EXTREME HEADS UP

I just got phished on my 1Password account from an email talking about unconfirmed users. Clicked a link to:

httpx://mkt-lnk.1password.co/n/

And it's on a Family Account that's managed by my wife who's currently in Kuwait.

FUCK!

/cc @1password

Thanks FedEx, This is Why we Keep Getting Phished

I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. Just as a brief reminder, they look like this: These get through all the technical controls that exist at my telco and

Troy Hunt

So the “phishing link” with the .co domain was a valid link and documented as such:

https://support.1password.com/email-domains/

But I still find it inexcusable.

That link caused 30 minutes of complete panic. I know enough about how phishing works to know how absolutely fucked I'd be if that link hadn’t just been to track my click in the email.

I am just now starting to recover from the episode.

1Password email and marketing domains

Learn which domains 1Password uses to send emails and what links are used for marketing, so you can validate messages you receive and make sure they're not marked as spam.

1Password

@chockenberry Craig, if the 1Password logo had shown up in Mail.app or your client of choice — BIMI standard used by Apple, Visa, Wise, etc. — would you have felt better?

I got an email the other day that *for sure* was a scam, but the “Verified Logo” (the term used in Mail.app) built trust.

@chockenberry Actually that raises the question:…

@1password Why doesn’t 1password.com (and your other domains) have BIMI set for a “Verified Logo”? https://support.apple.com/108340 & https://easydmarc.com/tools/domain-scanner?domain=1password.com

About BIMI support in Apple Mail - Apple Support

Email messages with brand logos have been digitally certified. This means that the sender has met strong security and authentication requirements.

Apple Support