Yeah, I got a text from one of these a couple years ago. Something like: “You have an overdue doctor bill of $183.56, please kindly pay immediately at this link: http://my-doctorpay.net/defintelylegit123. Thx!” Didn’t even include the name of the doctor or office, but after calling the only doctor's office I had used recently, it was apparently legit. I let them know whatever company handles their billing is completely incompetent.
The US healthcare billing model’s total lack of authentication and disconnection from point of service means that it’s broadly plausible you do owe some random provider money at any time up to several years after your last doctor visit.
Send someone an official-looking piece of paper telling them they received $394 worth of in-office medical laboratory service from Tristate Medical Partners Inc in August last year, that insurance paid $374 and that they just owe you a $20 copay, and I think a lot of people will just go to the online bill pay site and hand over the money.
What incentive do they have to change it? People will still click and still pay, and if they don’t, they’ll refer it to collections and ruin their credit. As long as the billing office gets the money, in their view, the bar for “competence” is passed.
This is something that only people like us can see. The rest of the world doesn’t care about the problem, and even if they did, they have zero incentive to fix it.
> People will still click and still pay, and if they don’t, they’ll refer it to collections and ruin their credit.
Healthcare has one of the lowest payment collection rates of any consumer industry. And as of a couple years ago, medical debt under $500 can no longer go on your credit report even after going to collections. States have passed even more consumer-friendly versions of this law, like NY where no amount of medical debt can affect your credit score.
So actually medical billers are directly hurting themselves with their incompetence in this and many other departments.
Let's not forget all the typosquatting-looking domains Microsoft uses. It almost seems like they bought them up to protect users, forgot why they did that and said "hey, we have all these domains, let's use those?"
Office.com redirects you to login.microsoftonline.com which isn't horribly bad, but is starting to get there. Now you have microsoft365.com and friends, too.
At least when things were login.microsoft.com you could apply the "last part is definitive" heuristic; now that heuristic is pretty useless. And if you watch the actual DNS requests during a login, whew.
CDNs make it even worse. Here are a few VALID requests from my DNS cache:
Also Azure AD and Entra ID and other parts of Microsoft 365 all use onmicrosoft.com, too. A fun bonus to that particular domain is the random, meaningless-to-people GUID-derived tenant IDs in the second level. Knowing what is legitimate, and what is tied to a specific corporate tenant, seems impossible. Certainly helps Microsoft themselves avoid XSS problems, I'm sure, but greatly adds to the confusion of what is a legitimate M365 URL.
Yeah, it's really fun to log into some Microsoft site and get redirected 10 times. The domains it goes through are staggering; some of them don't even look like MS names at all. More than once I've been convinced that there is something fishy going on, only to realize that, nope, that's the way MS wanted it.
I’m supposed to pay my semi-annual property taxes (on the order of ~thousands of USD) on a site that ends in .org instead of .gov, and nobody apparently sees anything weird or wrong with it.
Some places in the US outsource not only payment processing, but the entire tax collection process to the private sector. I've heard stories of people living in Pennsylvania who have gone years without filing their local tax return because they thought the tax form was spam. Nope, that sketchy looking mail from some random business, with the .com address is the legally designated tax collector.
Our government uses the equivalent of www.mydatabox.cz (the real one is mojedatovaschranka.cz).
Literally a domain that looks like it came from phishing-awareness teaching material, not databox.gov.cz or something like that.
The domain is for official legal communication with the government and has the same legal weight as a letter that was delivered in person, with the recipient checked against their ID.
Worse, every doctor/lab sends their own separate bill with their own separate account numbers and URLs. You could probably make a ton of money just sending a bill to every address in your city; so long as the amount is around $50, many will not question it anymore, as they get so many of those things.
It’s insane.