Is Coffee Bean Phishing by Prompting Email Passwords?
A few days ago, I shared my experience with Coffee Bean and Tea Leaf’s “Spread The Froth” campaign and how it asked for email passwords on a non-secure (non-HTTPS) web page. I asked whether it was a phishing attempt and whether, regardless of its legitimacy, passwords should be asked for in the first place. (Read the complete discussion HERE.)
I hope that Coffee Bean and Tea Leaf does not wash its hands of this issue. I don’t want to hear any of the three excuses below:
- “Our PR firm and marketing firm were responsible for it and we didn’t know they’d launch a promo that asks for email passwords, God forbid!”
- “…But the promo is entirely safe and all passwords are discarded immediately…”
- “There is always the option of manually entering email addresses instead of having to enter your email password.”
Sadly, the email I received from Coffee Bean used the latter two excuses on the list above.
I contacted Coffee Bean and received an official statement via email, the gist of which I’m sharing with everyone below:
Thank you for pointing these matters out. We would just want to clarify that prompting for passwords was never a requirement, as our customers have the option to enter email addresses manually. We'll be sure to make that a little more prominent on the site. We recommend that customers on WIFI with privacy concerns enter their friends' addresses manually. Feel free to post this information on your blog so that people who want to avail of the promo know they can do so safely. :)
Spread the Froth to more friends! We would like to assure everyone that Spread the Froth is a legitimate and authorized promotional campaign by The Coffee Bean & Tea Leaf. Any requests that require participants to enter their email and password are solely for the purpose of importing the contacts list from email. Passwords are not recorded. Should you choose not to import your full email contacts list, participants may also manually input individual email addresses. The Spread The Froth campaign was conceptualized to provide loyal The Coffee Bean & Tea Leaf patrons an opportunity to try the newest innovation to hit the gourmet coffee industry, the CBTL Single Serve machine. For reference, you may visit The Coffee Bean & Tea Leaf website, www.coffeebean.com.ph and www.cbtl.com.ph.
First, I’m relieved that it’s a legitimate campaign. But let’s break down the statement above and see why a promo with good intentions was poorly executed.
PROBLEMATIC STATEMENT #1: “(Coffee Bean) would just want to clarify that prompting for passwords was never a requirement, as our customers have the option to enter email addresses manually.”
MY REPLY: Yes, giving out your email password is not a requirement, but the password prompt sits smack in the middle of the page, while the manual option is easy to miss (Coffee Bean itself admits it needs to be made more prominent). People will be tempted to use it. (And, like I said, that’s excuse #3 on my list.)
PROBLEMATIC STATEMENT #2: “We recommend that customers on WIFI with privacy concerns enter their friends' addresses manually.”
MY REPLY: How about this for a recommendation: I recommend that Coffee Bean remove the email password option completely. Importing a contact list exists only so that the promo can send an email to everyone in it, and unsolicited bulk email is SPAM by definition. Removing the option also resolves the unnecessary prompting for passwords. All who agree, say aye!
PROBLEMATIC STATEMENT #3: “Any requests that require participants to enter their email and password are solely for the purpose of importing the contacts list from email.”
MY REPLY: Uh, isn’t that tantamount to sending spam to everyone in our address books? Wikipedia defines email spam as “the use of electronic messaging systems to send unsolicited bulk messages indiscriminately.” That fits exactly, if you ask me. And note what the statement leaves out: an email password does not unlock only the address book; it unlocks the entire mailbox, including every password-reset link that lands in it.
Moreover, here are a few questions that may shed light on the value of what has been done:
QUESTION: Does free coffee justify the prompting of email passwords from a non-https website?
ANSWER: No. On a non-HTTPS page the password crosses the network in cleartext, so anyone on the same WiFi network (or anywhere on the path to the server) can read it. The prize, a free cup of coffee, is simply not worth that. The risk-versus-benefit ratio is off-kilter.
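The practical check behind that answer is the one browsers now make for you: before typing a password into any form, look at where the form actually submits. The following is an added example (not code from the original post or from Coffee Bean’s site) that scans a page’s HTML for forms containing a password field and flags any whose submit target resolves to plain http, including the “HTTPS page, HTTP form action” case. The page URLs, hostnames and HTML below are constructed for the example and are not the real promo page.

```python
"""Flag HTML forms that would submit a password over plaintext HTTP.

Added example: audits a page's forms the way a browser's "not secure"
warning does. All URLs, hostnames and HTML here are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> and whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A missing type attribute means type="text"; compare case-insensitively.
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_password_forms(page_url, html):
    """Return [(form_index, resolved_action_url)] for every password form
    whose submission would not travel over https.

    The action is resolved against the page URL exactly as a browser would:
    an empty action submits back to the page itself, a relative action
    inherits the page's scheme and host, and an absolute http:// action on
    an https page is mixed content that still leaks the password.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for index, form in enumerate(scanner.forms):
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append((index, target))
    return findings


# Constructed sample: a promo page served over plain http with a manual-entry
# form (no password) and a "import your contacts" form that asks for one.
SAMPLE_PAGE_URL = "http://promo.example/spread"
SAMPLE_PROMO_HTML = """
<html><body>
<h1>Spread the Froth (constructed sample page)</h1>
<form method="post" action="/manual">
  <input type="text" name="friend1">
  <input type="submit" value="Send">
</form>
<form method="post" action="/import">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Import contacts">
</form>
</body></html>
"""

# Constructed sample: an https page whose password form posts to an http URL.
MIXED_CONTENT_HTML = """
<html><body>
<form method="post" action="http://importer.example/connect">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((SAMPLE_PAGE_URL, SAMPLE_PROMO_HTML),
                      ("https://promo.example/spread", SAMPLE_PROMO_HTML),
                      ("https://promo.example/spread", MIXED_CONTENT_HTML)):
        print(url, "->", find_insecure_password_forms(url, html) or "no plaintext password forms")
```

Serving the same promo page over https makes the second case come back clean, but only because the relative action then inherits the https scheme; the mixed-content case shows that the page’s own padlock says nothing about where a form sends the password.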
QUESTION: Was it necessary to prompt email passwords in the first place?
ANSWER: No. There was an option to manually enter email addresses instead of importing contacts from your email account. Since giving out the password is unnecessary and very risky, it should NOT have been part of the promo. And “passwords are not recorded” is a claim no customer can verify; even if it is true of the promo’s own servers, a password sent over plain HTTP can be recorded by anyone between the customer and the server.
No, there are no excuses. In this situation, asking for passwords is still not justified. Even if this promo is indeed legit, I do hope Coffee Bean finds other ways to share free coffee without having to ask (inappropriately) for access to our emails.
Lesson to everyone: NEVER type the password for one account into another company’s website, no matter how legitimate that company is. Would you give a legitimate company access to the money in your bank account simply because they’re legit? Be especially careful with the email account you use for PayPal and credit cards: whoever controls that mailbox can reset the passwords of everything tied to it.
Dear Coffee Bean’s Marketing Department, I think you can do better when it comes to making sure that your loyal customers get the best not only in terms of coffee, but also in terms of online safety. I am thankful for the free coffee, but you have to admit, asking people for their email passwords was a bad judgment call. Based on the above breakdown of your statement, I hope I’ve made myself very clear.
This may not be an attempt by some hacker to use Coffee Bean and Tea Leaf for phishing, but what they’ve done is provide an unsafe way to promote their products AND to send unsolicited promotional emails to everyone in our address books, which is the very definition of spam. Worse, it trains customers to do exactly what a phisher asks: hand their email password to a third party’s web page. A promo like this is a very convincing way to get people to surrender their email passwords.