Coffee Bean's “Spread The Froth” Promo: Password Phishing?

Friday, December 09, 2011 Stef dela Cruz 9 Comments

Have you received an email from Coffee Bean and Tea Leaf (CBTL) that looks like a phishing scam? I received an email from today saying that I may claim free coffee from any Coffee Bean and Tea Leaf branch once I register. The email contained a jpeg file, which I screencapped and posted below. However, as I started to register, the next page was asking for my email address – and, gasp, my email password. Is the promo from the Coffee Bean and Tea Leaf just another malicious phishing attempt?

CBTL password

I checked the email address that sent the message and it seemed legit, because it came from I clicked on the link and I was immediately led to this website:

I started to register and found it weird that it was asking for my birthday. As I was done filling in the fields with my answers, I was led to the next page. Now, that was the page that I found even weirder:

CBTL promo

As you can see, this promo from Coffee Bean and Tea Leaf called “Spread the Froth” is asking for both my email address and my email password! Apparently, the program wanted to import all my email contacts so that I can give them free coffee, too. However, I never share my email password anywhere – I don’t care if it’s for a free cup of coffee or a free car.

I immediately hit the brakes on my registration. However, I did see an option where you can manually input email addresses. I then opted for that. After I entered four email addresses, my registration was complete and I received a confirmation email with a coupon for free coffee:

coffee bean and tea leaf phishing

Perhaps this promo is legit. However, I give it a thumbs down because it asks for private information that not even your bank will ever ask for. Email passwords should never be requested, even when registration is necessary. Having to enter your email password should never have been an option for this promo.

UPDATE: Coffee Bean and Tea Leaf has replied to my email with an OFFICIAL STATEMENT regarding the status of Spread The Froth and the email password phishing issue! Click HERE to read the update.

Stef dela CruzAbout the blogger
Stef dela Cruz is a doctor and writer. She received the 2013 Award for Health Media from the Department of Health. She maintains a health column in Health.Care Magazine and contributes to The Manila Bulletin. Add her to your circles.


  1. I received the same email. full headers of email reveal a different email with IP address originating in Makati.

    Identity theft attempt.

  2. Thank you for posting this, as we appreciate your intention to protect your readers from phishing attempts. This is in fact a bona fide CBTL promotion. The website asks you to enter your email password so that your contacts can be accessed, but we do not save or otherwise keep a record of the passwords. This is similar to the "Import Contacts" feature of Yahoo Mail, where you can input your Gmail or Facebook password, and Yahoo will pull your contacts into your Yahoo Contacts. With this promotion, we do record the email addresses you enter, but the passwords pass "through" without being recorded. In order to assure you and the rest of our customers, we will be adding the following line to the "Treat all your friends" page: "CBTL uses your information for the sole purpose of importing your contacts. Passwords are not recorded. If you prefer not to enter your password, we invite you to enter the email addresses of your friends manually." I wanted to get this comment up quickly, but please expect an email from me shortly so that you can verify that this comment really came from The Coffee Bean and Tea Leaf. If you ever feel you or someone you know has been the victim of a phishing scam, please contact the company in question immediately. Thanks again for your vigilance in helping to keep the online community safe.

  3. Report the scam to the main website in the United states:

    They have contact information in the customer relations section in their website.

    I have grave suspicions as to the real objective of the local franchise owners.

  4. I know CBTL's PR agency and I've never experienced anything like this from them. They're actually very nice. This might be another entity entirely.

  5. Hi, Average Jane, nice to hear from you again! :)

    I've received an official statement from Coffee Bean. It's actually from their company. :) But it doesn't really justify the email password issue.

  6. Hi, Alexi of CBTL. Actually, it's not "similar to the 'Import Contacts' feature of Yahoo Mail", because doing that in Yahoo is secure, while doing that through a non-https protocol (such as through Coffee Bean's website) is not safe.

    It's also not the same in one other aspect: when you import contacts from one email to another, it's to keep a record of your contacts. When you use the "import contacts" function in Coffee Bean's promo, it's to send a promo email to everyone in your address book - including bosses, clients, professors, and other people who you would rather not send bulk emails to.

    I do hope you understand that. Again, thanks for the free coffee - but I hope there's a better way to promote CBTL than through this promo. It has too many holes.

  7. Hi there! Good thing I ran into this site as I also got the same emailer promo from CBTL. However, what really surprised me was they were asking for my password. However I read here that you can input your referrals manually. However a word of advice to CBTL, consumers will really be wary about them placing their passwords on any site that is why the way to 'spread the froth' should be modified in a way that they wont have to share very private information. :) p.s. I got my coupon though thanks CBTL! im about to claim my coffee!

  8. Haha good for you! And yes, it would be great if Coffee Bean could "spread the froth" without having to prompt passwords. Glad you have your free coffee coupon!