Beware of fake email bills – and how the corporates are letting the side down

There are warnings of fake Telstra bills being sent by email.

They look like the real thing. The only clue that they’re not is that the View/Pay Bill button goes to a non-Telstra web site.

The lesson here is: check where the link goes. If it doesn’t go to an address that is clearly on the company’s web site (telstra.com), be suspicious.

…Which is why I’ve been asking South East Water about their email bills.

Those look legit, but the payment link goes to ippayments.com.au — in fact it’s worse — it goes first via a URL forwarder edmconnect.com.au (with a very long path/querystring)

So my simple question to them was: how is anybody meant to know this is legit?

Their response:

That I think shows a misunderstanding of the question.

IPPayments might be super secure (PCI compliant suggests that it is). But how does a punter know that?

They were still clearly not getting my point, so I persisted.

Still completely missing the point.

Okay, try another tack… provide an example of a company doing it properly:

No response. Radio silence.

Perhaps they finally understood; perhaps not.

It’s frustrating, because if you register for their online portal, you can make payments through that. You go to southeastwater.com.au and end up on southeastwater.secure.force.com — which I do recognise — it’s Salesforce.

Ideally they’d use a subdomain. Subdomains allow a company to delegate part of their web site to another one, for instance their online payment gateway.

If they can’t do that, they should direct users to their main web site, and have them click through to the payment gateway from there, so people at least can have some confidence that the web site they enter their credit card into is actually authorised by the organisation.

Paperless billing, using online instead? Great. But with so many scammers out there, corporations really need to make it easy for their customers to know they’re safe.

(Lead photo: Anonymous Hacker, by Brian Clug — Creative Commons. I love a hacker stereotype photo. ‘Cos all hackers wear masks when they’re working, in darkened rooms. I bet those screens are showing fast-scrolling green-screen character interfaces.)

If you enjoyed this post, please consider leaving a comment. You can subscribe via feed reader RSS, or subscribe by email. You can also Follow me on Twitter, or Like the blog on Facebook.

9 Replies to “Beware of fake email bills – and how the corporates are letting the side down”

  1. Well said, I agree 100%. In this day and age of receiving countless fake bill emails (which are very good replicas of the real ones) with payment links, not having a payment gateway as part of the company’s website (direct or subdomain) with https is just lazy and showing a lack of respect for their customer security.

    Their tweeted answer is a non-answer and frankly, I wouldn’t trust ‘ippayments.com.au’ for a payment, they could be anyone.

  2. Hi Daniel, I agree with you that SE Water’s responses are rather pathetic and they could and should do a lot better. Maybe a change back to paper bills posted to you might be a suitable comeback to make them be more reasonable??? I’m ‘old-school’ enough to still insist on paper bills posted to me for water, gas and electricity which I then pay by Bpay via my smartphone, which I still think is a bit safer overall and cuts out dodgy emails. I’m with Telstra and quite often get fake email bills allegedly from them which I know are definitely dodgy as I use direct debit monthly and receive a genuine emailed PDF bill copy from them with info contained which is able to be checked easily. Any fake or suspect emails purporting to be from Telstra get immediately reported to them and also to Scamwatch which is one good thing the Feds do.

  3. We once failed to pay a paper bill for our SE water and received an overdue bill. I called on the telephone. The lass apologised as the bill had been sent to the building next door. SE Water at fault and admitted it and said, our system does not separate the buildings very well. She was totally honest and knew that there were three highrise buildings together. I was then very impressed by SE Water. We do it all online now, and it is seamless, but only using BPay.

  4. Daniel
    great persistence. SE Water did not address your question because they do not have an answer. So pretend to answer it. And they are a monopoly (for your area).
    I am yet to receive any response for a complaint to SE water I made last week.

    PS I’m with Graeme Inglis. Get a paper bill and pay through bank website using Bpay. Never click on a link in an email!

  5. We’re all forked. Billing is hard and requires a proper back-end, and it’s not a good (or secure) idea for every company and utility to replicate this with their own work. But what this means is that even the tech-savvy among us have no idea if xyz.example.co.yz is the actual address of the actual company contracted to handle billing. At best we can decide that it seems right, or seems to be the same as the last one we paid. If it goes wrong we hope for clemency from our bank or provider.

  6. @George, but all they have to do is get a payment gateway company that can set up on a subdomain.

    Lots of online services do this for their status pages, eg https://status.dropbox.com/ is managed by StatusPage.io (Atlassian), but is on a Dropbox subdomain, with a Dropbox certificate.

  7. I have my bills e mailed to me but I always write down the amount and due date and then use BPAY to pay them. I never paid a bill through the link on the bill as BPAY is so easy to use and secure too. I never thought about possibly getting a fake bill but I can see how easily someone could be fooled. Most people are in a regular routine of paying their bills every month or some other regular interval and they probably don’t pay attention to the address in the email link if they pay their bills this way. A scam targeting thousands of people only has to fool a few of them to be successful for the scammers.

  8. I’ve had a problem where a bank I deal with sends me emails which tell me that they want to tell me something important about my account.

    But they don’t tell me what this important news is, in the actual email. They want me to click on some long dodgy url to get it.

    Each time, I call them and ask if they sent they email. The call centre person is unable to tell me, They suggest that I forward the email to their security department. I do this, and never get a response.

Leave a Reply

Your email address will not be published.