Email spam filters catch the vast majority of fraudulent email these days (Google says 99.9%), but there is still the occasional phish or three making its way through the nets.
Today, I was positive I’d spotted one (see my inbox above). An Uber-phish, no less. The only thing that surprised me about the message was how obviously fake it looked given the preview in my Gmail inbox. The hacker wasn’t even using the real Uber.com domain; it was from an Uber.us domain (see note 1), or so it seemed. And the offer seemed too good to be true, 50% off 10 rides, when I was already an active customer (see message below inset).
Naturally, I clicked on it to see what other clues the hacker had left in the message. But much to my surprise, I am almost positive it’s legit, since there is no requirement to provide any personal info or even to log in. It turns out Uber.us was just the company’s cute email sender name (the display name) attached to a legit uber.com address (firstname.lastname@example.org).
And that crazy-good offer? It turns out it’s just for the next 7 days, and is capped at $10 per ride. So that sounds plausible: almost, but not quite, a bait and switch. Here’s the full fine print (which could only have been written by a real marketing department):
Promotion applies to uberX and uberPOOL rides taken between 2017-06-19 08:00 AM and 2017-06-26 08:00 AM in Seattle, 50% off up to $10 per ride. No promotion code is required to redeem this offer. Your discount will automatically apply to your next ride. This offer is meant for you, the original recipient of this email, and can’t be shared with a friend.
- Sender address still matters, a lot. Don’t get too cute. While in theory it’s nice to rotate the sender address to avoid spam filtering and email blindness (the email version of banner blindness), it’s counterproductive if the recipient thinks it’s fraud. And that’s always a concern, especially with financial services messages.
- Offer a way to verify the legitimacy of the message, especially when testing a new offer, sender, or heading. One of the easiest ways, though not foolproof, is allowing recipients to view the email/offer on your website. That’s another thing Uber failed to do on its 50%-off promo.
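The check a recipient (or a mail gateway) actually wants here is the one the post walked through by hand: split the From: header into its display name and its real address, and flag the case where the display name looks like a domain (“Uber.us”) that is not the domain the mail was actually sent from (uber.com). The script below is an added example written for this post, not Uber’s code or anything from the original email; the header values are constructed samples, and the `registrable_domain` helper is a deliberate simplification (last two labels, no public-suffix list) so it would misjudge domains like `example.co.uk`.

```python
import re
from email.utils import parseaddr

# A bare domain-like token inside a display name, e.g. "Uber.us" or "paypal.com".
# Assumption: simple ASCII regex; it can also match version strings like "v1.2",
# so treat a hit as a reason to look closer, not as proof of fraud.
DOMAIN_IN_NAME = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a hostname to its last two labels (mail.uber.com -> uber.com).

    Simplification: no public-suffix list, so two-label TLDs (co.uk) are wrong.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_from_header(from_value):
    """Compare the display name of a From: header with the sending domain.

    Returns a dict with the parsed parts and a `mismatch` flag that is True when
    the display name contains a domain-like token whose registrable domain differs
    from the registrable domain of the actual address. This is exactly the
    "Uber.us <...@uber.com>" pattern from the post: legit mail that looks spoofed.
    """
    display, address = parseaddr(from_value)
    if "@" not in address:
        return {"display": display, "address": address, "address_domain": None,
                "name_domains": [], "mismatch": False}
    address_domain = registrable_domain(address.rsplit("@", 1)[1])
    name_domains = [registrable_domain(m) for m in DOMAIN_IN_NAME.findall(display)]
    return {"display": display, "address": address, "address_domain": address_domain,
            "name_domains": name_domains,
            "mismatch": any(d != address_domain for d in name_domains)}


# Constructed sample headers (not from the original email).
SAMPLE_HEADERS = [
    "Uber.us <promo@uber.com>",                   # the post's case: real address, odd name
    "Uber <promo@uber.com>",                      # plain brand name, nothing to compare
    "promo@uber.com",                             # no display name at all
    "Uber.com <rewards@uber-rewards.example>",    # name claims a domain the sender lacks
]


def scan(headers=SAMPLE_HEADERS):
    """Run the check over a list of From: values and return the flagged ones."""
    return [h for h in headers if check_from_header(h)["mismatch"]]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_from_header(header)
        verdict = "LOOK CLOSER" if result["mismatch"] else "ok"
        print(f"{verdict:11} {header!r} -> name domains {result['name_domains']}, "
              f"sent from {result['address_domain']}")
```

A mismatch is not the same as fraud: the post's own message was legitimate, and that is the marketing lesson. The value of the check is that it surfaces precisely the senders whose display name invites the recipient to distrust them, which is what a sender should avoid and what a gateway might want to annotate.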
1. Uber.us is NOT registered to Uber, but to an individual in Washington state and is parked at Godaddy.