by petesergeant 787 days ago
I'm disappointed by how little protection we're getting against phishing campaigns. Google's SafeSearch takes forever to process stuff, where presumably very quick response times are much more effective, Fastmail, despite being great in general, is _terrible_ at detecting phishing, Booking.com met my report of a phishing campaign over their site (hotel got hacked) with a "it happens, we might talk to the hotel about it one day" shrug, and banks and other institutions continue to send legitimate messages that look like phishing.

> Booking.com met my report of a phishing campaign over their site (hotel got hacked) with a "it happens, we might talk to the hotel about it one day" shrug

This is my problem with almost every "report spam/fraud/etc" flow. It's always a digital shrug, and then nothing happens.

Only one site I know of ever had it right: Instagram, up to about 2021. When you reported an account or post, you would actually be notified when they took action, which would usually take about a week and be something like "the account was removed". It was so satisfying to see a spam account get taken down after a report. But, they removed that in favor of the "hey thanks for the report we've tossed it right in the trash lol" user flow that every other site uses. Unfortunate.

The problem with the feedback is scammers can abuse it - they report a few of their own scams and then use feedback to check on those and thus see what happened, and in turn they better know when they are blocked and have a better idea how to create new accounts that are hard to block.
Generally, I find the effectiveness of feedback is inversely proportional to the ease of submitting it.
> banks and other institutions continue to send legitimate messages that look like phishing.

The Canada Revenue Agency (tax collectors) once called me up about something. They literally said "To verify your identity, please give me your social insurance number". It's hard to blame people when actual government agencies are training people to be phished.

I ranted about something similar when it came to how the US Internal Revenue Service was implementing authentication for their free-filing service.

They're training taxpayers to put large amounts of extremely sensitive personal information into a third-party domain called "id.me". Even if you trust the private company, I think it's insane they didn't at least whitelabel the process through a *.irs.gov domain!

(For those curious, the .me TLD is run by the country of Montenegro. Control over DNS has some security implications for phishing and man in the middle attacks.)

Do business with businesses that have local offices. That way, anytime something needs verification or seems off, go into the business's building.
If you live in Canada you can't really opt out of doing business with the CRA.
When a Canadian gov agency calls, a good reverse verification method is to test their French.

« Êtes-vous une pamplemousse? » ("Are you a grapefruit?")

Just curious, how did you confirm it was The Canada Revenue Agency and not scammers?
I logged into the CRA website and found something.
"Contact the suspicious person back through the official number or website" is always a good heuristic, especially since it works pretty well as advice for non-technical relatives.
Is detecting phishing all that straightforward? Banks, travel agents, and even governments are all terrible at avoiding the signalling of phishing.

Equifax had its entire response to its breach on a different domain, the kind of thing we tell people to watch out for.

https://www.equifaxsecurity2017.com/

This looks like phishing. But it is legitimate.

It is not straightforward, and it is complicated by a number of factors. The first would be bad "brand hygiene": If a company has dozens of legitimate domains across different TLDs, different providers and different geographical locations then it's already more complicated than just one canonical .com domain. If teams within the company are permitted to spin up their own domains (e.g. marketing campaigns, branch offices) then it gets 10x worse. Lastly if a legitimate brand frequently changes its appearance, it will be harder to pin down the true brand identity.

But even if you follow all of these best practices there are still powerful attack vectors. A threat actor could host their phishing page on an unrelated (compromised) domain with good domain reputation; in that case you wouldn't even know about that site until the first email or SMS hits your customers. Or the threat actor could use one of the many file-hosting or website services to create their site and host it on a shared third-party domain with perfect domain reputation (e.g. amazonaws.com).

And then there's incentive: It's not the companies that suffer financial losses, it is their customers. If you were talking about their employees being phished that would be a different story. Same thing for Google Safe Browsing: Their incentive is to protect against most of the obvious phishing, without any false positives, ever. If they are slow to detect something they won't suffer any losses. If they generate a false positive their Chrome browser might suffer significant reputational damage if a popular legitimate domain is blocked.

Vattenfall (a big Swedish energy company) had the same for a while. Their marketing created a website where you could log in as a user, on a completely different domain.

Most have been fixed but my current pet peeve is receiving email newsletters from these companies with tracking links. I get it, you're trying to measure something. But they're genuinely sending you links like sx4pv.mjt.lu/lnk/EEEAAAA-3434-asdfasdfasdf

Even tech companies do this wrong. GitHub had its upcoming/beta features on githubnext.com and even sent out auth-related e-mails from there. I wanted to test their new features but when I got the email I lost my faith in them and opted not to.
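A small outbound-mail audit, added here as an example and not written by any commenter, that checks every link in a newsletter against the domains the brand actually owns and flags the off-brand links the thread complains about (tracking-service hosts, third-party sender domains, lookalike subdomains). The allowlist and the sample newsletter are constructed, and the registrable-domain logic is a simplified stand-in for a Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a legitimate newsletter whose links mix the brand's own
# domain with a third-party tracking host of the kind mentioned in the thread.
SAMPLE_NEWSLETTER = """Hello,
Your statement is ready: https://www.example-bank.com/statements
Read our spring offers: https://sx4pv.mjt.lu/lnk/EEEAAAA-3434-asdfasdfasdf
UK customers, see https://example-bank.co.uk/offers.
Verify your details at https://example-bank.com.login-check.example/verify
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Simplified stand-in for a Public Suffix List lookup: treat a few well-known
# second-level suffixes as part of the suffix, otherwise take the last two labels.
_SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

def registrable_domain(host: str) -> str:
    """Return the registrable (brand-owned) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def audit_links(body: str, brand_domains: set[str]) -> dict[str, str]:
    """Map each link in an email body to 'on-brand' or 'off-brand'.

    A link is on-brand only if its registrable domain is one the brand owns;
    subdomains of owned domains pass, lookalikes and third-party hosts do not.
    """
    verdicts = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        host = urlparse(url).hostname or ""
        on_brand = registrable_domain(host) in brand_domains
        verdicts[url] = "on-brand" if on_brand else "off-brand"
    return verdicts

def off_brand_links(body: str, brand_domains: set[str]) -> list[str]:
    """Links a recipient could not tie back to the brand by domain alone."""
    return [u for u, v in audit_links(body, brand_domains).items() if v == "off-brand"]

if __name__ == "__main__":
    for link in off_brand_links(SAMPLE_NEWSLETTER, {"example-bank.com"}):
        print("off-brand:", link)
```

Run over a real campaign template before it is sent, any off-brand link is one a recipient has no way to distinguish from a phish by inspecting the domain.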
DHL sent me a shipment tracking email from "dhlecommerce.co.uk" the other day. I almost deleted it, but then I remembered I was actually waiting for a package.

This is a huge issue and it seems like we've just given up on it. There used to be EV SSL certs, but they are essentially dead now. There's BIMI for email, but support is mixed, and only partly addresses the issue.

Indeed. They haven't learned their lesson.

AT&T finally copped to an enormous breach this month. In their notification to individuals (sorry, sign up for identity protection, etc), they made sure to let you know official email always comes from: att@message.att-mail.com

...an email address and subdomain that have never contacted me before on a sketchy sounding domain that doesn't match the service (hosted at https://att.com). The email links to experianidworks.com which asks for email, address, and SSN upon clicking the CTA.