Conversation

I really wish legitimate companies wouldn't use third parties (and associated third party domains) to send out things like feedback surveys.

"Hi, we're from this company you trust and other company you don't know! Submit feedback to enter our prize draw to win money!"

It's indistinguishable from a phishing scam. And if a customer questions it and gets told they're legitimate emails, they're not going to question it if one arrives in their inbox that *isn't*.


I received one from Ovo today. "Ovo and human8".

I've never heard of human8. The domain the email is from is theirs, not ovo's. The link obviously goes through to a survey company so that's another unknown domain. And you're enticed to interact with potential monetary reward.

It would be absolutely trivial for someone to copy that in a scam and chance upon some of their customers, so it's not just putting customers at risk but the company too.


@babe @neil Exactly what happened with my Tax Advisor last week. Besides GDPR issues. I complained about it. Next week they have set up a meeting as they seem to take my criticism seriously.

Tell the companies. Most management will never know/do otherwise.


@lennybacon @neil I've sent an email to say "hey, can't you see what you're doing here?" but I don't expect anyone to actually pay attention to it


@babe
I now assume that all unsolicited calls, texts or emails are a scam, even if they seem to be from a legit source. I never answer anything and everything gets binned or blocked. Me being paranoid or legit companies outsourcing to 3rd parties with scammy behaviour?


@MostlyTato I'm exactly the same. If something seems like it could be legitimate then I'll still swerve it and go direct to the company through their official channels


@babe I usually advise them that I didn't give permission for my address to be given to a 3rd party and it was a breach of GDPR.

Used to work well, not so much now.


@babe The best one I have seen was when I was working in an IT security company. There was phishing training, and one time a reminder email about not clicking suspicious links was sent to everybody.

The next day, we got an email advertising some company event, sent by a different company, with a link going to some unrelated domain.

So of course many people reported it to IT. The mgmt was pissed off because we didn't trust it, though it looked exactly like a phishing mail, with no way to check.


@babe one-upping this, our banks use different domains for some of their digital services. Alpha Bank uses alphabankcards.gr instead of their official alpha.gr, Piraeus Bank used until recently winbank.gr instead of their piraeusbank.gr domain, and Eurobank used eurocommerce.com for their payment processor. When I called them to verify if they controlled the domain, the rep's response was "if it has our logo it's ours". After pressure he decided to not take responsibility and disavowed the domain (it's theirs). Btw it was using a bog standard Let's Encrypt certificate.

How are clients supposed to avoid phishing?


@qwazix Can't be letting something as unimportant as customer security get in the way of nonsensical arrays of seemingly unconnected domains

@babe mbank.cz signs _some_ of their emails. I could not believe that was not a scam...