We have been notified of a phishing scam impersonating Tipalti Support. This fraudulent email directs users to a fake “Reset Password” page asking for the following information:
- Your email address associated with your Roblox account
- Current Password
- New Password
- Confirm New Password
Please do not click on any links or provide any information to emails with the subject line “Important Notice: Action Required to Secure Your Tipalti Account” without verifying that the email address is spelled correctly. In this case, emails from Tipalti will be sent from support@tipalti.com.
If you did submit your credentials through the phishing link, please follow the steps below:
1. Please change your Tipalti account credentials immediately. Log in using the correct link below - this is dependent on the group you are enrolled with.
2. Contact Roblox Support, and select “Developer Exchange Program (DevEx)” in the second drop-down menu. Please provide as much information as you can on what happened and what information you provided.
For more information on how to keep your account safe, please visit our Help Center.
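The sender check recommended in the announcement, as an added example (not part of the original post and not Roblox or Tipalti code). The finding names, the edit-distance threshold, the sample messages and the assumption that your own mail server stamps the `Authentication-Results` header are all illustrative.

```python
from email import message_from_string
from email.utils import parseaddr
EXPECTED_SENDER = "support@tipalti.com"  # legitimate address given in the announcement
EXPECTED_DOMAIN = "tipalti.com"
BRAND = "tipalti"

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message):
    """Return a list of findings; an empty list means no check fired."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr, domain = addr.lower(), addr.lower().rpartition("@")[2]
    findings = []
    if addr != EXPECTED_SENDER:
        findings.append("from-address-mismatch")
    if domain != EXPECTED_DOMAIN:
        if any(edit_distance(label, BRAND) <= 2 for label in domain.split(".")):
            findings.append("lookalike-domain")
        if BRAND in display.lower():
            findings.append("display-name-spoof")
    # A From header can be forged exactly, so also require a DMARC pass (assumed header).
    elif "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("dmarc-not-pass")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != domain:
        findings.append("reply-to-differs")
    return findings

# Constructed sample messages (not real captures); .example is a reserved TLD.
SUBJECT = "Subject: Important Notice: Action Required to Secure Your Tipalti Account\n\n"
LOOKALIKE = ('From: "Tipalti Support" <support@tipa1ti.example>\n'
             "Reply-To: collect@mailer.example\n" + SUBJECT)
FORGED = ("From: Tipalti Support <support@tipalti.com>\n"
          "Authentication-Results: mx.recipient.example; dmarc=fail\n" + SUBJECT)
CLEAN = ("From: Tipalti Support <support@tipalti.com>\n"
         "Authentication-Results: mx.recipient.example; dmarc=pass\n" + SUBJECT)

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("forged", FORGED), ("clean", CLEAN)):
        print(name, check_sender(raw))
```

An empty result only means none of these checks fired; resetting the password from a bookmarked URL rather than the emailed link remains the safer habit.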
Ah, yes, the most common type of scam. Luckily, Fisching scams are hard to fall for. Thanks for warning unknowing users instead of just letting it happen.
I don’t get how people don’t understand basic cybersecurity. I know it’s a major situation and it’s pretty bad, but just check the sender email, for God’s sake. That’s one of the easiest ways to see.
I know I might know a lot about cybersecurity and related topics, but it’s just hard to think that this is really easy to do, especially to adults developing on Roblox with a large familiarization with technology.
Here is a resource that people can use to protect themselves from phishing.
[Phishing Quiz with Google](https://phishingquiz.withgoogle.com)
Advice specifically for this - when presented with an unexpected password/email/login reset request from any source, never use the provided link in the email, no matter the source. Always visit the website with a trusted URL and reset your account from there. The same goes for things like notifications or new documents from financial systems - these are also common in corporate phishing. With this in mind, you would have gotten this phishing email, maybe said some swear words, gone to Tipalti using a bookmark, logged in, and reset your password there, and then never realized the email was phishing to start.
That is an interesting point. My guess is either they have found a vulnerability in this (unlikely), or they are relying on those who use password sharing. Ex: you have a valid email + password for Tipalti, maybe it works for a Roblox account? Or the bank the funds go to. That is just a theory, and I doubt we’ll get answers.
Yeah, nobody’s immune, it’s still pretty hard to fall for if you know what you’re doing. Chances are, companies like this will never ask you for this kind of info. (Games such as Fortnite make this clear through in-game banners.)
I’m still surprised (yet glad) that Roblox is warning developers before most people have even heard about this scam. Last time (I think it was bookmarklets) there were already 8 million videos about it before the announcement was published.
Thank you for this alert. A few of my developer friends received this and I heeded them with caution. I wish this had been announced earlier, since I believe this has been happening for a while. Thank you for bringing this to the awareness of others; it is urgent that we announce threats like these often on Dev Forum, for ease of access to sharing with other developers.