I made a purchase yesterday from Meta (Oculus). A few minutes after payment, I received an email asking to click to confirm it was me.
It came from verify@verification.metamail.com, with alert@nofraud.com cc. All red flags for phishing.
I googled it because it had all the purchase information, so unless a malicious actor infiltrated Meta servers, it has to be right. And it was, after googling a bit. But why do they do such things? I would expect better from Meta.
Everything I hear about their processes, everything I experience as a user, says their software development is all over the place.
Uploading a video on mobile web? I get the "please wait on this site" banner and no sign of progress, never completes. An image? Sometimes it's fine, sometimes it forgets rotation metadata. Default feed? Recommendations for sports teams I don't follow in countries I don't live in. Adverts? So badly targeted that I end up reporting some of them (horror films) for violent content, while even the normal ones are often for things I couldn't get if I wanted to such as a lawyer specialising in giving up a citizenship I never had. Write a comment? Sometimes the whole message is deleted *while I'm typing* for no apparent reason.
Only reason I've even got an account is the network effect. If the company is forced to make the feed available to others, I won't even need this much.
If they stopped caring about quality of their core product, what hope a billing system's verification emails?
As a related anecdote.
On the phone with the Amazon refund department I was told to wait for a callback. Got a callback from a number that I obviously didn't get to vet. Then on that call they asked for my email address to email me an Amazon sign-in page.
I almost just hung up because you have the rep urging you to do it and I'm trying to vet that every link is what it says it is before I enter any Amazon info. The cookies from my already signed-in session did not apply to this SSO either. Ended up working out in the end.
I could not believe they have the same flow as the scammers do. This is the same company that regularly sends out warning emails about phishing to me. Go figure.
I have a home equity line of credit and every time I move to a new address, the anti-fraud department calls me and asks me to verify my address. I was rude af to them the first time because I was convinced they were scammers.
Meanwhile every time I am expecting a package via USPS or DHL, without fail, I get a scam text message about my incoming package. I never get them when I am not expecting a package. This is using a variety of devices, web shops, etc. Somewhere along the way, there is a data stream being sold or leaked.
>I never get them when I am not expecting a package.
For what it's worth, I get scam messages claiming to be about USPS, DHL, et cetera even when I'm not expecting a package. Recently I've had a couple claiming to be about a package failing to clear customs (but if I just pay a quick fee...).
Looking at what No Fraud does [0], it sounds like Meta has either spun off the first party hardware store from their usual infra, or straight asked a third party to deal with it, and to insulate their main business they split the email domains.
Most companies are already splitting domains for customer and corporate communication, that's a step in the same direction.
While you're right that it sounds fishy as hell, it's also mildly common IMO and understandable, especially when e-commerce is not the main business, and could be a reflection of how anti-phishing provisions are pushing companies to be a lot more protective of the email that comes from their main domain.
For better or worse, we've been in that world for a long time really.
If I ask my bank for a debit/credit card, they'll pass my request to another partner which will do my background check and potentially contact me for additional info.
If I order a delivery from IKEA it will probably be handled by some local company, and I'll have no idea how precisely they're bound to IKEA. Some complete stranger will be at my doorstep with a truck waiting behind.
There might be some mention of involved third parties in the contracts, but we usually don't read them.
So we used to get random phone calls from unknown numbers claiming to be associated with a reputable entity, and be actually legit even as it sounds completely fishy.
In my experience it's because getting a subdomain set up inside large companies is a MAJOR bureaucratic nightmare, whereas registering a new domain is very easy.
It's always infuriating getting email from Amazon or my bank "here's signs of potential phishing emails/texts" that doesn't include an exhaustive list of every email address and phone number that that organization will try to contact me from. That should be table stakes when it comes to phishing avoidance, and it's something that can only be done by the business, not the customer.
Yes, like you say, there's always the chance that someone hijacked an official domain - that's where other things like a formal communication protocol ("we will never ask for your password", "never share 2FA codes", "2FA codes are separate from challenge-response codes used for tech support") and rules of thumb like "don't click on shortened links" come in. Defense in depth is a must, but the list of official addresses should be the starting point and it isn't.
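The "starting point" described above, as an added example that is not part of the thread: a small triage routine that checks every From/Cc address and every link in a transactional mail against the list of sending domains a merchant publishes, and flags shortened links. The official-domain list, the shortener list and the sample message are constructed for illustration (the list is not Meta's real one; the sender addresses are the ones quoted in the thread, the link is invented).

```python
"""Check a transactional e-mail against a merchant's published sender list.

Added example, not code from the thread. OFFICIAL_SENDER_DOMAINS and the
sample message are constructed for illustration (this is not Meta's real list).
"""
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed: the list a merchant should publish on its anti-phishing page.
OFFICIAL_SENDER_DOMAINS = {"meta.com", "oculus.com"}

# Constructed: URL shorteners hide the real destination, so they are flagged.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _under(domain, official):
    """True if domain is an official domain or a subdomain of one."""
    return any(domain == o or domain.endswith("." + o) for o in official)


def sender_domains(msg):
    """Domains of every address in From and Cc, lower-cased."""
    raw = msg.get_all("From", []) + msg.get_all("Cc", [])
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(raw) if "@" in addr}


def link_hosts(body):
    """Hostnames of every http(s) link in the body, lower-cased."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,)")).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def triage(raw_message, official=OFFICIAL_SENDER_DOMAINS):
    """Return the findings a recipient (or a mail filter) should act on.

    Empty findings mean every sender and link sits under a published domain;
    that does not prove the mail is genuine (headers can be forged), so
    DMARC alignment remains the next layer of the defence.
    """
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        body = parts[0].get_payload(decode=True).decode(errors="replace") if parts else ""
    else:
        body = msg.get_payload(decode=True).decode(errors="replace")

    hosts = link_hosts(body)
    findings = {
        "unknown_senders": sorted(d for d in sender_domains(msg) if not _under(d, official)),
        "shortened_links": sorted(hosts & SHORTENER_DOMAINS),
        "offsite_links": sorted(h for h in hosts - SHORTENER_DOMAINS if not _under(h, official)),
    }
    findings["verdict"] = ("verify out of band" if any(findings.values())
                           else "senders and links match published list")
    return findings


# Constructed sample modelled on the mail described in the thread; the order
# number and the link are invented.
SAMPLE_MESSAGE = """\
From: Meta Store <verify@verification.metamail.com>
Cc: alert@nofraud.com
To: customer@example.com
Subject: Please confirm your recent purchase
Content-Type: text/plain; charset="utf-8"

Order 4815162342: Quest headset.
Confirm it was you: https://verification.metamail.com/confirm/abc123
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the sample, both sender domains and the link host come back as unknown, so the verdict is "verify out of band": log in to the store directly rather than acting on the mail. The point of the exercise is that the check is only possible when the business publishes its list; without it the recipient is left with search engines, as the opening post describes.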
I've had (presumably the fraud department of) AmEx ring me and ask for personal verification details over the phone before they'll even speak to me about ANY details (even just if this is ringing about fraud etc, or how urgent the phone call is), on more than one occasion.
Even though I was pretty confident it was a legitimate call (typically an email notification arrives from them about some odd activity at the same time, or it's whilst I'm making a payment), I decline because surely this is exactly the same as what scammers would do?
Mine has a few times, without the "call us back". So far it's been the fraud department when I made an unusual payment, and have also occasionally gotten "how are we doing?" courtesy calls.
I have confirmed the fraud department one was legitimate, but haven't bothered with the others.
My bank doesn't tell me that. It's this kind of incompetence and lack of responsibility on their part that's leading to scams and phishing being so unnecessarily successful.
I have a HELOC and every time I move, their fraud dept calls me. And to call them back is not on their main bank number. It was super sketchy but legit.
I experienced the exact same thing when I bought the Flipper Zero. A "hacker device" and the email communication following the sale being made was straight out of a phishing email campaign book. I don't remember the details, it has been a while, but it was wild how sketchy the emails looked. I hope they have improved the email templates since.
I got way worse. I was fined for leaving unattended baggage at the train station for a bit. The fine came through an SMS message redirecting to a domain which I had to whois to verify was owned by the train company…
My client is sending communication and security related guidance in either an external domain or with pdf files. Every quarter they do internal phishing tests. I have no words.
I noticed Substack recently switched from "click this link to log in" to "we're emailing you a code; enter the code to log in". Wish other companies would follow this approach.
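The server side of the "enter the code to log in" flow mentioned above, as an added example; this is not Substack's code. The code is short-lived, single-use and attempt-limited, and only a keyed hash of it is stored. The in-memory dict and the server key are constructed placeholders for a real store and a secret loaded from configuration.

```python
"""E-mailed one-time code login (the code-instead-of-link flow).

Added example, not Substack's code. Storage is an in-memory dict and the
server key is a constructed constant; both stand in for a real store and a
secret from configuration.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a code is only valid for ten minutes
MAX_ATTEMPTS = 5             # six-digit codes are guessable; cap the tries
CODE_DIGITS = 6


class EmailCodeLogin:
    """Issue and verify short-lived, single-use login codes sent by e-mail."""

    def __init__(self, server_key, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending = {}  # email -> {"digest", "expires", "attempts"}

    def _digest(self, email, code):
        # Store only a keyed hash, so a leaked table does not yield usable codes.
        msg = f"{email.lower()}\x00{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, email):
        """Create a fresh code for `email`; the caller e-mails it to the user.

        The e-mail carries no link: the user types the code into the session
        they already opened at the real site, so there is nothing to click.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[email.lower()] = {
            "digest": self._digest(email, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, email, code):
        """True exactly once for the right code, inside the TTL and attempt cap."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[key]        # expired codes are discarded
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]        # too many guesses: force a re-issue
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(email, code))
        if ok:
            del self._pending[key]        # single use
        return ok


if __name__ == "__main__":
    login = EmailCodeLogin(b"constructed-server-key-replace-in-production")
    code = login.issue("reader@example.com")
    print("code sent by e-mail:", code)
    print("wrong code accepted?", login.verify("reader@example.com", "000000"))
    print("right code accepted?", login.verify("reader@example.com", code))
    print("replay accepted?", login.verify("reader@example.com", code))
```

The reason this flow is friendlier to phishing-aware users is that the message contains nothing to click and nothing that works outside the browser session the user started themselves; the constant-time compare, the attempt cap and the expiry are what keep a six-digit code from being brute-forced or replayed.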
I wouldn't expect better. Everybody sends these kinds of emails. Banks, shops, social media sites, hospitals, government... everybody. It's just easier this way for each particular site, and since data theft and unauthorized access has been successfully reframed as the victim's fault, there is no incentive not to do it.