Monzo Phishing Attempt...?


(Alexander) #1

I think I’ve just had my first Monzo based phishing attempt. I received an email to my non-Monzo email address:

Hello,

I noticed you have signed up for a Monzo card previously, but have not got your card yet.

Here are three reasons why we think you should get your Monzo card today:

fee-free travel abroad
real-time notifications when you spend
nifty budget breakdowns

Simply download and log into the Monzo app, make your first top-up and your card will then arrive in the next 1 to 2 business days.

Go to Monzo on your phone (iOS)
Go to Monzo on your phone (Android)

You may also want to read our customer reviews on Facebook.

If you have already got your Monzo card, please ignore this email.

Thank you,
Sunny and the Monzo Team

It came from Sunny Yu hello@monzoemail.com. All the links on the page direct to monzo.us10.list-manage1.com. I’m 95% sure that it’s a phishing attempt. It’s completely unbranded. Is it worth forwarding it to support or somewhere else?


(Sy) #2

if you do forward it…don’t just forward the text but also the headers


(Sy) #3

As Sunny is a member of the Monzo group on this community I assume he is staff

https://community.monzo.com/u/sunny/summary


(Sy) #4

Maybe you originally expressed an interest more than once, under different email addresses, and that is how they got your other email?


#5

I don’t think this was a phishing attempt. I got this as well and assumed they had made a mistake because I had bypassed part of the onboarding process as I already had a card to activate it with, rather than needing one delivered. Did you bypass that bit too?


(Caspar Aremi) #6

xxx.usxx.list-manage1.com are links from mailchimp emails - they redirect you (so they can track which links in an email people click on). So I think it’s legit. Maybe sent by mistake? I’ve seen a bunch of people post screenshots of these emails this morning




(Alexander) #7

Ahhh, fair enough. Having taken the plunge and clicked on the links they do look legitimate. Although it did have valid DKIM and SPF authentication in the headers; I probably should have checked those first. I would give the marketing team a kick because it’s an unbranded email with links to a non-Monzo domain name, and the address it came from hello@monzoemail.com looks slightly dubious as well. Given the rage on Twitter it appears I’m not the only person who thought this!


(Danny) #8

@monzoemail.com is a legit domain

If you have had any marketing E-Mails they come from that domain


(Alexander) #9

Yup, it appears that is the case, although I unsubscribed from marketing emails so I don’t see it that often. :wink:

In my defence this unbranded email came from “Sunny Yu” whereas all the previous marketing emails came from “Monzo” and were branded.


(Alex Sherwood) #10



Image from tweet.


(Simon B) #11

Definitely not a phishing attempt, Sunny is a member of our marketing team and monzoemail.com is one of our domains :+1:


(Alexander) #12

Just pointing out that the From: address in an email can be set to anything. If I was sending a phishing email from Google it would definitely be from Larry Page or Sergey Brin.


(Sunny Yu) #13

Hi Alex!

I can confirm with you this email is not a phishing attempt.

I would like to point out that the following do not increase or decrease the chance that the email is a phishing communication:

  • Whether the email comes from a person or an organisation
  • Whether it is a plain-text email or in the format of HTML

We acknowledge there are emails sent to users who have already got a card. There are various reasons causing this, one of the major ones being the users signing up with multiple email addresses. In this case we often encourage the users to unsubscribe us at the email addresses their card is not linked to.

Hope that makes sense!
Sunny


(knows someone who knows Tom quite well) #14

I’d be suspicious of that email address - why do companies create new domains to send things from? How are we supposed to know it’s legit?

I could create a variety of domains with monzo in them, how would anybody know they weren’t legit?


(Marta) #15

That’s in no relation to ‘why Monzo’, but I know a little about ‘why’ more than one domain is commonly used. It’s partially about the sender’s IP reputation and a bit about technical setup. It’s safer to use 2 different domains:

  • one for marketing. Comms in this category often cause a slow degradation or generally poor performance of emails. Lower volumes of opens and clicks are observed/scored - if Gmail for example realises that stuff is bad, they vanish emails completely. It’s often the first email sent to an account, so scrutiny is even harder.

  • one for serious stuff like magical links to login. They have very good open rates and click rates.

If you send from one domain… you risk tainting reputation, causing serious emails not to be delivered due to marketing emails. I’ve had this problem in my company, password reset emails were totally s**tlisted by AOL and no magic could make this go away.

Monzo appears to use @monzo.com for personal work emails (keeping reputation), while getmondo.co.uk and monzoemail.com are used for marketing, as well as magical login links. Monzo seems to go quite light on marketing, so reputation (in the context of users always receiving login links - quite essential stuff) seems not to be a concern.

Also - the setup for a specific company. Some emails are sent from the backend, some are sent from ESPs, like Dotmailer, Mailchimp or Pure360. For an ESP, you have to point NS records for their servers to go through SPF checks fine. This is done to help Gmail - as an example - verify that IP xx.xx.xxx.xx is okay to use the YZC.com domain. This is the mechanic that flags emails from bill@microsoft.com as spam, because they were not sent from an IP allowed to use the microsoft.com domain.

Now, why 2 totally different domains? Sub-domains inherit/share reputation cumulatively under the top-level domain. The rules are a bit magical and no one ever explained to me if we know anything solid… but it somewhat makes sense that subdomains contribute to the top domain’s reputation, otherwise companies sending could just switch to a new subdomain to deliver spam successfully.

Moving to a new domain isn’t easy either! In my company we did controlled sends to 100, 200, 300, 500, 1000, (keep increasing) users a day, just to reach capacity to send a full blast to 500,000 users. And even that was throttled and we had some hiccups along the way.

End! Let’s say I had a few marketing or ESP related integrations behind me. Left me a bit traumatised. :smiley:


It would be nice if Monzo had all eligible emails in FAQ somewhere, under ‘I received an email from X, is it genuine?’.
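The SPF mechanic Marta describes above (and the "should have checked SPF first" point from #7), as an added example that is not from the thread: a simplified SPF evaluator that decides whether a sending IP is authorised to use a domain, resolving `ip4`/`ip6`, `include` (the usual way an ESP's servers get authorised) and the catch-all `all`. It uses a constructed in-memory DNS table with hypothetical domains and documentation-range IPs instead of real DNS lookups.

```python
"""Simplified SPF check: is this sending IP allowed to send as this domain?

Added example, not from the thread. DNS lookups are replaced by a constructed
table so it runs offline; domains and IPs below are hypothetical placeholders.
"""
import ipaddress

# Constructed TXT records: a bank-style domain that delegates to an ESP via
# include:, the ESP's own record, and a domain that publishes no SPF at all.
DNS_TXT = {
    "example-bank.com": "v=spf1 ip4:192.0.2.0/24 include:esp.example.net -all",
    "esp.example.net": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 ~all",
    "no-spf.example.org": "",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":               # catch-all: applies to every remaining IP
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            # 'in' is False for mismatched IP versions, so ip6 terms never match v4.
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include matches only when the referenced domain's policy says pass
            sub = check_spf(ip, term[8:], dns, depth + 1)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":
                return QUALIFIERS[qual]
        # a, mx, exists, ptr and macros are not implemented in this toy evaluator
    return "neutral"                    # record ended without an all term
```

A result of `none` (no record published) is the case that lets anyone send as the domain, which is why a separate marketing domain still needs its own SPF record covering the ESP.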


(Jonathon) #16

Hmm. I appreciate it’s not a scam but I would have thought a little more branding would have gone a long way here to make it look more official and real.


#17

So unprofessional, with a dodgy looking domain, no pictures and pretty much zero formatting. I genuinely thought I was being phished!

I left Monzo by closing my account a while back and joined Starling. I do not wish to be contacted again and never approved marketing messages.


(Alex Sherwood) #18

Thanks for sharing your concerns Thom, I’ll take some comfort in the fact that you only commented on this post because it was linked to from another community & not when you ‘received’ the email.


#19

No I wouldn’t. I think it shows how little I actually care about the product now that I didn’t bother reporting it at the time I received it; but bothered only when I had an easy link to post that as an ex user I received an email. Something Monzo may not have been aware of? Also implying I never received the email is a petty thing to imply! I’m saddened to ACTUAL tears that you even suggested that in passing. :cry: I work six and sometimes seven day weeks at long hours. I can’t remember or report every email I get, the thread nudged my memory.

Carry on playing at being Monzo staff when you clearly aren’t and leave your wise cracks and sarcastic tone for someone who actually cares and will rise to the bait.

I was ready to let bygones be bygones but you had to have a little dig. You and a few others were one of the main reasons I ditched Monzo as I couldn’t even talk rationally here without having someone jump down my throat.

I wouldn’t bother replying as I won’t read it and know I won’t be able to get you to see how badly you have Monzo fanboyism.

Yes I’m using Starling now after being with a legacy bank for a time after Monzo and it too has its faults, as any new software does. I personally like Monzo and it does some stuff better than Starling and Starling does others better than Monzo. However I can talk about them on their forum without feeling personally attacked and having words thrust in my mouth or used against me.

I feel constricted here and not at all comfortable or welcomed and that this is not a good place to be. I just spoke rationally in the past and said things how I saw them, I wasn’t even rude and stuck to facts! I will and did freely admit if I was wrong or read something incorrectly. I find that it coming to this is really sad. See you Monzo as this will be the last time I visit this community.


(Rika Raybould) #20

I think we can leave this one here. We’re fully aware that this email has caused a lot of concern and are discussing internally how to improve both the emails and our sending of them going forward.

You are free to unsubscribe from them and we will make sure you don’t receive anything similar again.