Sainsbury’s Bank insurance spam scam causes confusion

Numerous UK surfers were left confused on Monday after receiving email confirmations for insurance products with Sainsbury’s Bank that they never bought. People are receiving emails claiming they have started new policies for travel, home and car insurance from the UK supermarket giant’s banking business. El Reg learnt of the …

  1. Nick Kew Silver badge

    What's new?

    All sounds perfectly normal to me. I get lots of such acknowledgements, and usually the most immediate indication that it's bogus is never having done business with the organisation in question.

    Big-name online retailers like ebay and amazon seem to be regular favourites. Along with banks, airlines, etc.

  2. Anonymous Coward

    If these were 'thank you for buying a policy' emails they're not coming from marketing. Sounds like they're using live/historic data in a test system, which might raise questions about whether the email recipients' data is being lawfully & accurately processed, being retained for longer than required, what data the staff doing the testing have access to and where they are located.

    AC so you can't see which other big organisation doesn't think using live data in testing is a problem.

    1. Chris King Silver badge

      It's also not uncommon for companies to outsource e-mail marketing to third parties, who may turn out to be spammers, or who outsource to spammers themselves.

      Kelloggs made that mistake, but when I pointed out that I hadn't signed up for "My Special K" e-mails, they cleaned up their lists and I haven't had a single spam from them since.

      Saga, on the other hand, did not. They actually admitted to using the services of a well-known spammer-for-hire, and that they had "listwashed" me with said spammer-for-hire - which has since resulted in even more spam for pensions, equity release and funeral plans. Not to mention even more spam from Saga!

      An organisation that can't treat me with respect right now is NOT going to benefit from me in old age or death, that's for sure.

      1. Lee D Silver badge

        Which is why you buy a cheap domain and give every company a unique email.

        Abuse it, and it goes into the blacklist forever and it doesn't matter who they gave it out to.

        1. Doctor Syntax Silver badge

          "Which is why you buy a cheap domain and give every company a unique email."

          I do this. I gave PayPal their own address. I was surprised to receive a confirmation email from a vendor who I'd paid via PayPal and who hadn't asked for an address. Clearly PayPal are passing on my address to vendors. They seem to lack any concept that this is a bad idea if only to avoid being impersonated.

          They should make it clear to vendors that they can have the billing address (to check for fraudulent purchases) but if the vendor wants an email address for the customer they must ask for it themselves.
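The per-company alias scheme Lee D and Doctor Syntax describe above, as an added example written for this thread (not code from The Register or any commenter): every company is issued its own address under a domain you own, the registry remembers who got which alias and which sender domains that party legitimately mails from, and each incoming message is classified as expected, leaked (the alias issued to one party is now being used by someone else, as in the PayPal case), unknown, revoked or not addressed to you at all. The domain `aliases.example`, the vendor names, the allowed sender domains and the sample headers are all constructed for the example.

```python
"""
Per-vendor alias issue and leak attribution.

Added example; not code from the article or its commenters. Everything
below (domain, vendors, sender domains, sample headers) is constructed.
"""
from email.utils import parseaddr
from typing import Dict, Set, Tuple

MY_DOMAIN = "aliases.example"  # assumed: a cheap domain you own


class AliasRegistry:
    """Tracks which alias was given to which company, and revoked ones."""

    def __init__(self) -> None:
        # local-part -> (vendor name, sender domains that vendor may use)
        self.issued: Dict[str, Tuple[str, Set[str]]] = {}
        self.revoked: Set[str] = set()

    def issue(self, local_part: str, vendor: str, sender_domains) -> str:
        """Hand out a fresh alias to one vendor; never reuse a local-part."""
        local_part = local_part.lower()
        if local_part in self.issued:
            raise ValueError(f"{local_part} already issued")
        self.issued[local_part] = (vendor, {d.lower() for d in sender_domains})
        return f"{local_part}@{MY_DOMAIN}"

    def revoke(self, local_part: str) -> None:
        """Blacklist an alias for good; it stays revoked whoever uses it."""
        self.revoked.add(local_part.lower())

    def classify(self, from_header: str, to_header: str) -> Tuple[str, str]:
        """Return (verdict, vendor) for one incoming message.

        Verdicts: not-mine, unknown-alias, revoked, expected, leaked.
        """
        _, sender = parseaddr(from_header)
        _, rcpt = parseaddr(to_header)
        local, _, domain = rcpt.rpartition("@")
        if domain.lower() != MY_DOMAIN:
            return "not-mine", ""
        local = local.lower()
        if local in self.revoked:
            return "revoked", self.issued.get(local, ("", set()))[0]
        if local not in self.issued:
            return "unknown-alias", ""
        vendor, allowed = self.issued[local]
        sender_domain = sender.rpartition("@")[2].lower()
        # Accept the vendor's domains and their subdomains (news.vendor.tld).
        if any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed):
            return "expected", vendor
        # The alias was given to exactly one party, so whoever is using it
        # now got it from that party or its suppliers: the leak is attributed.
        return "leaked", vendor


def demo() -> list:
    """Constructed sample traffic run through the classifier."""
    reg = AliasRegistry()
    pay = reg.issue("pay-2011", "Payment processor A", ["payments.example"])
    bank = reg.issue("grocer-2017", "Supermarket bank B", ["bank.grocer.example"])
    samples = [  # (From header, To header), all constructed
        ("receipts@payments.example", pay),
        ("Offers <deals@unrelated-shop.example>", f"Me <{pay}>"),
        ("noreply@bank.grocer.example", bank),
        ("x@y.example", "nobody@aliases.example"),
        ("x@y.example", "me@elsewhere.example"),
    ]
    return [reg.classify(f, t) for f, t in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Once an alias is classified as leaked, `revoke()` keeps it blocked permanently, which is the "goes into the blacklist forever" step; the vendor name returned alongside the verdict is what you would cite when complaining to the company that handed the address on.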

          1. Lee D Silver badge

            Or why doesn't Paypal follow eBay's lead (gosh, where would they have seen eBay's systems?) and even that of Amazon by providing contact by intermediary ebay/amazon user emails that forward to the user's real email?

            1. Anonymous Coward

              "[...] even that of Amazon by providing contact by intermediary ebay/amazon user emails that forward to the user's real email?"

              While there is the Amazon intermediary system - that does not explain why I get criminal spam using the address reserved for Amazon. There is usually a flurry of them soon after an Amazon marketplace purchase.

              1. frank ly Silver badge

                I remember signing up with Paypal, many years ago. Their explanation/blurb made the point that two items of information were needed to access the account: the signup email address and the password - so it's very secure. Imagine my surprise, and disgust, when eBay vendors (and spammers and phishers) started communicating with me via the unique Paypal login address that I'd created.

      2. VinceH Silver badge

        "It's also not uncommon for companies to outsource e-mail marketing to third parties, who may turn out to be spammers, or who outsource to spammers themselves."

        Indeed. I raised a complaint with Sage (and the ICO - with a typically useless outcome) several years ago when I received crap from them (through a third party) even though I had explicitly opted not to receive marketing stuff etc.

        Although I've not made any further comment on that blog (though IIRC I did comment on Twitter), a couple of years later a couple of spam emails and a virus have hit the unique-to-Sage address in question.

      3. Anonymous Coward

        Just take note

        That SAGA trade under a whole raft of different names. You might be aware of some but others???

        So far I've been spared the SAGA email and snailmail barrage even though I'm in my mid 60's.

      4. Doctor Syntax Silver badge

        "It's also not uncommon for companies to outsource e-mail marketing to third parties, who may turn out to be spammers"

        It's also not uncommon for companies to outsource e-mail marketing to third parties, who are spammers

        FTFY

        Unsolicited, bulk, commercial email. The definition of spam.

  3. Just Enough

    Obvious rule

    Never, ever, have real email addresses in your test systems. How often have I seen people ignore this, and end up having to offer embarrassed apologies to confused end-users?

    Best thing is to have obvious bad domains that will get bounced at the very first relay.

    Come to that, you shouldn't have any real data that connects to a real person in your test system

    1. Anonymous Coward

      Re: Obvious rule

      Also...

      On your test system, have your SMTP server set up to route ALL email to a single mailbox - your own. That way you know for sure what emails it will send out when it goes live.

    2. Lee D Silver badge

      Re: Obvious rule

      Not having real emails in the test system is probably the perfect way to hit on a problem when Mr Douchat-Cholmondley-Entráge III turns up on your email system and breaks it.

      Real data isn't the issue. Letting test systems actually send emails (rather than have them captured into, say, a bunch of PDFs or similar) is the problem. At least put in a canary to stop email sending if a test email is included in the list, or similar.

      But without using real data, it's damn difficult to be sure that it's going to the right people, of the right kind of customer history, etc. I suppose you could anonymise the real data somewhat with a primitive ROT-13 kind of transformation to names / email but, still, you don't want to be sending out emails like that to real customers or even unfortunate anagrams of real customers. Block the emails on the test system until you are holding a list of what would have been sent to whom, ideally in the form of a merged email or PDF that shows To: CC: BCC: etc. fields and the full content of the email.
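The controls proposed in this sub-thread (the Anonymous Coward's "route ALL test email to a single mailbox" and Lee D's canary plus a record of To/CC/BCC and content) combined in one outbound guard, as an added example written for this thread and not code from The Register, any commenter or Sainsbury's Bank. The canary scans the whole batch before anything is touched and aborts the run if any recipient lies outside an allow-list of test domains; every surviving message is then rewritten so a real relay could only deliver it to the sink mailbox, and a record of what would have gone out is kept. The domains `test.example` and `qa.example.invalid`, the sink address and the sample messages are constructed.

```python
"""
Outbound mail guard for a test or staging environment.

Added example; not code from the article or its commenters. Test domains,
sink mailbox and sample messages are constructed for the example.
"""
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List

# Assumed test-environment configuration (not values from the article).
TEST_DOMAINS = {"test.example", "qa.example.invalid"}
SINK_MAILBOX = "mail-sink@test.example"


class CanaryTripped(Exception):
    """Raised when a batch contains a recipient outside TEST_DOMAINS."""


@dataclass
class CapturedMail:
    """What the test system would have sent, and where it actually went."""
    subject: str
    original_to: List[str]
    original_cc: List[str]
    original_bcc: List[str]
    body: str
    delivered_to: str


def recipients(msg: EmailMessage, header: str) -> List[str]:
    """Bare addresses from one header, handling 'Name <addr>' forms and
    repeated header lines."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def non_test_recipients(addresses: List[str]) -> List[str]:
    """Addresses whose domain is not an allow-listed test domain."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in TEST_DOMAINS]


def redirect_to_sink(msg: EmailMessage) -> CapturedMail:
    """Record recipients and body, then rewrite the message so a real relay
    could only ever deliver it to SINK_MAILBOX."""
    record = CapturedMail(
        subject=msg["Subject"] or "",
        original_to=recipients(msg, "To"),
        original_cc=recipients(msg, "Cc"),
        original_bcc=recipients(msg, "Bcc"),
        body=msg.get_content(),
        delivered_to=SINK_MAILBOX,
    )
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # removes every occurrence; no error if absent
    msg["To"] = SINK_MAILBOX
    return record


def run_test_batch(messages: List[EmailMessage]) -> List[CapturedMail]:
    """Canary first, redirection second: the whole batch is scanned before
    any message is touched, so one stray real address stops the run."""
    stray = []
    for msg in messages:
        for header in ("To", "Cc", "Bcc"):
            stray += non_test_recipients(recipients(msg, header))
    if stray:
        raise CanaryTripped(f"batch aborted, non-test recipients: {sorted(set(stray))}")
    return [redirect_to_sink(m) for m in messages]


def build_message(to, subject, body, cc=(), bcc=()) -> EmailMessage:
    """Constructed sample message standing in for what the app would send."""
    msg = EmailMessage()
    msg["From"] = "noreply@test.example"
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    good = [build_message(["Alice <alice@test.example>"], "Your new policy",
                          "Thank you for your travel policy.",
                          bcc=["audit@qa.example.invalid"])]
    for rec in run_test_batch(good):
        print(rec)
    try:
        run_test_batch([build_message(["alice@test.example", "real.person@example.com"],
                                      "Your new policy", "Thank you for your policy.")])
    except CanaryTripped as exc:
        print("blocked:", exc)
```

The records are what you review before go-live: they show every To/CC/BCC an address would have received and the full body, while the only mailbox that can ever be hit from the test environment is the sink.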

      1. Anonymous Coward

        Re: Obvious rule

        At some point you have to test the actual email sending process. Then you have to send real emails to real people. This is unfamiliar territory for most programmers, it's always a rush job, there's no undo. Once you've done it a few times you'll never do it again, and the cycle of inexperience repeats.

        So shit happens. 9 times out of 10.

      2. Anonymous Coward

        Re: Obvious rule

        "Mr Douchat-Cholmondley-Entráge III "

        In the early days of web sites one page would not accept my company email address - which was formed from verbose X400-style fields. The supplier said their web site developers hadn't expected an email address to be that long.

      3. Vic

        Re: Obvious rule

        Real data isn't the issue

        It is in this country. It is the processing of data contrary to the Second Principle of the Data Protection Act. That's an offence.

        Vic.
