You have to wonder
How much benefit these arseholes might do for the economy if they indulged their talents in legal directions...
A current phishing campaign scares recipients into believing they've been sacked, when in reality they've been hacked – and infected with infostealers and other malware that means a payday for the crooks behind the scam. The attack begins with an email that appears to be a legal notice informing recipients their employment has …
"the project managers, market researchers and developers are all doing a pretty effective job"
This is like saying someone who goes around stabbing people and taking their money is being a pretty effective surgeon. You wouldn't give them a job as a soldier or working in an abattoir either.
I've made it clear to everybody who matters (work, my bank, etc) that all emails claiming to be from them will be deleted unread. Anything of importance, particularly that which carries legal weight, must be printed and mailed in an envelope or handed to me directly.
I'm surprised there isn't some sort of law relating to the paper trail, not to mention some tangible "proof of delivery".
Can be tricky. For a while we were getting phishing emails that appeared to come from legitimate email addresses within our organization. The senders' names were correct, and depending on the email reader you used you might not realize that the real source of the email was gmail.com, not our .edu domain. It was especially easy to be fooled if you were using a phone, which may truncate the email address to only the user name, which was correctly formatted as last name, first name. There were other clues usually embedded, like it being an unexpected email from an unexpected though legitimate-looking source.
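The spoof described in the comment above, where the display name is a correctly formatted colleague's name but the address behind it is at gmail.com, can be caught mechanically. The following is an added example and not code from the thread or its posters: it parses the From: header, compares the display name against a directory, and flags a mismatch between the name and the real sending domain. The organisation domain example.edu, the directory entries and the three sample messages are all constructed for the illustration.

```python
# Added example, not code from the thread: flag mail whose From: display name
# impersonates a known colleague while the real address sits outside the
# organisation's domain. Domain, directory and samples are constructed here.
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"                  # assumption: the org's real domain
DIRECTORY = {"smith, jane", "patel, raj"}    # assumption: names as "Last, First"


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Smith,  Jane' matches 'smith, jane'."""
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def check_from(raw_message: str) -> dict:
    """Inspect one raw RFC 5322 message and return a verdict with reasons."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded-words so an encoded display name is compared as text.
    from_hdr = str(make_header(decode_header(msg.get("From", ""))))
    name, addr = parseaddr(from_hdr)
    domain = _domain(addr)
    reasons = []

    # The case from the thread: correct-looking name, address actually at gmail.com.
    if _normalise(name) in DIRECTORY and domain != ORG_DOMAIN:
        reasons.append(f"display name matches the directory but address is at {domain!r}")

    # Phone clients that show only the display name hide this one: the name
    # itself is an address at one domain while the real address is at another.
    if "@" in name and _domain(name) != domain:
        reasons.append(f"display name carries an address at {_domain(name)!r}, "
                       f"real address is at {domain!r}")

    # Replies silently routed to a third domain are another common tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != domain:
        reasons.append(f"Reply-To goes to {_domain(reply_to)!r}, not {domain!r}")

    return {"name": name, "address": addr, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (headers only; the bodies are irrelevant to the check).
SPOOFED = (
    'From: "Smith, Jane" <smith.jane.example.edu@gmail.com>\r\n'
    "Subject: Updated timesheet\r\n\r\nPlease see attached.\r\n"
)
NAME_IS_ADDRESS = (
    'From: "jane.smith@example.edu" <recruit2291@gmail.com>\r\n'
    "Reply-To: hr-desk@mail.example\r\n"
    "Subject: Action required\r\n\r\nOpen the portal.\r\n"
)
LEGIT = (
    'From: "Smith, Jane" <jsmith@example.edu>\r\n'
    "Subject: Lunch?\r\n\r\nCanteen at 12?\r\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED),
                          ("name-is-address", NAME_IS_ADDRESS),
                          ("legit", LEGIT)):
        print(label, check_from(sample))
```

The check deliberately looks at the address the mail client would display, not at SPF or DKIM results; those tell you the gmail.com message really came from Google, which is exactly why it passed in the first place. A directory-name match combined with an external domain is the signal the phone's truncated view takes away from the user.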
Unfortunately the DWP only emails, and if you don't respond within 30 days you forfeit any legal rights to appeal.
As a non-Brit I had to look up DWP (Department for Work and Pensions), and it seems like a contest between the DWP and Gormenghast for the title of more hideous.
The "Tell Us Once" project tickled my funny bone. I am certain many civil servants are told to <...>, but they never do.
Dear Bebu sa Ware,
It seems you don't appreciate the subtle and sophisticated British sense of humour. I have had dealings with DWP recently, and can assure you that the "Work" in the Department's title is purely ironic.
Signed
Still waiting for contact
First of all, "Tell us Once" is 'a service that lets you report a death to most government organisations in one go'. It doesn't belong to the Department for Work and Pensions.
Secondly, it is in fact an attempt by The Bureaucracy to alleviate the pain of the bereaved having to call many elements of the government to report their loss, and in general it is a Good Thing. I say this as a relatively recent user.
Oh, the DWP. The outfit that used to require my mother to go to the town mayor (the relevant public official over here) and have him fill out a form to say that she wasn't dead yet (as opposed to a form saying she was still alive).
The DWP are on an entirely different planet and I'm glad I don't have to deal with them.
"Oh, the DWP. The outfit that used to require my mother to go to the town mayor (the relevant public official over here) and have him fill out a form to say that she wasn't dead yet (as opposed to a form saying she was still alive)."
If I want to get my French pension I have to do much the same thing in the UK. The Assurance Retraite makes me download a "certificat de vie" every December, which has to be signed & stamped in my local council office to confirm that I'm not dead, then returned. If I don't do that I lose my pensions.
"Unfortunately the DWP only emails"
"Department of Water and Power". It's always good to expand an acronym on its first instance of use in a document, post, etc. In the land of the TLA (Three Letter Agency, aka the United States), abbreviations are reused constantly and I, for one, often feel like "going postal" when they aren't defined. It's even worse on a Tesla earnings call that's loaded with acronyms being delivered by somebody with a monstrously thick Indian accent.
The only thing I know about the UK DWP is that they kill people.
That is quite true, but given the price of postage and the effort required, plus the physical materials and the fact that the faking officialdom carries penalties only marginally less than "dust off the old guillotine"...
...I think one can have a slightly higher degree of confidence in something that comes by post, as opposed to an email that any halfwit could knock out (something begging for an AI "solution").
I would advise against that idea. None of your assumptions are true to my knowledge or experience. It does cost some amount to print a letter, put it in an envelope, and mail it. It isn't very much. Lots of scammers have sent mail throughout history, and it isn't much more expensive if inflation is considered. Those doing it in bulk can often find ways to decrease the price. As for penalties, I don't see anyone going to lots of effort to track down and punish people who misuse the mail, not that it would be that easy to do. I can write any return address or none on mail and send it from lots of places and it will be sent. Tracking me down later wouldn't be easy even if someone was doing it.
Paper mail would be expensive for spray attacks, but it wouldn't be the first time. If they're picking specific victims, the cost of mail would be tiny in comparison to the potential reward. Mail is no more trustworthy than email, and in fact it is worse because you can theoretically verify DKIM on a message, but nobody does that on paper.
'not to mention some tangible "proof of delivery" '
There's a curious clause in many contracts I've encountered (which seems to be legally valid, at least in the UK) which states that proof of posting (not delivery) is sufficient evidence of serving.
In the UK, a court will accept service by first class mail provided proof of postage is retained. Typically, three days are assumed to elapse from the letter being deposited with the postal service to it arriving at the receiver, so if a dispute over dates arises this may come into play. It is not required to obtain actual proof of delivery; it could be argued the courts place a lot of faith (perhaps too much) in Royal Mail.
If the first you find out about court proceedings is when informed that a warrant has been issued for your arrest due to non-attendance in a court, tough shit.
You must schedule a couple of days off work to attend court on the opposite side of the country to tell the judge "I didn't receive anything in the post" in person, and they will respond with "do you want to come back next month for a hearing where you will be required to provide proof that you didn't receive it, or do you just want to plead guilty and save the hassle?".
Actually happened to my boss, who turned up with a letter from Royal Mail saying they stopped delivering his post because they had decided the building had burned down for some reason. The letter was not sufficient without also proving when the building had burned down... Which it hadn't.
I wholeheartedly agree.
In view of the sheer volume of mis-addressed email I receive, frequently medical or governmental, there's no way I'd respond to anything unsolicited directly even if I suspect it's legitimate. If I recognise the sender and subject I'll attempt to initiate contact by any other means.
I'd like to say most of it is of left-pondian origin, but a large UK bank I shall anonymise as GnatEast insisted on sending a similarly named customer's confidential details regularly for over a year after I first alerted them.
It seems that large organisations care very little for any kind of privacy or responsibility for personal information, so the key is to give them as little as possible to lose and abuse.
Incidentally the bank eventually apologised and offered me £200 (basically "hush money"). I seriously contemplated contacting the other customer to see if the bank had even let them know, but no doubt I'd be hauled up before the Beak for some sort of GDPR contravention, or accused of attempted fraud, impersonation, or any other potential crime I spent a year trying to prevent.
I get similar from another bank, MBNA. They have one of my ISP-provided email addresses linked to an account, the name on which isn't even close to mine, even though the email address is my actual name (primary ISP addy). There's nothing confidential in the emails other than they "confirm it's real" by including the last 4 digits of his account number. It's been happening on and off for at least five years. I did once contact them, which was quite difficult as most contact info requires signing into your account, e.g. for reporting security or fraud issues. I did eventually get a phone call back from them confirming it really was from them (headers had already proved that to me). They were apologetic and it stopped for a year or two, and last year it started up again. Maybe MBNA/Lloyds/$other_brand_name systems had to be restored from a backup? No idea. Maybe if I get another one I'll try contacting them again and mention the Data Protection Act, GDPR, banking ombudsman etc. and see what happens.
"In the UK, cases can only be brought to Employment Tribunals by employees, not by employers. So the above statement immediately identifies such emails as a scam."
As younger people enter the workforce and get assigned grunt work as in sending out notices, you start seeing degrading grammar and proper use of words. The maximum length of a thought for many teenagers is around 140 characters (and an emoji). Social media is training them up for the dole.
This kind of scam catches all sorts of people, from the least able to afford being ripped off to the top of the pay scales; it doesn't take a lot to fall for it, especially if you're distracted, against a deadline, worried for your job already, etc.
No, I haven't, yet, but some of them are getting scarily convincing
We had a user enter their credentials into a phishing email. Recently implemented security restrictions prevented a breach, but given the context it was decided to treat it as a full incident and do a complete gather-all-the-evidence type analysis. This was the third time that specific user had fallen for a phishing email, and management wanted the paperwork to "remove the problem".
My investigation found that there was evidence that the user had followed all of the training provided, as well as taking additional measures not covered by their training, and therefore could not be considered to be at fault in any way. The exact opposite of what management wanted to hear.
Before I had officially submitted my report the user received an identical email from a contact who had been compromised, seemingly by the same spam run as the email they had entered their details into, so they forwarded it to the helpdesk. The helpdesk replied saying it was a legitimate email and safe to open!
"...then they are rightfully "fired". Either they were not important enough in first place, or deserve so now for falling for it."
Many Tesla workers found out when they showed up for work and couldn't badge in as Elon doesn't believe in notices that much. When he does send notices, they are often rather poorly written. Many of those people didn't see it coming since it wasn't due to their performance at all, it was names from a hat.
When I worked more as a photojournalist, one of the writers I often worked with also worked in corporate communications. He would sit down with companies and create template documents for all sorts of situations. If something happened, somebody could reach for the appropriate form located in a 3-ring binder (yes, hard copy as well as digital files, just in case), fill in the blanks and send. At least in the US, it's very important to have a paper trail regarding employees. If there's ever a need to have a word with somebody, it must be done a certain way and documented, and often the employee must be given a printed (hardcopy) notice. If it's later determined that the employee needs to be sacked, they've been informed of the issues, given official warning(s) and have little to stand on if they try to fight back. Just sending somebody an email or text that they're being fired for cause will land a company in hot water. If employees have also been informed of how the internal procedures work, they shouldn't be taken in by these sorts of scams as they would know it's not done that way. For large companies that get their labor from a union, the company can dis-employ somebody, but the notice would go through the union, or the union would also be notified so the worker could call the union office for verification.
I get plenty of notices from "my bank", credit card company, inheritance from a long lost relative, etc to not be suspicious of something "too weird to be true". It goes right along with "too good to be true". Maybe it's not taught enough to never click on links in emails. I've had people I know send me unexplained links (in an email without a subject) and I just trashed it without going any further. That Outlook script bug keeps coming around from time to time so I don't trust out-of-the-blue email with links from people I know. I have words with people using Outlook that aren't forced to for work email.
The one that puzzles me is an invoice for some popular service or software that's way off the chart. "We renewed your anti-virus software, but your card payment was declined" and the invoice amount is $964.32. Normally that anti-virus is something like $49.95/yr/household so the amount is way off. Too telling. If the scammers sent an invoice for the going price, more people might click the link thinking maybe they did sign up for it last year and forgot.
> As younger people enter the workforce ....sending out notices, you start seeing degrading grammar and proper use of words. The maximum length of a thought for many teenagers is around 140 characters ....
I retired in-part because of one remarkably stupid email form-letter from the student-staffed Help Desk.
"For students requesting a shell when their trying to find their course"
Hey! In 17 years I never noted that the Subject line (longest line in the whole message) was eXactly 140 chars.
The word "their" (for "there" or "they are") was abused again several times.
This student "moved up" to a SalesForce role.
...seems to be good advice, and widely requested by employers in their anti-phishing training.
So, why is it not routine for mail clients in the workplace to disable links?
Why tell people not to do something, when it is possible to simply prevent them from doing that thing?
You protect a safe with a lock, not with a sign that says "For security reasons, please do not open this safe".
If staff can click on links, they will. If you don't want them to, surely we can make it impossible, not merely contrary to policy.
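One concrete way to make the links unclickable rather than merely against policy, as an added example that is not part of the original comment or any product it refers to: a mail gateway or client-side filter rewrites the HTML body so every anchor loses its href and instead shows the real destination host as plain text. The sample message and the hostname hr-portal.evil.example are constructed for the illustration.

```python
# Added example, not code from the thread: rewrite an HTML mail body so that
# every <a href> becomes inert text that still shows the real destination host.
# The sample message below is constructed for the illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkDefanger(HTMLParser):
    """Re-emit HTML unchanged except that anchors lose their href entirely."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through untouched.
        super().__init__(convert_charrefs=False)
        self.out = []        # rewritten HTML fragments
        self.hrefs = []      # every href seen, for logging or quarantine
        self._href = None    # href of the anchor currently open, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self.hrefs.append(self._href)
            self.out.append('<span class="defanged-link">')
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a":
            # Show where the link really pointed; "no host" covers tel:, javascript: etc.
            host = urlparse(self._href or "").hostname or "no host"
            self.out.append(f" [link removed: {host}]</span>")
            self._href = None
        else:
            self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())   # <br/>, <img .../>

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass    # HTML comments carry nothing the reader needs; drop them


def defang(html: str):
    """Return (rewritten HTML, list of hrefs that were removed)."""
    parser = LinkDefanger()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.hrefs


# Constructed sample in the style of the "you've been sacked" lure.
SAMPLE = (
    '<p>Your employment is terminated. '
    '<a href="http://hr-portal.evil.example/login?u=1">Review the notice</a> '
    'within 24 hours.<br/>Call <a href="tel:+10000000000">HR</a> &amp; confirm.</p>'
)

if __name__ == "__main__":
    rewritten, removed = defang(SAMPLE)
    print(rewritten)
    print("removed:", removed)
```

The user can still read the message and can still type the host into a browser if they have a reason to, but there is no longer anything to click, and the gateway has a log of every destination it stripped. Phone numbers in tel: links get the same treatment, which also covers the auto-dial point raised further down the thread.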
"If staff can click on links, they will. If you don't want them to, surely we can make it impossible, not merely contrary to policy."
It's not just links. Phone numbers can be auto-dialed by mobes by clicking on the number. Of course I have that disabled, but many people will use that "feature". I can't go anywhere in public without there being some poster with a QR code. There were some posted in the county office as I was queued up to pay my property tax. I didn't see anybody scanning one, but I thought that a long queue would be a good fishing ground since people are just standing around waiting. I doubt anybody at the offices would take notice of the postings since they claimed to be something from the county like a checklist/requirements for paying the tax. One could fleece hundreds before anything was done. Replacing stickers on parking meters is a favorite of scammers. Not only do people get their bank accounts emptied, they also get cited for not paying the parking fee.