#5 – Amazon protects its brand from phishing attacks & Wikipedia doesn’t want any search results deleted
Subscribe: Google Play | iTunes | RSS
Come take a walk in a reputation wonderland as we tickle your eardrums with episode 5 of the Reputation Rainmakers podcast!
Each week, we’ll take a look at the most interesting reputation management stories, answer your questions, and share valuable ORM tactics. In this week’s episode:
- Erin Jones of Social Ink joins me as co-host.
- Amazon acts quickly to protect its reputation from phishing scams. What you can do to protect your reputation and why Google is one of the worst at some simple basics.
- We challenge Wikipedia’s opinion that no information should ever be deleted from the search results.
- And much more!
If you have a question you would like us to tackle, please leave a comment below or on my Facebook Page.
Transcript (forgive us for any typos):
Andy Beal: Welcome back to Reputation Rainmakers, we are on episode five, and it’s beginning to look a lot like Christmas. How’s it looking in your house, Erin?
Erin Jones: It’s looking a lot like a chaotic Christmas. We have two small children, so it looks like Christmas is everywhere right now.
Andy Beal: Are you doing elf on the shelf again this year?
Erin Jones: We are, and I am a glutton for punishment, so now I have two.
Andy Beal: Oh boy.
Erin Jones: It’s fun, but it’s … It can be a little bit of a handful when it’s midnight on a Tuesday and you sit bolt upright in bed realizing that that silly little elf hasn’t moved.
Andy Beal: I actually saw where people are actually setting themselves alarms on their iPhones to remind them to move the elf.
Erin Jones: I did that, a year or two ago, but my six year old now knows how to access my phone, and I’m terrified that she’ll find something and I don’t want to be the crusher of dreams just yet.
Andy Beal: Speaking of crushing of dreams around Christmas time, there’s a nasty phishing scam going on that’s involving a lot of big names, in particular Amazon. Why don’t you tell us about that story?
Erin Jones: Yes, I … Especially with the holidays coming up and this being a prime shopping time, I think this is a lot of online shoppers’ worst nightmare. People are getting an email after they place an Amazon order saying that their order is unable to be shipped, and if they don’t log in and update their payment information, their Amazon account will be cancelled.
I’m sure Amazon is not the only retailer that is having this happen, but it’s one of the biggest.
Andy Beal: Right, yeah, I think … I was looking around, PayPal with their scams, and then a lot of shipping companies like DHL and FedEx. There’s scam emails going out saying, “hey, we can’t deliver your package until you pay a fee or give us your credit card information to cover the shipping,” or something like that. A lot of times it’s just … It may be to try and get banking information, but other … A lot of times it’s just get you to click on a link so they can install some kind of Malware.
Erin Jones: Right, and I have been shopping online since online shopping was a thing. I consider myself a fairly savvy internet user, and I’ve seen pictures of this email and if you’re in a frenzy, trying to get somethings done and you’re already frazzled and this email pops up, it’s good. They did a good job on it. I think it’s probably going to take a lot of people.
Andy Beal: Amazon’s getting out in front of it and trying to warn the customers.
Erin Jones: They are. I did a search this morning for Amazon phishing scam, and the first probably six results are links back to Amazon helping people identify what may be a phishing scam, what to do if you think you may be a victim of a phishing scam, where to go to change your password.
A good tip that they have is that instead of clicking on a link in an email, close the email, type amazon dot com into your browser, and access your account more manually that way.
Andy Beal: That’s a good tip. Another one is to mouse over any link before you click on it and look in your browser to see, or the pop up information to see where is it actually going to take you? You definitely can’t go wrong if you just go to the browser and type in the URL manually.
Erin Jones: I’ve even seen some of these mouse over links that … They go to amazon dot amazon dot CO dot … If you don’t know what you’re looking at, I could absolutely see how it would look legit.
Andy Beal: Yeah. I mean, I think that some retailers and online businesses, they get kind of clever with their distribution of server traffic, so they end up creating these sub-domains or they create these URLs that they use specifically for email notifications. I’ve had legitimate emails where it will say something like … Maybe it’s from Google and it says googlemail dot com, and it’s legitimate, but I don’t know that because that looks kind of strange.
I think companies can kind of end up hurting themselves because they get kind of clever with their tracking and their distribution of server traffic.
Erin Jones: Absolutely. I think that people really need to be on top of things. One of the things that Amazon recommended … From what it looks like with this scam, you’re getting the email after you place an order, so they’re already in your email or somewhere watching whatever activity you have.
With the whole … This is a whole nother tangent, but with the whole internet of things where we have 30 or 40 devices in our home that have web access, getting in means that there’s access to a whole bunch more information than we used to put out there than in just our email.
I think changing passwords is a great place to start, but my guess would be you’ve got to start your email password … I don’t know how deep it goes, I’m not as technically competent in some of those things as I would like to be, but possibly looking at changing your wifi password, definitely your Amazon password.
Andy Beal: I think, as well … I don’t believe Amazon does this, but a lot of other companies do, and I think we’ll see this in maybe more with retailers is two step authentication. If you’re not familiar with that, basically you log in with your credentials and then the site will send you a number to your cell phone by text message, and if you don’t enter that correct number, then you’re not getting logged in even if you do know the username and password.
It’s a little bit inconvenient, tends to be that it makes it more hassle for me than it ever seems to for any kind of hacker, but certainly I have it set up on a number of different sites that I go to. I think we may see more retailers and companies looking at options like that to kind of take it upon themselves to protect their customers so that they’re kind of insisting. You can offer a discount … MailChimp, we do our email marketing, they offered a … I think it was just five dollars a month off or something like that, if we put in place the two step authentication. I’m like, “that’s great, it protects me and I get a discount,” but it protects the brand of MailChimp because now they’re less likely to get hacked if they’ve got more customers that are using this two step process.
Erin Jones: I think, for a retailer like Amazon, there’s a fine line between convenience and user privacy. I have done one click buying from my cell phone on Amazon, I love Amazon, I sometimes have four or five packages a day arrive from Amazon. If I had to authenticate with every order … I definitely appreciate that they’re looking out for my security, but at the same time I’m probably rolling my eyes every time I have to do it. I think it’s a hard balance for them between security and convenience for their users.
Andy Beal: That’s a good point. I think that this kind of demonstrates to anybody that has customers online, especially retailers, go ahead and put in place a page or an email now that explains how you’ll contact customers, what you will and won’t ever ask for, and just some advice on how to avoid being phished, because you’re … Amazon is doing this now, in the middle of this crisis, and it’s probably the last thing they wanted to do. I think that doing a better job, for any company, of actually pre-warning and educating customers is a good investment for your own reputation.
If you get hacked, even though your system was not compromised, even though this is not necessarily anything to do with Amazon’s servers, their information is completely secure, but who are people going to blame? They’re going to see the Amazon brand here, and so this is s a good move by Amazon to protect their brand.
Erin Jones: Definitely, because for people who do fall victim to this, their bank card gets shut off, their credit card gets shut off two weeks before Christmas when people are buying gifts and plane tickets and spending a lot more money than they normally spend. When you get cut off from that, it’s very frustrating.
I agree, the first place you’re going to be frustrated with is Amazon.
Andy Beal: You know who does a really bad job this? Surprisingly, it’s Google.
I put on Twitter, and I’ll put it in the notes for this episode, a screenshot of an email from Google with very important information about how I can update my notification settings, ironically enough. It was a legitimate email, but G mail’s own spam filter flagged it was potential spam because it looked like a spam message. How does Google not have in place a system to authenticate using the SPF record to authenticate that this is a legitimate email.
Then, to make matters worse, Google never uses the person’s name in the salutation. It’s always “hello” or “hi”, and one of the biggest tips for any online brand is to, at the very least, use the person’s name that they’ve used in their account. If I see something from my bank and it says “hi Andy,” I’m going to be a little bit suspicious because I’m probably more likely to use Andrew, and that’s probably what’s going to be in the salutation. Then if it just says “hi Andy” or just says “hello.”
I think that that’s another tip for brands is to kind of look for ways to highly customize and personalize the emails so that they’re more trustworthy, because spam is not necessarily going to have that information.
Erin Jones: Exactly, and we know Google has the technology.
Andy Beal: Right, what’s their excuse?
Erin Jones: If anybody should be doing it, it should be them. I noticed, sometimes when I get an email from Amazon, they’ll say, “did you like your laundry detergent?” They’ll name the exact product I purchased, so I do know it’s from them, because they know exactly what I bought when I bought it, and it makes me go, “oh, maybe I should order that again. That was a great reminder, thank you.”
Andy Beal: Hopefully this is helpful for those listening, either as a consumer or as a brand. I think there are some things we can do to protect ourselves as consumers, but I think as brands, we need to protect our reputation by showing that we care about security. That can be with things that … Two step authentication, or a better way of customizing and personalizing the engagement, but then also educating customers. Especially if you are likely to be phished or you have been phished.
I think PayPal does a pretty good job, because PayPal’s always … There’s always phishing emails relating to PayPal.
Hopefully this will be something that not too many folks will be victims of, especially this time of year. We’re all making lots of online orders and it’s easy to overlook and accidentally click on something because you’re worried that it’s going to be delayed and you’re not going to get that present for Uncle Billy.
Erin Jones: Right.
Andy Beal: All right, let’s move on. Let me ask you a question, Erin. If someone stole some private information from you, and then posted it to the web, do you think you should be able to have it removed?
Erin Jones: Absolutely.
Andy Beal: That’s what I think. Call me old fashioned, but if you steal information that I didn’t want put on the web, and then you publish it and it was private information, I should be a means to have it taken down.
Well, Catherine [Mayor 00:13:08], of Wikipedia, disagrees. She’s got an opinion piece in the Globe and Mail, a story about [Accustech 00:13:16] that sued another company for stealing trade secrets and then marketing their competitor product online. They got a court order that the product be removed, and also to have all mentions of this competing stolen propitiatory technology removed from Google. Which they did, they got a lot of the links removed, but not everything. So now, they’re effectively suing Google to have all remaining web content that mentions these stolen trade secrets and competing technology removed from the web.
Catherine, she thinks that is a threat against our ability to have things published and to see information that’s important to transparency, disclosure, and I just don’t see how that is something that should be on the web to start with, do you?
Erin Jones: No, I completely agree, and I feel like her post on it was a little bit … Maybe overblown and dramatic. Trying to get people to come to her side in more of a panic state. It was voiced as very “us versus them”, “giant versus the little guy”, when this is about corporate trade secrets. It’s not about this little guy.
Andy Beal: Right. It’s one thing for it … Removing negative news. We want reviews to be able to stay out there, we don’t want people to be able to remove negative customer complaints, but trade secrets is certainly one that I think should have a process for removal. Especially if a court agrees.
Defamation is another big one where … Potential customers come to us and they say they’re looking for reputation management, and I dig into this and find out that it’s highly likely that this is defamation, not just something negative. It’s actually truly something that is defamatory.
Fortunately, if … We have laws for that. If you get a court order, then Google’s generally going to take that information down. I think that there’s always going to be a case where there’s going to be information that should never have made it online that needs to be removed, and I don’t think the Internet’s going to be any worse off because of that.
Erin Jones: No, I agree. I think that her argument stating that it will be is a little bit skewed. I feel like something like trade secrets or personal information is kind of akin to sharing someone’s social security number online. This is their private information, and they have a right to keep it private.
Andy Beal: If you’re out there, and you’re looking at information on the internet that is defamatory or is a trade secret or was … Somebody broke confidentiality agreement in publishing it, then instead of hiring a reputation firm to try and bury that, the best step is really to get an attorney … We’d be happy to recommend one to you, we know a couple of good guys that do work in this space. Then sue the company or individual.
Now, you can’t just sue them because they say something like, “well, in my opinion, the product is not very good and isn’t worth the money that I paid for it.” That’s not defamation. If there’s something … An allegation that they make that is completely untrue and you can demonstrate has significantly and financially hurt you, then you can take that to the court and you can … If you prove that, you get a court order, and you can get the judge to issue a court order that says, “hey, Google, you have to have this removed from the web.”
Google has a form that you can submit that to, and they generally don’t fight it because it’s not their battle. Whereas they only tend to get involved if you kind of take it up with them and think that they’re manipulating the results or you’re not happy with something negative that they have in their index.
Something like defamation is certainly … It’s a lot easier, and probably cheaper at the long run, to go ahead and get that court order and just get it scrubbed from the web.
Erin Jones: Now, is this something that you would recommend? I know a lot of these court battles can be very lengthy. Do you recommend people work on the ORM side concurrently while they’re waiting for a verdict to come down? Or does that make their court case look not as strong?
Andy Beal: That’s a good question. No, that’s a great question. I think that every company and individual needs to be proactive with their reputation management anyway, right? It’s not a case of, “okay, yes you should also do reputation management while you are seeking an injunction or a court order.” It’s more of a case of, “you should be working on your reputation regardless.” That should be something that’s ongoing and not necessarily tied to a specific incident.
Unfortunately, a lot of people see it as … They don’t see is as a necessity. We have a lot of people that come to us that, if they had only invested a small portion of their budget in proactive reputation management, they could’ve either avoided whatever negative thing they’re battling now, or insulated themselves better, certainly in the search results as opposed to waiting now to do something where you’re up against content that may have even been around for a few months that’s attracted a lot of links and now you’re trying to fight it.
I think being proactive is the key here, but I think it would also … I don’t think it’s … I don’t think it jeopardizes or undermines your court case by actually strengthening your online reputation while you’re waiting to get that court order.
Erin Jones: I would definitely agree. Obviously, I’m a proponent of ongoing reputation management, but I feel like most people come looking for it when they’re already in crisis.
Andy Beal: That is true, and it’s been that way for a long time. We’re still not there yet, in terms of proactive reputation management building and creating positive content to protect you. I think, the more we see companies under fire and facing reputation attacks, I think the more we’re going to find companies … In particular, companies that will set aside a small part of their budget. Look at this as a … The bedrock, the foundation of everything else they do.
If you don’t have a strong reputation, everything else is going to be on a shaky foundation.
Erin Jones: Agreed.
Andy Beal: All right, well that’s our show for this week. As always, we keep it to about 20 minutes. Mostly because, even I can’t listen to a podcast longer than 20 minutes, so I don’t want to rob you of your attention.
We will be back next week with another show.
If you have any questions that you would like us to answer … They could be about a story that you’ve read, they could be about reputation repair, branding, building, whatever it is that you’re looking for. Or it could be about a quote unquote friend of yours. Please head to our Facebook page, which is forward slash Andy Beal ORM, or just leave a comment in the show notes, and we’ll definitely answer that for you. We love answering your questions, because it gets us thinking and challenges us, so please do that.
Erin, as always, thank you for joining me this week.
Erin Jones: Thank you so much for having me.
Andy Beal: My pleasure.
Thank you guys for listening, we hope you’ll tune in again next week for another episode of Reputation Rainmakers. Thanks a lot and bye bye.