1. I moved into a 10-unit apartment building and wanted to set up FedEx Delivery Manager. I just put in my new address, no verification whatsoever, and I was immediately given access to the previous tenant’s delivery instructions which included the building's private garage code. Any thief could have done the same.
2. When I moved out of that building I wanted to add my new address to delivery manager … but I couldn’t. The site errored every time. The reason? Some forums revealed the correct hypothesis that if you have special characters in your password then some parts of the site are permanently broken for you. Including the change password flow. So I had to have my wife make a new account with a worse password.
Truly amateur stuff for an otherwise very impressive company.
I've also been nearly run off the road by FedEx drivers on the highway before. One guy was so angry that I was only going 10 over that he tailgated me within a foot and then punish passed me.
They're also the only service that still corrects my other address to the wrong address. I tried for a whole month to get ahold of anyone there who even knows what address correction is and then just stopped using them for anything important.
They doubled down on "digital" during the pandemic and fired a bunch of CSRs and stuff. It doesn't look like it's working out very well for them.
I spent 72 hours waiting (3x24 periods they told me to wait and call back tomorrow while they "investigated") for a $1300 package. Initially they said it must have been stolen and it's my loss, to which I said "no I was home and near the front door all day, you didn't deliver it". Pretty absurd they can't just look where he was when it was "delivered" and deal with it. Or maybe they can and they just don't bother.
Eventually the person actually called me using my number on the box and said it was delivered there.
Still no recourse from FedEx, whom I have not informed I got the package in the end.
As for the SMSs - in Portugal, and I’d guess Australia too, they contract all of their local operations out to some random group of muppets who can’t organise their way out of a paper bag - the SMSs they send me come from a mobile number, are handwritten (they seem to literally have someone whose job it is to write messages, on a phone, and send them), as are the emails. When it comes to delivery, I’m inevitably the last delivery of the day as I live way out in the boonies, and they just go “it’s 5pm I’m going home”, and it goes back to the depot. They drive it back and forth for a week before declaring the parcel undeliverable.
These days, if I see someone has shipped something with FedEx, despite my instructions not to, I immediately request a refund, as I know it won’t arrive.
The whole thing beggars belief.
In my case I got an email about customs and tax payment which was needed, but the link was clearly to fedex.com.
They're telling both that my package will be delivered this afternoon, and that it's in a distribution center 3000 miles away.
I mean in the first case what's at risk is the five-dollar trinket you bought off amazon
After getting the account, immediately I get shipping bills for international shipping in the thousands of dollars, both sender and recipient have nothing to do with me. Credit card on file was auto-charged. Removed credit card, started getting thick FedEx bills in physical mail.
It turns out FedEx allows billing to be charged to any account as long as you have their nine-digit account number, so of course scammers do this all the time just generating random numbers. FedEx didn't give a shit, denied my reporting of fraud, allowed more scam shipping even after I reported. Finally I had to initiate chargeback via the credit card issuer and only then did they close the account. But I still get marketing emails that I can no longer turn off. Absolutely not a company anyone should use.
When I moved, someone opened a second account in my name and kept billing me for the original account.
I called Fedex to try to rectify this and, as far as I remember, they either never answered the phone or told me they had no way of contacting the delivery driver (??).
I've always avoided fedex (and UPS, for that matter, since they destroyed two antique lamps that I ordered through ebay) since then.
That's insane lmao
I specifically got a custom domain and email address for any non-personal/"professional" comms, which is essentially just me@<custom-domain-featuring-my-name>.com.
At least with non-ASCII characters in passwords, while I think it is stupid to not handle those properly, I can at least see some sort of an excuse there, no matter how weak it is. All it takes to mess this up is not thinking about handling those scenarios, so I can definitely see "this issue was created due to us not thinking about this possibility or not willing to deal with handling it."
But what's even the reason to not allow sub-3-character local portions of emails? How does one even mess those up, aside from intentionally setting some triggers for less than 3 characters in local portions of email addresses?
Wonder if they share a vendor.
Thankfully they fixed it at some point, but it's absolutely mind blowing to me that anyone thought it was acceptable in the first place.
(And no, nothing is wrong with my email, it's hosted by a professional email host with the proper MX records and literally only Schwab claims to have this problem with me).
I remember comparing notes with fellow employees at a previous job, and depending on when you'd started working, the system had different password rules for you (users who'd been created earlier had a smaller set of allowed characters, etc.). Pretty sure it worked out to some Oracle nonsense.
To their credit, they took me seriously and I believe they fixed it reasonably promptly.
At least they don't automatically lowercase and truncate your password behind the scenes like AMEX. Lol.
I used to be able to load the rewards to my account without logging in at all, just clicked the link in my email, but I guess they fixed that and then I realized I didn't know my password.
The package got returned to the sender who wouldn't respond. When I quibbled with my credit card company (Cash App) they said the package had been delivered to the sender, so it was technically "delivered" and I was not eligible for a refund. When I persisted they permanently terminated my account with them so I can never have another Cash App account, thanks to FedEx.
I no longer use FedEx for any shipment that I need to have arrive.
Turns out he actually was from the bank and he did cancel the loan application.
Appropriately enough, the last thing they did was to insist —demand, really— that, in 2018, I fax them my demand. It just so happens that this could have been relatively safe because, after asking everyone I knew for a week (including some venerable hackers), the only way that I found to send a fax was to ask the local branch of the same bank.
Asking them to authorize the transfer wasn’t possible (by showing them all relevant documentation). Asking them to let me send a fax, using their machine, to a sister branch to tell them to authorize a transfer without anyone verifying my ID, was fine.
Because if I got my SSN in my late teens, then my date of birth shouldn't mean much at all to anyone trying to use that method you describe, right?
It’s not impossible but, wow, that’s grinding it out day after day.
Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.
But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this German company...
I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in Germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example
The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.
The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, though, and I'm glad I haven't had to do this myself yet.
Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.
As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.
I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are but a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.
The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.
SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.
No point. If he is a scammer he has a thick skin. If he is working for the bank this is either a training or a policy issue.
Just refuse politely and report to the bank. (preferably to some security channel if there is one.)
Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.
Later got a letter saying it wasn't possible to followup on my issue and they didn't see any issues with what I had raised. I tried... :/
The issue, I think, is the larger the company is the more incentivized it is to hide away access to its internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.
Plot twist! Didn't see that coming.
Seems bizarre to me that this would happen, but reading sibling comments just keeps having me shake my head in dismay.
- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something.
- Subject: "URGENT: your account is expiring soon".
- Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company.
- No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).
And still, it turns out it was real.
~100k employees company btw
The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords we have to enter in systems that can’t pull directly from password managers and thus have to type 10-20 per day. Guess the average strength of an employee password!
I think IT incompetence should lead to audit fails or even better delisting from exchanges.
Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.
However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at all surprised to learn that was still the case in a lot of places.
Then I became CTO and retired the policy to align to modern NIST recommendations, so that "18" is in there forever :)
It's good we have 26 letters, that comfortably leaves you a margin of 6 combinations :-)
While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.
The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.
Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.
Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.
It is interesting how sometimes creating "more secure" measures results in less security. Our IT department decided that using 2fa for vpn is not enough, we should also have extra 2fa for connecting to the webmail even through intranet or vpn. Guess who stopped using the vpn.
Meanwhile, one can set up and use our email through any email client app on desktop or mobile without any 2fa at any step. Go figure.
So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.
Worth noting - do not trust the incoming callerid number. This is trivial to fake.
Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.
Email is well and truly dead.
I am usually a bit pessimistic about it though. If their SOP doesn’t account for “looks like phishing but is from internal sender” then chances are that nobody connects the dots and informs that sender.
The intelligence of a small and motivated IT team seems difficult to scale.
This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!
Our CEO is actually a developer himself on our core product (and a bit of a paranoid fella on the cybersecurity front to boot) and he was absolutely furious about this vendor being chosen...
It happens.
To their credit, after the inevitable replies to that email they never used that wrapper again (they moved the launchers to the centralized NFS install where they always should have been)
It’s insane.
Literally a domain that looks like it's from teaching material for phishing, no databox.gov.cz or something like that.
The domain is for official legal documentation communication with the government and has the same legal weight as a letter that was delivered in person with the recipient checked against ID.
Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.
There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in peoples' inboxes.
What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.
There was no reason to use a shortener, let alone such a shady one!
Ignored it.
Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.
You can't make this up.
I work as an (external) CyberCyberCyber nose in an organisation somewhere in the Sparkassen group. I can assure you that nobody who has even the remotest involvement with InfoSec at the bank has heard of this marketing idea.
"I work as an (external) CyberCyberCyber nose in an organization somewhere in the Sparkassen-group. I can assure you that no one who is involved even the slightest with infosec at the bank, has heard anything about this marketing idea."
What the hell.
https://t3n.de/news/sparkasse-digital-strategie-cds-per-post...
Since no-one has a CD drive in their computer anymore, the security risk is negligible
> Terms and Conditions, Price and Service List, Conditions.
> Dear customer,
> our price and service list, our terms and conditions, as well as further conditions which will come into effect on May 1, 2024, can be found on the USB stick.
> With kind regards,
> The Sparkasse Bremen AG
Just be sure to use the included NOTVIRUS.EXE viewer for best experience.
The email I got looked like a badly-scanned letterhead and was very, very fishy.
After I received a few of them, I finally contacted the bank and it was legit.
I tried telling the office person (not just a clerk at the counter, someone with their own desk) about the situation and they couldn't understand why it was bad.
I soon paid off that loan and got away from that bank.
I called my insurance broker and yes indeed it was legit. I also tried to explain to them how this letter was a few steps removed from a Nigerian prince scam based on all the red flags, but I don't think it made a big difference.
But I also disagree with the general push of Troy Hunt's recommendations. That is, we should just take the base assumption that humans, generally, can't distinguish between real and phishing inbound messages. That's only going to become more true with AI. Relying on those distinguishing characteristics in the first case is an absolute fatal flaw.
Instead (and, in fairness, Troy Hunt did do this) you should never depend on an outbound link or phone number in a message you received. You should log in to whatever service you think sent it based on looking up the address or phone number yourself. This "hang up, look up, call back" advice should be an absolute mantra. I think responsible organizations should just start by saying they will never put links or phone numbers in text/emails/calls, and their notification messages should say something like "Log in to your dashboard to see details."
> but I'm a smart human so I don't fall for this (that's a joke, read why humans are bad at URLs).
It's clear that he thinks relying on heuristics to distinguish scammy URLs is not a scalable long term approach.
It can't become any more true than it already is. Humans already fail to identify phishing 95% of the time. And a human can already create an exact duplicate e-mail, website, text, etc as a real one. There's no need for AI.
Include a link, make it a part of the core domain, short, and prominent: https://example.com/contact. If the user isn't logged in, lead with a login flow explaining "If you received a message from us, login for details", and include a contact form, phone number, and if there's a chat with customer support, that too.
These are all things a phish can spoof to some degree, but that's not a good reason to force the user to figure out how to resolve whatever problem you're bringing to their attention.
Could easily be one person writing the message. Another who demanded partial edits in a Jira ticket. But then the data types didn't match up with what the writer requested and then the dev didn't want to deal with it and just shipped it.
Or it could be that the message is made with a bunch of disjointed and constructed if statements and only the final output is piped to the customer. I have seen some very terrible log messages like that as nobody is looking at the entire message, just the little bit in the conditional they are editing at that point.
As an anecdote, I once worked on code that generated these very detailed error messages about why something went wrong. I discovered most never made it to the customer as someone later down the line reassigned a variable rather than +=. Piles of support tickets could have been avoided.
"Incompetency" is an interesting word.
The old maxim about incompetence versus malice suggests a binary choice.
I prefer the more nuanced take that there is a spectrum of positions between the two, and other dimensions that describe a cluster of intents, both conscious and unconscious.
Take the UK Post Office scandal where we see incompetence layered on top of malice, layered on top of incompetence. In some organisations obviously deliberately harmful positions are written into "policy". Often this comes under "PR" [fn:1]. More and more "AI" will be used to disguise malintent and deflect scrutiny.
In the final episode of the ITV dramatisation [0], Alan Bates (played by Toby Jones) delivers an absolutely shocking, knock down line. When talking about incompetence and evil he says: "They're the same thing" At some point there is no difference between incompetence and evil. For a deeper psychological discussion of that listen here [1].
[0] https://en.wikipedia.org/wiki/Mr_Bates_vs_The_Post_Office
[1] https://cybershow.uk/episodes.php?id=23 (from 39:20)
[fn:1] Edward Bernays' seminal definition of public relations outlines a creed of deception, manipulation and disinformation which is antithetical to security [2].
If you ever drive on a toll road in Texas (there are a lot of them and more every year) there are no toll booths that allow you to pay then and there but you'll get a bill in the mail 6-12 months later informing you that this is your fifth and final warning and you owe $4 for the toll and $80 in late fees. I guarantee you the people behind this have friends or family in the Texas legislature supporting them.
Edit: "sender" here refers to the sender of the electronic notification.
For every utterance of "reasonable" in law you can be sure over $1B of lawyer fees have been (or will be) spent.
Then I later got a physical letter in the mail about the same, and then I called the bank. Apparently I had some account there holding some pension stuff from a previous employer. Shrugs.
FedEx needs to do a better job with these notifications. At the very least they need to hire a copywriter.
They are, since non-compliance will either result in destruction of the package or sending it back (differs a bit per country and type of goods).
It's a bit sad there are no easy ways to prepay taxes and it's hit or miss if you get checked. I'm glad the EU figured it out and have almost no weird surprises any more, except from the Uniteds (states and kingdom).
At the end of the day, they don't care if we get phished or scammed; it is all of customs confusion. Next time process your customs form, you will realise how much money you will save, and the form only has less than 8 fields, the Union Customs Code is easy to read.
For this reason, whenever possible, I choose delivery through the post office.
At one point, I ordered something, and the next day, someone contacted me through WhatsApp, claiming to be from the courier (with the company logo as a profile picture). They said my package was rerouted, and I had to click a link to fill out some form. Typical scam message, with typo and urgency. I can track the status of my order in the app, and it says it's in transit somewhere. So, their explanation matches.
You might think, "Well, that's obviously a scam. They would not contact you through personal WhatsApp!" But sometimes couriers DO contact you to ask for your precise location or notify you, "Hey, I left your package with your neighbor. Here's the photo."
I'm just wondering how the scammer got this info that Mr X is expecting Product Y from Shop Z. I almost fell for it (I was in the middle of something and got distracted), and I can only imagine the unlucky victims.
It happened 2-3 times during that period and then it was gone. Did someone find out and fix it? How did they find out? Because I'm guessing there are lots of hands involved in the delivery pipeline.
All of the significant authentication schemes are built to validate the customer, and none validate the vendor.
When your bank or mobile provider gives you a call : how do you know it's them? They start asking you for personal data right away, but you have no idea who you are sharing information with.
We need "mutual authentication" including better identity, trust, challenge-response and more. Customers should be able to validate who they are talking to before even sharing their own credentials.
For SMS and voice calls, it would help if they could implement call authentication so one can trust the number. Phones should show the user if the number is validated. It would also be good to add trusted CallerID names; Google does with some numbers.
To sign in, you are sent a 'challenge', and must sign it and return it. The challenge includes a "Relying Party Identifier" (RPID) which is basically the domain of the site requesting authentication.
That way, if a phishing domain prompts you for auth, they can not proxy your response because the RPID you signed will not match the authentic domain, and therefore be invalid.
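The origin-binding described in the two comments above, as an added example that is not part of the original thread or of any WebAuthn library. It simulates the browser/authenticator side (which fills in the rpId from the page origin the user is actually on) and the relying party's verification. The domains `bank.example` and `bank-example-login.com` are constructed placeholders, and an HMAC with a demo key stands in for the credential's asymmetric signature so the block runs with the standard library only; the real protocol's authenticator data also carries flags and a counter, which are omitted here.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key standing in for the credential's private key.
# Real WebAuthn uses an asymmetric key pair; HMAC is used here only so the
# example runs offline with the standard library (an assumption, not the protocol).
CREDENTIAL_KEY = b"demo-credential-key-not-real"


def authenticator_sign(challenge: bytes, origin_rp_id: str) -> dict:
    """Simulate the browser + authenticator producing an assertion.

    The browser, not the user, fills in the origin from the page that asked
    for the assertion, and the authenticator signs over the hash of that rpId.
    A phishing page therefore only ever obtains an assertion bound to its own
    domain, never one bound to the bank's.
    """
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_rp_id}
    ).encode()
    client_data_hash = hashlib.sha256(client_data).digest()
    rp_id_hash = hashlib.sha256(origin_rp_id.encode()).digest()
    authenticator_data = rp_id_hash  # real authData also has flags + counter
    signature = hmac.new(
        CREDENTIAL_KEY, authenticator_data + client_data_hash, hashlib.sha256
    ).digest()
    return {
        "client_data": client_data,
        "authenticator_data": authenticator_data,
        "signature": signature,
    }


def relying_party_verify(assertion: dict, expected_challenge: bytes,
                         expected_rp_id: str) -> bool:
    """Server-side checks: origin, challenge freshness, rpId hash, signature."""
    client_data = json.loads(assertion["client_data"])
    if client_data["origin"] != expected_rp_id:
        return False  # assertion was produced for some other domain
    if bytes.fromhex(client_data["challenge"]) != expected_challenge:
        return False  # replayed or unknown challenge
    expected_rp_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(assertion["authenticator_data"], expected_rp_hash):
        return False  # signed rpId hash does not match this relying party
    client_data_hash = hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(
        CREDENTIAL_KEY, assertion["authenticator_data"] + client_data_hash,
        hashlib.sha256,
    ).digest()
    return hmac.compare_digest(assertion["signature"], expected_sig)


def legitimate_login(rp_id: str = "bank.example") -> bool:
    """User signs in on the real domain: the assertion verifies."""
    challenge = os.urandom(32)
    assertion = authenticator_sign(challenge, rp_id)
    return relying_party_verify(assertion, challenge, rp_id)


def proxied_phishing_login(rp_id: str = "bank.example",
                           phish_domain: str = "bank-example-login.com") -> bool:
    """A look-alike site relays the bank's real challenge to the victim.

    The victim's browser binds the assertion to the origin it is actually on,
    so the relying party rejects it even though the challenge is genuine.
    """
    challenge = os.urandom(32)
    assertion = authenticator_sign(challenge, phish_domain)
    return relying_party_verify(assertion, challenge, rp_id)


if __name__ == "__main__":
    print("legitimate login verifies:", legitimate_login())
    print("proxied phishing login verifies:", proxied_phishing_login())
```

The point the comment makes is visible in `relying_party_verify`: the origin check and the rpId-hash check both fail for the relayed assertion, and neither depends on the user noticing anything about the URL.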
The bank's name is CaixaBank. I was wrong and the message was legit. My first thought was it was a scam :)
"FreeMsg: BMO Fraud Ctr: 18774352371 Case 19684358 Did you attempt $4.00 at NYTIMES with card x1234? Reply YES or NO"
The 1234 did match the last 4 digits of my card - not the first four, a common trick - but the rest of the message is, as Troy says, Dodgy AF.
They then followed up with a similar email, prompting me to click on a link that began like this: https://ecs01-us.ficoccs-prod.net/2088/en-US/tran_Not_Author...
That's certainly not a BMO domain. Wtf, bank?
So, called them and confirmed the messages were legit, unlike that charge.
And as an aside, this is far from the first time I've had a card compromised while never using it at a physical vendor, and only a handful of large online ones. Once I actually started getting fraud transactions on a card I had never used. I'm guessing access to credit card info is far too broadly available within the bank.
I moved to Schwab a while ago, so I'm not sure what I would've done to change the password. Schwab is much better, by the way. BMO is a joke. I never thought I would say this, but I miss Bank of the West.
They had one incompetent employee contact me to assure me that the communication was legitimate (not the complaint), then escalated to another employee who understood the complaint and promised to escalate… 6 months later I get an email assuring me that the communication was legitimate and closing the ticket.
The outside security vendors also run phishing security campaigns that they send out from their own domain, and that have "phishing" URLs that point to the same domain we do the training on.
I got reported as being phished for following a link that goes to the SAME domain as our required security training. Our security compliance team got my point when I reported every required training reminder as coming from a known phishing domain.
Even worse, is where attempts to query that security is actively punished.
This is typical now. Listen here (at 42:20) with an example regarding the UK NHS whose incompetence plays directly into the hands of cybercriminals.
[0] https://cybershow.uk/episodes.php?id=24 (time:42:20)
like this case: https://news.ycombinator.com/item?id=37250024
A funny thing I discovered in this process is that "delivery instructions" are shared for all packages to a given address regardless of the associated name, and never flushed unless you go in and do it manually on their website. I found the name and contact information for the prior tenant of my unit on the FedEx site with no other info besides 1 tracking number to the address (it also let me change the delivery instructions with said info). Potentially they were still calling that person when they tried to deliver initially, though I have other reasons to doubt they actually came to the door that day.
This is something everyone that owns any property and is a resident of the county must fill out: About half a million accounts will be created in two weeks. Making sure that all of this comes from the county's domain? Too difficult for them. And all for a website on the other side that doesn't look much better than the old one.
https://www.bleepingcomputer.com/news/security/uk-gov-keeps-...
Of course, the scammers already have the scam systems in place, so they can win the bid on price :D
I know this sounds ridiculous, but I doubt anything will make better sense than this :P
1 time I was right it is a scam, 2 times it was wrong.
Booking.com should make a proper report payment circumvent button and kick out all hotels who do it.
Seriously just use your main domain for URLs. For me at least that clears up 99% of this.
I don't want to memorise a list of valid mystery domains for each shipper. Is that really too much to ask?
If they use their main domain, their normal corporate email will get blocked by anti-spam filters.
So everyone uses a different, unrelated domain for bulk mails.
Nearly 100% of the time, I am expecting a notification from Canada Post or Amazon (FedEx less frequently, but still).
Even outside of that, you can often predict when people are expecting a package. Christmas. After various sales weeks.
If calls are routed over internet then it becomes more viable but obviously there is still a large coordination problem and misalignment of incentives.
But I can't remember what the memorable term was.
Are you sure about this? Canada Post's webpage (https://www.canadapost-postescanada.ca/cpc/en/support/articl...) says:
>> We apply a handling fee of CAN$9.95 per dutiable or taxable mail item.
Turns out it was part of some kind of "test" of the company to raise awareness for phishing, and I failed the test since I submitted the form.
It is probably time to look for a new insurance provider but I was thinking of calling back the insurance agent and telling her I was planning to run for state senate on a platform of reforming the insurance laws and legislating that you can get 20 years in prison for sending a letter that says "THIS IS NOT A BILL" and that insurance paperwork has to be written in English excepting any words that are shared with Latin or French. (Which I'm sure the French would approve of)
It asked me to pay duty/taxes for my $799 Prusa 3D print order that arrived just last week.
So now I know Troy Hunt also bought a Mk4 assemble-yourself kit from Prusa.
Enjoy, Troy! Mine took 8 hours to build and it works like a charm! Fantastic little machine.
These emails are the _exact same form_ that a phishing email would take.
Eventually they decide we should replace all our cards. 5 minutes later we get an SMS asking us to call an unknown number to set our PIN code for the new card. It contained at least 5 warning signs as in the author's article.
We call them back asking them what that SMS is about and the only explanation is "That is the good kind of SMS, you can trust it"
(Eventually we did get all stolen money back, but it took a while. We never got a plausible explanation of what may have happened and what we could do to prevent it in the future)
I called my provider. Turns out the actual insurance is handled by a sub-provider that works for a different (major) insurance... WTF
"Track Package" sure, keep me on the website.
But if you present me with a tracking number that you are making a link yourself, just send me to the shipper company. Bonus points when they then make it really hard to find the actual link I want on that random website they send me too. I already bought from you and will soon have your product in my hands, do I really need to be kept on a branded site that offers no extra value?
Emails seem to be the worst for this.
I feel like these companies are setting up people to be phished, when the idea that you can only track Fedex on Fedex.com is no longer true.
> ACTION REQUIRED - New certificate authority for slack-edge.com
Capitalised letters telling you MUST do something (check; plus "as soon as possible" in the body). Bad/inconsistent email layout (check). Unknown URLs (slack-edge.com, slackhq.com) that resemble the service's standard URL slack.com (check). A bunch of links obfuscated behind "slackhq" redirects, check. Even a link that reads "slack.com" and points to that slackhq redirect thing. The majority thought it was scam, of course. I only suspected it may not have been scam because a scammer would have done a better job explaining what one had to actually do (and in the end there was nothing we needed to do anyway).
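The red flags listed in that comment (all-caps demand in the subject, link text that reads as one domain while the href goes to another, unfamiliar look-alike domains) can be checked mechanically. This is an added example, not code from the thread; the sample email body, the `trusted_domain` parameter and the flag wording are my own constructions, built to mirror the legitimate-but-suspicious Slack mail described above so you can see the heuristics fire on it too:

```python
"""Phishing red-flag checker (added example). Flags: urgent all-caps subject,
link text that names a different domain than its href, and link hosts that
are not the domain the sender is expected to use."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def flag_message(subject, html, trusted_domain):
    """Return a list of human-readable flags; empty means nothing suspicious."""
    flags = []
    if re.search(r"\b(ACTION REQUIRED|URGENT|IMMEDIATELY)\b", subject):
        flags.append("urgency: all-caps demand in subject")
    parser = _LinkCollector()
    parser.feed(html)
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        shown = re.fullmatch(r"(?:https?://)?([\w.-]+\.\w+)/?", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            flags.append(f"mismatch: text says {shown.group(1)} but href goes to {host}")
        elif registrable(host) != trusted_domain:
            flags.append(f"unknown domain: {host}")
    return flags

# Constructed sample modelled on the mail described in the comment above.
SAMPLE_SUBJECT = "ACTION REQUIRED - New certificate authority for slack-edge.com"
SAMPLE_HTML = ('<p>Please read <a href="https://slackhq.com/r/abc">slack.com</a>, '
               '<a href="https://slack-edge.com/ca">our CA notes</a> and '
               '<a href="https://slack.com/help">the help centre</a>.</p>')

if __name__ == "__main__":
    for flag in flag_message(SAMPLE_SUBJECT, SAMPLE_HTML, "slack.com"):
        print(flag)
```

The sample trips three of the flags even though, as the comment says, that particular mail turned out to be genuine; the checker is a triage aid, not a verdict.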
So, the scammers just use the same system so the phone messages you get from them sound like the same voice you hear if you actually call the IRS.
For just a little extra money they could pay someone to exclusively record IRS messages and the voice would never be the same as the scammers (at least, until someone replicates the real voice with AI but that's an issue for another day)
Every time someone supposedly bought their timeshare there would be a bank fee or tax they would have to wire money for. The guy who lost $1.8MM wired money 90+ times.
These are lawyers and doctors, educated people getting ripped off.
Over the years they've changed domains several times, had a breach, reset passwords multiple times, and now do part of their login via a random third party site (but to make it worse they push you to sign up to a second form of account which logs in separately!)
It's gotten to the point now where it sometimes actually is impossible to speak to a human being in customer service - the thick layers of chat bots, deliberately gated 'contact us' pages and "why not use our app" nags... if you're savvy enough to know already that only a human can resolve your particular query, getting hold of one can become a time consuming and sometimes traumatic experience. (only slightly tongue-in-cheek, I do actually believe this affects mental health)
If anyone has honest anecdotes around this I'd love to hear from you (maybe privately is best if it's detailed accounts)
They tell you to look up the package tracking number on the PostNL (the national universal delivery company) where you can pay for it. All you get over SMS is a heads-up to check and the ID to enter (you need to combine it with your zipcode).
Be careful! Never click on links received in messages from strangers. Learn more at www.....
The other day an email from the oldest and biggest bank of India landed in my inbox
Truncated Subject line on mobile said "Cash Withdrawls made ..."
My heart skipped a beat because I did no such thing with my account.
Turns out it is a marketing mailer with subject "Cash Withdrawls made Easy!"
Facepalm.
But many times there are no customs fees, so there's no issue -- it depends entirely on the pair of sending and receiving country and the category and amount of merchandise. That may have been your experience.
Generally speaking, customs can't be charged upfront with your order. Perhaps there are exceptions with certain delivery services in certain countries which have managed to modernize some of it, but I haven't come across that yet.
Countries also have their own limits below which they don't bother with the taxes. There was so much abuse of this in the EU+UK the limit is now zero.
The only time it should be surprising is when the foreign website isn't paying the taxes, and it also isn't clear it's a foreign site. Generally on cheap crap from China.
There are also import duties in some places like the US that can be a surprise if you don't know where the seller is or how they're shipping: https://en.wikipedia.org/wiki/Customs_duties_in_the_United_S...
I forget the name, but the USPS has a special service shippers at companies like Aliexpress often use to avoid stuff like this when shipping to the US.
First off, texts are not encrypted and they can see ALL communication.
On the other hand the US forces me, using Twilio for SMS automation, to sign up "campaigns" with "Sample messages" if maybe all I want to do is build a personal assistant with text commands. My messages will get hit with fees for non-compliance, or end up silently blocked without any visibility.
Then there are these scammers sending the same or very similar messages to millions of people, pretending to be the same 50 companies (national banks, shipping companies, cell phone carriers) - how about these $bigcorp register their "campaigns" to combat scams and they'll leave me alone (one number sending texts to always the same one or handful of numbers).
... Oh wait I figured it out! Telcos don't care, they enjoy inflated traffic numbers in their network and charge for it - why would they stop it
It is crazy how much the "paying duties at the border" situation feels like an afterthought for all courier companies. It is almost as if it was not really their design, they just tacked it on later.
I wanted to send a present to my brother in another country using DHL Express. It was impossible to convince them that I would like to pay duties. Not a thing. Can't be done.
Brilliant. Troy is the best.
They have an option to have your package held at a FedEx store. It's great for when the package requires signature and you're not able to wait at home all day for it.
Recently I used it. Unbeknownst to me, the FedEx store changed its physical location while the package was in transit, to a different strip mall across the highway. So for several days in a row, I was notified that FedEx attempted to deliver, but that the business was closed. Every call to customer service yielded understanding and sympathetic employees who had no idea how to fix the issue.
After about 5 days, something clicked, and my package showed up at the new FedEx location.
A) spreading misinformation. Not hard to confuse people that their polling location is closed but the inconvenient one across town is still open
B) fake fundraising. Blast out an sms from "citizens for action" who need money to support ${popular cause/candidate}
It's absurd.
You can find that number in the sms on an official FedEx page somewhere or other - I ended up using that as enough evidence to trust and call.
I get the feeling this system as a whole doesn't see much use - from a FedEx perspective, the vast majority of people paying duty will be via some specialised importer, not b2c direct.
Banks do similar dumb things. I once vented to a Wells Fargo security manager about a similar issue. They had no defense at all.
I know we tech people think this type of messaging is ridiculous, but I'm constantly pulling less technical friends and family away from crap like this. Half a dozen have asked me about Elon Musk's crypto trading breakthrough.
Hah!