Re: Fishy Email from State IRS? [DavHamm]
Quote:
NO LEGIT BUSINESS IS GOING TO ONLY PROVIDE YOU A LINK TO RESOLVE AN ISSUE.

Well, in fairness, this isn't a legit business. It's the government of the State of Minnesota.

Slowguy

(insert pithy phrase here...)
Re: Fishy Email from State IRS? [atkid]
atkid wrote:
I have worked in Cybersecurity. With the limited information provided, this seems like it could be legit. My advice would be to not click the emailed link, but login to the State site directly and check your Inbox for messages.

@Kid

This. x1000.
Re: Fishy Email from State IRS? [40-Tude]
On a tangential topic, I recently noticed that the IRS has outsourced their login credentialing to a 3rd party, ID.me....

Or wait, did I just get scammed ??


Assuming legit, what if ID.me gets hacked? They now have some key bits of personal info.
Re: Fishy Email from State IRS? [ryans]
Anyone can fake a url. I’d call them. I would not click on it
Re: Fishy Email from State IRS? [DavHamm]
DavHamm wrote:
wimsey wrote:
trail wrote:
wimsey wrote:


It's tricky. If it's legitimate, the link is precisely for cyber security reasons. My company's accountants send me emails like the OP's regularly, because they are required to have encryption and other layers of security in place when dealing with third party financial info.


Though I'm always surprised at how companies/government put out emails with legit links to encrypted messaging systems and seemingly go through great efforts to make them look like phishing emails. One I had even warned not to go online to find other links to the service "because of the risk of scams." Right, don't do any due diligence.

As a conspiracy-minded person, I always screenshot and save encrypted messages. Because one downside of most encrypted messaging services is you do not own a copy like with real email. The company/government owns it, and can make it go away if they want. And they may lose it if their retention policy isn't long or they're struck by a cybersecurity attack. Always good to document legal/financial correspondence for yourself.


Agreed. I've worked with our accountants for close to a decade now and I still call them every time to make sure they actually sent me the message w/ link, because my default reaction is 'this just looks scammy.' And for company filings, my business partner and I make sure that we (or our admin) print out a copy of the important communications and stuff it in a physical file.


Sorry, no legit reason to send an unsolicited email with a link. There are better ways.

OK.

I'll take my two decades of experience as a software lawyer elsewhere with my input on this and defer to your expertise.
Re: Fishy Email from State IRS? [ryans]
Could be legit. But. What if it isn't?

To be sure, you'd need to be an expert at these things, and analyze the SMTP headers as well as scrutinize the link URL for unicode obfuscation, redirects, fake domains (minesota.government.gov.notmngov.ru), display name vs actual URL, and some other tricks.

Log into their web site yourself. Don't follow the link.
Re: Fishy Email from State IRS? [wimsey]
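As an added example (not code from any poster in this thread), the script below applies the checks ryans lists to the links in an email body: it pulls each anchor's href and display text out of the HTML, works out the registrable domain (so "minesota.government.gov.notmngov.ru" resolves to "notmngov.ru"), and flags the tricks named in the post: display text pointing at one host while the href goes to another, punycode/non-ASCII hostnames, a trusted name buried in the subdomains of an unrelated domain, a second URL hidden in a redirect parameter, and user@host prefixes. The allowlist of trusted domains, the redirect-parameter names, the three-entry suffix table, and the sample email HTML are all assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed allowlist: the domains the recipient would reach by typing the agency's
# address themselves. Constructed for this example, not taken from the thread.
TRUSTED_DOMAINS = {"state.mn.us", "mn.gov"}

# Query-string keys that commonly carry a second URL (open-redirect pattern).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "target"}

# Tiny stand-in for the Public Suffix List: suffixes that span two labels.
MULTI_LABEL_SUFFIXES = {"mn.us", "co.uk", "com.au"}

# Display text that looks like a URL, with or without a scheme.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.I)


def registrable_domain(host):
    """Domain the operator actually registered: a.b.gov.notmngov.ru -> notmngov.ru."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def analyze_link(href, display_text):
    """Describe one link and list the suspicious traits found in it."""
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    findings = []

    if not host:
        findings.append("no_host")
    if parsed.scheme.lower() != "https":
        findings.append("insecure_scheme")
    # user@host: the part before '@' is not the site you connect to.
    if parsed.username is not None:
        findings.append("userinfo_in_url")
    # Raw non-ASCII or punycode labels: homograph / lookalike territory.
    if any(ord(c) > 127 for c in host) or any(lab.startswith("xn--") for lab in host.split(".")):
        findings.append("idn_or_punycode")

    reg = registrable_domain(host) if host else ""
    if host and reg not in TRUSTED_DOMAINS:
        findings.append("untrusted_domain")
    # A trusted name used as a subdomain of an untrusted registrable domain.
    if any(t in host and reg != t for t in TRUSTED_DOMAINS):
        findings.append("trusted_name_in_subdomain")

    # Display text shows one host while the href goes somewhere else.
    text = display_text.strip()
    if URL_LIKE.match(text):
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if shown != host:
            findings.append("display_mismatch")

    # A second URL tucked into the query string: likely an open redirect.
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in REDIRECT_PARAMS and any(
            v.lower().startswith(("http://", "https://")) for v in values
        ):
            findings.append("embedded_redirect")
            break

    return {"href": href, "text": text, "registrable_domain": reg, "findings": findings}


class _LinkExtractor(HTMLParser):
    """Collect (href, display text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def triage_email(html_body):
    """Analyze every link in an email body; returns one dict per link."""
    extractor = _LinkExtractor()
    extractor.feed(html_body)
    return [analyze_link(href, text) for href, text in extractor.links]


# Constructed sample body: one plausible link followed by four lookalike tricks.
SAMPLE_EMAIL_HTML = """
<p>You have a new secure message. <a href="https://secure.revenue.state.mn.us/inbox">Sign in</a></p>
<p><a href="http://minesota.government.gov.notmngov.ru/login">https://www.revenue.state.mn.us/</a></p>
<p><a href="https://mn.gov.secure-msg.example/r?url=https://evil.example/collect">View message</a></p>
<p><a href="https://xn--mn-gov-2za.example/">mn.gov</a></p>
<p><a href="https://mn.gov@evil.example/login">mn.gov</a></p>
"""

if __name__ == "__main__":
    for result in triage_email(SAMPLE_EMAIL_HTML):
        verdict = ", ".join(result["findings"]) or "ok"
        print(f"{result['href']}\n    registrable: {result['registrable_domain']} -> {verdict}")
```

Two caveats a practitioner would add: the suffix table is a toy (use the Public Suffix List in anything real), and a clean result here only means the link is not obviously forged. It says nothing about whether the sending account or the SMTP path is genuine, which is why the advice in the thread to log in directly rather than follow the link still stands even when every check passes.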
wimsey wrote:

Sorry, no legit reason to send an unsolicited email with a link. There are better ways.


OK.
Quote:
I'll take my two decades of experience as a software lawyer elsewhere with my input on this and defer to your expertise.

I agree on the unsolicited part. IT cybersecurity best practices that treat customers with some respect would be to:

1) Only send a message notification email for a system the user already has an account on. The messaging system account creation should be an independent step from the first actual message. This account setup should detail the important URLs, how the messaging system (if 3rd party) was contractually authorized, and what privacy protections are in place. And it should require 2FA.
2) Don't include any links in a message notification email. Tell the user to log into the system they already know about. If necessary as a reminder, include a link in raw text (vs embedded hyperlink) to the main login for the system.
3) Include a phone # for verification. Have this phone # also be available on a public Web site so it can be at least partially validated as being unlikely to lead to a "phisher" on the other end.
Re: Fishy Email from State IRS? [trail]
trail wrote:
wimsey wrote:


Sorry, no legit reason to send an unsolicited email with a link. There are better ways.


OK.
Quote:

I'll take my two decades of experience as a software lawyer elsewhere with my input on this and defer to your expertise.


I agree on the unsolicited part. IT cybersecurity best practices that treat customers with some respect would be to:

1) Only send a message notification email for a system the user already has an account on. The messaging system account creation should be an independent step from the first actual message. This account setup should detail the important URLs, how the messaging system (if 3rd party) was contractually authorized, and what privacy protections are in place. And it should require 2FA.
2) Don't include any links in a message notification email. Tell the user to log into the system they already know about. If necessary as a reminder, include a link in raw text (vs embedded hyperlink) to the main login for the system.
3) Include a phone # for verification. Have this phone # also be available on a public Web site so it can be at least partially validated as being unlikely to lead to a "phisher" on the other end.

I generally agree with your input.

I would not characterize an email from a state revenue authority as 'unsolicited'. I am mandated by law to have a relationship with the revenue authority where I live, and they are mandated to have a relationship with me. That has been true since I started having a money-generating job.

Communications in today's world are overwhelmingly digital. Most people prefer to have communications be digitally mediated in some form. For sensitive communications, many people would prefer those communications to be wrapped in additional layers of security, and in some cases it's required to happen that way.

Those realities are going to end up requiring some interim steps sometimes. That both provides additional security; provides additional opportunities for bad actors; and makes it more likely that the messages don't get through.

For example, to "include a link in raw text (vs embedded hyperlink) to the main login for the system" - yes, that's good practice. It's also something that suggests the sender doesn't have their act together, may not be tech savvy and/or generally not legit. (How many times have people griped in the LR about other posters not being able to properly post a hyperlink?) It also will almost certainly reduce the engagement with & effectiveness of the initial message if you add in an additional required step for the recipients.

None of that means your 3 steps are inaccurate or not appropriate. But it does mean that DavHamm's all caps declaratory statements that no legit entity should ever do it this way - that's simply not true.

Cyber security is a huge pain in the ass, and communications on important matters can suffer because of that. To state that there's only one right way to do things that both provide meaningful security and also achieve the ultimate purpose is pretty reductive.