Hi all. I've been a SN listener forever. I have a policy of trying to share things I learn to help others. Today I made ~TWO security mistakes. Everything is fine and it all worked out. But, I wanted to share this so you can tweak your mental shields and recognize that even security conscious people can get caught off guard.
I'm a member of a national organization which is politically active on some key issues I'm concerned about. I've been reviewing some finances and decided to make some contributions to some organizations. So, I get an email from this organization and it says important things are happening and they need some money. It also says give over a certain donation limit and get a free gift. Click here. We're not talking about a lot of money here. It was $24.
So, I clicked the link. SEMI-MISTAKE #1. So, I'm thinking it will go to a web page and say, here's your donation, review, enter data, click pay. But, it didn't. In actuality, BOOM, it instantly went to a web page and said thank you for the donation you JUST MADE. No data entry. No review. No confirmation. Nothing.
So, I said WHAT THE HECK? I didn't even know that was possible. Note that clicking the email itself, not the web page, did the deed. So, I looked at the thank you page and found the phone number and called it. MISTAKE #2. So, I got hold of customer service and told them I had a complaint about this instantaneous transaction. She even anticipated what I was calling about.
Now the rest of the story. The email was legitimate. The donation was legitimate. And, everything is OK. But, afterwards, I was mentally slapping myself for making the semi-mistake of clicking on the email and the mistake of calling them back at the phone number they gave me.
Now, here are a few things in my defense. 1) I use custom TO emails, which cannot be faked, for all organizations. So, the email came to the proper address. 2) The original email had the last 4 digits of my credit card number (which I only noticed after I clicked). 3) Their answering service sounded like what I'm used to (which I didn't know until after I'd made the mistakes). 4) The rep was able to tell me my membership expiration date (which I didn't know she could until after I'd made the mistakes).
So, I feel highly certain it was legit. And, frankly, the correct TO address gives me a large amount of confidence to click on the email. It's HIGHLY unlikely for anyone else to send me email at that address. But, I really should have separately looked up the phone number to call rather than using the one presented to me.
So, take this for what it's worth and remember, you're never invincible to mistakes and attacks.
May your bits be stable and your interfaces be fast. Ron