Banks and financial institutions are constantly giving out advice about email safety, helping customers to avoid phishing scams. Make sure the email is genuine, don't click on links, never give your personal information away online. Sensible advice, unless the financial institution doesn't make it easy to actually verify their emails.
As an American Express customer I was quite annoyed to receive the email below, which appears to fail at common sense in a number of ways. Let's take a look at the email:
I have obscured some details for obvious reasons, but at first glance three things immediately stand out:
- The link is to aefeedback.com (WHOIS data, note no mention of American Express).
- The email address is @researchhq.com.
- Nowhere in the email is there a single mention of, or link to, americanexpress.com.
I have never heard of either of the above domains, nor do they appear to be related to American Express.
It gets stranger, if I hover over the "START SURVEY" button and check the link (always good practise) then it actually points to http://click.amex-email.mar0.net/?qs=<removed>. The email comes from the same domain: email@example.com.
There's a footer on the email which contains some helpful links and company registration details that anybody could find on the internet:
Where do these three links go? Perhaps to americanexpress.com, the legitimate site? No, the "Contact Customer Service" link points to the same click tracking domain as above (click.amex-email.mar0.net), as do the other two. Another domain with no details linking it to the company.
A quick Google search for "researchhq.com phishing" returns an official American Express page as the first link, which is encouraging. Perhaps they will list researchhq.com as their preferred supplier of surveys? Unfortunately the word "research" does not appear and the page hasn't been updated since 2008.
So to summarise we have:
- An unsolicited survey.
- Three different domains, none of which appear to relate to American Express.
- No means of verifying that this is legitimate, such as a unique customer ID or small part of my billing address.
I understand that companies like to do surveys, I am a data geek and like to complete them. I understand these are often outsourced to specialist companies. But it is simply not good enough to send emails which are impossible to verify.
American Express, please consider the following:
- Encourage me to visit your official site for this sort of activity, even if it explains I will be sent to a partner.
- Use your own domain to send out emails.
- Use your own website for links in emails (including click tracking, if you must).
- Include some method of verifying that an email is legitimate, even if this means I have to login to the customer portal.
- Let me manage my communication preferences (including third-party surveys) through the existing customer portal.
PayPal improved this years ago, it is time for other companies to catch up.
Footnote: the plain text version of the email is slightly better and does reference americanexpress.com for "Contact Customer Service", but not all links. Regardless, HTML email is so pervasive nowadays among non-technical users that I can't forgive the multitude of failings above.