Amazon encourages users to click phishing emails

While Amazon are not the worst culprits, they sent me an email today which illustrates how larger organisations are failing to help their users protect themselves against phishing emails.

Phishing emails (messages that encourage a user to click through to a fake account login page, in order to steal usernames and passwords) are becoming increasingly sophisticated. Clearly, those responsible realised that badly-worded emails riddled with grammatical mistakes and misspellings were harming their conversion rates. The recent eNom phishing attacks were a good example of well-crafted phishing.

Unfortunately, you can't stop phishing at the source - it's just too easy to set up throwaway websites and send bulk emails. The only solution that protects users is to teach them to check for credibility signals in emails they receive, and to make it clear that there are certain things you should never do as a result of receiving an email, even a genuine one - i.e. don't click login links.

The larger ecommerce sites like Amazon and eBay are where users learn what to expect from emails they receive, and if you ask me, those sites have a responsibility to teach their users best practice. Unfortunately, many companies' zeal for email marketing seems to override the need to help users protect themselves.

So, it was with disappointment that I received the email below from Amazon today. I've bolded some items of particular interest.

From  	"Amazon.co.uk" <[email protected]>
To  	"[email protected]" <[email protected]>
Subject  	£3 for your opinion

Dear Amazon.co.uk Customer,

As part of our ongoing effort to provide better services to our customers,
we would like to ask a few questions about your overall satisfaction with 
Amazon.co.uk and your usage of other services. We know your time is valuable,
and we appreciate your help. To be eligible for the £3 Amazon.co.uk gift
certificate, you must complete the survey. The survey should take about
10 minutes to complete.

All of the information you provide is confidential and will be analysed in
aggregate with all other responses. The survey is active for a
limited time only, so please respond as soon as possible. Just
click the link below to get to the survey. If the link is
not active, or if you have concerns about authenticity and security,
please type the Web address into your browser's address bar.

http://globaltestmarket.com/survey/s.phtml?A_76365732_DHDGS7657

Thank you very much for your time and effort!

Sincerely,
Your Amazon.co.uk Team

!----------------------------------------------------------------------

We hope you found this message to be useful. However, if you'd rather
not receive future e-mails of this sort from Amazon.co.uk, please
visit the opt-out link below.
http://www.amazon.co.uk/gp/gss/o/

 
Please note that this promotional e-mail is being sent from an e-mail
address that cannot receive e-mails. If you have any questions and
wish to contact us, click here:
http://www.amazon.co.uk/gp/browse.html/ref=pe_legal/?node=502564

Amazon EU SàrL, a company registered in Luxembourg,
Registration Number B-101818, 5 Rue Plaetis,
L-2338 Luxembourg.    VAT Number LU 20260743.

Please note that this message was sent to the following e-mail address:
[email protected]

What's wrong with this email?

Sigh. Where do I start? Perhaps a short list is appropriate.

  • It includes a generic greeting ("Dear [company name] customer") - as favoured by spammers.
  • It offers free money! for a limited time only!
  • It encourages clickthroughs to a domain that is not amazon.co.uk and is not operated by Amazon.
  • They even suggest that if I'm concerned about phishing, I could type the (non-Amazon) URL into my address bar, and access the (unknown, untrusted) site directly. This is catastrophically bad security advice.
  • It tries to inspire trust by including a line saying that the email was emailed to... the address they sent it to.

There is nothing in this email to prevent a phisher from reproducing it in its entirety and merely changing the survey link to point to his own fake website. All that's needed then is to ask users to log in to their Amazon account to complete the survey and get their money. Voilà - the hacker's Christmas shopping bill could be on you this year.

What would have been a better email?

The goal is to create an email that inspires trust from the outset, but regardless does not encourage users to click potentially harmful links. You'll probably get a better response anyhow, since many users are rightly scared of phishing emails. And if you encourage them to visit your site, they may well buy stuff during their visit. Everybody wins. A quick example is below.

From  	"Amazon.co.uk" <[email protected]>
To  	"[email protected]" <[email protected]ple.com>
Subject  	£3 for your opinion

Dear Andy Langton,

Hopefully everything is good in Bedfordshire. As part of our ongoing
effort to provide better services to our customers, we would like to ask a few
questions about your overall satisfaction with Amazon.co.uk and your usage of
other services. We know your time is valuable, and we appreciate your help.
To be eligible for the £3 Amazon.co.uk gift certificate, you must complete the survey.
The survey should take about 10 minutes to complete.

All of the information you provide is confidential and will be analysed in
aggregate with all other responses. The survey is active for a
limited time only, so please respond as soon as possible. Just
visit the Amazon UK site, and click the "take part in our survey" link in the top right of our homepage.

We'd like to remind users that to protect their login details, they should not click account login links
within emails they receive. This is why we have not included direct links within this email.
More information is available in the Amazon help pages, entitled "protect yourself from phishing".

Thank you very much for your time and effort!

Sincerely,
Your Amazon.co.uk Team
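As an added illustration (not code from the original post), here is a small Python checker that applies the credibility signals listed under "What's wrong with this email?" to a raw message, and then runs it over abbreviated versions of both the original and the improved email. The sender address and the two sample messages are constructed for the example; the survey URL is the one quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics mirror the post's list: a generic greeting, advice to type the
# URL by hand, and links whose domain is not the sender's (or are plain http).
URL_RE = re.compile(r"https?://\S+")
GREETING_RE = re.compile(r"^Dear\s+[\w.\-]+\s+customer\b", re.I | re.M)
TYPE_URL_RE = re.compile(r"type the (?:web )?address into your browser", re.I)

def registrable_domain(host):
    # Crude eTLD+1: keeps a third label for co.uk-style suffixes.
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "com", "org", "ac", "gov"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def check_email(raw):
    # Returns the list of credibility problems found in a raw RFC 822 message.
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    if GREETING_RE.search(body):
        findings.append("generic greeting")
    if TYPE_URL_RE.search(body):
        findings.append("tells reader to type the URL by hand")
    for url in URL_RE.findall(body):
        host = url.split("//", 1)[1].split("/", 1)[0]
        if registrable_domain(host) != registrable_domain(sender):
            findings.append("off-domain link: " + host)
        if url.startswith("http://"):
            findings.append("plaintext http link: " + host)
    return findings

# Constructed, abbreviated versions of the two emails in the post; the sender
# address is a placeholder, not Amazon's real one.
ORIGINAL_STYLE = """From: "Amazon.co.uk" <survey@amazon.co.uk>

Dear Amazon.co.uk Customer,
Just click the link below. If you have concerns about authenticity and
security, please type the Web address into your browser's address bar.
http://globaltestmarket.com/survey/s.phtml?A_76365732_DHDGS7657
"""
IMPROVED_STYLE = """From: "Amazon.co.uk" <survey@amazon.co.uk>

Dear Andy Langton,
Just visit the Amazon UK site and click the "take part in our survey" link
in the top right of our homepage. We have not included links in this email.
"""
```

Running `check_email(ORIGINAL_STYLE)` yields four findings, while the improved message yields none.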

So, come on, Amazon et al. You need to shape up and be part of the solution to phishing emails - you don't have to abandon email marketing, but you do need to adapt to the changing climate of email, and protect yourselves and your users.


Comments

"Dear Amazon.co.uk Customer,"

"Dear Amazon.co.uk Customer," vs "Dear Andy Langton,"...NOOO!!!...don't encourage that crap...companies should NEVER include ANY info they receive over a secure connection in insecure E-mail (or anywhere else insecure)!

Any official communication should simply be like...

---Example-E-mail---
has a msg for you...please visit our secure site to view the msg & to reply if necessary...

https:///what/ever

...if you don't feel the above is a link to OUR site, please fwd this msg to [email protected]
---/Example-E-mail---

If someone were to intercept that E-mail (E-mail IS INSECURE, anyone can intercept any E-mail!), nothing is lost, not my name, address (some companies include the shipping address in a confirmation E-mail...which is INSECURE & DUMB)...

They should not include Name, Address or ANY INFO in E-mail...I would much rather companies include my CREDIT CARD NUMBER in E-mail, since I can call my bank & get a new credit card number...I can't change my name or MOVE every time a company E-mails me to tell me my own name (did I forget my name?) or where I shipped something (if I forget where I shipped something, I should be required to LOGIN at the SECURE site to check on it)...

I agree companies should NOT use 3rd party sites (globaltestmarket.com) for anything...if they NEED to, the E-mail should link to their (https://Amazon.co.uk), notify them the survey is handled by a 3rd party site, then redirect them...however that 3rd party survey/site should NOT KNOW my name or address or any specific info...especially if that 3rd party site is insecure...I can just imagine that survey...

http://globaltestmarket.com/survey/s.phtml?A_763832_DHDGS7393

...(note not https & not Amazon.co.uk)...beginning with "Thank you Andy Langton for taking this survey"...insecure sites should be handled like insecure E-mail, no names/addresses/anything...
