The next Sub-Post Office Horizon scandal?

The next Sub-Post Office Horizon scandal?

I just want to highlight a lawless area of big business stealing cash from small business. SMEs, remember them? The engine of the economy? Over the last three decades of running AXLR8 I must have wasted days documenting the theft of funds from our bank account by the telcos.

Telcos adding grey items to bills

There seems no point in complaining and obtaining a complaint reference (if you even can get one these days). Ofcom is useless. Here are just two examples that should get you checking your bill!

Vodafone

Vodafone has added back in the subscriptions for services our business cancelled many years ago. Suddenly, they just come back on the bill. Although these services are unused, there is no check to see if the service (previously terminated) has been asked for and reordered by the client. This has happened on more than one occasion in the last 10 years. Vodafone also carried on charging for a phone purchase contract long after our business had paid it off. Those past “try-ons” add up to a four figure sum. Also, I have a current serious complaint with Vodafone and nothing has been done. The business moved and we cancelled our FTTP line to the old address and bought a new one at the new address in June last year. There cannot be any doubt and the email trail is clear as are the admissions of the agents we have spoken to. We are still paying A YEAR LATER the rental on the connection at the last address. The last address is a building site, by the way. At £50/month, that is a lot of money. There appears not to be email address for complaints so you need to telephone Vodafone. That is a marathon of at least 30 minutes and some times more than an hour every time. I am sure I am not the only one that has these problems with their Vodafone bill. I believe we have been a Vodafone client for 30 or more years. However, our spend with them has reduced considerably because of this lack of trust.

BT

BT is a huge drain on business productivity and will have wasted many man-days of precious senior management/owner time in SMEs in just the few minutes it has taken me to write this article.
Right now, our business cannot cancel a £250/month contract with the promised 50% cancellation charge. We have been with BT for 30 years and this 60 month contract had run 55 months when we gave notice. We are hardly a fly-by-night client. The bills have become random and two months ago we were charged double for some reason. Simple admin tasks like changing the commercial contact from me to our Group CEO are ignored. Billing refer us to the “Customer Success Team” They send us back to billing. All the time we are paying their bills for a service we have not used for months.

Like criminals, I am sure these large telcos will have lawyers who can tie me up in knots. They certainly train their staff to “brick wall” customers with legitimate complaints.

If you refuse to pay unfair bills, they will come after you with aggressive third party collections agencies. This actually happened to me with Gigaclear who dreamt up a loner notice period than I signed up to. There is always the possibility that they can somehow affect financial reputation of the most solvent and fiscally careful SME.

Regulation

I cannot believe I am calling for more regulation. However, for bullies, there has to be a big stick.
There is much discussion about why the UK cannot increase productivity in two decades. Depending upon the political views of the person talking, it is blamed on so many factors that they are too long to list but include everything from regulation and compliance, taxation, housing, transport, lazy youth, daft degree courses, Brexit (or not enough of it). Chasing clients who will not pay and chasing utilities for over charges has to be part of what saps the time and motivation of small business owners.
The telcos, upon which a modern economy relies, cannot be allowed to pinch £100 here and £1000 there and not have a manager in court. Like the water companies, fines just get added to our bills. There must be several board members who fear for their jobs and reputations when these crimes happen. Right now the systems of customer contact and the lack of options for escalation paint a picture of sociopathic management only beholden to share holder returns. No wonder people are screaming for privatisation. People of my age recall how awful nationalised industries became. So let’s strengthen the basic rules of accountability to which these behemoth monopoly suppliers have become accustomed. The managers must be held accountable. There is no point in fining the company. We cannot afford nationalisation. So regulation with proper powers to name and punish (like health and safety) it is.

AXLR8 SMS (Text Messaging) Migration

Commercial background

AXLR8 have provided text messaging services as part of many applications for around 15 years. Occasionally, in spite of due dilligence and monitoring, a supplier to AXLR8 goes bust. This provides us with a challenge and expenses of migration to another supplier and rebuilding portals, learning how to deal with the “quirks” of the new supplier. You understand. You have your own supply chain challenges!

It is just an impression but SMS unit platforms and their wholesale channels seem to be running on very low margins. Several may be “running on empty”.

Prevention

We have learned from the upheaval and expense of suppliers going out of business. Sometimes they reduce their service to a point where we cannot keep commitments to our clients. Smaller suppliers come with flexibility but also risks for several years. Around 2014, AXLR8 chose a supplier who was too big to fail (part of Cisco) with great service. That seems to have worked for ten years!

We also increased volumes with them to obtain discounts that we could pass on to clients. Then we invested heavily in their system so our clients could log in on our white-labelled portal (HTTPS://sms.axlr8.com) to view traffic and control their account. We also developed systems around their APIs.

Regrettably, the platform supplier has been rolled into another part of Cisco. Hence the move.

Actions now

The supplier we have used for ten years will cease to provide the service by the end of November.

So AXLR8 have procured another text supplier and have added more details about how you can migrate on to this new SMS service. We narrowed it down to two: eSendex or WebexInteractive. In the end, we went with Webex because they undertook to take over client account balances for unused SMS units. This was possible because they were both Cisco stablemates.

An AXLR8 FAQ explains how this works for you in practice. It will be published when we have agreed it with all parties concerned.

Other suppliers

AXLR8 can help you integrate if you register with another supplier. You must make sure the supplier has all the features you require.

  • Dedicated telephone number for sending. Also, you may need the ability to deal with replies to text messages
  • Email2SMS facility whereby a message can be sent from you to <phone-number-of-recipient>@<service-domain>
  • Supports a protocol compatible with AXLR8

You will also need AXLR8’s managed service for SMS messaging so that we can plug in your third party service provider.

Other alternatives

Other Media: Remember, AXLR8 can provide many ways in which you can contact staff, clients, users and other stakeholders.

  • AXLR8 Chat
  • Email
  • Newsletters
  • Trigaware(tm)

There are risks in using WhatsApp.

MFA

There are alternatives to using SMS messages for 2FA. The simplest is to use email. There are also authenticator apps. Please let us know if you would like to drop SMS altogether as a service.

Please check out the FAQ here and call AXLR8 Support if you have any problems.

AXLR8 Cyber Essentials Plus 2025-6

AXLR8 Cyber Essentials Plus 2025-6

AXLR8 have achieved Cyber Essentials for 2025 -2026. Next week, we will proceed to our Cyber Essentials Plus 3.1 (Montpellier) audit. This involves invasive testing by an expert third party and demands evidence for the statements and claims in the self-assessed CE qualification. We have maintained this standard for a couple of years and find it a good exercise for checking our cyber security.

Random internal audit checks (3 or four times a year) mean we are always on our toes and we catch, for example, bad habits. More regular checks find issues such as machines that have not fully updated.

Penetration testing

The parallel project of penetration testing on our customer server fleet (AXLR8 Cloud) in the rest of January.

Staffing

Government

New FAQ site for Staffing clients

We are building up a new Frequently Asked Questions (FAQ) section for AXLR8 Staffing Agency clients.

The volume of explanations and answers for frequently aske questions is growing steadily as we substitute the bespoke answeres and screenshots for clients with generic FAQ material. It adds 10% to the time taken but many of the questions are really frequent.

Most importantly, they are genuine questions we get in Support each day!

The obvious new home for these will be to integrate them into the system and the client portal for each market. For now, they are on specialist websites as follows:

  • General FAQs are on the this www.AXLR8.com site. These cover horizontal AXLR8 components present as options in all AXLR8 offerings such as Questionnaire Builder, Trigaware, MessageStore, Newsletter Builder, Report Builder, Security Login mechanisms and many others.
  • AXLR8 Staffing Operations, HR and ATS client staffing.axlr8.com
  • AXLR8 Government IG clients www.requesttracker.co.uk
  • AXLR8 Commercial Finance Broker clients www.loanmatrix.co.uk

DMARC, SPF and DKIM: What and Why?

The short answer is email security delivery and spam prevention which are related in many ways. Do not ignore these seemingly boring acronyms: DKIM and SPF. They help us assess whether we can trust emails.

What is the problem?

Opening every email is a risk. You need to trust emails you open. You need recipients to trust the ones you send.

One way to reduce that risk is to know who has sent it and assess whether or not we trust them. So how do we know who the sender is? Not by the sender name, that is for sure. Something purporting to come from a large trustworthy company, perhaps? Nat West bank or “SCREWFIX” (i.e. the tools and materials retailer) might mail you about your account or a competition. It may have come from from a different email domain if you click into it. SCREWFIX<dhlkjlj@zxyildgt .ru> is an example where you can see the “friendly name” “SCREWFIX” is completely different to the email domain name (the bit after the@-sign). See if you can spot this in the email below received as I looked for examples whilst writing this.

So people send emails “spoofing” that they are someone else. Much spam is probably going out from your company name right now and causing damage to your reputation. This happens to every company after a while. So, how can we be even more sure of the sender?

How do you check a sender?

Where does this email come from?

Each server on the internet has a unique “IP” address to identify it. The IP address of the server where the mail originated provides a little more assurance. You can see the IP where an email originated (and all the servers it went through before getting to your email inbox by looking in the email “headers”. Different mail programs hide this in different places but you should be able to google where it is. It is a bit like the postmark on an envelope. If it says it was posted in Leeds, and your sender lives in Leeds, you can have a bit more confidence. If it says it comes from Santa Claus and the postmark says “North Pole” any grown up knows post marks can be forged. Regrettably, an IP can be spoofed in the same way. However, there are a couple of major problems even if the IP address of the sender is completely genuine. How do you know if it is the IP of the sender or just some other IP? The answer is SPF (Spam Protection Framework).

The SPF standard allows email domain owners to say: “Email from my domain may only come from the server with this IP address and any other IP addresses should not be trusted.” That is really helpful because even if you do not go comparing the IP address from which the email originated and the IP address(es) that the domain owner has configured, the mail relays will do so. It is relatively easy for them to compare the two and many will block mails that do not comply before you receive them. Now turn it around the other way. If you do not set this up for your email domain, more and more servers will block your emails and people will not receive them. I.e., you will have a “deliverability issue”.

To add your valid originating IPs for your company, you need to add the details to the “SPF record”. This is done in the DNS control panel for your domain. The task requires technical knowledge. Do not attempt DNS changes unless you understand how it all works. Call your ISP or hosting company to ask their advice. Also, you should make sure you (or a technical manager you trust) know the access credentials for the DNS for any domain in your business so you can make changes when required.

What, When and Who are valid for this email?

Experts soon saw that the above weaknesses in SPF needed to be addressed. A new method was needed. There had to be some way machines could trust an encrypted key mechanism to see if the email was genuinely:

  • sent at that date and time
  • from that email address (sender)
  • to that/those email addresses (recipients)
  • Subject line.

This is accomplished by DKIM (Domain Keys Identification Method) whch was designed to address the problem. You need to make sure you have this set up correctly for any servers you authorise to send your email. You need to make sure your incoming email servers check it, too.

The way it works is that the email server generates an encrypted string (2048 bit is acceptable at time of writing) which encodes the above facts as the email is sent. When any mail “relay” server receives it, it can check this against a 2048 bit DKIM key that is shown publicly on the domain. If the two “fit” together, the email is passed along. If not, some other action ranging from nothing to an alert to blocking (or even deleting) takes place. Because of the challenging rise in spam and dangerous emails, the servers and mail applications are getting increasingly strict.

Once again, to set this up, you need a DNS skilled professional. The whole process should be less than half-an-hour including checking with a tool like MXToolox.com or demarcian.com. It may seem expensive and complicated but “doing nothing” is will probably come with a cost! Your business emails will get blocked and become more and more undeliverable.

You may hear about another Acronym: DMARC. (Domain-based Message Authentication, Reporting and Conformance) This is a way that email management professinals configure their servers to react to the SPF and DKIM data associated with the emails. Basically, the rules as to whether it is fine, marked a spam or so dangerous it needs to e deleted. Different professinals take different views. However, the large organisations that move the most email traffic also getting stricter. So you need to be verified byut them also or your email will be rerouted or deleted if not properly configured to prove you are who you say you are.

Verification records

In addition to the above internationally accepted DMARC standards, the major email traffic players have their own additional verification checks. If you or your clients or staff or any other stakeholders or consumers have gmail addresses or other google mail services such as G-Suite, You will need Google Verification. Ask your tech person to click here and follow the process for Google Verification. There are similar processes for other mail relay providers including Apple and Microsoft.

Some further reading

You may also wish to read this article from AccountingWeb which explains it in easy-to-understand lay terms.

Support

If you are experiencing deliverability issues sending mail from your AXLR8 system, please contact Support by email or call. We will review all of the above with you.

AXLR8 Cyber Essentials Plus 2024-2025

AXLR8 Cyber Essentials Plus 2024-2025

AXLR8 received IASME confirmation that we had achieved Cyber Essentials Plus for 2024-2025 at the Montpellier (version3.1) level today.

IASME confirm AXLR8 have passed CE+ for 2024/5
IASME confirm AXLR8 have passed CE+ for 2024/5

Once again, thanks to RightCue whose expert assistance helps us shut down cyber security threats across our networks As external auditors, they also provide the tools and advice to keep our audits and internal tests up to date and effective.

Cyber security is an essential part of AXLR8’s risk management plan. We invest heavily in the systems, processes and external testing and advice to protect both AXLR8 and our clients.

Was your data breached when Mailchimp was hacked?

You may not be aware that the AXLR8 system has a full Mailing Manager module, enabling you to send out compliant mailings and newsletters and report on viewings and clicks afterwards, just like Mailchimp (only better of course)!

Many MailChimp clients have had to move away from Mailchimp and embraced the AXLR8 Mailing Manager instead. 

On April 4th 2022, MailChimp acknowledged that their systems had been hacked, with over 300 accounts accessed. As a non-UK and non-EU company they have no requirement to inform the ICO (Information Commission’s Office) of the data breach. They have informed the public with a vague press release. You can read more on this by clicking here.

A further incident was also reported in August 2022 – read more here.

So are you hacked off? Have you had enough of Mailchimp? Are you thinking of moving your data to the UK, where the suppliers are under the GDPR legislation (If a UK supplier is hacked, they have to inform the ICO and customers within 48 hours – you don’t just happen across a vague press release online)?

AXLR8 provide a full CRM system in UK data centres, not just a Mailing Manager, for the cost of the Mailing Manager. Read more about the product here.

If you would like to talk further about the AXLR8 Mailing Manager, please call us on 01344 776500 or email sales@AXLR8.com. We would love to demo the software to you and discuss your requirements.