1Password.co Tracking Links
PSA: 1Password uses “1Password.co” for email links — instead of their usual “1Password.com” domain.
So the “phishing link” with the .co domain was a valid link and documented as such.
But I still find it inexcusable.
That link caused 30 minutes of complete panic. I know enough about how phishing works to know how absolutely fucked I’d be if that link hadn’t just been to track my click in the email.
Which brings up another question: why is a company I pay to protect my private information using tracking links in the emails it sends me?
Craig isn’t an idiot; it 100% feels like phishing. If you ask me, tracking link clicks and opens in emails is simply not worth the potential freak-out when you think you’ve been phished[…]
Another way of looking at this: [it’s] best practice to use a different domain for stuff like this. If the marketing tool gets compromised, you don’t want it to have the ability to send actual phishing domains on the real domain. You’ll see it with other stuff, like Microsoft logins being on “microsoftonline.com”. I agree it does mean you do some double takes.
best practice is using subdomains and not cousin domains.
What makes this situation so ridiculous is that while we’re all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like “here, hold my beer” as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.
Previously:
2 Comments RSS · Twitter · Mastodon
I realize that I'm old-school, but I still find it perplexing that reputable companies choose to use Colombian domains for anything at all.
> If the marketing tool gets compromised, you don’t want it to have the ability to send actual phishing domains on the real domain.
But it now is a real domain, and people are used to clicking on links on it. So it wouldn’t mitigate anything.
Time to start 1domain