Exactly what I was about to say.
What a shame. I never understood why people even scam; it’s just not worth it and it’s unethical.
Oh, okay. Thanks for letting us know!
Ah, yes, the most common type of scam. Luckily, Fisching scams are hard to fall for. Thanks for warning unknowing users instead of just letting it happen.
I don’t get how people don’t understand basic cybersecurity. I know it’s a major situation and it’s pretty bad, but just check the sender email, for God’s sake. That’s one of the easiest ways to see.
I know I might know a lot about cybersecurity and related topics, but it’s just hard to think that this is really easy to do, especially to adults developing on Roblox with a large familiarization with technology.
Here is a resource that people can use to protect themselves from phishing.
[Phishing Quiz with Google](phishingquiz.withgoogle.com)
Advice specifically for this - when presented with an unexpected password/email/login reset request from any source, never use the provided link in the email, no matter the source. Always visit the website with a trusted URL and reset your account from there. The same goes for things like notifications or new documents from financial systems - these are also common in corporate phishing. With this in mind, you would have gotten this phishing email, maybe said some swear words, gone to Tipalti using a bookmark, logged in, and reset your password there, and then never realized the email was phishing to start.
That is an interesting point. My guess is either they have found a vulnerability in this (unlikely), or they are relying on those who use password sharing. Ex: you have a valid email + password for Tipalti, maybe it works for a Roblox account? Or the bank the funds go to. That is just a theory, and I doubt we’ll get answers.
+1 Extremely important.
Never click links in unexpected emails. Go directly to the website yourself and seek it out.
You are not immune to phishing scams. A well timed or well formed email can be enough to trick you.
cough Jim Browning 2021 incident
Yeah, nobody’s immune, it’s still pretty hard to fall for if you know what you’re doing. Chances are, companies like this will never ask you for this kind of info. (Games such as Fortnite make this clear through in-game banners.)
I’m still surprised (yet glad) that Roblox is warning developers before most people have even heard about this scam. Last time (I think it was bookmarklets) there were already 8 million videos about it before the announcement was published.
The link looks IDENTICAL; they swapped an “L” with an “i.” I probably would have fallen for it if I wasn’t paying attention.
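An added example, not part of the original thread: one way to automate the check the post above describes, flagging a sender or link host that collapses to a trusted domain once look-alike characters (l/i/1, o/0) are folded together. The trusted list, the folding table and the sample inputs in the usage comments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains the reader actually does business with.
TRUSTED = {"tipalti.com", "roblox.com"}

# Characters easily mistaken for one another in common fonts, folded to one
# representative. Illustrative ASCII subset, not the Unicode confusables table.
FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(domain):
    """Collapse visually confusable characters so look-alikes compare equal."""
    return domain.lower().translate(FOLD).replace("rn", "m")


def host_of(value):
    """Return the host of a URL, or the domain part of an e-mail address."""
    if "://" in value:
        # .hostname ignores any "user@" prefix placed in front of the real host
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip("<> ").lower()


def classify(value):
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a link or sender."""
    labels = host_of(value).rstrip(".").split(".")
    # Naive registrable domain: the last two labels. A production check would
    # use the Public Suffix List to handle suffixes such as co.uk.
    domain = ".".join(labels[-2:])
    if domain in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if skeleton(domain) == skeleton(good):
            return "lookalike:" + good
    return "unknown"


if __name__ == "__main__":
    # Constructed samples: a genuine subdomain, an l/i swap in a link and in a
    # sender address, and a trusted name used only as a URL userinfo prefix.
    for sample in (
        "https://support.tipalti.com/reset",
        "https://tipaiti.com/reset",
        "Support <noreply@tipaIti.com>",
        "https://tipalti.com@login.example/reset",
    ):
        print(f"{sample!r:45} -> {classify(sample)}")
```

A "lookalike" verdict is a strong signal to discard the message; "unknown" only means the host is not on the trusted list, so the advice above to navigate from a bookmark still applies.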
Thank you for this alert. A few of my developer friends received this and I heeded them with caution. I wish this had been announced earlier, since I believe this has been happening for a while. Thank you for bringing this to the awareness of others; it is urgent that we announce threats like these often on Dev Forum, for ease of access to sharing with other developers.
Nah I don’t trust with .withgoogle.com
It’s a legitimate domain. It’s registered by MarkMonitor and the registrant contact is google.com, so nothing awful hidden in that link.
What is Tipalti Support? Is this the moderation company or something?
It is the service Roblox uses for DevEx!
I’m just confused as to why this isn’t pinned, since I feel like scam awareness is really important
Sometimes I find it hard to believe how naive a person can be to fall for primitive scam patterns. If the post were about people unfamiliar even with basic technologies like links, I might be able to turn a blind eye. However, when a developer—someone who should understand the risks of clicking on any link, let alone handing over their data—falls for such tricks, it’s both amusing and foolish. Ultimately, I don’t sympathize with them at all.
It might be hard to believe, but it is the reality. In the corporate space where I reside, we don’t have fake phishing attempts just to teach people - it is because corporate phishing attempts are a massive problem. They range from just wanting your banking details, like a fake retirement account action required email thing that went around where I was ages ago and got several employees, to infiltrating systems for cyberattacks. A bunch of data breaches happen because of these phishing attempts.
The more mundane or believable the email, the better (mostly - intentional spelling mistakes can exist to eliminate people who wouldn’t fall for them). With the claims of previous Tipalti data breaches (never confirmed or proved, by the way), a disclosure email with claimed passing of time and a claimed legal reliability to disclose this with an unformatted email looks believable. I would have looked at it, sighed, gone to Tipalti to reset my password without the provided link, and deleted the email thinking nothing of it.
I’m glad Roblox is actually alerting people.
I implore people reading this to perhaps set up a private DNS (Domain Name System) that filters out newly registered domains.
That tactic is commonly used among bad actors.