The Problem?
Companies are frequently asking you to do surveys after you have an interaction with them. Unfortunately, these surveys are usually provided in a way that puts you at risk. How so? Well, you usually receive a link to each survey in an email, and this email is usually sent by a third party, who the company has never mentioned.
When so many companies expect you to trust emails from these unknown third parties, it reinforces the idea that emails from an unknown party should be trusted. This idea that you should trust an email because it references a company you’ve interacted with, perhaps recently, is what puts you at risk.
Malicious emails can easily be sent en masse, or targeted at a person or group, when the threat actor (aka bad guy) believes the person or group has interacted with a specific company recently. People are far more likely to enter their credentials or other private information on a website when they believe they were linked to it by a trusted company. This use of third parties for legitimate emails doesn’t just affect surveys. Companies are using third parties to send other types of emails as well, such as marketing emails.
What should companies do?
First, if a company is going to use a third party service to send you emails, it must tell you the domain name (“thirdparty.com”) that you should expect those emails to come from. It should become standard practice for a company’s website to have a “How we contact you” link, which points to a webpage detailing exactly that.
This way, their customers can verify the legitimacy of emails they receive. Many third parties also have instructions, detailing how a company can authorize them to send emails using the company’s own domain name. However, many companies don’t use this feature.
What should you do?
Don’t click on that survey! Don’t click on links in emails from unknown senders, whether or not they talk about any interaction you’ve had recently. Contact the company or organization, and tell them about your concerns regarding their use of third party email senders. You can send them a link to this posting as well, to make the issue clear. Ask them to add a “How we contact you” page, so that it’s clear where you should expect emails to come from.
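As an added example (not code from the original post), here is a small Python check that applies the “How we contact you” idea from the recipient’s side: given the sender and link domains a company publishes (constructed here, not real), it flags a message whose actual address or survey link falls outside them, even when the display name claims the company.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: what a hypothetical "How we contact you" page would publish.
EXPECTED_SENDER_DOMAINS = {"example.com", "surveys.thirdparty.example"}
EXPECTED_LINK_DOMAINS = {"example.com", "surveys.thirdparty.example"}

# Constructed sample message: the display name claims the company, but the
# real address and the survey link belong to a sender the company never listed.
RAW_MESSAGE = """From: Example Corp Customer Care <care@mail-survey-promo.example>
Return-Path: <bounce@mail-survey-promo.example>
Subject: Tell us about your recent visit
Content-Type: text/plain

Thanks for visiting us yesterday! Please take our short survey:
https://example-corp.mail-survey-promo.example/survey?id=123
"""

def address_domain(header_value):
    """Domain of the actual address in a From/Return-Path header (display name ignored)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def link_domains(body):
    """Hostnames of every http(s) URL found in the message body."""
    hosts = (urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", body))
    return {h.lower() for h in hosts if h}

def check_message(raw, sender_domains, link_domains_ok):
    """Compare real sender domains and link targets against the published lists.
    Returns a list of findings; an empty list means the message is consistent."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for hdr in ("From", "Return-Path"):
        dom = address_domain(msg[hdr])
        if dom not in sender_domains:
            findings.append(f"{hdr} domain {dom!r} is not a published sender domain")
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    for host in sorted(link_domains(body)):
        # A subdomain of a published domain counts as consistent (e.g. survey.example.com).
        if not any(host == d or host.endswith("." + d) for d in link_domains_ok):
            findings.append(f"link points to {host!r}, outside the published domains")
    return findings

if __name__ == "__main__":
    for finding in check_message(RAW_MESSAGE, EXPECTED_SENDER_DOMAINS, EXPECTED_LINK_DOMAINS):
        print("WARNING:", finding)
```

Without a published list there is nothing to compare against, which is exactly why the page above is worth asking for.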
Conclusion
No matter the source, you should always be vigilant when opening emails, clicking links in them, or opening attachments. Pay attention to the domain name and content. Don’t be shy about contacting the sender directly, if you’re unsure.
As in the real world, the online world can be a dangerous place if you’re not careful. The companies and organizations we interact with every day need to do a better job of not being a part of the problem. Some of them just need a bit of prodding.