I really wish legitimate companies wouldn't use third parties (and associated third party domains) to send out things like feedback surveys.
"Hi, we're from this company you trust and other company you don't know! Submit feedback to enter our prize draw to win money!"
It's indistinguishable from a phishing scam. And if a customer questions it and gets told they're legitimate emails, they're not going to question it if one arrives in their inbox that *isn't*.
@babe I now assume that all unsolicited calls, texts or emails are a scam, even if they seem to be from a legit source. I never answer anything and everything gets binned or blocked. Me being paranoid or legit companies outsourcing to 3rd parties with scammy behaviour?
@babe I usually advise them that I didn't give permission for my address to be given to a 3rd party and it was a breach of GDPR.
Used to work well, not so much now.
@babe The best one I have seen was when I was working in an IT security company. There was phishing training, and one time a reminder email about not clicking suspicious links was sent to everybody.
The next day, we got an email advertising some company event, sent by a different company, with a link going to some unrelated domain.
So of course many people reported it to IT. The mgmt was pissed off because we didn’t trust it, though it looked exactly like a phishing mail, no way to check.
@babe one-upping this, our banks use different domains for some of their digital services. Alpha Bank uses alphabankcards.gr instead of their official alpha.gr, Piraeus Bank used until recently winbank.gr instead of their piraeusbank.gr domain, and Eurobank used eurocommerce.com for their payment processor. When I called them to verify if they controlled the domain, the rep's response was "if it has our logo it's ours". After pressure he decided to not take responsibility and disavowed the domain (it's theirs). Btw it was using a bog-standard Let's Encrypt certificate.
How are clients supposed to avoid phishing?