This article explains how to safely handle Zendesk tickets that appear suspicious or potentially fraudulent, or that may contain phishing or malicious content. Follow this process to ensure no unsafe links, files, or downloads are opened on company devices.
When to Use This Process
Use this workflow if a ticket includes any of the following:
• You cannot locate the requester’s email in our systems
• The client reports fraud or an unrecognized charge
• The message includes links, downloads, or attachments you are asked to open
• The email content feels suspicious, generic, or inconsistent
• The sender requests a call instead of providing written verification
• The message appears to be phishing or impersonation
Example of a Suspicious Ticket
Messages similar to the example below should be treated as suspicious:
This is a follow-up regarding an unrecognized charge on my credit card, which seems to have originated from your business.
I am attaching my bank statement that identifies the disputed charge.
This document has been sent by e-Fax®:
{link}
If a message contains a link or attachment that must be opened to view details, do not interact with it.
First Steps: Verify the Requester
Before replying, confirm whether the requester exists in our systems.
User Lookup
Use Master Tools → User Lookup to search for the email address.
Email Server Check
Confirm whether we have sent or received emails from this address.
• Navigate to Account Settings
• Use Ctrl + F and search for “server”
• Identify whether the portal uses SendGrid or Postmark
• Most portals use SendGrid
If no record of the email exists, proceed cautiously.
Next Move: Reply to the Client
If the requester cannot be verified, request additional information without opening any links or attachments.
Ask for the following:
• Confirmation of the email address used for the portal
• Date the charge appears on the statement
• Last four digits of the card used
• Amount of the charge
• Any additional visible details from the statement
STOP: Links or Attachments Detected
If the ticket includes a link or attachment that must be opened or downloaded:
🚫 Do not click
🚫 Do not download
🚫 Do not open
Instead, request a screenshot pasted directly into the email thread.
Suggested Response
I’m sorry, but we’re unable to open external links or download attachments for security reasons.
Could you please paste a screenshot of the information directly into this email thread?
Submitting a Security Review Ticket
If the ticket remains suspicious, submit it for Security Review using our internal Zendesk workflow.
Step 1: Create the Security Review Ticket
Create a new ticket with the following values:
• Project: Security Review SRC
• Issue Type: Service Request
This routes the request directly to the Security Review team.
Step 2: Ticket Description
In the description field:
• Include the requester’s email address
• Copy and paste the client’s message verbatim
• Do not click any links
• Do not download any attachments
If the ticket includes an attachment or image that cannot be viewed without downloading, clearly note that at the top of the description.
Example:
Email of client: email address from Zendesk ticket
There is an attachment associated with this Zendesk ticket that has not been downloaded and may be malicious.
Client message copied below:
Step 3: Describe the Security Concern Clearly
Use concise language describing why the ticket is being reviewed. Examples include:
• Report of illegal or fraudulent charge by payee
• Suspicious link in email
• Suspicious email requiring a download
• Failure to provide requested verification
• Request for a call instead of written confirmation
Step 4: Priority Settings
Set the following values:
• Impact: Low
• Urgency: Medium
• Desired Resolution Time: Medium (3 days)
Reasoning:
• The issue impacts a single user or portal
• The content may be malicious and requires prompt review
• It is not a PIR and does not affect multiple clients
While Awaiting Security Review
After submission:
• If the client does not provide requested information, place the Zendesk ticket on hold
• If the client continues requesting you to open links or download files, keep the ticket on hold
• Do not interact with suspicious content until Security completes their review
What to Do Next
• Notify your Supervisor or Manager so they can monitor the Security Review ticket
• Monitor Jira and Zendesk updates regularly
• Follow Security’s guidance once provided
If the content is malicious, it will be removed or blocked.
If the content is legitimate, follow the next steps provided to assist the client safely.