A short email has been sent to a few customers tonight to ask for some confirmation of Tax Residency details.
If you get this email, don’t worry, it is genuine, but we require this information from certain users for reporting reasons and the simplest way to do this was via email. Because we are using an external tool to gather this, there is some extra wording in the email that might be confusing, so you are more than welcome to call Customer Service to do this instead, but in most cases it is just a single response that is required.
Let me know if you have questions.
You’re seriously using surveymonkey for this?! It looks hugely unprofessional and I’m pretty sure the FCA wouldn’t be entirely happy about it either (were the world not otherwise falling apart)…
Why not just throw up a google sheet with all your customer details? I could do some friends’ details for them too then.
To be fair, SurveyMonkey is a huge business and not just the free tool you may know and love. Their professional B2B service is used and trusted by brands and businesses worldwide due to its high security and privacy standards.
All businesses are required to follow strict data protection laws, and as a twice regulated business we are obviously very much aware of our obligations.
However as per the email, if you prefer, you’re more than welcome to contact our customer service team via in-app chat to send your details.
I just got my email and I have to agree with Dan. SurveyMonkey may be a reputable company but it makes the whole thing look like a phishing campaign. I have filled it out as I didn’t need to share any horrible details… but anything that ends with ‘create your own survey’ doesn’t feel like my PII is being safely stored.
I understand why you have done it, but if you’re going to collect sensitive data outside of the app you need to have some sort of real authenticated website to do it in. I may be old fashioned but I like to be able to do things on a web page and not just in an app, even if the app is used to authenticate access to the web page. Maybe an idea for the future?
Just my 2p worth (or about a year’s interest these days).
I’d really hoped this was some sort of clever anti-phishing campaign… I was hoping if I clicked on the link I’d be told ‘Seriously Dan, you didn’t see this as an obvious phishing attack?’ (perhaps only after having entered my DOB/PIN/CVV for verification?).
The appearance of cheaping out aside (could you have paid Survey Monkey more to remove their branding?), you’ve horribly and irrevocably blurred important security lines in doing this. It normalizes users passing personal details to a 3rd party, based only on an (easily forged) email. You’ve just made it much easier for an attacker to spearphish your clients with just a free surveymonkey account.
The mind boggles that you couldn’t add a couple of fields in-app to collect this data - but I’ll assume all your iOS/Android devs are furloughed for now. But as @Wallsy points out - surely an in-app message which took users to a dozens.com web page collecting this data would have been a massively cleaner and safer UX? (You’d also have authenticated users, and therefore presumably less hassle linking this data together.)
When a company interested in using your platform asks “and it’s fully compliant with all UK banking requirements?” are you really going to say ‘Oh yes. Except for collecting tax status - but we can get you a good deal with survey monkey to capture those’?
Ha, you are not serious! I received one of these emails and the first thing I did was check the sender’s email address. As it was from @surveymoneyuser.com I immediately assumed it was a Phishing mail and deleted it.
I only popped into the forum by chance otherwise I would not have seen this. Next time please send an alerting mail to the selected customers first from a genuine Dozens email address.
I will now dig into my deleted folder …
Glad I’m not the only one who was immediately suspicious!
But you should be aware that it’s relatively easy to fake emails. Dozens have not gone out of their way to make this hard.
All of this should happen only in properly authenticated situations - i.e. in app, or on a dozens.com website.
Customers should be trained to only interact with their bank in app, or on the one official website they’ve always used (or, if you’re old school - in something called a ‘branch’ (?) ). The FCA has pushed strong customer authentication hard - but what about strong institution authentication?
@robert - I’m deeply concerned about this (as both a customer and investor) - could you please explain a bit more about why (on earth) you did it this way, rather than in app/on your own website, and why you think my concerns are not valid.
Of course you are right to be cautious. Even when the information appears to be coming from a known site or account it could be faked, so a healthy level of care needs to be taken at all times.
However, that does not automatically mean that all third party tools are necessarily fake or cannot be used - we always ensure we have carefully reviewed any data transfer or security issues. If you prefer to avoid them yourself, then you are more than welcome to call us instead as per the message on the email.
However, for the future, we are building new elements into the app that will allow us to capture and display even more information, but these are not currently available to all and we needed to go ahead and make sure we had the correct information.
I love MailChimp and our company also uses it. Gone are the days when it was small and unprofessional looking in my opinion. They have some powerful tools and it is used by many multinational companies.
Some people I guess have problems with chimps.
This has nothing to do with mailchimp. Clearly it would be reasonable to use them to send mass emails that do not contain identifying information, for example.
But normalising users passing confidential information to Dozens via a 3rd party is a mistake. Dozens just phished their own customers. Think about it -
- user receives an email - not actually from Dozens, but it has the logo etc to make it look legit - just like all the phishing emails I get
- user clicks on a link in email, and is taken to a non-dozens website - just like when you’re phished
- user enters confidential information into 3rd party website - you just got phished
This time it was Dozens phishing you. But at no point could the user reasonably be sure this really was being collected by Dozens. Passing confidential details to 3rd parties with no authentication just became normal for Dozens customers.
@robert - please tell me you understand that what Dozens did puts their users at greater risk?
After getting the Survey Monkey mail, do you think more or less users would click on a link in phishing mail - perhaps saying ‘Congratulations! You’ve won the Dozens savers award for May!’
After getting the Survey Monkey mail, do you think people would be more or less concerned that their ‘savers award’ was being administered by a 3rd party (perhaps survey monkey even)?
After getting the Survey Monkey mail, do you think more or less of those users would put some confidential information (CVV, PIN?) into such a site when it said ‘… just confirm your identity, and we’ll transfer £1000 to your Dozens account immediately’ ?
Thanks @dan_g I do accept your point. This was not the ideal way of capturing this piece of data, and this will not be normal practice.
Whilst we took every precaution in terms of the choice of service, the content of the email, plus we offered customers the alternative means of contacting us to send the information or verify the email (which several did), this was still something we would have loved to do within the app.
Unfortunately we did not have the relevant field in the app for some of the customers who joined last year, and so we needed to collect this single item as a separate exercise within a specific time-frame.
Even if we had been able to update the app to include it and ask customers to complete it, it would have required all customers to have the very latest version of the app, and this is not always the case. We do encourage everyone to always stay up to date, partly to have these new features, but also to have the very latest fixes and security measures, but it is up to users to update the app.
This is not the kind of exercise we will be doing again, but we are certainly grateful to the huge number of customers who got in touch to provide us with their details. And we are grateful to you for your honest concern and feedback.
On the subject of app updates, there should be a new release in the next week or so with fixes and improvements, so do look out for that.