There are warnings of fake Telstra bills being sent by email.
They look like the real thing. The only clue that they’re not is that the View/Pay Bill button goes to a non-Telstra web site.
The lesson here is: check where the link goes. If it doesn’t go to an address that is clearly on the company’s web site (telstra.com), be suspicious.
…Which is why I’ve been asking South East Water about their email bills.
Those look legit, but the payment link goes to ippayments.com.au. In fact it’s worse: it goes first via a URL forwarder, edmconnect.com.au (with a very long path/querystring), before landing there.
So my simple question to them was: how is anybody meant to know this is legit?
Utility companies would help security by hosting their online payment gateways on their actual domain (or a subdomain).
My @southeastwater email bill wants me to pay on a web site https://t.co/dX1YhKhnVH – how would I know if that's genuine?— Daniel Bowen (@danielbowen) April 25, 2018
Their response:
Hi Daniel, it's important to us to provide our customers with a secure payment gateway to pay bills & keep information safe. IPPayments is an accredited, PCI compliant payment site that specialises in taking payments. You can rest assured that it is a secure payment gateway.
— South East Water Aus (@southeastwater) April 27, 2018
That I think shows a misunderstanding of the question.
IPPayments might be super secure (PCI compliant suggests that it is). But how does a punter know that?
Thank you for the reassurance, but how is the average person meant to know that?
One of the signs of a scam email is that it appears to be from a reputable company (like SEWL) but links to a different one.
Any reason you can't host your payment gateway on your domain?— Daniel Bowen (@danielbowen) April 27, 2018
We use a globally recognised partner with a proven reputation for secure payment processing transactions, to transparently demonstrate the necessary levels of assurance for information security (confidentiality, integrity and availability) for government compliance requirements
— South East Water Aus (@southeastwater) May 1, 2018
We also engage with multiple other secure payment channels and agencies (as listed on our bills) so our customers can choose how they pay their bills. Thanks for your questions and patience in us getting back to you.
— South East Water Aus (@southeastwater) May 1, 2018
They were still clearly not getting my point, so I persisted.
Thanks for responding, but that doesn't really answer my question.
How do I, as a customer, know that a link in an email to "https://t.co/p5k7tWRsxO)", which then forwards to "https://t.co/da5hxmXaIX", is legit? Neither of these addresses are listed on the paper bill.— Daniel Bowen (@danielbowen) May 2, 2018
Hi Daniel, we take security very seriously and as mentioned use secure, accredited and reputable payment channels so our customers can rest assured that the links take them to a secure payment page.
— South East Water Aus (@southeastwater) May 2, 2018
Still completely missing the point.
Okay, try another tack… provide an example of a company doing it properly:
Thank you for the responses, but you still are not answering my question.
In contrast, an email bill from Optus links to a payment gateway on an https://t.co/llk4FelSqg domain. Can I suggest you review and see if you can do the same.— Daniel Bowen (@danielbowen) May 5, 2018
No response. Radio silence.
Perhaps they finally understood; perhaps not.
It’s frustrating, because if you register for their online portal, you can make payments through that. You go to southeastwater.com.au and end up on southeastwater.secure.force.com — which I do recognise — it’s Salesforce.
Ideally they’d use a subdomain. Subdomains let a company delegate part of its web site (for instance its online payment gateway) to another provider while keeping it under the company’s own domain name.
If they can’t do that, they should direct users to their main web site, and have them click through to the payment gateway from there, so people at least can have some confidence that the web site they enter their credit card into is actually authorised by the organisation.
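A checker for the rule the post keeps coming back to (is every hop of a bill link on the company’s own domain or a subdomain of it?), added here as an example and not code from the original post. The URLs and paths in it are constructed placeholders, and obtaining the list of forwarder hops (by following the redirects) is assumed to be done beforehand with whatever tool you use.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Hostname of an http(s) URL, lowercased, with any userinfo and port stripped.

    urlsplit().hostname already drops 'user@' and ':port', so a link written as
    https://telstra.com@evil.example/ resolves to evil.example, not telstra.com.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname.rstrip(".")


def on_company_domain(url: str, company_domain: str) -> bool:
    """True only if the link's host is company_domain or a subdomain of it.

    The comparison is on a label boundary, so secure.optus.com.au matches
    optus.com.au, but telstra.com.evil.example and nottelstra.com do not
    match telstra.com.
    """
    host = host_of(url)
    company = company_domain.lower().rstrip(".")
    return host == company or host.endswith("." + company)


def vet_chain(hops, company_domain):
    """Check every URL a bill link passes through, forwarders included.

    `hops` is the ordered list of URLs (the link in the email, then each
    redirect target, resolved beforehand). Returns (True, None) if every hop
    stays on the company's domain, else (False, first offending host).
    """
    for url in hops:
        if not on_company_domain(url, company_domain):
            return False, host_of(url)
    return True, None


if __name__ == "__main__":
    # Constructed chain modelled on the bill described above: a forwarder,
    # then a third-party gateway; the paths are placeholders, not real ones.
    sew_chain = ["https://edmconnect.com.au/forward?id=PLACEHOLDER",
                 "https://ippayments.com.au/pay?ref=PLACEHOLDER"]
    print(vet_chain(sew_chain, "southeastwater.com.au"))   # (False, 'edmconnect.com.au')
    # The subdomain pattern from the Optus update (constructed URL).
    print(vet_chain(["https://secure.optus.com.au/pay"], "optus.com.au"))  # (True, None)
```

A pass here only means the link stays on the domain printed on the bill; it says nothing about the page itself, so the TLS certificate and the site still need to be checked as usual.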
Paperless billing, using online instead? Great. But with so many scammers out there, corporations really need to make it easy for their customers to know they’re safe.
(Lead photo: Anonymous Hacker, by Brian Clug — Creative Commons. I love a hacker stereotype photo. ‘Cos all hackers wear masks when they’re working, in darkened rooms. I bet those screens are showing fast-scrolling green-screen character interfaces.)
Update 11/6/2018: I noticed that Optus also use IPPayments, the same payment gateway as South East Water, but Optus uses a “secure.optus.com.au” subdomain.
10 replies on “Beware of fake email bills – and how the corporates are letting the side down”
Well said, I agree 100%. In this day and age of receiving countless fake bill emails (which are very good replicas of the real ones) with payment links, not having a payment gateway as part of the company’s website (direct or subdomain) with https is just lazy and showing a lack of respect for their customer security.
Their tweeted answer is a non-answer and frankly, I wouldn’t trust ‘ippayments.com.au’ for a payment, they could be anyone.
Hi Daniel, I agree with you that SE Water’s responses are rather pathetic and they could and should do a lot better. Maybe a change back to paper bills posted to you might be a suitable comeback to make them be more reasonable??? I’m ‘old-school’ enough to still insist on paper bills posted to me for water, gas and electricity which I then pay by Bpay via my smartphone, which I still think is a bit safer overall and cuts out dodgy emails. I’m with Telstra and quite often get fake email bills allegedly from them which I know are definitely dodgy as I use direct debit monthly and receive a genuine emailed PDF bill copy from them with info contained which is able to be checked easily. Any fake or suspect emails purporting to be from Telstra get immediately reported to them and also to Scamwatch which is one good thing the Feds do.
We once failed to pay a paper bill for our SE water and received an overdue bill. I called on the telephone. The lass apologised as the bill had been sent to the building next door. SE Water at fault and admitted it and said, our system does not separate the buildings very well. She was totally honest and knew that there were three highrise buildings together. I was then very impressed by SE Water. We do it all online now, and it is seamless, but only using BPay.
Daniel
great persistence. SE Water did not address your question because they do not have an answer. So they pretend to answer it. And they are a monopoly (for your area).
I am yet to receive any response for a complaint to SE water I made last week.
PS I’m with Graeme Inglis. Get a paper bill and pay through bank website using Bpay. Never click on a link in an email!
We’re all forked. Billing is hard and requires a proper back-end, and it’s not a good (or secure) idea for every company and utility to replicate this with their own work. But what this means is that even the tech-savvy among us have no idea if xyz.example.co.yz is the actual address of the actual company contracted to handle billing. At best we can decide that it seems right, or seems to be the same as the last one we paid. If it goes wrong we hope for clemency from our bank or provider.
@George, but all they have to do is get a payment gateway company that can set up on a subdomain.
Lots of online services do this for their status pages, eg https://status.dropbox.com/ is managed by StatusPage.io (Atlassian), but is on a Dropbox subdomain, with a Dropbox certificate.
I have my bills emailed to me but I always write down the amount and due date and then use BPAY to pay them. I have never paid a bill through the link on the bill as BPAY is so easy to use and secure too. I never thought about possibly getting a fake bill but I can see how easily someone could be fooled. Most people are in a regular routine of paying their bills every month or some other regular interval and they probably don’t pay attention to the address in the email link if they pay their bills this way. A scam targeting thousands of people only has to fool a few of them to be successful for the scammers.
Good on you for calling them out.
I’d never pay a bill through a payment link. BPAY for me.
I’ve had a problem where a bank I deal with sends me emails which tell me that they want to tell me something important about my account.
But they don’t tell me what this important news is, in the actual email. They want me to click on some long dodgy url to get it.
Each time, I call them and ask if they sent the email. The call centre person is unable to tell me. They suggest that I forward the email to their security department. I do this, and never get a response.
You can get electronic bills via BPay and your Internet banking – that’s what I do with our gas, water (City West) and council rates. Paid via BPay, not the organisation directly. Not sure why Maribyrnong council can’t do that with pet registration – they use the Australian Post payment mechanism as their third party, which I find annoying because you can’t schedule a payment. And Maribyrnong council got really shirty a few years ago and went straight to issuing fines when pet registration wasn’t paid on time.