Envel Community

? umm hello is anyone out there it's been 6 weeks!



Let’s talk about this issue!!! What is this!! ENVEL! SOMETHING’S WRONG AND U HAVE BEEN IGNORING ME FOR 6 WEEKS

Hey Morgan,

What is the email associated with your account?

Best,
Jacqui

Thank you, our support team is looking into this now.

Best,
Jacqui

As a systems and security guy, I have to point out that it would be nice to have a way to correlate accounts with members of the forum that does not require posting one’s email address. If I were a scammer I’d have a pretty ironclad connection between an individual and an institution where I know they have/had an account and would craft a targeted email/phishing campaign that’s more likely to capitalize on the trust they have with a known entity.

At the very least you could remove/mask any email addresses people post so that bots don’t scrape them and harvest them for spam.

1 Like

Hey there!

You always have the option of messaging me directly. Do you still think this leaves room for scamming?

I can see the email address that someone signed up for this forum with, but that doesn’t always correlate with the email address on your Envel account.

Best,
Jacqui

Yes, the option exists for people to message you directly but many people don’t know how to do that as they are not familiar with this particular forum software. In the exchange above you asked for @Morgan’s email address and she posted it, in response to your query.

Her (presumably) personal email address is now public for any scammer to come grab. Imagine a couple of years down the line when she’s forgotten all about this forum/post and receives a message tailored to Envel users saying something like “Act now before all of the money in your Envel account is lost forever!! click here…”

The issue isn’t about me and my information. I’m secure in my knowledge and practices. I raise the issue because @Morgan complied with your request and as a result is more likely to be targeted by scammers who can correlate her (email address) with an account at Envel. I haven’t checked reddit or the other threads here to see how many other users’ email addresses are publicly available but from the perspective of a scammer: Every email address posted publicly here is a potential victim. There’s no need to send thousands or millions of scam messages using the most popular institutions as bait, hoping that user X has an account at PayPal, Chase, or Citi. Instead one could just suck down all of your web pages, search for a pattern like [[:alphanum:]]+@[[:alphanum:]]+.[[:alphanum:]]{2,4} and have a list of users with a known association with a specific entity. Half of the work is already done for them.

If you have a CISO or even a CTO you should talk to them about the implications of users posting their email accounts linked to their Envel accounts on the public fora you use.
It sits somewhere between sending unencrypted SSNs via email and writing down passwords on a Post-it note attached to your monitor. In both cases the risk to any single instance is relatively low but in aggregate it presents a target too rich to ignore. Like sure some secretary working at some business firm probably won’t be the victim of a teen sneaking a peek at her password when she’s not looking. There were however hordes of teens who did what was called “dumpster diving” to find passwords in the trash of companies in order to gain access to their systems back in the 80’s and 90’s. You have to have specific knowledge to understand why it’s a potential issue and then you have to have experience extrapolating unintended consequences. It’s nuanced but it’s also important to understand. That’s why I raise it.
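
The masking suggested earlier in the thread, seen from the forum operator's side: a filter that replaces posted addresses with a placeholder before a post is published, plus an audit pass that lists already-published posts a moderator still needs to edit. This is an added example, not part of the original thread or of any forum software's own code; the function names, the placeholder text and the sample posts are assumptions constructed for illustration.

```python
import re

# Plain addresses such as "name@example.com". A bare forum mention like
# "@Morgan" has no local part before the "@" and is left untouched.
PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

# Hand-obfuscated addresses such as "name [at] example [dot] com". Brackets
# are required so ordinary sentences containing "at" or "dot" do not match.
OBFUSCATED = re.compile(
    r"[\w.+-]+\s*[\[(]\s*at\s*[\])]\s*[\w-]+"
    r"(?:\s*[\[(]\s*dot\s*[\])]\s*[\w-]+)+",
    re.IGNORECASE,
)

PLACEHOLDER = "[email removed]"  # hypothetical wording, pick your own


def mask_emails(text):
    """Return (masked_text, number_of_addresses_masked)."""
    text, n_plain = PLAIN.subn(PLACEHOLDER, text)
    text, n_obfuscated = OBFUSCATED.subn(PLACEHOLDER, text)
    return text, n_plain + n_obfuscated


def audit_posts(posts):
    """Given {post_id: body} for published posts, return the sorted ids
    whose body still exposes an address and needs a moderator edit."""
    return sorted(pid for pid, body in posts.items() if mask_emails(body)[1])


if __name__ == "__main__":
    # Constructed sample posts; example.org/.net are reserved for documentation.
    published = {
        101: "My email is pat@example.org",
        102: "How do I DM a moderator? Asking @Morgan too.",
        103: "It's sam [at] example [dot] net",
    }
    for pid, body in published.items():
        print(pid, mask_emails(body))
    print("needs moderator edit:", audit_posts(published))
```

Run the filter at submission time so the address never reaches a public page, and run the audit over the existing archive once, since posts published before the filter was installed are the ones already exposed.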

Hey there,

Thank you for this information. I’ve deleted Morgan’s email, and will be more careful to give directions to users on how to direct message me in the future. I do need a way to figure out which user on this forum is correlated to which Envel account in order to better assist them. Would asking for them to DM me their name or phone number on the account be better?

Best,
Jacqui

Yes, probably the easiest thing to do is either make a short video or create a blog entry and refer people to that so you don’t have to type out instructions repeatedly. Whatever you choose, instructing people to DM you would be much better.

1 Like