In the last few weeks some airlines have begun to implement the Transportation Safety Administration’s Secure Flight Program. This program asks airlines (and will eventually require them) to collect additional information from passengers, intended to reduce false hits against the No Fly List. In the world of email filtering, this is known as “eliminating false positives.”
The details collected are supposed to match the information that appears on the identification the passenger will present to airport security, and the airline must collect them before the boarding pass can be issued. Naturally, then, it makes sense to streamline the process for frequent flyers by asking them to store that information in their frequent flyer account.
Unfortunately, the way some airlines are going about this is creating false positives of its own. The personal information on an ID is exactly the sort of thing that a phishing scammer would try to trick victims into divulging, and the email sent by one airline via its ESP (email service provider) set off red flags for email administrators on the SpamAssassin users’ discussion list.
The following are excerpts from the discussion. The names of the airline and the ESP have been obscured because the purpose of this post is not to blame or embarrass anyone (this is not the only such incident), but to emphasize how important it is to think about all the messages, both explicit and implicit, that you are sending to your subscribers every time you email.
The SpamAssassin list discussion begins with this:
Not to be outdone by hackers and thieves phishing for PPI, [airline] is sending out their own DKIM signed, SPF PASSED, from their own servers, their very own phishing email.
I called [airline]. They say the hold time is between 45 mins and 1 hour and 6 mins. (I wonder why.) I called [ESP]. The phone doesn’t even ring …
A responder continues:
I have no idea what the story is here but from what you say here, it’s not clear whether [ESP] is a legitimate marketing company that was hired by [airline].
Assuming [ESP] *is* legit, they could do a better job of reputation management.
Another responder:
I reckon it’s a scam.
[ESP] appears to be … “a … provider of on-demand marketing solutions …” – IOW they’re at best a UCE source.
The original poster finally concludes:
SURPRISE... it’s legit, folks.
[Airline] phone lines and web site have been swamped by people all day calling to see if this was legit!
(However, it’s STILL AN INSECURE HTTP-BASED FORM ON A PARTNER SITE, A PARTNER WHO IS A PERMISSION-BASED EMAIL MARKETING COMPANY.)
Bad, stupid, really stupid… go put your dunce cap on and sit in the corner.
I believe that this attempt violated the TSA’s privacy policies as well (asking a third party to collect information over a non-SSL-encrypted, non-authenticated web site?).
Don’t be the marketer in the dunce cap. Think about what you’re saying, and how you’re saying it, and make sure you’re using the appropriate tools for what you want to accomplish.
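One concrete way to "think before you send" is to lint a campaign for the exact signals that tripped the SpamAssassin list: a plain-HTTP link, a landing domain that is not the sender's, and a request for ID details. The check below is an added example written for this post, not code from the airline or the ESP; the sender domain, partner domain and sample HTML are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a legitimate campaign that asks for ID details via an
# off-brand, plain-HTTP form on a marketing partner's site (hypothetical domains).
SENDER_DOMAIN = "example-airline.example"
SAMPLE_HTML = """
<p>Update your Secure Flight details for your frequent flyer account.</p>
<p>Enter your full name, date of birth and gender as shown on your ID:</p>
<a href="http://mail.marketing-partner.example/form/123">Update now</a>
<a href="https://www.example-airline.example/help">Help</a>
"""

# Phrases that indicate the message asks for the kind of data found on an ID.
ID_FIELD_TERMS = ("date of birth", "passport", "as shown on your id", "gender")


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.

    Good enough for this example; a real checker would use a public suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lint_campaign(sender_domain: str, html: str) -> list[str]:
    """Return the reasons a recipient (or their mail filter) would call this phishing."""
    findings = []
    links = re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)
    asks_for_id = any(term in html.lower() for term in ID_FIELD_TERMS)
    for link in links:
        u = urlparse(link)
        if u.scheme != "https":
            # The form the list complained about: data submitted in the clear.
            findings.append(f"plain-{u.scheme or 'relative'} link: {link}")
        if u.hostname and registrable_domain(u.hostname) != registrable_domain(sender_domain):
            # Landing page on a partner's domain, not the brand the mail claims to be from.
            findings.append(f"off-brand domain {u.hostname} (sender is {sender_domain}): {link}")
    if asks_for_id and any(f.startswith(("plain-", "off-brand")) for f in findings):
        findings.append("asks for ID details while linking to an insecure or third-party form")
    return findings


if __name__ == "__main__":
    for finding in lint_campaign(SENDER_DOMAIN, SAMPLE_HTML):
        print(finding)
```

A clean campaign (HTTPS links on the sender's own domain, or no request for ID data) returns an empty list; anything else is a reason to fix the mailing before it goes out, not after the phone lines are swamped.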


Think Before You Send: TSA + Airline + ESP = Phishing Scare