How NOT to Warn Your Customers About Phishing

Sometimes I’m amazed at how bad big companies can be at executing the simplest things. Future Shop, a big-box retail chain in Canada, sent out an email on the 13th warning customers about an email phishing attempt. That’s nice of them, but they violated one very important rule that all companies should follow when they warn customers about phishing attempts: they made their email look like a phishing email. The small thing was the lack of a FROM name – the email came in with no information about who it was from. The bigger thing was the URLs they were using for linking. Check out the screenshot below:

[Screenshot of the Future Shop email: futureshop-phising-email.png]

The easiest way to determine if something is a phishing attempt is to look at what URL the links are actually going to send you to – if it’s anything other than companyname.com, you should be slightly concerned. When you mouse over a URL that’s typed out as www.futureshop.ca, you should see a URL that says www.futureshop.ca. When I looked at this, I thought to myself “What the heck is DCM5.com?” That’s sure not Futureshop.ca! The length of the URL was also raising a red flag – it was linking to an unknown domain, sure, but it also looked like it was linking to a script that would do something. I tried going to DCM5.com in my browser to take a peek, but it didn’t load, which is also suspicious.
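The check described above, done in code: pull every link out of an email's HTML and flag any href whose domain is not the company's, plus any link whose visible text looks like a hostname that disagrees with where the href really goes. This is an added example, not anything from Future Shop or the original post; the sample HTML is constructed to mimic the mail described (text reads www.futureshop.ca, href points at a third-party tracking domain), and the two-label "registrable domain" helper is a simplifying assumption rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking the email in the post: the anchor text says
# www.futureshop.ca but the href goes to a click-tracking domain.
SAMPLE_EMAIL_HTML = """
<p>Please read our phishing notice at
<a href="http://dcm5.com/track/click?id=abc123&amp;u=12345">www.futureshop.ca</a>
or visit <a href="https://www.futureshop.ca/phishing">our security page</a>.</p>
"""

def registrable(host):
    """Crude last-two-labels domain (assumption: no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> in the HTML."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, company_domain):
    """Return (href, text, reasons) per link; empty reasons means it looks fine."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) != company_domain:
            reasons.append("off-domain")
        # If the visible text looks like a hostname, it must agree with the href.
        shown = text.lower().split("://", 1)[-1].split("/")[0]
        if "." in shown and " " not in shown and registrable(shown) != registrable(host):
            reasons.append("text/href mismatch")
        findings.append((href, text, reasons))
    return findings
```

The first link in the sample is reported as both off-domain and a text/href mismatch, which is exactly the pattern a mail filter or a reader should treat as suspicious even when the mail turns out to be genuine.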

Eventually I just clicked on one of the links, trusting in Firefox and Vista to protect me from anything seriously bad happening, and wouldn’t you know, it ended up taking me to a legitimate Futureshop.ca page about phishing. I suspect the DCM5.com URL is some sort of click-tracking service, but guess what: when you’re emailing your customers about an issue of security, tracking their clicks should be the last thing on your list.