
September 30, 2014

Rewards/Surveys Scams

A lot of retail companies have so-called rewards programs that give customers cash back or discounts throughout the year in return for registering as a shopper with the establishment (usually a chain). You, as a customer, essentially give up highly detailed shopping pattern information each time you go through the register line and show your numbered rewards card.

Many of these companies also encourage customers to sign up for email notifications of special pricing or discounts. It's not uncommon to receive at least one such email each week. After a time, you don't think twice about the validity of the email, especially if it displays much of the same iconography (logos, trademarks, and HTML design elements) from week to week.

For example, here is an email originating from the CVS Pharmacy chain directed at its ExtraCare rewards program members:

[Image: legitimate CVS email]

After you have seen dozens of these kinds of emails, the following one comes into your inbox, indicating the sender is "CVS Card Savings" and the Subject: is "Attn:CVS-Card Perks Currently-Expiring! #1421138629":

[Image: the second email, from "CVS Card Savings"]

Because the overall appearance of the second one has plenty of recognizable visual cues borrowed from email messages you've seen before, your instinct is more than likely to consider the second one to be as legitimate as the first.


Ignoring the fact that the message content arrives with an action deadline from a couple of weeks ago, all it takes is a mouse rollover of the active links to discover that the destinations of the second message's links are not to cvs.com (like the first message) but to something entirely different. While it is true that some legitimate companies hire outside firms to handle genuine surveys, I can't imagine CVS hiring a firm whose domain name was created one hour before the email message was sent.
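The two checks described above (where the links really point, and how new the link domain is compared with the send time) can be automated for a mail filter or a triage script. The following is an added example, not code from the original post: the function names are hypothetical, the domain creation time is assumed to come from a separate WHOIS/RDAP lookup, and the sample message is constructed.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect every <a href>, i.e. what a mouse rollover would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def off_brand_links(raw_message, brand_domain):
    """Return link hosts that are neither brand_domain nor a subdomain of it."""
    collector = LinkCollector()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    hosts = {(urlsplit(h).hostname or "").lower() for h in collector.hrefs}
    # Match on a dot boundary so "cvs.com.evil.test" does not pass as cvs.com.
    return sorted(h for h in hosts
                  if h and h != brand_domain and not h.endswith("." + brand_domain))

def created_shortly_before_send(raw_message, domain_created, window=timedelta(days=30)):
    """True if the link domain was registered within `window` before the Date header."""
    sent = parsedate_to_datetime(message_from_string(raw_message)["Date"])
    return timedelta(0) <= sent - domain_created <= window

# Constructed sample: sender name and Subject are from the post; the address,
# Date, and every link below are made up (.test is a reserved TLD).
SAMPLE = """\
From: CVS Card Savings <perks@survey-example.test>
Subject: Attn:CVS-Card Perks Currently-Expiring! #1421138629
Date: Tue, 30 Sep 2014 09:00:00 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<a href="http://www.cvs.com/extracare">ExtraCare</a>
<a href="http://click.survey-example.test/r?id=1">Take the survey</a>
<a href="http://cvs.com.survey-example.test/">cvs.com</a>
"""

if __name__ == "__main__":
    print(off_brand_links(SAMPLE, "cvs.com"))
```

The third sample link shows why a plain substring test for "cvs.com" is not enough: the brand name appears in the host, but the registrable domain belongs to someone else.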

I don't know what happens if you start following the click trail from the second email (life is too crowded today), but the consequences for you could range from putting survey money into the hands of the spammer (and don't expect to ever see your bonus reward in return for your wasted time) all the way to more nefarious drive-by downloads/installations of malware on your computers (especially of the unpatched or unprotected Windows varieties).

As a rule, I avoid all survey requests received online (or via telephone robocalls) as if they are capable of sneezing Ebola into my face. The more you are promised in return for your participation, the faster you should run away.

Posted on September 30, 2014 at 11:30 AM