QUESTION: As you read this post, also think about it from a communications and reputation-management perspective. If you were the company affected by this scam, how would you handle it?
Well, imagine my surprise yesterday when I made myself a mid-morning cup of coffee and re-opened my email to get caught up, and suddenly found there an invoice for nearly $300 for two pairs of pants I never ordered!
After the initial “WHAT?!” shock, and just I was about to run my mouse to the link to deal with this mistake, something made me just stop moving for a moment. I removed my hand off my mouse, took another sip of coffee, and then just quietly stared at the message, reading it very carefully. I didn’t click on anything, I didn’t touch any buttons or try to open any links. I just sat and looked at it. I asked myself a few questions, too, while doing so.
But first, here it is:
Pretty convincing, eh?
Funny how much you can take in in just a few seconds when you decide that something is wrong other than what initially appears to be wrong (i.e. the initial thing that appeared to be wrong was the purchase; upon reflection, the secondary thing that appeared to be wrong was the email itself).
Here were the questions I pondered:
- Could someone else have ordered some nice new clothes for me as a surprise? Answer: not likely, especially not in that size! (heh, I wish…better get back on my bike!)
- Is this a legitimate company? What’s it called? Shop LA Style. Answer: Yes. I Googled it in a separate window, without touching the link in the email.
- Could someone have stolen my credit card and email address and placed an order for themselves? Answer: No. Not this time. No charges were put through on my credit card.
- Could the link displayed in the message be legit, or is it somehow masking a different URL that I would be whisked off to, only to have my entire digital life destroyed by some nasty bug or bomb or something? Answer: It’s a masked URL pointing to a site that is nearly, but not quite the same (they added a few letters to the end of the legitimate company’s URL). I found that out by carefully hovering my mouse over the link then right-clicking it to reveal the link without actually clicking on it (NOTE: this is how it works in MAC MAIL !!! Don’t know how this works in Outlook, so BE CAREFUL!)
In more detail, here are the clues that tipped me off, and that I would encourage you to consider if you encounter a potential scam like this before you click on ANYthing!
- I received two copies of this email…
- …to two different email accounts…
- …from a company I’ve never heard of…
- …for an order of clothing I could only fit into in my dreams…
- …on a credit card that was already too close to the limit for an order of this amount to go through…
- …and they don’t give any hint as to the number used for the payment (most online receipts for VISA payments show the last four digits of the VISA card to prove validity and to help the customer, who maybe has more than one VISA card, figure out which card they actually used.
- Clue number 7 came when I inspected the link in my email without opening it: the visible link says that it’s from shoplastyle.com, which I googled and is a real clothing store with a website, but the real link that is revealed when I inspect it is “shoplastyle-clothes.com” — even though it looks like a duck it really squawks like a chicken. (HINT: Even just one letter different in a URL is a COMPLETELY different domain/registration and can be owned by someone completely different. Masking the real URL and making it look different to the eye than it is to the mouse click is not hard for hackers, not hard at all….)
- And clue number 8 is in the copy itself, the instructions about refunds. Invoices are rarely included in the order — the emailed invoice IS the invoice, the paperwork included in the order is just the packing slip. The information there is all wrong. I figure they are trying to prevent people from storming Shop LA Style’s retail stores demanding refunds for orders they didn’t place (and don’t exist) because that lets them fly under the radar just that little bit longer on that particular store’s name.
Of course, I have to admire the cunning strategy they are using, much as I despise them for it. They aimed to upset me and entice me into clicking their link so that I, in my agitated “But I didn’t order anything from you!” state would get sucked in to their cesspool while I thought I was undoing an order I didn’t order, or trying to figure out who ordered it on my card, or whatever.
It has nothing to do with the real store, I’m quite certain.
On a marketing note, this is one of the reasons why “transparency” is SO important, and why reputation and trust in the digital world are so fragile. I can only imagine the potential for hate-mail, angry phone calls and furious customers descending on Shop LA Style from people who have been tricked and don’t fully realize it yet… If you were the communications and marketing manager at www.shoplastyle.com, what would you do to respond to this threat to your credibility, especially as it has nothing to do with you? Shop LA Style is as much a victim of this scam as I nearly was… and maybe more-so…
I’ll bet this scam really, really works well.
Be careful out there.
ea/
I nearly clicked on that link too – the one that is supposed to show the invoice/order info!!! I think that’s the one leading to the virus or whatever or perhaps it’s something that will ultimately get our VISA info? As I have told on my blog, I just got out of bed and just 50% conscious when I read the email. lol.
This is really savvy, if you ask me. nearly got me and I’m no noob in the virtual world too, living and breathing the internet to put it mildly, so, you’ve got to hand it to these scammers. hand them a bomb or something, that is. lol ๐
Hi gie,
I’m glad I wasn’t the only one. It’s pretty scary how much willful damage smart people with anti-social/self-serving goals can do to the rest of us.
๐
Thanks for your comments!
ea/
I’m Cynthia from ShopLAStyle.com. This is a great post and it’s interesting to hear the reaction of somebody who received the email. I’ve obviously heard from hundreds of people about this email. It was a clever one. I heard from some pretty savvy people who fell for it or at least were tempted like Erin was.
Another red flag with these emails is that all order confirmation emails I receive have some sort of billing and shipping address information. This email had none. It was one of the things we pointed out when we were trying to convince people that it was a fake. All of the order confirmations we send out include the billing and shipping address for the order. We also have some pretty good experience dealing with actual credit card fraud since we have been an online retailer for almost 9 years. When we receive an order that is placed with a stolen credit card the criminal never uses the real person’s email address. Their goal is to get the merchandise shipped to them while drawing the least amount of attention to their order.
Here is a little insight as to how things went on our end yesterday morning. Like Erin, I had not been up very long and was drinking coffee, checking email, etc. when I started getting voice mail notifications one after another. I’m talking like 5 messages every few minutes. I immediately knew something was wrong. I listened to one of the voice mails and it was somebody who was pretty upset about the order that they didn’t place. Since this is the second time the spammers had used us (it had happened 6 months ago as well) I immediately knew what was going on. My heart sank and I knew I was in for a tough day. The first thing I did was leave a message on our voice mail trying to explain to people what was happening. I knew we didnโt have the manpower to return all the phone calls that day and the voice mails just kept pouring in. This worked pretty well. The next thing I did was update the contact us section of our site because I knew this was where people were going to be looking. But the site was down. The last time this happened it did not bring the site down. So now it’s time to call our IT guy and get his take on what is bringing the server down. I think sometime after that I post something to our facebook page. There were already many angry posts. What is tough is that I never got the email. I didn’t know about it until it was out there for a bit so people were looking for answers before I was even aware of what was going on. We spent the rest of the day answering emails, posting to facebook, blogging, fixing the site, etc. It was a frustrating day and it was hard not to take the angry comments personally. Now, I think most people understand what happened and that we were not involved. It really helps to have posts like this one to inform people.
I’m resigned to the fact that this situation will happen again since there is nothing we can do to prevent it. For the business owners that have yet to experience something like this, I can tell you what I will do differently for the next time. I will have facebook, twitter, blog posts, etc. pre-written so that they can be posted quickly. You can not respond fast enough. People will be demanding answers 20 minutes before you even know there is a problem. I am also going to have a spam section of the website up permanently that describes general spam tactics. In addition we will be making some technical changes which are too boring to list here.
Now that we are 24 hours out I can say that good things came of this experience. We learned a lot and itโs situations like this one that push me to run my business better.
Thanks for stopping by, Cynthia. I’m glad it was interesting for you to read a recipient’s experience, and hope my analysis is helpful to others who received this email scam, too.
I’m sure this has been an awful headache for you. I hope it dies down soon and you can get back to business-as-usual.
It’s scary to see how easy it is for an unscrupulous person (or crew) to cause serious damage to someone’s reputation. Thank you for listing your “lessons learned thus far” so others can learn from your experience.
I think I might dig around a little and see what I can glean from others’ best practices that they’ve developed in the wake of such nightmares. There might be a few more good rapid-response ideas out there, too.
Good luck sorting this all out and settling it down. Maybe you can even leverage this into a higher profile and win some new customers!
Hey, why not try?
๐
ea/
You might be interested in this one blogger’s analysis of the story, and ShopLAStyle’s reaction to it: http://kian.gl/6v4r
I was, of course, only one of hundreds of people hit with this hacker’s email message.
My deepest sympathies to the folks at ShopLAStyle. On the bright side, I’d never heard of them before, and now I have, and I feel empathy for their struggle in this issue. I might even have to check out their store.
Every cloud has a silver lining.
Maybe.
ea/