Hilton hotels' email so much like phishing it fooled its own techies

Hilton hotels' HHonors loyalty program has shipped an email so similar to a phishing email it tricked its own IT shop into advising that it was a scam. The email was an attempt to get customers to confirm their contact details by logging into their accounts and revising their stored contact details. One user reported the …


  1. Pascal Monett Silver badge

    "tricked its own IT shop into advising that it was a scam"

    That is the demonstration of the gap that exists between marketing and IT security. Marketing wants to be as friendly as possible and make things as easy as possible for the user, so sends all details, puts links in buttons and invents stupid names like HHonor that make people forget what a typo is.

    The IT security comes in, sees all the stupidity and goes "That is too dumb to be real - avoid".

    Inevitable, really.

    1. Dabooka
      Thumb Up

      Re: "tricked its own IT shop into advising that it was a scam"

      Absolutely spot on.

      Like most on here I'd have had that in the bin within seconds, just on appearance and content, but I'd love to know how many recipients blithely clicked through anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: "tricked its own IT shop into advising that it was a scam"

        Most of the places I have worked have offered an employee's incentive scheme that looked so much like a scam that I never even looked at the discounts.

        The rest offered shitty discounts so I doubt I missed anything.

      2. Antron Argaiv Silver badge
        WTF?

        Re: "tricked its own IT shop into advising that it was a scam"

        I never click an email link to "confirm" ANYTHING.

        Think about it: if my details are somehow incorrect, I won't be able to avail myself of whatever service I'm subscribed to, so isn't it in my own best interest to ensure that they're always correct?

        I thought so.

        Corporations may be people (at least here in the USA) but they appear to be very DUMB people.

        1. Alien8n

          Re: "tricked its own IT shop into advising that it was a scam"

          @Antron almost the same here, except where I know I've triggered the email personally from the website in question (usually a secondary security check for updating passwords)

      3. DJSpuddyLizard

        Re: "tricked its own IT shop into advising that it was a scam"

        Like most on here I'd have had that in the bin within seconds, just on appearance and content, but I'd love to know how many recipients blithely clicked through anyway.

        I imagine it's actually worse - lots of people thought it was phishing and may have clicked the SPAM! SPAM! SPAM! button, ensuring that no other legitimate emails from HHHHHonors ever reach them.

    2. Swarthy
      Pirate

      Re: "tricked its own IT shop into advising that it was a scam"

      Obligatory Bill Hicks marketing quote.

      We all know it.

    3. Doctor Syntax Silver badge

      Re: "tricked its own IT shop into advising that it was a scam"

      "That is too dumb to be real - avoid"

      And given that they probably have some experience of marketing that translates as "too dumb to be marketing" which is really plumbing the depths.

      1. Anonymous Coward
        Anonymous Coward

        Re: "tricked its own IT shop into advising that it was a scam"

        Keep the link with the login information and only use your own link to sign into anything. Paranoid, yes, but simple and effective.

  2. Anonymous Coward
    FAIL

    If it asks for details and has a link

    It's a scam.

    End Of.

  3. Anonymous Coward
    Anonymous Coward

    I'm having trouble deciding..

    .. which specific scam this is (come on, it's a marketing email so it's a scam by default): Privacy Zuckering, Forced disclosure, Roach Motel or a combination of all of the above.

    1. tfewster

      Re: I'm having trouble deciding..

      Thanks for the links - interesting reading! My view is that I'll put no more effort into cancelling something than I did subscribing to it. 5 minutes, tops, including searching for an "unsubscribe" button or else emailing them. After that, I de-authorise them with the bank/credit card company (another 5 minutes), and it's no longer my problem.

      Oh, unless they get nasty - Chasing invoices or threats to my credit rating - in which case I escalate, by informing them of MY charges for handling their "account" with me, CC'ing the MD and a couple of consumer advocates. I love it when they try that!

  4. Sgt_Oddball
    Paris Hilton

    Wait a minute....

    They're expecting the marketers writing these emails to not think like scam artists?

  5. Tony S
    Paris Hilton

    I had that email.

    My reaction was also "just another scam" as I haven't used Hilton since last year, due to the way they handled a complaint of mine. So I deleted it.

    Way to go Hilton. (Paris of course)

    1. Yet Another Anonymous coward Silver badge

      How did she fail to handle your complaint - wouldn't she rub in the ointment?

      1. Alistair
        Joke

        For that she gets the hose.....

  6. Andrew Commons

    Situation normal then

    I get an email every year from a large Australian Domain Registrar asking me to go and verify my contact details.

    The ONLY part of the email that actually relates to said registrar is the branding. Everything behind it - including the link behind the text link to 'www.registrar.com' - is not related to the registrar. This includes the email headers. It's all through the mass mailer they have outsourced the job to.

    My attempts to talk to them about this lead me to believe that it is legitimate but everything about it screams BEWARE. They see nothing wrong with it.

    1. Hollerithevo

      Re: Situation normal then

      So not just me. Every time I get one I think: why? Does this ever work for you?

    2. Doctor Syntax Silver badge

      Re: Situation normal then

      "I get an email every year from a large Australian Domain Registrar asking me to go and verify my contact details....They see nothing wrong with it."

      If they - a domain registrar, for crying out loud - see nothing wrong with it why are you still with them?

  7. Anonymous Coward
    Anonymous Coward

    The reason it looks like a scam is because it is a scam.

    But it's a genuine Hilton scam, not a phishing scam.

  8. anothercynic Silver badge

    The other thing about Hilton...

    ... They use external comms people to do some of this, so it's not even run by internal comms/support to check it's ok.

    *sigh*

  9. AMBxx Silver badge
    Coat

    At least it's not flash!

    We should all be grateful that flash isn't available for email content!

    1. Anonymous Coward
      Anonymous Coward

      Re: At least it's not flash!

      .. unless it's an HTML email ..

  10. Anonymous Coward
    Anonymous Coward

    We can do better.....

    In our company, we received two emails within the same week, both from internal company domains:

    The first one threatened us with losing various login and access rights, immediately within 48 hrs, unless we clicked on a link which would take us to an online security training that we had to pass. This (it turned out) was a test-phish by IT. Everyone in my team just delete-ignored. People who clicked on it in other teams (and went through the "enter credentials") were later contacted by IT, told they were very naughty and to never do it again.

    The second one threatened us with losing our login and access rights, immediately within 48 hrs, unless we clicked on a link which would take us to an online security training. This, it turned out, was NOT a test phish. No-one in my team clicked on the link. We all lost our access rights, and couldn't check in code for some days.

    AC for a reason.

    1. Antron Argaiv Silver badge
      FAIL

      Re: We can do better.....

      Someone in your company should take the person who authorised the second email out behind the dumpster and explain to him or her, in very clear terms, why that sh*t doesn't fly.

      1. Charles 9

        Re: We can do better.....

        And if it turns out to be someone over IT's head?

        1. Rich 11

          Re: We can do better.....

          And if it turns out to be someone over IT's head?

          Then deploy the cattle prods and sabotage the executive lift doors.

        2. Captain DaFt

          Re: We can do better.....

          "And if it turns out to be someone over IT's head?"

          Then the person administering the lesson should put a Balaclava on first. :)

      2. Anonymous Coward
        Anonymous Coward

        Re: We can do better.....

        Someone in your company should take the person who authorised the second email out behind the dumpster and explain to him or her, in very clear terms, why that sh*t doesn't fly.

        And THAT is why they invented percussive education..

        1. Charles 9

          Re: We can do better.....

          "And THAT is why they invented percussive education.."

          And then they discovered masochists...

    2. Alistair
      Windows

      Re: We can do better.....

      At least here, we have a specific group to handle things like that - pick the mail up, drop it in a new mail and forward it off to the security team ...

      If it isn't a phish they come back with a *yeah, that's legit* comment. If it is they (try to) craft a rule to filter.

      If it's a security test phish they send back a cute little "certificate".

      If you're a manager or above and you forward the mail to your entire team with the "ignore this" you get a fairly nasty slap on the back of the head.

  11. bentaylor

    Banks are just as bad

    I had an email from my bank advising on how to avoid fraud, including clicking on links in emails and text messages. It had a link at the bottom to click and find out more *facepalm*

    1. Ben Tasker

      Re: Banks are just as bad

      Perhaps if you'd clicked it, it would have resent the email, but in a larger font this time to try and get the information to sink in?

      But yeah, I've had similar from my bank - we take account security very seriously, click this link to a random looking domain to find out how to avoid getting scammed

    2. Doctor Syntax Silver badge

      Re: Banks are just as bad

      "It had a link at the bottom to click and find out more"

      It might, of course, be something akin to the test phish mentioned above. At least it would enable them to find out who are the numpties in their customer base. But the balance of probabilities is more likely a numpty in marketing - possibly tagging it onto a draft written by somebody who actually knew the score.

  12. d3vy

    They sent an email asking people to confirm their email address.

    Genius.

  13. Tikimon
    Thumb Down

    Sometimes they're even auto-flagged as malware

    One of my users was complaining that the links in a message from a known vendor weren't working. Clicking them got a web page generated by our web filtering appliance that said "This address has been associated with malware..."

    The links looked dodgy as hell! They were all a mile long, and used a weird-looking mail server address. Even a link to a short domain name was turned into something long and suspicious. I advised her that the warning may have been right, and could she send me an older message from that source to review?

    As it turns out, the sender uses a marketing outfit that routes all traffic through their domain (for conversion tracking, I suppose). After a few days the block was lifted, so I'm guessing they had in fact been used to send malware mails. Clearly they have no idea how to look legit in this suspicious world.

  14. MOH

    "should ask customers to call phone numbers they need to look up on credit cards or websites,"

    Hoping this is a typo, because I'm struggling to parse this

    1. Jeffrey Nonken

      "should ask customers to call phone numbers they need to look up on credit cards or websites,"

      Instead of providing (possibly false, which it would be if it were a scam) information directly in the email, tell the customer to use contact details they would have elsewhere. For example, there are contact numbers on the back of your credit card. They could also log into a known website to get that information.

      How's that?

  15. Dave Harvey

    Purchase order systems can be just as bad

    Here's a REAL e-mail I received with an attached PO as a PDF named "216157871.pdf". And no, there wasn't a name after "Dear"!

    Dear,

    Herewith you receive our purchase order - 216157871.

    Best regards,

    Xxxxx Yyyyyy

    Procurement officer

    xxx@zzz.com

    How many of you would have thought of doing anything except binning it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Purchase order systems can be just as bad

      Phone them and ask them to confirm that the email looking exactly like a scam really came from them. Emphasise the reasons you are asking this and request that they try not to look like scammers in the future, then hang up and use a few expletives.

      1. Mark 85

        Re: Purchase order systems can be just as bad

        Emphasise the reasons you are asking this and request that they try not to look like scammers in the future, then hang up and use a few expletives and then hang up..

        FTFY

        1. Anonymous Coward
          Anonymous Coward

          Re: Purchase order systems can be just as bad

          It seems that the essence of a person's telephone manner often comes down to the order of those last two.

      2. The IT Ghost

        Re: Purchase order systems can be just as bad

        I would have replied back with "As you are a new customer, please pay half of the balance due immediately in Bitcoin or wire transfer. Once we have had satisfactory business relationships for two consecutive quarters, we will be happy to discuss Net 30 or possibly Net 90 payment terms. The paid amount is non-refundable unless we are unable to provide the agreed product within the agreed time frame. Thank you."

        Of course, I'm not in accounting, ergo I would never receive a real PO, so it's easy for me to know it is not legit. At least it's a PDF - we had a customer who got a very similarly-crafted email with a DOC attachment. Fortunately, the recipient was wary and didn't open it.

  16. VinceH

    Although not an email, and a bank not a hotel, HSBC have exhibited a similar level of facepalmery re a survey thing that was on their online banking back in January, which appeared when you logged off.

    I made a remark on the Twitter along the lines of filling in the survey so I could make a point of saying how crap their tablet-centric log-in was*. Their Twitter person/people replied to say there was no survey... I went back to their website, looked at the source, pointed it out to them, and they confirmed that there was.

    * They've since changed it, and it's now unfriendly to keyboard users. Twits.

  17. Pirate Dave Silver badge
    Pirate

    Protection

    "sometimes, non-technical users need to be protected even when they don’t realise it."

    No, that would be "ALL THE TIME", not "sometimes". I swear, some users would try lighting a cigarette in a gasoline refinery.

    Education about the evils possible in an email helps, but it can take years to pound that through some people's thick skulls. Eventually, though, most of them will realize email isn't a happy utopia of rainbows and unicorn farts where everybody loves each other, but a dark, gritty place full of greed and malice. Mostly greed. It can take decades, though.

    1. Charles 9

      Re: Protection

      "Education about the evils possible in an email helps, but it can take years to pound that through some people's thick skulls. Eventually, though, most of them will realize email isn't a happy utopia of rainbows and unicorn farts where everybody loves each other, but a dark, gritty place full of greed and malice. Mostly greed. It can take decades, though."

      And for those who STILL can't get it? Especially those who happen to carry the immunity of an executive position?

      And BTW, if you're forced to coddle to stupid all the time, how do you get things done?

      1. Pirate Dave Silver badge
        Pirate

        Re: Protection

        "And for those who STILL can't get it? Especially those who happen to carry the immunity of an executive position?"

        I honestly don't have a good answer for this. I've realized that there's a small percentage of idiots who will ALWAYS do the wrong thing, in spite of my years of lecturing and harping, and sometimes some of them are C-level. For those, it's like dealing with a 2-year old - I know there are going to be messes to clean up and no way around it, so I just hope they move on to another job soon.

        Vigilance does help somewhat - if I see a new type of scam/virus email that gets past our junk filters, I immediately send a warning to all employees saying it is a scam.

        I work at a university - some things never get "done", they just get forgotten about with the passage of time...

  18. matchbx
    Facepalm

    Actual Conversation between 2 tech bods

    Tech1: hey Tech2... I got another "this might be spam email" from a user again.

    Tech2: How many times have we told those #$%^&$ in Marketing not to do that.

    Tech1: I don't know... I'm getting tired of this crap... they never listen to us......

    Tech2: To @#$%$^ with Marketing... tell the user it really is spam and to delete it... that might drive the point home....

    Tech1: good idea....

  19. TXITMAN

    Pure junk either way. I have been blocking their mailings for years via my local DNS blocklist and email server setup.

  20. Brian of Romsey

    Verifiable?

    Should entities like banks etc. have published public keys so that customers can verify emails have come from 'Marketing at XYZ Bank' or 'XYZ Bank'? The peeps in marketing need their own key so they won't poison the reputation of the proper part of the enterprise. One could hope that the process to get messages signed would be rigorous enough and bypassing would be a sacking offence so that it would be taken seriously.
