
Urgent; I've had a phishing email re my donation to gofundme

203 replies

mimivanne · 19/01/2018 17:34

Just checking my emails. 1.19 pm, email from 'Nate' at the GoFundMe trust and safety team requesting a copy of my government issued photo ID, evidence of my connection to the campaign such as links to social media.
Failure to respond within 48hrs will result in the refund of my donation.
Checked GoFundMe T&Cs, states they will never request personal details.
Very worrying

CAAKE · 21/01/2018 09:18

I've finally had a reply from gfm overnight. I think pp who say they've been investigating things may be right. They assure me I've been removed from their mailing lists so we'll see.

HairyBallTheorem · 21/01/2018 09:36

Re. the HaveIbeenpwned site - being a suspicious type the first thing I did was check this site itself was legit - a quick google suggests it is (you're looking for reviews from reliable sources like TechRadar).

Turns out (at least according to that site) that I haven't been - which slightly surprises me, because I was caught in both the Mumsnet hack and the TalkTalk hack.

This is a very awkward situation - I agree with Vicxy's take on this, that there's a possibility of human intervention at the GFM end of things. If so it is, as Andhow says, absolutely scandalous. Let's be quite clear about what the accusation would be (and I'm not saying this is true, libel lawyers, just that there's something hinky going on with people receiving phishing emails, and this is one possible explanation of how it could have been done). This would mean (if true - I may just be suffering an attack of tinfoil-hat-itis) that a site which handles the financial details of millions of people has an employee prepared to leak details (not necessarily the financial details, but certainly the personal details) of people using that site for political reasons.

However, sadly it's going to be next to impossible to get anyone to investigate. GFM clearly have a vested interest in covering this up, up to and including pulling the fundraiser altogether if it gets too embarrassing for them. (There's an absolute shit-ton of bad reviews online from people complaining about their lousy customer service). I don't think the fraud action line listed above will be interested either, as even if true there appears to be no intent to defraud people of money. The information commissioner might be interested, but as far as I can see there's no smoking gun here, merely a load of circumstantial evidence possibly suggestive of an insider leaking email and ID details (and possibly cross links to other social media IDs where people have shared on twitter or facebook).

busyboysmum · 21/01/2018 09:49

I've had Bitcoin emails too and never had anything spammy to that email address before.

MipMipMip · 21/01/2018 10:16

May I suggest everyone who has had this email contact the ICO to pass on their suspicion and also as many media as they can think of to try to get it publicly investigated too. Where's the Daily Fail when you need them!? [grin]

BeyondWW · 21/01/2018 10:19

I've checked my proper email, my mn/twitter email and my fb/gfm emails, nothing suspicious on any of them luckily

DrudgeJedd · 21/01/2018 11:17

I advise anybody who has received one of these emails to report it ASAP to the Information Commissioner, even if you have deleted the email. The more reports they get the better. This link will take you straight to the relevant page ico.org.uk/concerns/handling/

fluorine19 · 21/01/2018 12:43

Just to let you know. I work in security and privacy and I've contacted Gofundme to ask them for proof that this is not an insider or external actor using a spear phishing attack against donors to this.

I've also told them I will report this to the ICO and ask for an investigation if I do not get a decent response. I also quoted the GDPR principle which sets out that political affiliations associated with personal data is a "special category" of data requiring more stringent controls.

Hopefully this will help stop any further targeting of donors - I'm beyond raged about this, but hold out little hope of any respect for our information or position.

antimatter · 21/01/2018 12:46

Thank you @fluorine19
I feel this is the only way to get gofundme to behave. They are a disgrace.

fluorine19 · 21/01/2018 13:11

Thanks Antimatter. I'll let everyone know if/when they respond. I am beyond raged about the whole thing, how fucking dare they (bet it's an insider colluding with an external actor - be a good article for the privacy media)

BelligerentGardenPixies · 21/01/2018 14:40

I wonder if Watchdog would be interested. I'm going to take a look at their site later.

I'm going to email the ICO in a bit too. GFM won't want this investigated or publicly acknowledged if it has been an "inside job" as it could well be PR suicide.

I wouldn't panic too much about keylogs/spyware just yet. I think this was about finding info (and in quite a clumsy way - did they really think people would just hand over that kind of info in order to bung a tenner to someone - they really don't hold women and women's intelligence in high esteem!). That said, I've done a malware/spyware sweep (nothing found) and changed passwords on vital accounts. Best to be cautious.

antimatter · 21/01/2018 15:26

I think GFM shouldn't be allowed to brush this under the carpet.
It's a data breach and security breach too.
I would never donate to any cause on their platform.

SonicBoomBoom · 21/01/2018 15:54

Maybe moving the fundraiser to crowdjustice would be safer. Don't know if that's possible or not.

LangCleg · 21/01/2018 15:55

This is utterly bonkers.

If the monies in the fund aren't needed for a legal challenge to AWS after all, I think they should go on representation for harassment and libel and possible criminal activity vis a vis data protection.

Vicxy · 21/01/2018 16:00

I wonder if gofundme has ever had an issue like this before. I would bet not, until women want to stand up for their rights and the TRAs descend.

BelligerentGardenPixies · 21/01/2018 18:02

I've re-emailed GFM (as per the recommendation from the ICO website) with the template from the ICO site, outlining my concerns and informing them that if they do not furnish me with their policy regarding the request for additional identification from a donor within 28 days, then I will be passing it along to be investigated.

They can ignore little old us all they like but they will have to answer fully to the regulating body.

Doubt they've ever had to deal with this kind of thing before. Feel a little bit sorry for the company as a whole, as one arrogant employee could have landed them in a load of 'business ending' shit. Mind you, it is on them to handle this in the most open and honest way possible and I won't have any sympathy if they just try and sweep it under the carpet.

mimivanne · 22/01/2018 19:11

I've received an identical email today to the one I originally posted, other than it's from 'Rita', rather than 'Nate'.
What do we make of this and have any other donators on MN had a second one, bearing in mind that donations were to be refunded within 48 hrs if donators didn't respond?

SophoclesTheFox · 22/01/2018 20:18

I think I would respond asking them to point me to the section in their T&Cs that requires this?

This is not how payment details are verified. Good lord, this is terrifying. One of their employees has gone off the reservation, I'm sure of it.

ItsAllGoingToBeFine · 22/01/2018 20:20

This is not how payment details are verified

They also use a third party payment processor (Stripe)

ItsAllGoingToBeFine · 22/01/2018 20:21

Forgot to add, so they should only really care if the payment goes through or not.

This refunding and asking for ID / social media profile is a tad odd.

SophoclesTheFox · 22/01/2018 20:30

Exactly. The payment is either fraudulent or it's legitimate.

Whether the person ticked the anonymous box, or had their screen name as Napoleon Bonaparte, as long as they provided a valid card, and the 3rd party processor was content it was legitimate, the story ends there. If there was evidence that the card was misused, then they can instruct the 3rd party to refund the payment. And the story ends there.

It stinks to high heaven. Their T&Cs are quite clear that they only function as a platform to join up donors and donees. That's all. They don't get involved in the legitimacy of the campaigns, and nor should they!

MrsFogi · 22/01/2018 20:53

May I suggest that anyone who donates and/or provides any details to GFM saves a pdf of their current Ts and Cs and privacy policy (there is a link in the Ts and Cs) in case of a need in the future to refer to these.

TallulahWaitingInTheRain · 22/01/2018 21:00

If it's a rogue employee, then why haven't they been dealt with yet? This is serious misconduct if unauthorised, and the company was first made aware of it days ago.

antimatter · 22/01/2018 22:51

This looks like a real mess.

NettleTea · 23/01/2018 08:45

Can you report to the ICO?

BelligerentGardenPixies · 23/01/2018 14:30

I have reported to the ICO already.

Any amendment to the T&C's should be dated (as per their own policy on their website) but a screenshot would be a good idea as I don't trust the lying fuckers.

Even though the emails are signed by different names, it doesn't mean that they were written by different people, it could still be one or two rogue employees who are trying to make it look like a company-wide stance. I was going to have a look at their website tonight and see if I can find any contact info for someone above the customer services, because if the same people who are sending the rogue emails are processing the complaint emails, then nothing is going to be done about it.

It is likely to be the UK team handling this, I wonder what their US employers would feel about their total disregard for company policy?