Giveaway email: phishing or legitimate?

I’ve received an email claiming to be from GitHub, offering a free gift if I just give them some personal details (name, physical address, etc.). No catch, no terms and conditions, no nothing. Looks like a classic phishing scam, right?


The thing is, everything points to it really being from GitHub. I’m not up on the state of the art in how emails are signed and senders verified, but here’s what Gmail reports:

I’ve looked over the GitHub help for some way to report suspicious emails, but all I can find is how to report abusive or spamming users. So I’ve come here hoping for help. Can anyone confirm or refute the legitimacy of this email?
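The "what Gmail reports" part of the question above is about SPF, DKIM and DMARC: the receiving mail server records those checks in an Authentication-Results header, and Gmail's "mailed-by" / "signed-by" labels reflect the SPF and DKIM outcomes. As an added example that is not part of this thread, the Python script below parses that header from a constructed message and checks whether the visible From domain is actually backed by an aligned SPF or DKIM pass, the same alignment test DMARC applies. The two sample messages, the selector, the IP address and the signature value are constructed placeholders; the thread's real Gmail report is not reproduced here, and the organisational-domain reduction is a simplification of what DMARC does with the Public Suffix List.

```python
"""Evaluate SPF/DKIM/DMARC results recorded in a message's Authentication-Results header.

Added illustration, not code from the thread. Sample messages are constructed; selector,
IP address and DKIM signature value are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: aligned DKIM and SPF passes for the visible From domain.
SAMPLE_RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@github.com header.s=selector-placeholder header.b=PLACEHOLDER;
       spf=pass (google.com: domain of noreply@github.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=noreply@github.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=github.com
From: GitHub <noreply@github.com>
To: someone@example.com
Subject: A gift for you

Please fill out this form to claim your gift.
"""

# Constructed lookalike: SPF and DKIM both "pass", but for a domain that does not match From.
LOOKALIKE_RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@github-gifts.example header.s=selector-placeholder header.b=PLACEHOLDER;
       spf=pass smtp.mailfrom=bounce@github-gifts.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=github.com
From: GitHub <noreply@github.com>
To: someone@example.com
Subject: A gift for you

Please fill out this form to claim your gift.
"""

CLAUSE_RE = re.compile(r"^(?P<method>[a-z]+)=(?P<result>[a-z]+)", re.I)
PROP_RE = re.compile(r"(?P<key>[a-z]+\.[a-z]+)=(?P<value>[^\s;()]+)", re.I)


def parse_authentication_results(value):
    """Return (authserv_id, {method: {'result': ..., 'header.i': ..., ...}}) for one header value."""
    flat = " ".join(value.split())                      # unfold continuation lines
    clauses = [c.strip() for c in flat.split(";") if c.strip()]
    authserv_id = clauses[0].split()[0].lower()         # server that did the checks, e.g. mx.google.com
    results = {}
    for clause in clauses[1:]:
        m = CLAUSE_RE.match(clause)
        if not m:
            continue
        entry = {"result": m.group("result").lower()}
        for p in PROP_RE.finditer(clause):               # properties such as smtp.mailfrom / header.i
            entry[p.group("key").lower()] = p.group("value")
        results[m.group("method").lower()] = entry
    return authserv_id, results


def org_domain(domain):
    """Crude organisational-domain reduction (last two labels); real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def assess(raw, trusted_authserv="mx.google.com"):
    """Summarise whether the visible From domain is backed by an aligned SPF or DKIM pass.

    Only headers stamped by the trusted receiving server count: a sender can add its own
    Authentication-Results headers, so anything from another authserv-id is ignored.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(value)
        if authserv_id == trusted_authserv:
            auth.update(results)

    spf, dkim, dmarc = auth.get("spf", {}), auth.get("dkim", {}), auth.get("dmarc", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]

    spf_aligned = spf.get("result") == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim.get("result") == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    authenticated = (spf_aligned or dkim_aligned) and dmarc.get("result") == "pass"

    return {
        "from_domain": from_domain,
        "spf": spf.get("result", "none"), "spf_aligned": spf_aligned,
        "dkim": dkim.get("result", "none"), "dkim_aligned": dkim_aligned,
        "dmarc": dmarc.get("result", "none"),
        # Authentication only shows which domain sent the mail, not that its request is reasonable.
        "verdict": "domain authenticated" if authenticated else "not verified",
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("lookalike", LOOKALIKE_RAW)):
        print(label, assess(raw))
```

The lookalike case is the one worth noticing: both SPF and DKIM report "pass", but for a domain the attacker controls, so only the alignment check against the From domain (and the resulting DMARC verdict) separates it from the genuine message. Even a fully authenticated result only establishes that the domain's mail system sent the message, which is why the question of whether the request itself is sensible still has to be answered separately.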

Hi @perey,

After some digging, I found that this email is legitimate and from GitHub.

Thanks for that. Is there any way that you know of for my feedback to get to the people behind it, suggesting they make sure there’s an easier way to confirm this sort of thing is for real?

Hi @perey, please do feel free to share your feedback here. I’ll make sure it gets back to the appropriate team(s). I’ve also shared this thread with them for visibility. :smiley:

The public are told all the time to beware of giving out information—even to (what appears to be) trusted sites, if they aren’t absolutely sure it’s genuine. Asking via email, and collecting information on a third-party website (Google Forms), are warning signs. So when a legitimate survey comes along, it needs to avoid:

  • Raising incorrect suspicions (reduces number of replies received, wastes support/community time in answering threads like this one).
  • Undermining security messages (this one was legit, so people are more likely to hand out information next time).

What I think anyone running a survey/giveaway needs to do is to have a source of information about it, separate from the request and verifiably from the genuine organisation (so, on the GitHub website).

At a minimum, there should be some statement like: yes, we sent this email, and yes, we want you to go fill out this Google Form. I expect, and I think most people expect, to see terms and conditions as well. Ideally there’d also be some confirmation: your survey has (or hasn’t) been received and we’re including (or not including) you in the giveaway.

I recognise that the survey that prompted this was meant for a limited number of people, and secrecy and transparency can be hard to balance (how do you publish terms and conditions for a private offer without making it public?). But surely there are best practices out there for this already.