Email Worst Practices

I had to send this “support request” email today because of some seriously bad error in judgement when someone hit the send button today. Seriously folks, this is 2014… have web companies and their employees learned nothing?

Hi,

This morning I got an email asking me to click a link embedded in the email to verify my email address as a condition of maintaining my *********

The email is worded exactly like a phishing attack: it requires fast compliance, threatens a disconnection of service, lacks any link to verify this policy, and is unsigned by anyone.

Someone in security who works there must be aware that most phishing attacks are carried out exactly this way, and that you should NEVER encourage a user to click a link in an unsolicited email, whether the reason is legitimate or not, because of the bad precedent it sets.

Instead, you should give the user a one-time unique token to enter and tell them to log in to their account and enter the token on their account page to verify that the email was received and that they do in fact own the account. Not doing so would allow anyone with access to a client’s email account to potentially hijack the account with your service.

If you disagree, then I will have to look for a more competent company to *********. Please escalate this email until it gets to a policy-maker that understands why this is “worst practice.” If this does not happen, I might as well cancel my account because it is only a matter of time before your customers or your client-facing DBs are hacked.

Thanks.
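The token-in-the-email flow the letter above asks for, as an added example that is not part of the original post and not any company's code: the mail carries only a short one-time code, and the code is accepted only from an already logged-in session for the matching account, with a hash-only store, expiry, single use and a guess limit. The store, TTL and attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: account id -> pending verification record.
# A real service would keep this in the account database.
PENDING = {}
TOKEN_TTL = 15 * 60      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5         # guesses allowed before the code is burned (assumed)

def issue_token(account_id, now=None):
    """Create a one-time code to put in the email body as plain text.
    Only its hash is stored, so a leaked table yields no usable codes."""
    now = time.time() if now is None else now
    token = secrets.token_hex(8)     # 16 hex chars, short enough to type
    PENDING[account_id] = {
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL,
        "attempts": 0,
    }
    return token

def compose_email(token):
    """Body of the verification email: no URL at all, just the code and
    an instruction to log in the usual way and enter it."""
    return ("To confirm this address, log in to your account as you "
            "normally do, open Account Settings, and enter the code "
            f"{token}. It expires in {TOKEN_TTL // 60} minutes.")

def verify_token(session_account_id, submitted, now=None):
    """Called from the account page of an already logged-in session. The
    code only counts for the account that session belongs to, so someone
    who merely reads the mailbox cannot use it to take over the account."""
    now = time.time() if now is None else now
    rec = PENDING.get(session_account_id)
    if rec is None:
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS or now > rec["expires"]:
        PENDING.pop(session_account_id, None)   # burn the code
        return False
    digest = hashlib.sha256(submitted.strip().encode()).hexdigest()
    if not hmac.compare_digest(digest, rec["hash"]):
        return False
    PENDING.pop(session_account_id)             # single use
    return True
```

Because the code is useless without the account password and is bound to the session that submits it, a mailbox compromise alone gives an attacker nothing to click and nothing to redeem.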

Just to clarify, the raw headers show it was sent from their mail server, and the message looks legitimate, but maybe someone hijacked that through a completely unrelated blunder. Anyway, the moral of the story is: do not click links in unsolicited emails. If this had been a password reset I requested, a two-factor auth thing, or even a newsletter I opted in to, those would be totally understandable, but in this case it was probably just bad form. To allow the company time to correct their policy (or regain control of their mail server) I have not mentioned exactly which web services company this is… but this is yet another case of sloppy work in the IT sector. And, as Danny Glover once said in a movie where he co-starred with a crazy guy, “I’m too old for this shit.”*

Thanks for reading.

*luckily this last word is no longer banned from TV, and thus — in this usage — it is appropriate to describe a distinct lack of professional behavior from a commercial company.


Another round of Dropbox Scam Emails Spikes my Blog

I have gotten about 10 or more fake Dropbox invites these past few weeks, and a funny thing happened: my blog stats spiked like crazy! So, given that fact, I want to help people by reposting the link to that article, so that it shows up in searches as a fresher piece of info. Again, the advice remains the same, timeless in its wisdom: look before you click.

https://noivad.wordpress.com/2012/06/21/dropbox_invite_scam/

As previously commented: I seriously doubt Dropbox had anything to do with the release of email addresses. Instead, I think that the people phishing have compromised some end-user systems and gathered data on who else might have Dropbox installed.

Why Dropbox Would Sell Email Addresses

Someone commented that they wondered if Dropbox sold user email addresses. Based on which email addresses the phishing scam is going to, I would say no. Also, I mentioned that Dropbox makes its money from people upgrading their accounts, and would alienate paying customers if it did. So, the marginal income they would get from selling any customer info would easily be outweighed by the loss of revenue from customers going to one of the many other cloud backup and sync providers.

Personal Cloud Devices

Speaking of cloud or cloud-like data access, I am close to purchasing Connected Data’s personal cloud device, the Transporter, once they can answer a few simple questions. Or I might go with Hyper’s or Akitio’s Personal Cloud devices. If anyone has experience with these devices, please contact me on app.net (the user name is the same), or comment here. Thanks for reading.

By the way: you tech heads need to make sure this Dual 2.1A USB adapter & extension cord succeeds because I need this product. I get nothing out of it but my reward level for backing it, BTW. However, by my estimates, nuPlug will miss funding by 3 days unless we help it out. So please pass this link to NuPlug’s Kickstarter. Daddy needs a new charging solution. I have stepped on extension cords; had to use 2 chargers for a 2.1A iPad and another device; and I have seen companies charging as much (or more) for just a Dual 2.1A USB charging adapter!