Who’s sending spam to your bread and butter?

Most reputable companies refuse to send unsolicited bulk e-mails, but their sub-contractors may be less scrupulous, says Dave Brunswick

Being in the business of e-mail security, I am very protective about my e-mail address. In fact, I actively use three different addresses. One is exclusively for business. The second is just for family, friends and online purchases. I am scrupulous about ticking the “do not send me marketing information” and “do not pass my e-mail address to third parties” boxes on any Web pages.

The third e-mail address I use is a Hotmail address. I use this whenever I have to give an e-mail address to anyone or any organisation I don’t fully trust. I get lots of spam in this account, but that’s fine because I never look at this account except when I am expecting something.

Towards the end of last year, I started receiving unsolicited e-mail in my home account. I think I know from which organisation it escaped, but can’t prove it. The upshot is that my home e-mail address is now being sold on an “opt-in” list around the US. The mails started off advertising various US products, but then I received a marketing e-mail from Lloyds TSB, advertising its new credit card. This annoyed me for a number of reasons:

  • I am an existing Lloyds TSB credit card customer, but I know that it doesn’t have my e-mail address from any legitimate source as I do not do business with it online.
  • The e-mail was sent from a US company, and links went through its website. There was no e-mail address or Web link directly to Lloyds TSB.
  • Once I accessed the site, it immediately started prompting for sensitive information such as bank account details.

As the bank was advertising a new credit card, it had registered a domain specifically for the purpose. Only because I know my way around was I able to check that createacard.co.uk was indeed a domain owned and registered by Lloyds TSB. Anyone, claiming to be Lloyds TSB, could have sent me the e-mail and set up a spoof site to capture my personal details.

I complained to a number of general addresses at Lloyds TSB, but got no response. I decided that the only way to get action was to go to the top, e-mailing the chief executive directly. This was surprisingly easy, and has proved to be a generally successful way to embarrass marketing departments that don’t do their homework properly.

At Lloyds TSB, someone from the chief executive’s office contacted me. Several days and e-mails later I was contacted by the privacy manager of ConsumerBaseUSA, also known as yesmail, also known as MosaicDataSolutions, which performed the marketing for Lloyds TSB. I was assured by Lloyds TSB that it was using a legitimate provider, and that I must have opted in to receive the mail.

ConsumerBaseUSA informed me from whom it had bought my information. I tracked this back to an individual called Pesach Latin, from a company called Adspyre. When I e-mailed Latin, he accused me of issuing death threats, and stalking and harassing his staff. He refused to tell me where he had got my address, and also said he didn’t know why he was talking to me, as he could just get his legal people to “blow smoke up my ass”. Of course, I copied these e-mails to Lloyds TSB and MosaicDataSolutions.

I think at this point Lloyds TSB realised it had made some major errors in its online marketing as I was contacted by the credit card and ATM director, who apologised profusely, promised never to use this agency again for marketing and also promised to review approval processes in future.

I recently had a similar experience with Marbles (HFC Bank). I took the same approach (e-mail the chief executive) and was contacted by the group marketing director. In this case, Marbles is providing commission to partners for leads. It claims to have a strict code of practice regarding how partners can generate leads, and this specifically excludes bulk e-mail.

Obviously, one partner had chosen to ignore this completely. HFC Bank has assured me that it has now terminated the relationship with the partner responsible.

The lessons for marketers in all this are:

  • Don’t take anyone else’s word about the authenticity of supposedly “opt-in” lists.
  • If you are going to send bulk e-mail (and personally I would rather you didn’t!) at least make sure that it is verifiably associated with your organisation, particularly if you are a financial organisation wanting to avoid potential fraud.
  • Think carefully about paying partners to generate leads. You don’t know what they are going to do to whom on your behalf.
  • Steer clear of any online marketing company registered in Florida (particularly Boca Raton – see spamhaus.org).

Finally, I am currently embroiled in a dispute with Egg, of which I am a customer. While I expect to have an e-mail relationship with Egg for certain things, such as informing me when my statement is ready, I made sure to tick the “do not send me marketing mail” box. Egg has, in my opinion, violated this by informing me about its “What’s in it for me?” marketing campaign.

Egg claims this is not marketing but a “service update”, which had been approved by its lawyers. I am now in contact with the Banking Code Standards Board, which has indicated it does violate the code. I have also contacted the Office of the Information Commissioner, which believes Egg may be in violation of section 11 of the Data Protection Act.

Dave Brunswick is technical director of online security specialist Tumbleweed Communications UK