After getting the account, immediately I get shipping bills for international shipping in the thousands of dollars, both sender and recipient have nothing to do with me. Credit card on file was auto-charged. Removed credit card, started getting thick FedEx bills in physical mail.

It turns out FedEx allows billing to be charged to any account as long as you have their nine-digit account number, so of course scammers do this all the time just generating random numbers. FedEx didn't give a shit, denied my reporting of fraud, allowed more scam shipping even after I reported. Finally I had to initiate chargeback via the credit card issuer and only then did they close the account. But I still get marketing emails that I can no longer turn off. Absolutely not a company anyone should use.

I called Fedex to try to rectify this and, as far as I remember, they either never answered the phone or told me they had no way of contacting the delivery driver (??).

I've always avoided fedex (and UPS, for that matter, since they destroyed two antique lamps that I ordered through ebay) since then.

Wonder if they share a vendor.

At least they don't automatically lowercase and truncate your password behind the scenes like AMEX. Lol.

I used to be able to load the rewards to my account without logging in at all, just clicked the link in my email, but I guess they fixed that and then I realized I didn't know my password.

The package got returned to the sender who wouldn't respond. When I quibbled with my credit card company (Cash App) they said the package had been delivered to the sender, so it was technically "delivered" and I was not eligible for a refund. When I persisted they permanently terminated my account with them so I can never have another Cash App account, thanks to FedEx.

I no longer use FedEx for any shipment that I need to have arrive.

Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.

But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this german company...

I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example

Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.

As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.

I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are but a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.

The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.

SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.

Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.

Later got a letter saying it wasn't possible to followup on my issue and they didn't see any issues with what I had raised. I tried... :/

The issue, I think, is the larger the company is the more incentivized it is to hide away access to it's internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.

Plot twist! Didn't see that coming.

Seems bizarre to me that this would happen, but reading sibling comments just keeps having me shake my head in dismay.

The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords we have to enter in systems that can’t pull directly from password managers and thus have to type 10-20 per day. Guess the average strength of an employee password!

I think IT incompetence should lead to audit fails or even better delisting from exchanges.

So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.

Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.

This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!

It happens.

It’s insane.

Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.

There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in peoples' inboxes.

What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.

There was no reason to use a shortener, let alone such a shady one!

Ignored it.

Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.

ich arbeite als (externe) CyberCyberCyber Nase in einer Organisation irgendwo in der Sparkassengruppe. Ich kann dir versichern, dass niemand, der auch nur im entferntesten was mit InfoSec in der Bank zu tun hat, von dieser Marketing Idee erfahren hat.

"I work as an (external) CyberCyberCyber nose in an organization somewhere in the Sparkassen-group. I can assure you that no one who is involved even the slightest with infosec at the bank, has heard anything about this marketing idea."

What the hell.

> Terms and Conditions, Price and Service List, Conditions.

> Dear customer,

> our price and service list, our terms and conditions, as well as further conditions which will come into effect on May 1, 2024, can be found on the USB stick.

> With kind regards,

> The Sparkasse Bremen AG

I called my insurance broker and yes indeed it was legit. I also tried to explain to them how this letter was a few steps removed from a Nigerian prince scam based on all the red flags, but i don't think it made a big difference.

> but I'm a smart human so I don't fall for this (that's a joke, read why humans are bad at URLs).

It's clear that he thinks relying on heuristics to distinguish scammy URLs is not a scalable long term approach.

It can't become any more true than it already is. Humans already fail to identify phishing 95% of the time. And a human can already create an exact duplicate e-mail, website, text, etc as a real one. There's no need for AI.

Include a link, make it a part of the core domain, short, and prominent: https://example.com/contact. If the user isn't logged in, lead with a login flow explaining "If you received a message from us, login for details", and include a contact form, phone number, and if there's a chat with customer support, that too.

These are all things a phish can spoof to some degree, but that's not a good reason to force the user to figure out how to resolve whatever problem you're bringing to their attention.

Could easily be one person writing the message. Another who demanded partial edits in a Jira ticket. But then the data types didn't match up with what the writer requested and then the dev didn't want to deal with it and just shipped it.

Or it could be that the message is made with a bunch of disjointed and constructed if statements and only the final output is piped to the customer. I have seen some very terrible log messages like that as nobody is looking at the entire message, just the little bit in the conditional they are editing at that point.

As an anecdote, I once worked on code that generated these very detailed error messages about why something went wrong. I discovered most never made it to the customer as someone later down the line reassigned a variable rather than +=. Piles of support tickets could have been avoided.

"Incompetency" is an interesting word.

The old maxim about incompetence versus malice suggests a binary choice.

I prefer the more nuanced take that there is a spectrum of positions between the two, and other dimensions that describe a cluster of intents, both conscious and unconscious.

Take the UK Post Office scandal where we see incompetence layered on top of malice, layered on top on incompetence. In some organisations obviously deliberately harmful positions are written into "policy". Often this comes under "PR" [fn:1]. More and more "AI" will be used to disguise malintent and deflect scrutiny.

In the final episode of the ITV dramatisation [0], Alan Bates (played by Toby Jones) delivers an absolutely shocking, knock down line. When talking about incompetence and evil he says: "They're the same thing" At some point there is no difference between incompetence and evil. For a deeper psychological discussion of that listen here [1].

[0] https://en.wikipedia.org/wiki/Mr_Bates_vs_The_Post_Office

[1] https://cybershow.uk/episodes.php?id=23 (from 39:20)

[fn:1] Edward Bernays seminal definition of public relations outlines a creed of deception, manipulation and disinformation which is antithetical to security [2].

[2] https://en.wikipedia.org/wiki/Public_Relations_(book)

If you ever drive on a toll road in Texas (there are a lot of them and more every year) there are no toll booths that allow you to pay then and there but you'll get a bill in the mail 6-12 months later informing you that this is your fifth and final warning and you owe $4 for the toll and $80 in late fees. I guarantee you the people behind this have friends or family in the Texas legislature supporting them.

For every utterance of "reasonable" in law you can be sure over $1B of laywer fees have been (or will be) spent.

Then I later got a physical letter in the mail about the same, and then I called the bank. Apparently I had some account there holding some pension stuff from a previous employer. Shrugs.

FedEx needs to do a better job with these notifications. At the very least they need to hire a copywriter.

They are, since non compliance will either result in destruction of the package or sending it back (differs a bit per country and type of goods).

It's a bit sad there are no easy ways to prepay taxes and it's hit or miss if you get checked. I'm glad the EU figured it out and have almost no weird surprises any more, except from the Uniteds (states and kingdom).

For this reason, whenever possible, I choose delivery through the post office.

For SMS and voice calls, it would help if they could implement call authentication so can trust the number. Phones should show the user if the number is validated. It would also be good to add trusted CallerID names; Google does with some numbers.

To sign in, you are sent a 'challenge', and must sign it and return it. The challenge includes a "Relaying Party Identifier" (RPID) which is basically the domain of the site requesting authentication.

That way, if a phishing domain prompts you for auth, they can not proxy your response because the RPID you signed will not match the authentic domain, and therefore be invalid.

I moved to Schwab a while ago, so I'm not sure what I would've done to change the password. Schwab is much better, by the way. BMO is a joke. I never thought I would say this, but I miss Bank of the West.

The outside security vendors also run phishing security campaigns that they send out from their own domain, and that have "phishing" URLs that point to the same domain we do the training on.

I got reported as being phished for following a link that goes to the SAME domain as our required security training. Our security compliance team got my point when I reported every required training reminder as coming from a known phishing domain.

like this case: https://news.ycombinator.com/item?id=37250024

A funny thing I discovered in this process is that "delivery instructions" are shared for all packages to a given address regardless of the associated name, and never flushed unless you go in and do it manually on their website. I found the name and contact information for the prior tenant of my unit on the FedEx site with no other info besides 1 tracking number to the address (it also let me change the delivery instructions with said info). Potentially they were still calling that person when they tried to deliver initially, though I have other reasons to doubt they actually came to the door that day.

If they use their main domain, their normal corporate email will get blocked by anti-spam filters.

So everyone uses a different, unrelated domain for bulk mails.

Nearly 100% of the time, I am expecting a notification from Canada Post or Amazon (FedEx less frequently, but still).

Even outside of that, you can often predict when people are expecting a package. Christmas. After various sales weeks.

If calls are routed over internet then it becomes more viable but obviously there is still a large coordination problem and misalignment of incentives.

Are you sure about this? Canada Post's webpage (https://www.canadapost-postescanada.ca/cpc/en/support/articl...) says:

>> We apply a handling fee of CAN$9.95 per dutiable or taxable mail item.

If anyone has honest anecdotes around this I'd love to hear from you (maybe privately is best if its detailed accounts)

But many times there are no customs fees, so there's no issue -- it depends entirely on the pair of sending and receiving country and the category and amount of merchandise. That may have been your experience.

Generally speaking, customs can't be charged upfront with your order. Perhaps there are exceptions with certain delivery services in certain countries which have managed to modernize some of it, but I haven't come across that yet.

Countries also have their own limits below which they don't bother with the taxes. There was so much abuse of this in the EU+UK the limit is now zero.

The only time it should be surprising is when the foreign website isn't paying the taxes, and it also isn't clear it's a foreign site. Generally on cheap crap from China.

There are also import duties in some places like the US that can be a surprise if you don't know where the seller is or how they're shipping: https://en.wikipedia.org/wiki/Customs_duties_in_the_United_S...

I forget the name, but the USPS has a special service shippers at companies like Aliexpress often use to avoid stuff like this when shipping to the US.

It is crazy how much the "paying duties at the border" situation feels like an afterthought for all currier companies. It is almost as if it was not really their design they just tackled it on later.

I wanted to send a present to my brother in an other country using DHL Express. It was impossible to convince them that I would like to pay duties. Not a thing. Can't be done.