Don't get hooked like a big dumb Trout!

Owners of my security e-book The Hacker’s Nightmare have been too well educated to ever be caught by scams like the following. However they are exactly the type of thing that catches millions of less wary people on a regular  basis.

TWITTER TWADDLE!

The scumbag spam brigade is currently inundating e-mail in-boxes with fake messages purporting to be from Twitter.

You can easily identify the fakes — they contain a link that the sender wants you to click.

PLEASE KEEP THIS IN MIND…

All legitimate providers of any sort of membership service (social media sites, financial institutions, etc) are now awake to the fact that, in the interests of their customer’s security, they should not include “Click Me” links in their HTML e-mail communications.

If they really want you to login to your account and do something, they will ask you to do just that, with something like: “Please login to your account“. Maybe they will provide you with the login URL, but not as a link. However more often than not as a member you will be expected to know the login URL, along with your username and password.

HTML & PLAIN TEXT DIFFERENCES …

Be sure you know how to tell an HTML e-mail from a plain text e-mail.

Hovering your mouse pointer over a link in an HTML e-mail will usually display a little pop-up window containing the real URL that the link is pointing to — regardless of what the link text itself says.

In other words, a link in an HTML e-mail can lie to you. The link text might say something like:

Please click on the link below:
http://twitter.com/account/name@yourdomain.com

But in fact the link will take you to: http://hackerbot.xxx/gotcha/

ON THE OTHER HAND…

With a plain text e-mail, what you see is what you get. So long as you recognise the URL as being valid it is safe to click on. But you still have to be careful that it’s not a carefully constructed look-alike.

ANOTHER ONE DOING THE ROUNDS…

…is a plain text e-mail with no links in it, but with an HTML file attached. The body text of the e-mail will read something like:

You have (8) messages from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

While it makes a feeble attempt to appear to be Microsoft Outlook Support, that ain’t the case at all. The examples I’ve seen are actually from: Frillsdu64@recordonline.com.

EDUCATE YOUR PROVIDERS…

If you are a member of any legitimate service that is in the habit of putting “Click Me” links in their e-mail communications to you, PLEASE contact them and point out how dangerous this practice is. This is how the cyber crims grab your login credentials for their own nefarious purposes.

Related articles:

• Spam masquerading as Twitter e-mails lead to phishing, malware
• Twitter forcing some users to change password. Reported threat of phishing attacks

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

As regular readers will be aware my blog topics tend to be somewhat diverse, but I strive to stick to subjects that will be of interest to at least a good percentage of my readers. So I’m excusing this departure from the technical on the basis that quite a few of my subscribers are in business for themselves.

Not long after my earlier article on customer service, in which I pointed the finger somewhat accusingly at one particular company, I received an e-mail from a senior representative of that organization, requesting a telephone conversation.

Matt Meanchoff is Director of Global Support at Absolute Software Corporation, the company behind the “LoJack for Laptops” service that I castigated somewhat severely in this article for their lack of response to e-mail contacts.

I want to emphasize at the outset that Mr Meanchoff didn’t call to criticize my article or to offer excuses for the experience I had with his company. He wanted to explain what had happened and why, and he soon convinced me he was genuinely concerned to fix any problems that adversely impacted customer service.

This in my view is a commendable response and demonstrates a willingness to address problems of which they were unaware. After all, if we have problems with a company, what more can we wish for than that they listen and act?

Is your business making these mistakes?

Publishing an insight into our conversation could provide a timely lesson for other online businesses who are making similar customer service mistakes, possibly quite innocently and unknowingly.

Mr Meanchoff explained that the e-mail address I had used to contact his company was distributed into the company’s sales channel. He is adamant that his own area of responsibility, actual technical support of existing customers, has earned high praise from their customers. Mr Meanchoff came across as pleasant, credible, highly motivated and a believer in his company’s products and services, so I have no reason to doubt his claim in that regard.

He was quick to acknowledge that there was no excuse for the communications failures I had experienced, regardless of what internal department was responsible. He was obviously well aware that if prospects don’t become customers due to communications failures in the sales channel, then his support team never gets a chance to demonstrate their effectiveness.

Customer-friendly tips for every business

Speaking to Meanchoff I became convinced that Absolute Software wanted to address those shortcomings as soon as possible, and I made three suggestions which I believe should be implemented by any company doing business online:

• Turn off the sending of the “read receipts” in the e-mail client programs of all employees. This prevents your customers from receiving the obnoxious “deleted without being read” message. This is not disadvantageous to the customer so long as you also implement the next recommendation.

The actual location for this setting may vary according to your version of Microsoft Outlook, but a likely location is:
Tools –> Options –> Preferences –> Email Options –> Tracking Options
Then select either: “Never send a response” or “Ask me before sending a response”

• Set up an auto-responder to immediately notify a correspondent that their message has been received and that they will receive a reply within a certain time frame. Marketing experience dictates that a specific time-frame should be given. Simply stating “as soon as possible” is not really acceptable, and nor is a long time frame. If you can’t respond to customer inquiries within 24 hours then I suggest you need to take a long hard look at your support infrastructure. If you can do better than that then say so, but don’t promise a response within one hour if there is little likelihood you could always meet that commitment. And don’t just stop with an acknowledgment, go the extra yard. When someone fills out your online form to contact you they aren’t left with a copy of their own message to refer to at a later date. So have your auto-responder include a copy of their original message. Little things like that make a big difference. Oh, and be consistent. Australia’s largest ISP promises a one-day response on their contact web form, and the autoresponse e-mail says you’ll hear from them within two days!

• Finally, provide an escalation contact. Whenever I suggest this one to my clients the response is usually that they don’t want to publicly display an executive’s e-mail address because it will be abused. Well, yes, it probably will, but you don’t have to display it publicly. This information can be provided in the auto-responder message: “If you don’t hear from us within 12 hours or if you are not satisfied with our response please notify our customer service manager directly at escalation@company.com”.

So after speaking with Matt Meanchoff I’m satisfied that my unfortunate experience isn’t indicative of an uncaring corporate attitude, but due solely to weaknesses in the communications chain — weaknesses that they acknowledge and want to address now that they’re aware of them. Again, that’s a positive and commendable response.

Handling bad publicity

So what about those disparaging quotes from Amazon.com that I repeated in my earlier article?

I have no way of knowing whether or not those complaints were justified, but I’m obligated to repeat an example that Matt Meanchoff provided.

The “LoJack for Laptops” service relies on a stolen laptop being used again. Until the BIOS code is executed at system start-up no communications related to identification/recovery can take place. So if a laptop is stolen (say for malicious reasons rather than for use or profit) and dumped in a river, there is no possibility of recovery. Fortunately for the great majority of laptop owners most theft is for reuse or sale, ensuring that the machine will be switched on again and thus given the opportunity to communicate.

No matter the nature of your business or how great your product or how careful you are, you are always going to have an unhappy customer here and there. I’m sure you’ve heard the old saying that goes something like: “A satisfied customer tells one or two people; a dissatisfied customer tells everyone”. In other words, anger and frustration incite people to speak up, while the satisfied just go quietly about their business.

So if you have a genuinely good product and a lot of satisfied customers, you must take positive steps to counter the few noisy ones. People responsible for marketing and customer service need to be constantly on the lookout for comments about their product, whether good or bad. The good can often be used to your advantage, and the bad must be countered.

You cannot afford to ignore bad publicity and hope that it will just eventually fade away, because once published on the Internet it can always be found — days, months and even many years later. It will turn up in the search results of the very people you want to attract: targeted prospects who are searching specifically for what you offer.

Many professional Internet marketers retain inexpensive offshore contractors to continually search the Web for any mention of their product, their competition’s products, their marketing niche, and so on — anything they can use to give them a competitive edge or, if necessary, protect themselves from bad publicity. Mainstream businesses could learn a lot from the tactics employed by Internet marketers.

Absolute Software should have discovered those Amazon comments themselves when they were first posted. They would then have had the opportunity to contact the complainant’s directly and try to sort out their problems. At the very least they could request some of their many satisfied customers to post positive responses as a counter. This is well worth doing even if you have to offer your satisfied customers an incentive to do so. But if your customers aren’t prepared to speak up for you then they probably aren’t as “happy” as you’d like to believe!

Because the last thing a company wants is to have someone like me, having already had some bad experience, finding a site where 100% of the comments are disparaging. That just reinforces my original impression.

In contacting me, explaining the situation, acknowledging the shortcomings, Absolute Software has convinced me to take the next step and report on their recovery service and technology, something that, hopefully with their assistance, I’ll be doing in a future article.

So long as customer concerns — your concerns — are being addressed, I’m happy to investigate the practicalities of any product or service impartially.

Afterthought…

One last thing I just thought of.

While Absolute Software boasts a professional looking website with lots of resources available, one thing I wasn’t terribly impressed with was the fact that all the testimonials were apparently from law enforcement officers. Sure, it’s good to have people like that on side and saying so, but prospective users of the service will be looking for the experiences of actual existing customers. Law-enforcement is obviously going to have a different interaction with the company than will customers of the service.

I’m happy to report that what I missed the first time around was the Case Studies link.

What’s the difference between a case study and a testimonial? I suppose you could say that a testimonial is a customer experience told in the first person, whereas a case study is more likely to be a story told in the third person.

But regardless of the semantics, there are plenty of customer experience stories to be found — 41 of them in fact at the time of this writing. You can check out their case studies here.

Related articles:

• Is Customer Service Really the New Marketing?
• Ted Mininni: For Sale: Business Culture

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Something that really irks me is the way many communities enact legislation that effectively pays more attention to the rights of offenders than to those of their victims.

While I accept that a case could be made for protecting the identity of very young minors, for the most part I do not believe that justice is best served by concealing the identity of perpetrators based simply on age. And that goes double when junior criminals are punished with nothing more than a metaphorical slap on the wrist, all too often to smirk and reoffend.

But, you know, there is a corporate variation on the theme of letting offenders go free, unchallenged and unexposed, leaving them to prey on even more unsuspecting victims.

It’s not legally criminal, but maybe it should be.

The Customer Service Criminals

I’m talking about the inexcusably bad attitude that so many businesses have towards customer service. And if you try to follow up and press for a response to your concerns as a prospect or customer, quite often you will encounter an arrogance that permeates the organization from top to bottom.

Oh sure, they will get their just deserts eventually. Any business that continually neglects customer service and treats customers as an annoyance is, ultimately, doomed to fail. Unfortunately, because so many disgruntled customers and prospects will simply give up, walk away, and/or go elsewhere, the word doesn’t get out fast enough and these businesses survive a lot longer than they should, giving them time to upset even more “suckers”.

But because treating customers with contempt is not a crime, the only recourse we have is to enact our own retribution, and that is best done by speaking up and exposing the culprits — very specifically.

Unfortunately that’s something that is rarely done because of fear — fear that the offending business will sue complainants for saying nasty things about them. But so long as your complaints are legitimate and you can prove it, that shouldn’t be a concern.

I’ve always believed in naming names, both in giving credit where it’s due and in outing the villains, and I’ve got one of the latter for you today.

Naming names

You see,  ultimately for the benefit of my readers and members, I’ve been doing some research on the protection of laptops, and in particular in relation to theft prevention and recovery.

Some of my research involves sifting through companies that offer some practical and proven solution to the problem of laptop theft.

One product that came to my attention fairly early in my research had the catchy name of “LoJack For Laptops”. The first thing you need to know is that this is not the same company that offers LoJack car theft protection. “LoJack for Laptops” comes from a company called Absolute, who have licensed the Lojack name from the car theft recovery company. That was a smart marketing move because LoJack is a cool name and well-known, particularly in the USA.

Unfortunately for the reputation of the originators (the car theft people), they have put some prominent links on their site which will take you to “LoJack for Laptops” on the Absolute website. You’ll see in a moment why I say that’s “unfortunate” for them.

As I started to look around for pros, cons and opinions on “LoJack for Laptops” I found the usual swath of reviews that were obviously based on little more than the company’s own promotional material, but there were a few apparently more independent and worthy of closer study.

However, I’m not concerned here with the contents of reviews. Instead I’ll tell you my own personal experience and then refer you to some opinions by actual customers of “LoJack for Laptops”.

LoJack letdown

So anyway, I shot off an e-mail to an address published on the Absolute website. Some time later I received two delivery notifications. Apparently messages to that particular address are automatically redirected to 2 different employees. Good idea, you’d think. But here are the two delivery notifications I received back:

#1. From  : Geeta S.
Message    : Your message was read on Friday, January 08, 2010 2:06:27 AM (GMT-08:00) Pacific Time (US & Canada).

#2. From  : Nicole C.
Message    : Your message was deleted without being read on Friday, January 08, 2010 9:28:03 AM (GMT-08:00) Pacific Time (US & Canada).

Well, after a reasonable time I still hadn’t received a response from Geeta S, and “deleted without being read” is always a bit of a concern, so I tried again. This time essentially the same results, but a different recipient enters the picture:

#3. From  : Israel G.
Message    : Your message was read on Monday, January 11, 2010 8:59:04 AM (GMT-08:00) Pacific Time (US & Canada).

#4. From  : Nicole C.
Message    : Your message was deleted without being read on Monday, January 11, 2010 11:09:29 AM (GMT-08:00) Pacific Time (US & Canada).

It would seem that Nicole is a complete waste of space as far as a backup recipient of e-mails from the general public. Not that Geeta and Israel are any better if they’re going to read and not reply.

Who’s to blame?

Whenever I encounter situations like this my first thought is to wonder if the employer knows that he’s being let down by his own employees who are directly in the public eye. If I can find the e-mail address of a senior executive without spending too much time on it, I’ll pass on my concerns. Often I’ll get a response thanking me for bringing the problem to their attention, and that’s the end of it. If I don’t get a response from the executive then I know that the rot starts at the top.

And if I can’t find a reliable way to contact a senior executive, and I think it’s in the public interest, an article like this follows. And what follows the article is an e-mail containing a link to the article to every e-mail address I can find on the offenders website. One way or another the word is going to get back to someone who should care and who should take action.

OK, but what do actual customers think?

In case you think this is me just having a whinge about having my e-mails ignored, check out these statements from actual customers, which I found on the Amazon website.  There are comments from three different people, but one is primarily a technical support issue which is not directly relevant to this topic. You can read the originals by clicking here, but I’ll reproduce the other two statements in case they disappear from Amazon.

Do NOT ever purchse, waste of good $$$
July 30, 2009 By Amy J. Guest (Cincinnati, OH)

I am an IT consultant and in my life time have never come across and more disreputable company. I spent the money for 3 year protection, premium level. My laptop was stolen from an hotel in Florida, Feb. 09. Police report submitted with 2 hours of theft and reported to LoJack. I had to contact them 9x over the next 2 weeks with different paperwork, police reports, etc. One thing after another. After no luck finding the laptop after 30 days, they did not refund the $$, they extended it another 120 days. After the additional 3 months, they did not refund the $$. They wanted to extend it another 120 days. I contacted customer support and no refund will ever be coming. LoJac customer service rep: “The laptop is still trying to be located.” and the ever famous, “we reserve the right to keep looking for the laptop.” They never refund the money you spent even if the laptop is never recovered. After 6 months I realize the theives took my laptop, but I willing paid LoJact to take my $110. for absolutely nothing. Do NOT recommend. DO NOT BUY, EVER.

Largely a gimmick
April 6, 2009 By S. Black (Dallas, Texas United States)

I recently had a laptop stolen December of 2008. I was ready for my peace of mind experience that supposedly came with the purchase of this software. The good news is they can track when the laptop is used unless the thief is smart enough to disable it. It will ping the lojack server when the laptop comes online. However, you need to keep in mind that LoJack is only going to request your local detective do something about it. You have to ask yourself, “If the police know the phone# that is calling in are they going to act on it?” Their thinking is, “Even if we do we cannot make a case on who exactly is using it so why put any effort forth.” As a result, I had to really push to keep LoJack communicating with the detective and push the detective to look into it. There was very little will to follow through on either party. In addition, you have to fight to get your money-back gaurantee dollars. To this date I have received no money and no piece of mind.

Those statements are reproduced verbatim and unedited. I have not even corrected for spelling.

The point I want to make is that you don’t have to silently accept neglect. You do have a voice, and there are plenty of places you can make it heard, notably in forums and as comments to blog articles like this. Just be sure of your facts, because once it’s out there there’s no retraction on the Internet. It’s out there for good, and that’s a good thing.

Before you buy a product or commit to a service do your research, and pay particular attention to customer service. Send the vendor an e-mail before you buy to gauge the speed and value of their response.

Why on earth would you want to deal with a company that will likely return the response “Your message was deleted without being read” when you need help or information?

LoJack for Laptops? Not for me thanks. If a company can’t be bothered responding to a casual inquiry, it’s reasonable to assume that they won’t be there if ever I really need them — an assumption that seems to be supported by the customer statements reproduced above.

For laptop owners there are plenty of good alternatives, and I’ll be bringing some of them to your attention in future articles.

A final bit of advice for owners of businesses that trade online…

If you are genuinely concerned about providing quality customer service, provide also some way that dissatisfied customers can escalate their concerns to a responsible executive. Without such a backup your own staff could be killing your business and you’ll never know about it until it’s too late — or until somebody publishers an article like this.

What do YOU think?

Should we all try to be more proactive in condemning bad service online, and publicly expose the culprits? Is it OK to speak up and name names?

Related articles

• Customer Service Is More Than a Contact Form
• Be Careful with Automatic Confirmation Emails
• Don’t let inside sales break the law
• Nexus One’s Lousy Customer Support Shows Google’s Weakness [Google]

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

I had an e-mail from a friend today, concerned about the recent increase in spam finding its way into his business. He knew about ISP spam filters and wondered if his host’s filter had been “wound back” in any way.

The short answer is simply “no”, but for those experiencing a similar increase in annoyance a little elaboration may be a welcome.

This is a cyclical problem that you will see repeated many times in your online life. Very loosely and oversimplified, what happens is this:

Programmers come up with a reasonably effective spam filter with a low false positive rate. A false positive is a legitimate e-mail that the filter wrongly classified as spam. Obviously false positives are not acceptable, as they will often mean the loss of important communications that the addressee wants to receive, or at least would not object to if he ever did receive it.

Conversely, a false negative is spam that is incorrectly identified as “good” and thus slips past the filter, eventually making its way to the addressee’s inbox. This is the stuff that annoys everyone.

The key to understanding the fluctuations of this process is to appreciate that filters aren’t people. Filters are simply software that follows preprogrammed instructions. They cannot reason.

The biggest problem with ISP filters is that their results represent the programmer’s idea of what should be classified spam and what shouldn’t. The classification of a particular message as spam is often a personal assessment, and the ISPs filter doesn’t represent YOUR opinion. Consider the following three e-mails:

E-mail #1: An unsolicited advertisement for Viagra.
e-mail #2: An unsolicited Viagra joke from your best friend.
e-mail #3: A medical newsletter on contraindicators for Viagra.

Messages #2 and #3 are clearly not spam, while message #1 just as clearly is. I’m sure you can see the problem for a conventional spam filter. Easy for a person; very, very difficult for a piece of software.

With such filters, a fair bit of compromise is necessary. Making the filter too stringent results in an unacceptable increase in false positives. Make it too generous and there is a marked increase in the volume of spam getting through.

Now, getting back to my friend’s inquiry…

A professional spammer’s success depends on him being able to get as many messages as possible past as many filters as possible. We’re talking about potential revenue from literally tens of millions of “suckers”. Not exactly small change. So the big guys in this business have programmers and analysts working constantly to figure out ways to beat the filters and get their messages through to the end user.

Thus there’s a constant see-sawing battle as each side tries to outdo the other, and each has their period of being on top.

You can probably understand now why I’m not a big fan of ISP-based spam filters.

With some ISPs and some filters you can have a little bit of control over how the filter works, but not nearly enough for my liking. I’m in business and I can’t afford to lose correspondence through false positives. I want my filters to work my way and identify messages as “good” the way I would.

Yet at the same time I can’t spare the time to wade through an ocean of spam every day.

It may sound like a big ask, but it’s not an impossible wish-list.

The new member’s website (currently under development) has a complete module devoted to understanding and dealing with spam. And yes, I agree with you: who wants to read about spam? But a little time spent addressing the problem properly can save you an enormous amount of wasted time (money!) and frustration.

There are very viable, quite practical solutions – hardware & software – for both individuals and businesses of all sizes.

For now I’ll just leave you with the personal solution (software) I’ve used and recommended to Microsoft Outlook* users for years. It’s called SpamBayes and its quite free.

* Please be aware that Microsoft Outlook and
Outlook Express are NOT the same thing.

Unfortunately SpamBayes’ installation and configuration aren’t quite as friendly as some people might need, but until the new member’s website is open and you get access to the Spam Module, the recommendation is about the best I can do for you. The member’s Spam Module describes everything you need to know about SpamBayes in step-by-step detail, complete with illustrations and screen-shots, and including instructions for e-mail clients other than Microsoft Outlook.

Many businesses that have discovered the value and effectiveness of SpamBayes install it on all workstations as a final line of defence, even though they may have some sort of enterprise filter mechanism in front of the individual workstations.

SpamBayes: http://spambayes.sourceforge.net/windows.html

So to summarize, if you’re not prepared to take personal control of spam filtering, expect to see marked fluctuations in the volume of spam arriving at your computer’s inbox. Asking your ISP to “tighten up” things at his end will certainly reduce the spam volume, but expect to lose a lot of legitimate correspondence that you would prefer to receive.

If you would like to be informed about new developments regarding the upcoming Member’s Website just complete the form below. When it’s open to subscribers you’ll be amongst the first to know.

If you found this article useful please share it on your favorite social media network
(see buttons below)

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.