Yesterday was a busy day for anti-fraud newsflow plus some good old-fashioned web fear-mongering. Don’t get me wrong – web fraud happens and needs to be combated but there is often something shrill and hysterical about the reporting of online fraud, especially in the UK. “Everyone PANIC!” would seem to summarise the editorial style of quite a few media channels. Before people lock up their PCs or throw them in the river, they should remember that they are significantly more likely to be a victim of crime and fraud when venturing into the real world than they are when venturing online.
There’s no doubt that education is key in battling web spam and other forms of online fraud and Get Safe Online in particular does a fantastic job of putting out clear, moderate and easy-to-understand information on how to take care of oneself online. Common-sense recommendations include running regular updates for your browser and operating system, having up-to-date antivirus, antispyware and firewall software and not responding to unsolicited emails or giving away key personal and account information online. Often, sites like Get Safe Online recommend third-party software vendors, such as AVG or McAfee.
Understandably, reputable online businesses recognise the challenge of building trust and at Arena we work very hard to address potential trust concerns of visitors, such as payment methods and checkout integrity, site security, quality / value / freshness of product, and data protection and privacy policies. After all, if we’re asking customers to hand over their money without ever having met us face to face, then they will need to be convinced that we are who we say we are and that we’ll deliver on our promises. We try as much as we can to be clear and transparent about what we do (posting to our blog regularly is part of that…I hope it’s clear that this post isn’t being written by a scammer in Eastern Europe!). The key is not to slip up as, as they say, “trust is hard to win and very easy to lose”. Once you have it, do your very best to hold on to it.
It’s therefore incredibly frustrating when a lot of hard work is potentially undone by a company that really should know better – MessageLabs (who were, incidentally, purchased for a whopping $700m by Symantec yesterday). To explain, last week we sent out one of our regular marketing emails to our subscriber base. So far so good. But soon after the send, we started receiving emails from concerned customers. They had received the following email from their mail client, MessageLabs:
Subject: WARNING. Someone tried to send you a potential virus or unauthorised code
Body of email included the following: The MessageLabs Email Security System discovered a possible virus or unauthorised code (such as a Trojan) in an email sent to you.
Possible MalWare ‘Exploit/Phishing-paypal-1054’ found in ‘7782603_2X_PM3_EMQ_MH__message.htm’. Heuristics score: 202
Now, I don’t know what you think, but if I received an email like that from my firewall supplier, I’d look very hard at any future communications from Arena and quite possibly unsubscribe immediately. After all, MessageLabs are a $700m company so they must be right, yeah? Surely, they wouldn’t send out an email that slams a genuine business’s legitimate, opt-in marketing activity so thunderously by mistake? Big boys like MessageLabs are bound to have complicated checks and balances in place to avoid accidentally torpedoing the legitimate marketing efforts of other organisations. A web security firm in particular would understand the importance of online reputation and the hard work that goes into building trust. And in any case, Arena has been sending regular marketing emails every other week for over two years, so no doubt MessageLabs would be able to use characteristics of our mail sends, such as previous send frequency, an unchanged IP address, subject lines, etc., to double-check the validity of the send.
Nope. It was a complete, 100% misdiagnosis by MessageLabs, as they subsequently confirmed. We learnt that the reason that our email got hammered is that we put the word “PayPal” into the subject line yet we are not PayPal. Blimey. Sophisticated stuff. We had PayPal in our subject line to let our customers know that they could win £10k cash if they paid for any order with PayPal during PayPal’s very generous 10th birthday promotion.

Obviously, customers of large online companies and banks, such as PayPal, can be targeted by spoof emails. However, our marketing email prior to this email also had PayPal in the subject line and email body and there was no backlash. Also, I find it hard to understand how the word PayPal appearing in our mail can lead someone to imply we’re sending “viruses or unauthorised code”. A virus would typically be an attachment of some kind, not a word in a subject line. I feel bad for PayPal too – we get way way more fraud from people who pay with credit cards than we do from people who pay with PayPal. Fraud on orders paid with PayPal is virtually nil. We much prefer people to pay with PayPal.
One of the first emails we received was in fact from a MessageLabs sales rep (who’d previously bought from Arena and who’d therefore received the MessageLabs warning email direct). His mail:
Please remove me from all your mailing list right away as you are sending viruses.
I can assist you with possible solutions however I was unable to reach your IT department.
MessageLabs Anti-virus solution has a SLA of 100% protection from all known and unknown viruses, phishing, trojans and other forms of malware. http://www.messagelabs.co.uk/products/
Thank you
10/10 for being a pushy sales rep but frankly this mail was not terribly well received as you can imagine. You wouldn’t want this guy consoling you if you broke up with your partner. “I’m afraid you’ve been dumped but I’m a pimp – have you considered paying for sex?”. You’d then be even more upset when you found out that it was this guy that had caused the break up with your partner in the first place.
We also noted that, unlike the careful wording of the automated email sent by MessageLabs’ system, his email did not talk about “possible” viruses but came straight out and said “you are sending viruses” which was patently untrue. A rather terse email exchange followed, as you might expect, though not litigation as might have been the case with our American cousins (we’re too British for that).
In any case, I eventually spoke to the UK’s head of corporate sales who unsurprisingly was more reasonable and sort of / nearly / just about apologetic (although he too did suggest we bought their software, admittedly more tongue in cheek than his sales-chasing colleague). He gave me some spiel about how great MessageLabs is and how they use complicated predictive algorithms to filter mail which all sounded good but didn’t stand up very well to “very nice, but it was just the word PayPal in the subject line that triggered this mess and you misdiagnosed it as a virus anyway”.
The frustrating thing about this is that MessageLabs has several million installed users in the UK, particularly in big, wealthy organisations, such as the government and banks etc. These are obviously valuable potential customers and exactly the kind of people we’d love to retain. Unfortunately we have no way of knowing how many such customers have now had their hard-won trust in Arena dented or destroyed by MessageLabs’ misdiagnosis and there is no real way for us to fix this (bar writing this cathartic blog post!). The chap at MessageLabs said “Sorry” but it’s not going to make any difference. It’s clearly no coincidence that this email performed far worse than any other we’ve ever sent; it can realistically only be down to our MessageLabs mishap.
Maybe to add insult to injury MessageLabs will read this post and then use some of their freshly coined $700m to blast us right off the face of the earth and have done with it. Ah well, you live and learn. They didn’t do it on purpose but it certainly hurt. I guess no matter how careful you are, there will always be factors beyond your control, coming from any and all directions, that might disrupt your business. The best laid plans of mice and men and all that…
Update: Following the post, we were featured on Mail on Sunday and other popular news channels. Read Mail on Sunday’s article on Arena Flowers here. The Register, one of the UK’s leading technology publishers, picked up on our concerns and featured an article about Arena Flowers here. The article also featured on Softpedia, a leading technology-related online publisher. Read the article on Arena Flowers here.

Something we learnt quite quickly after setting up Arena is that, if you run a business then it seems you’re fair game and people will make up outrageous claims to try and get money out of you. It may be down to the idea that “Well, they’re a company so they won’t bother wasting time refuting anything and they’ll just let their insurance pay up.” Or there’s the very real fact that insurance companies tend to want to “settle” in favour of the member of the public, all other things being equal. At Arena, we totally disagree with the “just pay out” attitude and will do what we can to make sure that spurious personal injury claims don’t get paid out as, at the end of the day, it’s a form of theft and it drives up costs for everyone, which eventually means customers. And no one wants that!


Recently we were on the receiving end of an attempted hustle by some fake wheel clampers. They’d immobilised one of our vans and were refusing to take the clamp off unless we paid £300 cash there and then. No credit cards allowed because of “possible fraud”. That set our own 
We are constantly surprised by the number of people who attempt to make fraudulent orders on our site. Fortunately for us, we have a series of sophisticated security checks which bring most of these to light before we send them out – it is a constant battle and one that we are determined to win, not only for ourselves but also to try to minimise the distress to people who have had their cards used for these transactions.