Strange email

JoeCrystal

When I sent a question to Scottish Widows concerning some details. I was surprised to get an email from Scottish Widows today asking me to open html document.

I am wondering if it is a phishing attempt or honest email from Scottish Widows Better to be safe than sorry. I do know that it request my name and new passwords when I clicked on it and went one link further.

Here is the screen-shot.

Cheers

Joe

bengalknights

Its look legit but check the link it directs to ifs it scottishwidows site with relevant security signs etc then it is and if it leads to scottishwindows etc then you know it isnt.

dunstonh

The use of encrypted emails is increasingly common. Many financial services firms are using unipass securemail (white labelled version of trend micros private post). Some are using their own versions.

As you have to create the username and password and no personal information is requested from you shouldnt have any concerns.

JoeCrystal

Well, I tried it and the message is indeed what I have been waiting for. Thanks folks! Everything is fine.

middlepuss

Glad it was genuine.

But how long will it be before some crook somewhere makes a convincing copy of emails like this to catch the unwary?

The more that companies like Scottish Widows transact business in this way the easier it is for the scammers.

dunstonh

middlepuss wrote: »

Glad it was genuine.

But how long will it be before some crook somewhere makes a convincing copy of emails like this to catch the unwary?

The more that companies like Scottish Widows transact business in this way the easier it is for the scammers.

Sorry, I dont understand how it makes it easier. The encryption company dont hold any personal information. Just a username and password which you create to be able to use with that and future encrypted emails which is also linked to your email address. All that does is encrypt/decrypt the contents to send between yourself and the other party.

The content of the email is only what the other party puts in it. So, in that respect its no different to any email you receive.

The whole point of encrypted emails is to make sure the data cannot be read as it passes through the multiple servers of third parties. Not to stop a person sending an email with a message about Viagra and some Nigerian prince wanting to send you millions.

jamesd

That's a lousy thing for Scottish Widows to be doing, training their customers to take actions that expose them to exploits. Never click on a link in an email. the sender is unknown (easy to forge) and you can mask the site the link takes you to if you're viewing in HTML form. A HTML attachment is even worse because it may open in a less secure web browser security zone than an email body.

The problem is that to get the message you have to view the source of the email to check what site the links go to so that you can be sure they are going to take you to a SW web site. If you don't do that then any random spammer can compromise your computer by sending you to a site that uses one of the exploits your browser is vulnerable to.

Joe, if there's no other way to get communication from them I suggest that you switch to a pension provider that takes security more seriously. If you must read this stuff the safer way to view it is to look at the message source. then you can see where the link is really taking you to. If they obscure that using some encoding then contact hem again and ask for them to communicate you in some secure way instead of this one.

Dunstonh, this is a flaw that risks compromising everything on your computer, not just the contents of one email.

middlepuss

dunstonh wrote: »

Sorry, I dont understand how it makes it easier.

I can't put it better than jamesd:

"That's a lousy thing for Scottish Widows to be doing, training their customers to take actions that expose them to exploits."

dunstonh

Sorry. I don't see the issues.

Scottish Widows have no choice. We all have to have encrypted email services now. Any firm without encrypted email provision is running the risk of being fined by the FSA. You can opt out if you want but I dont see what your problems with security are.

jem16

jamesd wrote: »

The problem is that to get the message you have to view the source of the email to check what site the links go to so that you can be sure they are going to take you to a SW web site. If you don't do that then any random spammer can compromise your computer by sending you to a site that uses one of the exploits your browser is vulnerable to.

It doesn't take you to a SW website. It takes you to the website of the company providing the encryption. That opens up with the normal https and padlock in the address bar of a secure site. You are then asked if you have received this email or sent the email - it also gives the email address of the sender.

From that screen you are taken to another secure website which asks you to fill in several pieces of info to confirm who you are. It also gives the piece of memorable information you chose so you can tell it's legitimate

This is all assuming you choose the web portal to view the email. If it's regular communication between a company or IFA you can choose to use Outlook and install the plugin which will decrypt the message once you enter your password.

I can see why you might be suspicious initially but having used the system I prefer to have the encrypted emails.

middlepuss

dunstonh wrote: »

Sorry. I don't see the issues.

Scottish Widows have no choice. We all have to have encrypted email services now. Any firm without encrypted email provision is running the risk of being fined by the FSA. You can opt out if you want but I dont see what your problems with security are.

If no bank ever sent an email to its customers you'd know for certain that any email purporting to come from your bank was fraudulent.

If banks all start sending emails to their customers with "click here" links, any scammer can copy the email - but the link takes you to the scammer's website and in goes your password...

Yes, I know and you know to look for padlocks, https, encryption etc etc etc, but an awful lot of folk out there don't.