My latest cell phone bill is here. Yippee. But these folks did so many things wrong that I think I just have to say something. If I call them, they won't listen (actually, Credo might), so I'll write it up here where they almost certainly won't listen.
First, this is from the e-mail informing me that my bill is ready:
Note the URL. Who the heck is credobilling.com? I know who it sounds like, and I strongly suspect it's really Credo, but they think it's a good idea for me to click on a link that takes me to a web site I have never before seen, and then provide my login credentials? Credo is training users to fall for phishing attacks.
Not comfortable with that, I type the correct address into my browser, credomobile.com. This is the page I get:
Note the Member Sign-In box at the lower right, and also note that there is no indication in the address bar that HTTPS is in use. This amateur behavior is not new to Credo. At least one other outfit that I do online transactions with does this same thing; I'll post on that later. Sites that try to get users to submit passwords seemingly in the clear often have a more secure failure mode. For example, if I provide my cell number but omit the password, I get here:
That's not really my phone number. Every month I get to see the same error message, but it's worth it to see the green https:// in the address bar before proceeding.