Friday, June 10, 2005

Chevrolet is Phishing?

Today I received e-mail from Chevrolet that began like this:

Recently some of our unsubscribe data
was deleted. Please help us update our
records to ensure that we have captured
your preferences correctly.

If you have previously unsubscribed from
Chevy email communications, please
unsubscribe again
http://www.imail.imrsvcs.com/UM/U.asp?...

I would never respond to such a message because it looks like phishing. There's no valid return address. The website they ask you to respond to is the mysterious imrsvcs.com rather than chevrolet.com. The entire premise of the message seems dubious and there's no way to verify the story.

It looks a spammer trying to verify my e-mail address so they can send me more junk mail. I wouldn't click the link and I'd make the same suggestion to everyone else. I've seen lots of e-mail from people claiming to be eBay asking me to log in to some non-ebay website before they cancel my account. Don't fall for it!

To Chevrolet and any other business that needs to send a message like this, I suggest you always direct recipients to a page at your main website and then redirect them if necessary. There's no other way to verify the authenticity of your e-mails. You should also get an e-mail signing certificate from a recognized authority (like Thawte) and digitally sign your message. I sign (almost) all of my e-mail. Why can't a company like General Motors do the same?

Out of curiosity, I went to whois.net and checked the ownership of imrsvcs.com. It turns out that it belongs to Electronic Data Systems Corporation who I happen to know is a major supplier of data services to GM, so this message is probably legitimate. Ironically, the whois record will take you to markmonitor.com that advertises EDS's Phishing Fraud Protection service of all things! That's pretty sad.

No comments:

Post a Comment