Monday, 20 April 2015

Emailing people asking if it is OK to email them?!

No, not spam related this time, but I have emailed A&A customers that have lines from us asking them to confirm they are happy for us to email them.

I have not gone insane, honest. OFCOM have made some rules, and to comply with them, we have to have explicit consent to email notices to customers. This is in spite of the fact we make it clear in our terms and customers are well aware that we email invoices, DD notices, and pretty much everything else.

The only mistake I made is that I should have PGP signed the email! Sorry about that.

I have tried to make it as simple as possible - one link from the email and a confirm button. I'd appreciate it if people could follow it and confirm.

We'll email people again if they don't confirm - sorry - but if you don't like it please do complain to OFCOM for being so "creative" with these new rules.

Update: I have resent the email to people that have not yet confirmed, PGP signed. Thank you for the comments on this. So far we have two thirds confirmed, thank you.

12 comments:

  1. Got one for my home account, not sure where the one's gone for work - or is that not needed?
    Did make me chuckle though.

    Replies
    1. At this stage it is going to account email contact and should have gone to everyone. Once we have this down to a smaller number remaining we can work out if we have issues sending emails to some people...

  2. To be pedantic, I agreed to more than email as you said "... by electronic means (e.g. email))".

  3. The email from you looks like a classic phishing attack. Here's an email, claiming to be from your bank or similar, with a link saying you must click on it. Normally I delete those immediately, but given the URL had bothered to use https I cut and pasted the visible text of it into my browser to avoid any hidden text email exploits. Having done the confirmation, I then virus scanned my entire PC since I was still concerned I had been successfully phished.

    There needs to be a better way of doing this to avoid being mistaken for phishing, or getting people accustomed to clicking on such links. PGP signing it would have helped enormously. Posting about it here on your blog first or putting something on the A&A status pages before sending the email would also have been a big help.

    Replies
    1. A few years ago, the Nationwide Building Society (who I had an account with at the time), emailed me some marketing rubbish. The email contained the first half of my postcode and a load of links to different products. The links were not to Nationwide's standard domain and the email was not signed.

      I did as much as I could to confirm that the email was genuine, and then contacted Nationwide, pointing out that them doing this was completely nuts. Although none of the links asked for my banking logon details, I thought it was crazy to send legitimate emails that look almost identical to phishing mails, since that just trains the general public that it's ok to click links in random emails claiming to be from your bank.

      Nationwide replied completely failing to understand what the problem was - apparently sticking the first half of my postcode in the email proves it's legitimate so there's nothing to worry about! In the end I contacted the financial services ombudsman who replied saying they couldn't see a problem and wouldn't do anything about it. You do have to wonder about the thought processes of some of the people who are supposedly paid to think about security.

      My PayPal account is also currently "suspended" because I apparently didn't respond to an email they sent demanding that I send them proof of ID... I'm sure that email got binned along with all the usual phishing emails claiming to be from PayPal asking me to do exactly the same thing!

    2. "Hidden text exploits" - it was a text/plain e-mail, it's hard to hide stuff in those! :)

    3. And paypal/fleabay have recently taken to sending emails with NO plain text section. Even when you have your settings 'plain text only' on their system. I believe that as my email client is set ONLY to show text/plain, and they're aware of that (due to my settings) that any policy updates they send me do NOT apply to me any more :)

    4. I read most of my emails on iPad, so I can't tell whether an email is plain text or MIME. Also it only shows me the friendly text of the sender not their actual email address.

      Today I got an email from "Barclays" saying my online banking is suspended until I click on the link. Highlighting the sender shows the actual email address is nothing to do with Barclays, why on earth doesn't iOS show the actual address? (Yes I know these can be spoofed but most attackers don't bother to do that.) And the link to click on was not on a Barclays domain. But apart from that it looked very similar to the email from A&A, i.e. you must click this for service to continue. Biggest giveaway is that I don't have online banking on my Barclays account, I stopped using it a few years ago but never closed it.

  4. Of course, if it had been constructed as a classic phishing scam, 99% of Adrian's customers would have already clicked on it.

    Replies
    1. What worries me, now, is that it never occurred to me that Adrian's email could be a phishing attack or spam, when perhaps it ought to have raised alarms. I must have subconsciously recognised Adrian's style of sarcasm in the text so no alerts were raised. I doubt that any phishing email would provide such a detailed explanation of why it was necessary to click on the link provided.

    2. I thought A&A customers are generally smarter than that. 99% seems very high even for phishing attacks aimed at the general public, my dad is paranoid about clicking on anything.

    3. To be fair, as I read this blog, the email didn't come as a surprise :)
