June 20, 2003

Best Buy responds to email hoax

I've been getting a ton of emails claiming to be from the Best Buy Fraud Department regarding an order I've placed. It asks me to click a link and then fill out some information, including credit card info and SSN.

Um, yeah, right. There are *so* many things wrong with that! Let's see: I haven't placed an order with BestBuy online in quite some time, the emails aren't from a BestBuy domain (in fact, they're pretty much all over the place), the embedded links don't point to BestBuy, there's no way in hell I'm going to respond to an unsolicited request for CC and SSN info, and so on.

Best Buy responded recently by sending an email to, apparently, every single email address they've ever stored/mined/received. Normally I'd say that's a bad thing, but in this case it is understandable, particularly with the disclaimer they put at the bottom.

However, they still did some things wrong, IMHO. Here is my response to the email, which I sent directly to Best Buy:

To whom it may concern:

You made a crucial mistake in sending this out, in that you did not use the Best Buy domain to do so. A lot of people, myself included, are going to look at this and think that it might be an elaborate hoax, particularly since the link to your privacy policy doesn't go to a Best Buy site. When I get emails from companies with anything related to privacy or personal information, I expect all associated domains (from the email address to the links) to be on that company's website. Otherwise I treat it as fake.

This Privacy Policy link you've embedded, for example, is not only not on the Best Buy network but also contains a random string of characters, commonly used for tracking. As such, I won't click on it for fear that by doing so my email address will be logged in some database somewhere. Yes, I do recognize the irony that, by replying, my email address is going to show up in spite of my concern. However, I worked at Best Buy for over 6 years and enjoyed most of it, so I felt almost an obligation to say something. Anyway, a link to a privacy policy should *NEVER* be a traceable link; it invalidates the very concept of privacy! It should always be a straightforward link, such as www.BestBuy.com/privacy.

Furthermore, the main page of the associated link should acknowledge Best Buy! When I went to www.postfuture.com there was no indication right off the bat that that company was even associated with Best Buy. Given the presumed size of this mailing, that relationship should be acknowledged right up front. I was able to determine that there was a relationship with Best Buy by clicking the Clients link and drilling down.

Also, this announcement, or at least a link to it, should appear on the Best Buy home page, which is where people are most likely to go when they receive questionable emails. I was not able to find any information related to this matter on your home page.

On the positive side, though, the opt-out disclaimer at the bottom of the email is well done.

Regards,

Peter

-----Original Message-----
From: Best Buy [mailto:bestbuysecurityinfo@postfuture.com]
Sent: Friday, 20 June 2003 07:22
To: Peter
Subject: Official Notification from Best Buy

IMPORTANT: E-MAIL HOAX NOTIFICATION

Late Wednesday afternoon, June 18, 2003, Best Buy became aware of an unauthorized and deceptive e-mail to consumers titled "Fraud Alert." That e-mail message, which requested personal information (i.e., social security and credit card numbers), claimed to come from the BestBuy.com Fraud Department. That message was NOT from Best Buy or any of our affiliates.

Best Buy is working with the appropriate law enforcement authorities to quickly resolve the situation. We are working to shut down sites affiliated with that unauthorized e-mail and Best Buy will work with law enforcement authorities to prosecute any perpetrators involved in this illegal act to the fullest extent of the law. If you replied to the fraudulent e-mail in any way, contact your bank and/or credit card companies immediately.

No Best Buy systems have been compromised, and our online business is secure. The privacy of your personal information is of the utmost importance to Best Buy and any information you provide to us is handled according to our Privacy Policy.

As part of the preparation for the relaunch of BestBuy.com, online purchasing will be temporarily unavailable beginning Friday, June 20; however, our product information and helpful resource articles will still be available. Rest assured, the fraudulent e-mail will not affect the launch of our redesigned Web site.

If you have any questions, call Customer Care at 1-888-BEST BUY (237-8289) or visit our Online Pressroom.

To find out more about protecting your information, visit the Federal Trade Commission's Identity Theft Web site at www.consumer.gov/idtheft.

Thank you for being a valued Best Buy customer.

--------------------------------------------------------------------------------

If you've opted out of Best Buy promotional e-mails, don't worry: you haven't been signed up again. We just wanted to make sure you knew about this situation, regardless of whether you receive Best Buy promotional e-mails. You will NOT continue to receive Best Buy promotional e-mails. Thank you.
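The checks this post applies by eye to both the hoax and the official notice (is the sender on the company's domain, do the links point there, does a link carry a per-recipient token) can be automated. The following is an added example, not part of the original post or of the quoted e-mail; the sample message is constructed, reusing only the sender address and `postfuture.com` from above, and the link path, the token and the `example.net` lookalike host are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: sender address as quoted above, link paths and token invented.
SAMPLE = """\
From: Best Buy <bestbuysecurityinfo@postfuture.com>
Subject: Official Notification from Best Buy

Read our Privacy Policy: http://www.postfuture.com/c/9f3a7c21e8b4d6050a1b
Shop at http://www.bestbuy.com/privacy or http://bestbuy.com.example.net/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Heuristic (assumption): a run of 16+ URL-safe characters in the path or
# query is treated as a possible per-recipient tracking token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")

def on_domain(host, brand):
    """True only if host is the brand domain or a subdomain of it.

    Matching on a dot boundary rejects lookalikes such as
    'notbestbuy.com' and 'bestbuy.com.example.net'.
    """
    host, brand = host.lower().rstrip("."), brand.lower()
    return host == brand or host.endswith("." + brand)

def audit(raw, brand):
    """Return (kind, value) findings for an off-domain sender or links."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not on_domain(sender_host, brand):
        findings.append(("sender-off-domain", sender_host))
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlparse(url)
        host = parts.hostname or ""
        if not on_domain(host, brand):
            findings.append(("link-off-domain", host))
        if TOKEN_RE.search(parts.path + "?" + parts.query):
            findings.append(("tracking-token", url))
    return findings

if __name__ == "__main__":
    for kind, value in audit(SAMPLE, "bestbuy.com"):
        print(f"{kind}: {value}")
```

The From header is trivially forged, so an on-domain sender proves nothing by itself; the check is only useful in the negative direction, as it is used in the post.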

Posted by Peter at June 20, 2003 09:19 AM
Comments

…lol

Posted by: blackjack on December 21, 2004 06:01 AM