XKCD tells it like it is.
I got a phone call from an unknown number, which I naturally let go to voicemail. I later listened to it just in case it was someone actually trying to get a hold of me from some strange phone system; mostly I expected it to be another telemarketer. To my un-amazement it was a computerized voice, just like the majority of the other telemarketers that have called. It claimed to be calling on behalf of Best Buy reminding me that I had some kind of "reward points" that I needed to redeem before they expire, and all I needed to do was go to my reward zone dot com and create an account. Immediately there were red flags, alarm bells, and just about every other cautionary type of signal being emitted from the rational part of my brain; it was obviously a phishing attempt. Here are the red flags my brain threw up as I listened to the message:
First, the computerized voice. There are some legitimate circumstances in which a reputable organization would make an automated call using a computerized voice. For instance, a doctor's office calling to remind you of <your name>'s upcoming appointment on <date and time of appointment>. You see, they could have a computer program working with their appointment database which calls each appointee a couple days before their appointment automatically. Because the <your name> and <date and time of appointment> need to be filled in for each phone call, it would be impossible for a person to prerecord the messages, requiring a computer to read an automatically generated message. Other than circumstances like that, though, the computerized voice probably has a more nefarious purpose, like a mass-distributed spam message. This certainly wasn't a call from anything like a doctor's office; it was supposedly coming from a commercial company which, best-case scenario, would be trying to sell me something. Any company worth my time isn't going to have an automated voice call me and try to sell me something, let alone tell me that they would be needing my personal information. And maybe my standards for trust are unreasonably high, but a computerized voice needs to do more than just claim to be calling on behalf of a reputable company for me to start taking orders from it.
Second, the voice claimed to be calling from Best Buy, but I could think of no reason that Best Buy would need to contact me by phone, and I don't even remember giving them my phone number. I hadn't even bought anything at Best Buy in over a year. And why would a reputable company like Best Buy be calling me with a computerized voice? Don't they have employees who speak English and are capable of recording a real-life human voice message, giving the message at least a modicum of credibility? I don't believe for a second that Best Buy is resorting to these kinds of marketing tactics.
Third, the URL that the message gave me didn't even have "Best Buy" anywhere in it. I would expect a phisher to have at least obtained a URL like "bestbuyrewards.com" or something, at least giving the illusion that the website was associated with the actual Best Buy. It was like they weren't even trying.
Some of the common ways to identify a phishing attempt
Out of morbid curiosity I went to the site to see what kind of phishing attempt was going on. Maybe I would take a screenshot and post it to my Facebook to warn my less-technical friends about the lame phishing attempt going around.
What I found at the site absolutely disgusted me. I was absolutely shocked and appalled. The site...I can't even say it... The site was actually Best Buy. It was actually Best Buy's reward zone website, and the phone message was legitimately trying to remind me that I had reward points from a laptop I had purchased a while ago. It was worse than the phishing attempt I had expected. Much worse. It was like Best Buy was part of some collusion to legitimize phishing techniques. In the world of mainstream internet usage, there are a few bad habits that get people into a lot of trouble, and it's like Best Buy just validated all of them.
Imagine an unkempt, heavyset, 50-year-old man driving an old beat-up van. The windows of the van are blacked out, and he's driving through a nice suburban neighborhood where he stands out, and nobody recognizes him. He pulls up to a local park where children are playing...and waits. Some kids are playing hide and seek, and eventually one of the unsuspecting children finds a hiding spot near the van, completely unaware of the man who is intently watching. The man quietly slides the door open and whispers, "psst... hey kid!" The kid looks over quickly, startled to realize that someone is watching him. "I've got some candy over here in my van," the man continues, "do you want some?" "Awesome!" the kid thinks to himself as he starts to walk over, "I love candy!" The man hands him a bag of his favorite candy and says, "Alright, have fun playing hide and seek!" The man drives off, leaving the kid content with his new candy.
That's what Best Buy just did to internet users.
Best Buy is a pedophile-looking old man in a beat-up van waiting outside of a park, giving kids candy. I'm trying to be the responsible adult, teaching kids how not to get abducted, and Best Buy just messed it all up.