Image from Pixabay
During the autumn break, we wanted to get away for a bit with the whole family. Picky as we are, we embarked on an extensive search for a suitable house in a nice location. Eventually, we found what we were looking for on a booking site. Since we had booked there before, we thought we were all set. Things turned out differently.
The day after booking, I received eight messages within an hour and a half from
a company I had never heard of; let’s call it Don’tBookHere. The emails were
about my booking, with subjects like ‘payment failed’, ‘request for payment of
deposit’ and ‘activate your customer account’. And they also wanted a copy of
my passport. Although these messages all came through the booking site’s
messaging system, I was highly suspicious. As mentioned, we’re regular
customers there and have never been contacted by a third party before. The
payment was already settled, and the deposit is normally paid on-site.
Moreover, the deposit was a whopping seven hundred euros – exorbitantly high.
And there was more. The messages mentioned three different internet domains:
dontbookhere.eu, dontbookhere.be, and dontbookhere.es (Europe, Belgium, and
Spain). In addition to the name Don’tBookHere, the name Don’tInvestHere also
appeared. My suspicion escalated further.
Of course, I called the booking site. Long story short: the messages were
legitimate. The only incorrect part was the message saying I still had to pay
the rental amount. But I was reassured: I didn’t need to worry about that and
didn’t need to fear cancellation (which Don’tBookHere had threatened). They had
contacted the local landlord – which turned out to be Don’tBookHere – and
sorted it out.
Great, you might think, nothing to worry about. But I still had to do almost
everything mentioned in those messages. So, I had to create a customer account
with Don’tBookHere and check in each family member separately, including all
passports. Naturally, I didn’t just send the passports; first, I blacked out
various details, including the photos. Then I got feedback: we need the photo,
otherwise you can’t receive the key. Since that sounded plausible, I sent them
a new scan of my own passport with the photo visible. Incidentally, the man who
handed me the key had a copy of my passport with the photo blacked out. And he
enthusiastically asked if I was Patrick. It would have been very easy for a villain
to snatch the key right in front of me.
As long as legitimate companies keep doing things that criminals also do, it
remains difficult to make people aware of risks. You can’t simply say: if you
see this or that, it’s always a scam. No, you have to allow for false
positives: incorrect signals that something is wrong. So you have to explain:
look, if you see something like this, it could be a scam, but it doesn’t have
to be; ultimately, you have to decide whether you trust it or not. That sounds
much less convincing and often causes uncertainty rather than truly helping.
We see the same with phishing. We say: watch out, if an email doesn’t have a
personal greeting but starts with something like ‘Dear customer’ or ‘Hello!’
(or no greeting at all), then be careful. Because criminals sending phishing
emails usually only have your email address and don’t know your name. But just
now, I received a perfectly legitimate email in my private inbox that greeted
me with ‘Dear customer.’ Are these companies just too lazy to use my name? Or
does it involve high costs? I looked into it for you.
As for those costs: it depends. With a modern email system, the costs are
negligible. However, if you have an old, proprietary system where
personalization wasn’t built in, you need to modify the software, and that
costs money. Furthermore, many companies don’t have correct data. If they send
you an email with ‘Dear {customer name},’ or greet me as ‘Dear Mrs. Borsoi,’
that undermines customer trust. Cleaning up that data is laborious and
therefore expensive. There are also companies that deliberately choose a
generic greeting to reduce the impact if the email is intercepted (less data
leakage). In that case, the generic greeting is actually a privacy measure.
And yes, there are also companies that simply can’t be bothered to greet you
properly. My message to them: make an effort and help in the fight against
phishing!
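To make the false-positive point concrete, here is an added example (my own code, not part of the original post): it scores a message against the weak indicators mentioned above and, run on a constructed message modelled on the legitimate landlord messages from the story, flags every one of them. The trusted-domain set and the sample texts are assumptions.

```python
import re

# Weak indicators drawn from the story above: each is a reason to look
# closer, never proof of a scam on its own.
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "hello!")
PAYMENT_WORDS = ("payment failed", "deposit", "pay now")
ID_WORDS = ("passport", "id card", "identity document")
THREAT_WORDS = ("cancel", "within 24 hours")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.[a-z]{2,})\b", re.I)

# Assumption: domains the recipient already knows and trusts (placeholder).
KNOWN_DOMAINS = {"bookingsite.example"}


def assess(subject: str, body: str, known=KNOWN_DOMAINS) -> list:
    """Return the list of weak phishing indicators found in one message."""
    text = f"{subject}\n{body}".lower()
    lines = [ln.strip() for ln in body.lower().splitlines() if ln.strip()]
    first = lines[0] if lines else ""
    signals = []
    if not first or first.startswith(GENERIC_GREETINGS):
        signals.append("generic or missing greeting")
    unknown = {d.lower() for d in DOMAIN_RE.findall(text)} - known
    if len(unknown) >= 2:
        signals.append(f"{len(unknown)} unfamiliar domains")
    for words, label in ((PAYMENT_WORDS, "payment request"),
                         (ID_WORDS, "request for identity document"),
                         (THREAT_WORDS, "threat of cancellation")):
        if any(w in text for w in words):
            signals.append(label)
    return signals


# Constructed samples: the first mirrors the legitimate landlord messages
# from the story, the second is a personalised note with no red flags.
LEGIT_BUT_SUSPICIOUS = (
    "Request for payment of deposit",
    "Dear customer,\nYour payment failed. Pay the 700 euro deposit via "
    "dontbookhere.eu or dontbookhere.be and upload your passport at "
    "dontbookhere.es, otherwise your booking will be cancelled.",
)
PERSONAL = ("Your stay next week",
            "Dear Patrick,\nThe key handover is at 15:00. See you soon!")

if __name__ == "__main__":
    for subject, body in (LEGIT_BUT_SUSPICIOUS, PERSONAL):
        found = assess(subject, body)
        print(f"{subject!r}: {len(found)} signal(s) {found}")
```

A full house of signals on a genuine message is exactly why the count justifies a phone call to the booking site, as in the story, rather than an automatic "scam" verdict.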
And in the big bad world…
- booking sites are indeed being misused to scam people.
- your lost iPhone can still cause trouble.
- an open letter to the European Commission raises major privacy concerns about the Digital Omnibus.
- cybercrime took a heavy blow from Operation Endgame, coordinated by Europol.
- this company responded refreshingly to a ransomware attack.
- every now and then, a security update backfires.
- we want digital sovereignty, yet an American company acquires a Dutch cloud provider.
- ad blockers are important for your privacy.
- this spyware specifically targets Samsung Galaxy phones.
- DJs at a Dutch broadcaster had to play music by hand after a cyberattack.
- governments use their spyware not only against top criminals and terrorists.
- no wonder they managed to break into the Louvre. [DUTCH]