Post by sl75 on Nov 6, 2014 17:31:05 GMT
I note that the emails Assetz sends out asking lenders to vote on important matters are likely to contain several indicators that may normally be used to differentiate spam/phishing attempts from legitimate communications. In particular:
- email not directly addressed to the specific lender (presumably lenders are Bcc-ed?). For me, this bypasses the mechanisms my email client uses to automatically reply from the correct address/identity, but in general this is often taken as a potential indication of spam.
- email does not address me by name, but instead uses a generic "Dear lender"; often taken as a clear sign of spam.
- today's email was sent by someone I'd never heard of before (rather than David Ricketts who had previously sent out most similar emails)
- email includes "URGENT" and a message in block capitals in the subject and demands action almost immediately [as many spam/phishing attempts would - to avoid less-technical users consulting with someone more experienced who may be able to smell spam a mile off]
About the only thing about this email that couldn't easily be replicated in a "phishing" email is the @assetzcapital.co.uk address for collating replies.
Maybe Assetz could do well to review their procedures w.r.t. these (and other?) emails to avoid triggering quite so many spam signs? e.g.:
- arrange for emails to be sent individually to each lender, thus being able to show their email address in the header and their name in the salutation. [c.f. Zopa which includes the member ID in all bulk communications]
- arrange for all such emails to be sent from a "well known" address that users can add to their address book.
- following future developments on-site, have the "call for action" be to log in to the usual assetz website to cast the vote there, rather than responding by email to a previously-unknown person.
I also find it concerning that the message appears to have been sent directly by the sender using a "normal email program"... which gives scope for a possible serious privacy breach from a single mistake (putting all the recipients' addresses in the 'Cc' field rather than 'Bcc').
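The four indicators listed in the post, written as a check a sender could run over an outgoing message before a bulk mailing. This is an added example, not part of the original post; the addresses, names and sample messages are constructed, and the salutation list and block-capitals threshold are assumptions.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

GENERIC_SALUTATIONS = ("dear lender", "dear customer", "dear member")  # assumed list

def spam_indicators(raw, recipient, recipient_name, known_senders):
    """Return which of the post's four indicators a raw message trips."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    # 1. Recipient absent from To/Cc, as happens when lenders are Bcc-ed.
    fields = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    if recipient.lower() not in [addr.lower() for _, addr in getaddresses(fields)]:
        hits.append("not_addressed_to_recipient")
    # 2. First non-blank body line is a generic greeting without the name.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first = next((l.strip().lower() for l in text.splitlines() if l.strip()), "")
    if first.startswith(GENERIC_SALUTATIONS) and recipient_name.lower() not in first:
        hits.append("generic_salutation")
    # 3. From address is not one the recipient already knows.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in {s.lower() for s in known_senders}:
        hits.append("unknown_sender")
    # 4. "URGENT" or several block-capital words in the subject.
    subject = str(msg.get("Subject", ""))
    caps = [w for w in subject.split() if len(w) >= 4 and w.isalpha() and w.isupper()]
    if "urgent" in subject.lower() or len(caps) >= 3:  # threshold is an assumption
        hits.append("urgent_or_block_capitals_subject")
    return hits

# Constructed sample: a Bcc-ed bulk mail from an unfamiliar sender.
BULK = """\
From: New Person <new.person@platform.example>
To: new.person@platform.example
Subject: URGENT - PLEASE VOTE BY 5PM TODAY

Dear lender,
Please reply to this email with your vote.
"""
# Constructed sample: individually addressed mail from a well-known address.
INDIVIDUAL = """\
From: Lender Votes <votes@platform.example>
To: Sam Lender <sam@mail.example>
Subject: Vote open on your loan

Dear Sam,
Please log in to the website to cast your vote.
"""
KNOWN = {"votes@platform.example"}
```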