Closed Bug 1647741 Opened 5 years ago Closed 5 years ago

Beware of phishing attacks: Mozilla will never ask you to call a number or visit a non-Mozilla website. Please ignore such requests.

Categories

(support.mozilla.org :: General, defect)

Product:
support.mozilla.org
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: FredMcD, Assigned: leo)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0

Expected results:

Please change that message to read:
Beware of phishing attacks: Mozilla will never ask you to call any 'support' number.
This is the official Mozilla support website. Please ignore such requests.

Component: Untriaged → General
Product: Firefox → support.mozilla.org
Version: 54 Branch → unspecified

Changing that message has been requested by me and others in the contributors forum. For example:
https://support.mozilla.org/en-US/forums/contributors/714221?page=3#post-78801
(quote) I said before that the current forum banner [1] (and email message [2])
<snip> ... should be changed to something like,
Beware of phishing attacks: We will not ask you to call a phone number or visit a non-Mozilla website for help with Mozilla products. Please ignore such requests. [Learn More]
<snip>
[1] https://github.com/mozilla/kitsune/pull/4418 add phishing banner
[2] https://github.com/mozilla/kitsune/pull/4421 add scam banner to email

Status: UNCONFIRMED → NEW
Ever confirmed: true

My message may be better as there are times we post links to other trusted support sites.
Search results for example.

It's a little complicated explaining what is a Mozilla site due to users not being very clear about the relationship between Mozilla, Firefox, Thunderbird, etc. And occasionally I point users to content Mozilla manages under another domain such as

Of course, I also link to threads on Reddit and mozillaZine, Malwarebytes, or search engine results, and my own Firefox-related pages like https://www.userchrome.org/ and https://www.jeffersonscher.com/ffu/scrounger.html .

Also, many users may not know how to read a URL to understand whether having the word mozilla or firefox in it indicates who operates the site.

Nevertheless, I think a simple general warning about non-Mozilla sites probably remains best, and if the user continues to engage with the community they then can make their own judgment about whether to trust a particular poster's recommendation to visit an external link.

Perhaps we could create a KB article with links to good community resources to cover the more common cases. Perhaps we already have that article?

(In reply to jscher2000 from comment #3)

Nevertheless, I think a simple general warning about non-Mozilla sites probably remains best, and if the user continues to engage with the community they then can make their own judgment about whether to trust a particular poster's recommendation to visit an external link.

Perhaps we could create a KB article with links to good community resources to cover the more common cases. Perhaps we already have that article?

What we should make clear is that we don't provide a phone number or link to a different website in reply to a support request. The warning message now includes a [Learn More] link to the Mozilla Support "Avoid and report Mozilla tech support scams" article, which currently says this under Protect yourself from scams:
(quote)
*Visit the official Mozilla Support site (https://support.mozilla.org) or other recognized resources for all technical support issues. There are no other Mozilla-endorsed technical support companies.

The "other recognized resources" link was added based on bug 1175997. The linked Get community support article includes an "Additional resources" section, which currently links to the Reddit and mozillaZine forums. We could add more links to that article.

Thanks for reporting this. I agree that the copy needs to be changed. We should keep it simple and err on the safe side by keeping the warning general, as Jscher suggested, and go with Alice's suggestion to add more recognized sources to that linked article.

Here's my suggested copy. What do you think?

"Avoid scamming attempts. Mozilla will never ask for phone calls or link to unendorsed sites. Please visit only Mozilla-approved sources."

I changed to it to the more general "never ask for phone calls" in case scammers start asking users for their phone numbers and called it "unendorsed site" to invite the user to learn more about what those are.

(In reply to Joni Chan from comment #5)

Here's my suggested copy. What do you think?

"Avoid scamming attempts. Mozilla will never ask for phone calls or link to unendorsed sites. Please visit only Mozilla-approved sources."

I would change Mozilla will never ask to We will never ask. The phone numbers or links posted on the support forum are replies by people who may or may not claim to represent Mozilla. For example, see this reply posted by user jims9021 in this support thread:
https://support.mozilla.org/en-US/questions/1291710
(quote)
Hi
Restart your browser after installing it.
or for more help click ---- >> here

(from comment #6)

(In reply to Joni Chan from comment #5)

Here's my suggested copy. What do you think?

"Avoid scamming attempts. Mozilla will never ask for phone calls or link to unendorsed sites. Please visit only Mozilla-approved sources."

I would change Mozilla will never ask to We will never ask. The phone numbers or links posted on the support forum are replies by people who may or may not claim to represent Mozilla. For example, see this reply posted by user jims9021 in this support thread:
https://support.mozilla.org/en-US/questions/1291710
(quote)
Hi
Restart your browser after installing it.
or for more help click ---- >> here

The part about never linking to unendorsed sites still bothers me, since the issue is linking to other sites for Mozilla support. We often link to other websites (for example, for operating system help) and we can't list them all in the Get community support article.

If you don't care for my proposed copy in comment 1 here's another suggestion:
Avoid support scams. We do not provide support by telephone and won't ask you to visit unendorsed websites for help with Mozilla products. [Learn more]

I would suggest showing a link to the approved websites list.

The [Learn more] article links to https://support.mozilla.org/kb/get-community-support but we could add this to the end of the banner, if Joni thinks its needed:

Please visit only recognized support resources.

@Joni: Are you still planning on updating the banner text or are you just waiting for more feedback?

Flags: needinfo?(jsavage)

Alice and Fred, thank you for the feedback. I still need to talk to our platform team about this so we can figure out any character limits and timing. I plan to do that this week.

Flags: needinfo?(jsavage)

I thought the Learn More button already linked to the endorsed sites, but I was wrong. We could link to the endorsed sites in the copy if there's space.

I'm concerned about this 'list' of endorsed links because the list could be huge and people just do not read massive lists, just like people do not bother reading T's & 'C's. It is almost a fultile expectation and is over complicating the situation. You can only ask people to be aware and take appropriate advise.

In addition to the current list, I may include links to :
any company that offers server settings.
any help forum that concerns a specific OS.
down right now websites for server issues.
microsoft, google, yahoo etc forums and help pages where advise is relevant.
etc.

I do not think listing all potential good endorsed links is the way forward.

I think it would be more helpful if the list was about endorsed products eg: Addons as some are paid for and all would probably like donations. Donations to Thunderbird and Firefox (as separate). Links to official downloads which potentially could include portable Thunderbird.

A suggestion for Forum Message banner:
This is a public forum. We are taking measures to remove scamming attempts, so short delays in posting comments may be experienced.
Beware : We advise you do not respond to any comment or link that suggests you contact a phone number or asks for payment for help or is advertising a product not endorsed - see link for list of endorsed products. You do so at your own risk.

(suggested by philipp)
https://support.mozilla.org/en-US/forums/contributors/714221?page=6#post-79014 [Feedback needed] Spam and scam prevention
now that the scam wave is curtailed and all published links get vetted (or come from vetted users) I'd say we can also do away with the banners.

So as it is being vetted do you not think it is worth telling people. It might put would be scammers off knowing comments are not auto shown.

This is a public forum. We are taking measures to remove scamming attempts, so short delays in posting comments may be experienced.

We're updating the banner to ask people not to call phone numbers or provide personal information but we don't have to worry about links anymore, as mentioned in comment #4. We're still working on the language and will post it here.

We would also update the https://support.mozilla.org/kb/get-community-support article to state that links are vetted by moderators as safe.

Here's the updated copy:

"Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

[Learn more] button"

The Learn More button will link to the same "Avoid tech support scams" article.

Need info'ing Madalina for the next steps.

Flags: needinfo?(mana)
Assignee: nobody → lmcardle
Status: NEW → ASSIGNED
Flags: needinfo?(mana)

Will that line include something like....Or pay for services ?

Please see my last post here :
https://support.mozilla.org/en-US/forums/contributors/714221?last=79139&page=6#post-79139

Users' posts still being vetted often results in their posts not showing up for an hour or longer.
Showing (the rectified) banner should suffice, although I'm convinced that the scammers gang will have found a new target by now and moved on.
Let's please get the support forum back to normal.

In my case, often the comments never even come through as emails. Many do but not all.

(In reply to Joni Chan from comment #17)

Here's the updated copy:

"Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

The support forum now shows the updated message. As far as I'm concerned, this bug is resolved.

(In reply to McCoy from comment #19)

Users' posts still being vetted often results in their posts not showing up for an hour or longer.

(In reply to Anje from comment #20)

In my case, often the comments never even come through as emails. Many do but not all.

These are separate issues.

Posts being held for moderation do not appear in the forum thread and no email notification is sent (only moderators can see the posts, which are flagged as "spam"). This is by design - see https://github.com/mozilla/sumo-project/issues/483

See also https://support.mozilla.org/en-US/forums/contributors/714262?page=1#post-78938 Posts held for moderation do not result in email notifications even after moderator approval. There's a github issue to fix that, which is still pending:
https://github.com/mozilla/sumo-project/issues/501 Send an email notification when a post in the moderation queue is approved.

The updated text is deployed to production. The notifications issue is tracked in the tickets Alice linked in the comment above.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.