I’m not too ashamed of myself to whore out a few select email addresses for personal gain, or even promote a certain company by liking or retweeting something if it will benefit me more than the actions required, but I always keep a hesitant nature towards most of these promotions. I mean who doesn’t like free money?
I received an email the other day supposedly sponsored by a reputable programmer-related site. What it entailed was signing up for a big vendor’s developer program. If I did so, they would send me a $15 gift certificate to one of the major online retailers. I’m trying to keep all parties in this matter anonymous simply because I do not want to promote anything involved in this so-called promotion, and the actual parties involved are irrelevant. The email went something like this:
Happy Holidays Developers!
Get a $15 [online retailer] Gift Certificate by joining the [vendor] Developer Program (no charge!)
Thanks to your [programmer site] participation, here’s all you have to do!
1. Visit The [hyperlink to vendor site] and register at no cost!
2. [vendor] will send you a validation email: confirm your registration following the URL provided in the email which will prompt you to choose a password
3. Once you have chosen a password, [vendor] will then send you a password reset email: forward the password reset email and the sign up email address used to [promotional site email]
4. Once verified on our end, a gift certificate will be sent to you promptly after the program ends!
Hurry! This is limited to the first 600 respondents, one per person.
For full terms and conditions please visit [marketing link to promotional site]
Step 3 is the one that caught my eye here. You want me to forward you an email sent to me that allows me to reset my password? By doing this I would essentially be sending the promoter an email containing a link with an embedded token that lets them authenticate as me and then change my password, essentially gaining access to my account at this vendor site. Mind you, this isn’t exactly a critical account. But still, these are very poor security practices.
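To make the step-3 problem concrete, here is a small added example of my own (not code from the vendor, the promoter, or this post) of a password-reset flow: the token in the e-mailed link is a bearer credential, so whoever holds the forwarded mail can complete the reset, and single use plus a short expiry are the server-side limits on that exposure. The 15-minute window, the vendor.example URL, and the SHA-256 token store are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Assumed reset-window length (illustrative); real services pick their own.
RESET_TTL_SECONDS = 15 * 60


class PasswordResetService:
    """Toy account store with single-use, expiring password-reset tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.passwords = {}   # email -> hash of password (toy; use a real KDF in production)
        self.pending = {}     # hash of token -> (email, expiry timestamp)

    def register(self, email, password):
        self.passwords[email] = self._hash(password)

    def issue_reset(self, email):
        """Create the raw token that goes into the e-mailed link.
        Only its hash is stored, so a leaked table cannot be replayed as live tokens."""
        token = secrets.token_urlsafe(32)
        self.pending[self._hash(token)] = (email, self.clock() + RESET_TTL_SECONDS)
        return token

    def reset_link(self, token):
        # Hypothetical URL of the kind a vendor's reset mail would contain.
        return "https://vendor.example/reset?token=" + token

    def complete_reset(self, token, new_password):
        """The token is a bearer credential: whoever presents it first, the account
        owner or anyone the e-mail was forwarded to, sets the password.
        Returns True on success; single use and the TTL are the only limits."""
        entry = self.pending.pop(self._hash(token), None)   # pop = consumed either way
        if entry is None:
            return False                                     # unknown or already used
        email, expires_at = entry
        if self.clock() > expires_at:
            return False                                     # link too old to honour
        self.passwords[email] = self._hash(new_password)
        return True

    def check_login(self, email, password):
        return self.passwords.get(email) == self._hash(password)

    @staticmethod
    def _hash(value):
        return hashlib.sha256(value.encode("utf-8")).hexdigest()
```

The flow shows why forwarding the mail is equivalent to handing over the account until the token is consumed or expires; a reset mail should never be shared, and services should keep the window short and the token single-use.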
So, what’s to be learned from this? Pay attention to what’s being asked of you. If it seems slightly out of the ordinary, it probably is. Inboxes are being filled with more and more spam these days, some make it through, and some even seem legitimate. It’s up to the users to educate themselves on how to detect and avoid these types of situations. In closing, I’ll leave you with a list of things you can do to help protect yourself.
- If it seems too good to be true, it probably is. So use common sense, people!
- Do not click on links in emails – period! Just because it says it’s a link to SiteA doesn’t mean it’s actually going there.
- Enable spam controls on your email client – if you’re using Outlook, Thunderbird, or even Gmail’s web interface – they are all pretty good at detecting what may or may not be spam.
- Use multiple email addresses, or use Gmail’s ‘+’ addressing feature or mailnull, to help sort out those mailing list emails and let you know which addresses are being distributed to others.
- Do not load images by default or at all.
- Do not enable scripting at all!
These are just the tip of the iceberg, but you get the idea. Help protect yourself and you’ll be helping to protect all of us.