. This is why in addition to technical controls, we reply [sic] on human controls which means helping people identify the patterns of a scam: requests for money, a sense of urgency, grammar and casing that's a bit off, add [sic] looking URLs." My point is we should stop "helping people identify patterns of a scam". We should instead just teach people to treat all incoming notifications as suspect and to never follow a link/phone number from an incoming message.
It can't become any more true than it already is. Humans already fail to identify phishing 95% of the time. And a human can already create an exact duplicate e-mail, website, text, etc as a real one. There's no need for AI.
This is more restriction than necessary, and unkind to users who may be technically unsophisticated, distracted, sick that day, or just kinda dumb.
Include a link, make it a part of the core domain, short, and prominent: https://example.com/contact. If the user isn't logged in, lead with a login flow explaining "If you received a message from us, login for details", and include a contact form, phone number, and if there's a chat with customer support, that too.
These are all things a phish can spoof to some degree, but that's not a good reason to force the user to figure out how to resolve whatever problem you're bringing to their attention.
> This is more restriction than necessary, and unkind to users who may be technically unsophisticated, distracted, sick that day, or just kinda dumb.
Couldn't disagree more. By sending outbound links in notifications we're only perpetuating the idea that it's OK to click those in the first place. It's hardly any more difficult to just open your browser yourself. I also don't like the idea that we're not willing to accept the absolute mildest of inconveniences, when on the flip side we have loads of stories of people's lives being completely ruined when their life savings are stolen by scammers. It'd be like telling people not to lock their doors because that adds 5 seconds to the time it takes to enter your house.
I know this comes down to institutional incompetency, but at some point there was a singular human person putting the template content the SMS message in question was generated from into some computer system somewhere and I genuinely wonder what was going on in their head that made them string the words together in this way. You'd have to give it a true, earnest shot to make it worse.
"The words" are probably nested templates so that at the level of input it's hard to really understand what the completed end result looks like. Also, there's many well-intentioned people in tech doing stuff that's just a tiny bit too complex for them to execute by themselves without a buddy or a reviewer. There are also whole teams and departments at big enterprises where someone might not be doing it alone, and they might also not be completely incompetent, making them the star engineer on the team, while everyone else wisely keeps their mouths shut since they surely don't have anything to contribute to the process. All the really good people that worked there, were snatched up by some fancy, greenfield project, on another floor, or got a position on some elite "refactoring team", surely not wasting their time on updating templates.
Could easily be one person writing the message. Another who demanded partial edits in a Jira ticket. But then the data types didn't match up with what the writer requested and then the dev didn't want to deal with it and just shipped it.
Or it could be that the message is made with a bunch of disjointed and constructed if statements and only the final output is piped to the customer. I have seen some very terrible log messages like that as nobody is looking at the entire message, just the little bit in the conditional they are editing at that point.
As an anecdote, I once worked on code that generated these very detailed error messages about why something went wrong. I discovered most never made it to the customer as someone later down the line reassigned a variable rather than +=. Piles of support tickets could have been avoided.
Some say scammers are very smart, and that they deliberately use every trick in the book to tap into our psychological weaknesses and make us act irrationally. But I have the feeling that, 90% of the time, scammers are just told to write an "official-sounding" message – which is the same thing that the hypothetical human who wrote this template was trying to do: that's why the result is so similar. No doubt the use of the word "urgent", or capitalizing the words "Duty" and "Taxes", come from this attempt at making the message sound more formal and official, from someone who is definitely not a skilled writer.
Yep. It's a bit like the theory that scammers mention they're from Nigeria because they're ingeniously weeding out all the people who've heard of the scam before, and not because they need an excuse for people to send money to Nigeria (and with their culture and education level the ALLCAPS and religious references look very official and honest indeed), and if the cost of that is that 99.99% of their emails don't get delivered due to automatic filters protecting even the most gullible of recipients, well that's probably not something they've given much thought to.
> I know this comes down to institutional incompetency
"Incompetency" is an interesting word.
The old maxim about incompetence versus malice suggests a binary choice.
I prefer the more nuanced take that there is a spectrum of positions between the two, and other dimensions that describe a cluster of intents, both conscious and unconscious.
Take the UK Post Office scandal where we see incompetence layered on top of malice, layered on top of incompetence. In some organisations obviously deliberately harmful positions are written into "policy". Often this comes under "PR" [fn:1]. More and more "AI" will be used to disguise malintent and deflect scrutiny.
In the final episode of the ITV dramatisation [0], Alan Bates (played by Toby Jones) delivers an absolutely shocking, knock down line. When talking about incompetence and evil he says: "They're the same thing"
At some point there is no difference between incompetence and evil. For a deeper psychological discussion of that listen here [1].
[fn:1] Edward Bernays' seminal definition of public relations outlines a creed of deception, manipulation and disinformation which is antithetical to security [2].
This fits nicely with my experience of FedEx. They sent me a bill 7 months after I had received the package. A few days later I get a reminder that doesn't include the necessary information for payment, which seems rather lazy and stupid since an unpaid bill might well have been lost. It refers me to www.fedex.com where I'm told to create an account. I do that only to find it doesn't know anything about my bill. By chance I do find the original bill shortly afterwards. Turns out this bill sent 7 months late had very small text saying "to be paid immediately", the first time I see that on a bill (it's usually 30 days in my country). Of course they sent me a second reminder 10 days after I paid.
If you ever drive on a toll road in Texas (there are a lot of them and more every year) there are no toll booths that allow you to pay then and there but you'll get a bill in the mail 6-12 months later informing you that this is your fifth and final warning and you owe $4 for the toll and $80 in late fees. I guarantee you the people behind this have friends or family in the Texas legislature supporting them.
I've had this, but the first thing I heard was that my customs charge was sent to collections. Cue lots of scary messaging about debt collection, none of which said anything other than this was for a FedEx parcel of some kind
I spent 72 hours waiting (3x24 periods they told me to wait and call back tomorrow while they "investigated") for a $1300 package. Initially they said it must have been stolen and it's my loss, to which I said "no I was home and near the front door all day, you didn't deliver it". Pretty absurd they can't just look where he was when it was "delivered" and deal with it. Or maybe they can and they just don't bother.
Eventually the person actually called me using my number on the box and said it was delivered there.
Still no recourse from FedEx, whom I have not informed I got the package in the end.
As for the SMSs - in Portugal, and I’d guess Australia too, they contract all of their local operations out to some random group of muppets who can’t organise their way out of a paper bag - the SMSs they send me come from a mobile number, are handwritten (they seem to literally have someone whose job it is to write messages, on a phone, and send them), as are the emails. When it comes to delivery, i’m inevitably the last delivery of the day as I live way out in the boonies, and they just go “it’s 5pm I’m going home”, and it goes back to the depot. They drive it back and forth for a week before declaring the parcel undeliverable.
These days, if I see someone has shipped something with FedEx, despite my instructions not to, I immediately request a refund, as I know it won’t arrive.
The whole thing beggars belief.
In my case I got an email about customs and tax payment which was needed, but the link was clearly to fedex.com.
They're telling both that my package will be delivered this afternoon, and that it's in a distribution center 3000 miles away.
I mean in the first case what's at risk is the five-dollar trinket you bought off Amazon
After getting the account, immediately I get shipping bills for international shipping in the thousands of dollars, both sender and recipient have nothing to do with me. Credit card on file was auto-charged. Removed credit card, started getting thick FedEx bills in physical mail.
It turns out FedEx allows billing to be charged to any account as long as you have their nine-digit account number, so of course scammers do this all the time just generating random numbers. FedEx didn't give a shit, denied my reporting of fraud, allowed more scam shipping even after I reported. Finally I had to initiate chargeback via the credit card issuer and only then did they close the account. But I still get marketing emails that I can no longer turn off. Absolutely not a company anyone should use.
When I moved, someone opened a second account in my name and kept billing me for the original account.
I called FedEx to try to rectify this and, as far as I remember, they either never answered the phone or told me they had no way of contacting the delivery driver (??).
I've always avoided fedex (and UPS, for that matter, since they destroyed two antique lamps that I ordered through ebay) since then.
That's insane lmao
I specifically got a custom domain and email address for any non-personal/"professional" comms, which is essentially just me@<custom-domain-featuring-my-name>.com.
At least with non-ASCII characters in passwords, while I think it is stupid to not handle those properly, I can at least see some sort of an excuse there, no matter how weak it is. All it takes to mess this up is not thinking about handling those scenarios, so I can definitely see "this issue was created due to us not thinking about this possibility or not willing to deal with handling it."
But what's even the reason to not allow sub-3-character local portions of emails? How does one even mess those up, aside from intentionally setting some triggers for less than 3 characters in local portions of email addresses?
Wonder if they share a vendor.
Thankfully they fixed it at some point, but it's absolutely mind blowing to me that anyone thought it was acceptable in the first place.
(And no, nothing is wrong with my email, it's hosted by a professional email host with the proper MX records and literally only Schwab claims to have this problem with me).
I remember comparing notes with fellow employees at a previous job, and depending on when you'd started working, the system had different password rules for you (users who'd been created earlier had a smaller set of allowed characters, etc.). Pretty sure it worked out to some Oracle nonsense.
to their credit, they took me seriously and I believe they fixed it reasonably promptly.
At least they don't automatically lowercase and truncate your password behind the scenes like AMEX. Lol.
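The three failure modes in this sub-thread (non-ASCII characters breaking a password flow, local parts under three characters being rejected, and passwords being lowercased and truncated) are all input-handling bugs with well-known correct behaviour. The block below is an added example, not code from Schwab, AMEX, FedEx or anyone in the thread. The length limits are from RFC 5321 (local part 1 to 64 octets, domain up to 255, whole address up to 254 as commonly enforced); the "legacy" digest is a constructed illustration of lowercase-and-truncate, not a claim about any vendor's actual implementation.

```python
"""Correct handling for the two inputs this thread shows being mangled:
e-mail addresses with short local parts, and passwords with non-ASCII text.

Added example, not from the original thread. RFC 5321 limits are real;
legacy_digest() is a constructed 'bad' scheme used only to show the collision.
"""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 100_000


def valid_address(addr):
    """Accept any plausible address, including 1- and 2-character local parts
    such as me@example.com; reject only what RFC 5321 forbids."""
    if not isinstance(addr, str) or addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not 1 <= len(local.encode("utf-8")) <= 64:
        return False
    if not 1 <= len(domain) <= 255 or len(addr) > 254:
        return False
    labels = domain.split(".")
    # Require at least two non-empty DNS labels of at most 63 characters each.
    return len(labels) >= 2 and all(0 < len(lbl) <= 63 for lbl in labels)


def legacy_digest(password):
    """Constructed 'bad' scheme: case-fold, keep 8 characters, drop non-ASCII.
    Distinct passwords collapse onto the same digest."""
    squashed = password.lower()[:8].encode("ascii", "ignore")
    return hashlib.sha256(squashed).hexdigest()


def normalize(password):
    """NFC so the same visible string always yields the same bytes regardless
    of how the client composed accents; the full UTF-8 encoding is kept."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256 over the normalized bytes; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, rounds)
    return salt, digest


def verify_password(password, salt, digest, rounds=PBKDF2_ROUNDS):
    """Constant-time comparison against a stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(valid_address("me@example.com"), valid_address("@example.com"))
    print(legacy_digest("Pässwörd") == legacy_digest("Psswrd"))  # collision
    salt, digest = hash_password("Pässwörd")
    print(verify_password("Pässwörd", salt, digest), verify_password("Psswrd", salt, digest))
```

The NFC step matters because macOS and some mobile keyboards can emit a decomposed "a" plus combining diaeresis while a desktop browser sends the precomposed "ä"; without normalization the same password typed on two devices hashes differently, which looks to the user exactly like "special characters break the site".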
I used to be able to load the rewards to my account without logging in at all, just clicked the link in my email, but I guess they fixed that and then I realized I didn't know my password.
The package got returned to the sender who wouldn't respond. When I quibbled with my credit card company (Cash App) they said the package had been delivered to the sender, so it was technically "delivered" and I was not eligible for a refund. When I persisted they permanently terminated my account with them so I can never have another Cash App account, thanks to FedEx.
I no longer use FedEx for any shipment that I need to have arrive.
Turns out he actually was from the bank and he did cancel the loan application.
Appropriately enough, the last thing they did was to insist —demand, really— that, in 2018, I fax them my demand. It just so happens that this could have been relatively safe because, after asking everyone I knew for a week (including some venerable hackers), the only way that I found to send a fax was to ask the local branch of the same bank.
Asking them to authorize the transfer wasn’t possible (by showing them all relevant documentation). Asking them to let me send a fax, using their machine, to a sister branch to tell them to authorize a transfer without anyone verifying my ID, was fine.
Because if I got my SSN in my late teens, then my date of birth shouldn't mean much at all to anyone trying to use that method you describe, right?
It’s not impossible but, wow, that’s grinding it out day after day.
Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.
But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this german company...
I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example
The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.
The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, though, and I'm glad I haven't had to do this myself yet.
Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.
As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.
I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are, with only a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.
The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.
SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.
No point. If he is a scammer he has a thick skin. If he is working for the bank this is either a training or a policy issue.
Just refuse politely and report to the bank (preferably to some security channel if there is one).
Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.
Later got a letter saying it wasn't possible to follow up on my issue and they didn't see any issues with what I had raised. I tried... :/
The issue, I think, is the larger the company is, the more incentivized it is to hide away access to its internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.
Plot twist! Didn't see that coming.
Seems bizarre to me that this would happen, but reading sibling comments just keeps having me shake my head in dismay.
- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something.
- Subject: "URGENT: your account is expiring soon".
- Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company.
- No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).
And still, it turns out it was real.
~100k employees company btw
The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords we have to enter in systems that can’t pull directly from password managers and thus have to type 10-20 per day. Guess the average strength of an employee password!
I think IT incompetence should lead to audit fails or even better delisting from exchanges.
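As an added example (not from anyone in this thread), a small Python triage function that scores a message against the four red flags listed above: sender domain not the company's, an urgency subject, links only to unrelated domains, and no non-link way to resolve the issue. The company domain, sample messages and URLs are constructed for the demo.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample 1: a notice that trips every red flag in the list above
SAMPLE_BAD = """From: IT Service <noreply@itservice.example>
To: employee@corp.example
Subject: URGENT: your account is expiring soon

Your account expires in 24 hours. Click to renew:
https://sso-renewal.example.net/auth/verify?token=abc123def456&sid=9981237
or https://accounts.example.org/login
"""

# Constructed sample 2: same topic, but written the way a sane notice looks
SAMPLE_OK = """From: IT Service <it-notices@corp.example>
To: employee@corp.example
Subject: Password expiry notice

Your password expires in 14 days. Change it from Account Settings
at https://portal.corp.example/settings or call the help desk.
"""

URGENCY = ("urgent", "expiring", "immediately", "suspended", "final notice")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ALT_PATH_RE = re.compile(r"account settings|line manager|help ?desk|call", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): enough to tell 'ours' from 'stranger'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: str, company_domain: str) -> dict:
    """Return the four flags, a 0-4 score, and the links found in the body."""
    msg = message_from_string(raw)
    ours = registrable(company_domain)
    flags = {}
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    flags["sender_not_company"] = not m or registrable(m.group(1)) != ours
    subject = msg.get("Subject", "").lower()
    flags["urgent_subject"] = any(w in subject for w in URGENCY)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # single-part only
    links = URL_RE.findall(body)
    hosts = [urlparse(u).hostname or "" for u in links]
    flags["links_off_domain"] = bool(links) and all(registrable(h) != ours for h in hosts)
    flags["only_link_action"] = bool(links) and not ALT_PATH_RE.search(body)
    return {"flags": flags, "score": sum(flags.values()), "links": links}
```

A score of 4 is a reason to verify through a channel you looked up yourself, not a verdict, as the story above (all four flags, still genuine) shows.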
Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.
However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at all surprised to learn that was still the case in a lot of places.
Then I became CTO and retired the policy to align to modern NIST recommendations, so that "18" is in there forever :)
It's good we have 26 letters, that comfortably leaves you a margin of 6 combinations :-)
While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.
The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.
Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.
Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.
It is interesting how sometimes creating "more secure" measures results in less security. Our IT department decided that using 2fa for VPN is not enough; we should also have extra 2fa for connecting to the webmail, even through intranet or VPN. Guess who stopped using the VPN.
Meanwhile, one can set up and use our email through any email client app on desktop or mobile without any 2fa at any step. Go figure.
So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.
Worth noting - do not trust the incoming caller ID number. This is trivial to fake.
Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.
email is well and truly dead.
I am usually a bit pessimistic about it though. If their SOP doesn’t account for “looks like phishing but is from internal sender” then chances are that nobody connects the dots and informs that sender.
The intelligence of a small and motivated IT team seems difficult to scale.
This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!
Our CEO is actually a developer himself on our core product (and a bit of a paranoid fella on the cybersecurity front to boot) and he was absolutely furious about this vendor being chosen...
It happens.
To their credit, after the inevitable replies to that email they never used that wrapper again (they moved the launchers to the centralized NFS install where they always should have been)
It’s insane.
Literally a domain that looks like it's from teaching material for phishing, not databox.gov.cz or something like that.
The domain is for official legal documentation communication with the government and has the same legal weight as a letter that was delivered in person with the recipient's ID checked.
Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.
There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in people's inboxes.
What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.
There was no reason to use a shortener, let alone such a shady one!
Ignored it.
Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.
You can't make this up.
I work as an (external) CyberCyberCyber nose in an organization somewhere in the Sparkassen group. I can assure you that nobody who has even the remotest thing to do with InfoSec at the bank had heard of this marketing idea.
"I work as an (external) CyberCyberCyber nose in an organization somewhere in the Sparkassen-group. I can assure you that no one who is involved even the slightest with infosec at the bank, has heard anything about this marketing idea."
What the hell.
https://t3n.de/news/sparkasse-digital-strategie-cds-per-post...
Since no-one has a CD drive in their computer anymore, the security risk is negligible
> Terms and Conditions, Price and Service List, Conditions.
> Dear customer,
> our price and service list, our terms and conditions, as well as further conditions which will come into effect on May 1, 2024, can be found on the USB stick.
> With kind regards,
> The Sparkasse Bremen AG
Just be sure to use the included NOTVIRUS.EXE viewer for best experience.
The email I got looked like a badly-scanned letterhead and was very, very fishy.
After I received a few of them, I finally contacted the bank and it was legit.
I tried telling the office person (not just a clerk at the counter, someone with their own desk) about the situation and they couldn't understand why it was bad.
I soon paid off that loan and got away from that bank.
I called my insurance broker and yes indeed it was legit. I also tried to explain to them how this letter was a few steps removed from a Nigerian prince scam based on all the red flags, but I don't think it made a big difference.
But I also disagree with the general push of Troy Hunt's recommendations. That is, we should just take the base assumption that humans, generally, can't distinguish between real and phishing inbound messages. That's only going to become more true with AI. Relying on those distinguishing characteristics in the first case is an absolute fatal flaw.
Instead (and, in fairness, Troy Hunt did do this) you should never depend on an outbound link or phone number in a message you received. You should log in to whatever service you think sent it based on looking up the address or phone number yourself. This "hang up, look up, call back" advice should be an absolute mantra. I think responsible organizations should just start by saying they will never put links or phone numbers in text/emails/calls, and their notification messages should say something like "Log in to your dashboard to see details."
> but I'm a smart human so I don't fall for this (that's a joke, read why humans are bad at URLs).
It's clear that he thinks relying on heuristics to distinguish scammy URLs is not a scalable long term approach.
1. The entire article is about a (surprisingly) legit FedEx SMS looking totally spammy. My point is that we should take "looking totally scammy" completely out of our vocabulary, and pointing out similarities or differences in scam vs real notifications only furthers the notion that they're distinguishable in the first place. Again, to emphasize, I still think this overall was a great article highlighting the ineptitude of FedEx sending such egregiously bad notifications in the first place
2. Hunt says exactly this in the article "But if I were to take a guess, they've merely blocked the tip of the iceberg. This is why in addition to technical controls, we reply [sic] on human controls which means helping people identify the patterns of a scam: requests for money, a sense of urgency, grammar and casing that's a bit off, add [sic] looking URLs." My point is we should stop "helping people identify patterns of a scam". We should instead just teach people to treat all incoming notifications as suspect and to never follow a link/phone number from an incoming message.
It can't become any more true than it already is. Humans already fail to identify phishing 95% of the time. And a human can already create an exact duplicate e-mail, website, text, etc as a real one. There's no need for AI.
Include a link, make it a part of the core domain, short, and prominent: https://example.com/contact. If the user isn't logged in, lead with a login flow explaining "If you received a message from us, login for details", and include a contact form, phone number, and if there's a chat with customer support, that too.
These are all things a phish can spoof to some degree, but that's not a good reason to force the user to figure out how to resolve whatever problem you're bringing to their attention.
Couldn't disagree more. By sending outbound links in notifications we're only perpetuating the idea that it's OK to click those in the first place. It's hardly any more difficult to just open your browser yourself. I also don't like the idea that we're not willing to accept the absolute mildest of inconveniences, when on the flip side we have loads of stories of people's lives being completely ruined when their life savings are stolen by scammers. It'd be like telling people not to lock their doors because that adds 5 seconds to the time it takes to enter your house.
Could easily be one person writing the message. Another who demanded partial edits in a Jira ticket. But then the data types didn't match up with what the writer requested and then the dev didn't want to deal with it and just shipped it.
Or it could be that the message is made with a bunch of disjointed and constructed if statements and only the final output is piped to the customer. I have seen some very terrible log messages like that as nobody is looking at the entire message, just the little bit in the conditional they are editing at that point.
As an anecdote, I once worked on code that generated these very detailed error messages about why something went wrong. I discovered most never made it to the customer as someone later down the line reassigned a variable rather than +=. Piles of support tickets could have been avoided.
"Incompetency" is an interesting word.
The old maxim about incompetence versus malice suggests a binary choice.
I prefer the more nuanced take that there is a spectrum of positions between the two, and other dimensions that describe a cluster of intents, both conscious and unconscious.
Take the UK Post Office scandal where we see incompetence layered on top of malice, layered on top of incompetence. In some organisations obviously deliberately harmful positions are written into "policy". Often this comes under "PR" [fn:1]. More and more "AI" will be used to disguise malintent and deflect scrutiny.
In the final episode of the ITV dramatisation [0], Alan Bates (played by Toby Jones) delivers an absolutely shocking, knock down line. When talking about incompetence and evil he says: "They're the same thing." At some point there is no difference between incompetence and evil. For a deeper psychological discussion of that listen here [1].
[0] https://en.wikipedia.org/wiki/Mr_Bates_vs_The_Post_Office
[1] https://cybershow.uk/episodes.php?id=23 (from 39:20)
[fn:1] Edward Bernays' seminal definition of public relations outlines a creed of deception, manipulation and disinformation which is antithetical to security [2].
[2] https://en.wikipedia.org/wiki/Public_Relations_(book)
If you ever drive on a toll road in Texas (there are a lot of them and more every year) there are no toll booths that allow you to pay then and there but you'll get a bill in the mail 6-12 months later informing you that this is your fifth and final warning and you owe $4 for the toll and $80 in late fees. I guarantee you the people behind this have friends or family in the Texas legislature supporting them.