Sophos Cloud Optix
Last week, when many people were still on holiday, Naked Security readers started complaining about suspicious-looking emails appearing to be from popular business networking site LinkedIn.
The emails implied that LinkedIn would give you cash – in return for a survey, that is, and only if you qualified, and so forth. Strictly speaking, the instructions actually said that there were two surveys: a pre-survey to find out if you actually qualified, followed by the real survey.
The text of the email was constant except for the amount up for grabs. The prize money varied, as recipients found out when they compared notes. Some were offered EUR10, others EUR20, one reader stood to make GBP15 and a colleague of mine in Australia suffered a dent to his pride with an offer of nothing. Literally nothing – the amount in his email wasn’t even AUD0. It was an empty text string, like this:
The email had all the hallmarks of a scam. In particular, the lack of any information about how you’d cash out the nominal “prize” – assuming you qualified after taking the pre-survey, of course – seemed suspicious. As Naked Security reader Carl pointed out, “Without any banking details, how will my GBP15 be realised?”
Presumably, the scammers would reel you in using their cash bait, lead you to believe you had genuinely won something, and then ask for personally identifiable information and bank details by means of which they could “send” your “prize”.
Additionally, the survey link you were asked to click didn’t take you to LinkedIn. In fact, it took you nowhere. It looked like the sort of tracking parameter gobbledegook you often get at the end of web links, but the URI had no hostname, and so didn’t actually lead anywhere. Just the sort of mistake a scammer might make, trying to keep track of which dodgy domain he was supposed to switch to for today’s spam run.
Nevertheless, the email headers said that the messages really had come from a LinkedIn server. (That’s not conclusive proof, of course. For all we knew, LinkedIn might have had a hacked email server, or a zombie infestation, or something of that sort. But everything pointed to it being legitimate.)
So it looked as though this was a genuine email campaign, carefully disguised to look like a scam! Most scams are boringly repetitious, but this one was getting interesting – I’d never heard of a bogus scam before.
Soon afterwards, a second email campaign kicked off, again from a LinkedIn server. This one was an apology for the previous email. Not, you understand, saying sorry that it has looked unnervingly like a scam, but that it had contained a broken link:
Peculiarly, the above sample is the apology my colleague received. Yet in his original email, the link was working. It was the prize amount which was broken. Intriguingly, also, the sender’s job title had changed. The first time he’d been the Research Solution Manager. But the second time he had been promoted – or demoted, more likely – to Manager of Member Engagement.
Oh, how we laughed! I don’t know if it was supposed to be a joke, but it worked. We sniggered like schoolboys. It’s hard to imagine a more appropriate job title for someone who has just supervised a monumental email cock-up than Manager of Member Engagement.
Fnarr-fnarring aside, there are some useful lessons to remember here:
* If you are conducting a legitimate email campaign, test it thoroughly before you send it out. Otherwise your campaign will rankle just like real spam – or more so, since it will probably get through spam filters and require human attention.
* Avoid prizes and tempters where no clear mechanism is described for claiming them before entering. Otherwise your competition sounds like a scam that’s building up to ask people for personally identifiable information at a later stage.
* Avoid offering prizes that sound as though they are available to every entrant when they are not. And make sure entrants can work out whether they can win before they click through. Otherwise your competition sounds cheap at best, and bogus at worst.
* Watch out for a job title that is comical. Otherwise you might get stuck with it.
In short, this LinkedIn holiday non-survey wasn’t a scam. And it wasn’t a competition. But it was fun nevertheless.
I'm not sure if this is in their remit, but promotions where a prize is offered have fallen foul of the ASA before now for not including all pertinent terms and conditions in their promotion (such as how to claim the prize), having errors that deny people an opportunity to participate, etc. Might be worth a referral though…
Better to ask the person to log in to the site and then
click on a link for the survey. Makes it much more legitimate.
It’s also a good way to avoid a scam, i.e. go to the site
using a trusted bookmark or by typing the URL in a web browser, log
in, then look for a special link to perform the action. This has
saved me numerous times, I’m sure (especially with my
PayPal account). Best regards, Tom Chief Assistant To The Assistant
Chief (how’s THAT for a job title?)
LinkedIn seems to be having all sorts of problems recently. It has been up and down since they where doing the maintenance. This wouldn’t surprise me that someone managed to click “send” on a template they are going to use in the future.