Why e-mails from Online Retailers, Networking sites, and other companies with a highly targeted email marketing strategy make it easy for scammers to target their customers/users with Phishing emails, Scams and Spam.
These days we are targeted by a vast array of marketing communications. From roadside billboards, to magazine and newspaper advertisements, television, radio, sms messages, leaflets, brochures and letters through our door and finally also in our email.
The biggest security risk is arguably caused by the latter. Unsolicited email, or spam form a large proportion of these emails, ranging from offers of fake watches or pharmaceuticals, to cleverly executed emails purporting to be from well-known brands such as Amazon, Paypal, Walmart, Booking.com, etc. These fake or fraudulent emails are harder to distinguish from the rest, because so many of us have dealings with these companies, and we are not surprised to receive emails from them.
I will be using Amazon as an example, as this is the one most relevant to me and my experience, but Amazon is by no means the only online retailer, social networking site, or company that this applies to.
It is so easy for scammers to target Amazon users, spam from scammers hide between the many daily communications from Amazon, one of the biggest online retailers in the UK. This also relates to other organizations, such as LinkedIn, and Facebook too.
I am a good Amazon customer. I love books. I love bargains, and I love the ease and simplicity of online shopping. This in itself makes me a pretty good target for email borne threats. I don’t love marketing emails though, and why will become clear in a moment.
To give an example, I recently bought Lloyd Sheperd’s “The English Monster”. It is a really good read, but Amazon wrongly assumes that I am keen to learn about the books other readers of “The English Monster” have bought. I receive regular emails telling me:
“You might be interested in knowing that other people who bought “The English Monster” have also bought “Butterflies sing in Gloom” by Lorenzo Gluttenfink. No doubt, these emails will continue until I buy something else, and I will then receive offers of other items based on what another random stranger has bought.
These emails are accompanied by endless requests to review the items purchased, one email per item, no less. It seems to me that the more I buy, the more opportunities will be found to send me highly targeted emails, or as they would say “marketing offers” tailored specifically to me, according to my past buying habits, and the buying habits of others who might share my interest, for a more unique and personal shopping experience.
In-between all these emails, there will inevitably be the odd fake email or scam. You have to be extra vigilant, as you have come to expect emails on such a regular basis; the risk is that often people don’t think before they click and as a consequence find that they are infected by malware, their pc is added to a botnet, and it goes on and on.
The most recent example was an email claiming to be from Amazon, seemingly about an order I had cancelled. The email asked me to click on the link to verify that I had successfully cancelled my order. I knew I had not cancelled anything, and that I was not expecting anything either, so rather than clicking on the link in the email, I went to Amazon the regular way, and logged into my account. No mention of any cancelled orders, as I suspected. But I could easily have been tricked to click the link, and possibly risked a malware infection.
By default, as a registered Amazon user, you are opted in to receive the entire range of marketing and promotional emails. You can stop this by going to your Account, and change your preferences. However, Amazon say they will still send you updates about products and services you have purchased, and other programmes you are opted into, so I am keen to see how much difference this will make.
The other bugbear of mine is that Amazon tends to send out many of their targeted customer communications after midnight. Naturally, they want to save on bandwidth, so send marketing emails during off peak hours also. This would not be a problem if I were not the happy owner of a smart phone! Even the discrete little beep of “New Mail” is enough to wake me up. Only last night was I woken up to an offer of buying a “Crazy Daisy cake slice”. It is almost as random as travelling by train through Egypt, and vendors dropping combs and lighters, dolls and pens into your lap hoping you will pick it up, so they can charge you for it.
The only solution I see is to categorize ALL email from Amazon as Spam.
Is this the solution? Is it really as simple as categorizing all newsletters, all communication from high volume e-mail senders as Spam?
Will this bring me peace of mind? I can just check my spam folder now and then for any shipping information when I know I have ordered something, and my problem is solved! Or forget about it, in the knowledge that my items will arrive very soon, because delivery is pretty much next day. No need to see any email from Amazon, or any other online retailer, or web site ever again!
But wait a second…
I have recently covered the LinkedIn Security Breach, where LinkedIn was hacked, and millions of passwords were posted online on a Russian website. LinkedIn then sent out emails to their members urging them to change their passwords as soon as possible. Two things happened in the wake of the LinkedIn security breach:
- Scammers targeted LinkedIn users and sent fake emails urging members to update their passwords by clicking links in Phishing emails.
- Because LinkedIn, like Amazon, are sending high volumes of emails to their members, with updates, marketing information, etc, around 25% of the affected members whose passwords and personal information had been breached did not receive the legitimate emails from LinkedIn. These members had chosen to classify emails from LinkedIn as spam.
What other legitimate companies out there are sending high volumes of newsletters and marketing emails / customer information?
Are all these emails really necessary? Do I need to read about chocolate, buy one get one free grocery offers, books to read, or banking related issues daily? My web-mail inbox is flooded!
My hypothesis is that for any legitimate company opting to send out high volumes of emails to their customers/users/members, there will be Phishing attacks and Scams targeting their users, too. (Note the use of plural)
Ideally, companies should show some common sense and think twice before spurning out emails several times a week, sometimes several times per day. Permission marketing it might be, but sometimes there is a question of misusing the trust and the permission, because:
- It is annoying;
- Criminals can easily hide scams and phishing emails in the high volume of emails from these companies, possibly resulting malware and virus infection, identity theft and/or financial loss;
- People may resort to redirecting all these emails to their spam folders so they end up never seeing emails from the companies in question and thereby miss legitimate emails and important information, as well as marketing offers.
And then we are back to square one.
Or are we?
As a reasonably IT savvy generation, the onus is on us to protect ourselves, use email filtering solutions, update the account information on the various sites we use to opt out of excessive marketing, ensure we never click in links from emails, etc. This would of course be a lot easier if:
- Companies displayed information relating to how to opt out of marketing mails more prominently on their websites. Facebook is pretty good regards to this; with LinkedIn it is less easy.
- Companies sending emails should not include lots of links to click, as it can be hard hard to both distinguish between a legitimate email and a legitimate link.
But are we really as tech savvy as we think?
Some of us are. But I dont know how many times I talk to people whose phones “ping” at regular intervals, accompanied by a mournful “If only I could figure out how to change my settings so I did not get so many of these messages”, relating to both social networking and online retailers.
So, putting the ball back in the court of Companies…
What do you think? Are online retailers, banks, social networking sites, other websites, putting their users at risk from malware infection, identity theft, financial loss by sending out such high level of email communications that it is
a) difficult to spot the fake; and
b) impossible to escape by categorizing as spam because you risk missing important information?
– The Omniquad Team