How NOT to Warn Your Customers About Phishing

Sometimes I’m amazed at how poorly big companies can execute the simplest things. Future Shop, a big-box retail chain in Canada, sent out an email on the 13th warning customers about an email phishing attempt. That’s nice of them, but they violated one very important rule that every company should follow when warning customers about phishing attempts: they made their own email look like a phishing email. The small problem was the lack of a FROM name – the email arrived with no information about who it was from. The bigger problem was the URLs they were using in their links. Check out the screenshot below:

[Screenshot: the Future Shop phishing-warning email, showing the link destinations]

The easiest way to determine whether something is a phishing attempt is to look at the URL the links will actually send you to – if it’s anything other than companyname.com, you should be at least slightly concerned. When you mouse over a link whose text reads www.futureshop.ca, the destination you see should also be www.futureshop.ca. When I looked at this one, I thought to myself, “What the heck is DCM5.com?” That’s sure not Futureshop.ca! The length of the URL also raised a red flag – it was linking to an unknown domain, sure, but it also looked like it was linking to a script that would do something. I tried going to DCM5.com in my browser to take a peek, but it didn’t load, which is also suspicious.

Eventually I just clicked on one of the links, trusting in Firefox and Vista to protect me from anything seriously bad happening, and wouldn’t you know, it ended up taking me to a legitimate Futureshop.ca page about phishing. I suspect the DCM5.com URL is some sort of click-tracking service, but guess what: when you’re emailing your customers about an issue of security, tracking their clicks should be the last thing on your list.
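The check described above (does the domain a link displays match the domain it actually points to?) is easy to automate for anyone reviewing outgoing customer mail before it is sent, or triaging a suspicious message. The following is an added example, not code from the original post or from Future Shop: it parses an HTML email body with Python’s standard library, reduces each link’s destination to its registrable domain, and flags every link that leaves the brand’s domain, noting separately the most phishing-like pattern where the visible text is itself a brand URL. The sample HTML is constructed for the example, modelled on the mismatch the post describes, and `registrable_domain` is a deliberately crude two-label reduction that assumes a simple TLD such as .com or .ca.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not Future Shop's actual email). The first link
# is written as a futureshop.ca address but points at a tracking redirect on a
# different domain; the other two resolve to the brand's own domain.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Learn more at <a href="http://dcm5.com/t/redirect.aspx?id=12345">www.futureshop.ca</a>.</p>
<p>Or visit <a href="https://www.futureshop.ca/phishing">our phishing page</a>.</p>
<p><a href="https://support.futureshop.ca/help">www.futureshop.ca/help</a></p>
</body></html>
"""


def registrable_domain(host):
    """Crude 'brand domain' reduction: the last two labels of a hostname.
    Assumption: simple TLDs (.com, .ca). Production code should use a
    public-suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Extract the hostname from a full URL or a bare 'www.example.ca/path'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text  # scheme only so urlparse recognises the host
    return urlparse(text).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html, brand_domain):
    """Return every link whose destination is not on brand_domain.

    Each finding records whether the visible anchor text looks like a URL on
    the brand's domain: that combination (brand URL shown, third-party domain
    behind it) is exactly what a reader is taught to treat as phishing."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = registrable_domain(host_of(href))
        # Treat the anchor text as a URL only if it looks like one.
        shown = registrable_domain(host_of(text)) if "." in text and " " not in text else None
        if dest != brand_domain:
            findings.append({
                "href": href,
                "text": text,
                "destination_domain": dest,
                "looks_like_brand_url": shown == brand_domain,
            })
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML, "futureshop.ca"):
        flag = "DISPLAYED AS BRAND URL" if finding["looks_like_brand_url"] else "off-brand"
        print(f"{flag}: '{finding['text']}' -> {finding['href']}")
```

Run against the sample, only the dcm5.com redirect is reported, and it is reported with the strongest flag because its anchor text is a brand URL. Note that the check cannot tell a click-tracking redirect from a credential-harvesting page; that is the post’s point, and the reason a security notice should link only to the brand’s own domain.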

  • I think you mean “Phishing” and not “Phising”…

    …and YES that is a very suspicious looking URL!!

  • Whoops, thanks for the correction – I only got it right once in the whole thing. It’s such a strange word to spell…phishing… 😉

  • Mysekurity

    I’m guessing that the dcm5.com website got shut down, and the phishing URLs got redirected to their anti-phishing website. I highly doubt they were trying to track clicks, but I could be wrong.

  • In case you were still wondering, DCM5.com is a domain used by Connectus (now split into Antarctica Digital and Vigorate) for an email marketing solution. The long URLs are, in fact, for link tracking and redirects. For bigger brands, especially those involved in e-commerce, you should be using private IP addresses, a branded domain and authenticating this. That will take care of the perception of phishing.