Thursday, March 2, 2017

At what point does it become okay to say that British Telecom and Yahoo are knowingly profiting from fraud?

If you are against fraud but then find out that you're unwittingly profiting from it... and you could take steps to sever your connection to that fraud immediately... but you choose not to do so... and days - even weeks later - you're still profiting from that fraud... well then, at some point, isn't it fair to reach the conclusion that you're just, y’know, knowingly profiting from fraud?

And if that's the case, in what way are you, y'know, against fraud?

[Photo: Marissa Mayer, May 2014 (cropped)]
Marissa Mayer, CEO of Yahoo, who profit from fraud.
Photo used under CC licence. Attribution: By Yahoo from Sunnyvale, California, USA

[Photo: Gavin Patterson at Chatham House, 2016]
Gavin Patterson, CEO of BT, who profit from fraud.
Photo used under CC licence. Attribution: By Chatham House

At this point, I guess I ought to say that this blog post probably won't make a lot of sense unless you've read my post from a couple of days ago. It's long so I recommend making a cup of tea before you start, but it details how I frequently see BT and Yahoo carrying ads for fraud on their networks and how those ads continue to appear on their networks, often for days after they're reported.

By the way, when I say "fraud" I don't mean "things I don't like" or "products that I think don't work, grrr"; I mean actual, criminal, steal-your-money fraud.

Sometimes, weeks after they've acknowledged an ad is fraudulent, identical ads leading to the very same websites will still be appearing on their networks.

This seems to me to be negligent on their part. And as I've been corresponding with the two companies about it since July last year - and with particular frequency throughout February - I don't really see how either entity could claim to be ignorant of their role in enabling these scams to prosper.

This morning, I emailed Michael Todd (Executive Level Technical Complaints, BT), Gavin Patterson (CEO, BT) and Charles Stewart (PR Manager, Public Policy, Yahoo) the following few questions:

Question 1: Every time you run one of these ads, you expose your customers to the risk of fraud. Are ads subject to any kind of editorial review before they are accepted on to your network?

Question 2: If ads are subject to editorial review - how did these ads pass? Even allowing for human error, initially - how is it that ads you have been made aware of, continue to get through?

Question 3: It is now abundantly clear that, even after a month of pushing, Yahoo is a) unable to remove ads quickly and b) unable or unwilling to adequately block ads. In which case, do you agree that continuing to run ads through this system means you are now aware that fraudulent ads can and will get through and won't be removed promptly, exposing your customers to harm?

Question 4: BT's CEO has made it very clear that BT people should turn down business when it would force the company to compromise their principles. Does this compromise your principles? Or is there an acceptable amount of fraud that you are happy to expose your customers to?

They seem kind of shy of answering straight questions and have previously expressed a desire for me to not publicise the contents of our interactions thus far... but I don't think these are complicated questions - and I don't think there's anything here for companies of this scale to shy away from.

If they come back to me, I'll let you know what they say.

20 comments:

Unknown said...

Nice and subtle David 😂😂👍

rileysaplank said...

From my own experience I'd say that Yahoo have a lax attitude towards fraud. I have a yahoo e-mail account which I used to use as my main e-mail until, about ten years ago, I started getting replies to e-mails I hadn't sent. After getting in touch with Yahoo about this their response was someone was able to recreate my yahoo e-mail header and send out e-mails as if they'd been sent from my address and there was nothing they could do to stop it happening. I stopped using Yahoo pretty much immediately on receiving that reply.

Anonymous said...

Email spoofing is a problem that Yahoo would not be able to solve; you can make an email look like it came from anywhere if you know how. It's not limited by the provider you use and is no more difficult to make it look like it came from your current account than it would from your Yahoo one.
It's the equivalent of someone using your address on the "return to:" section of a parcel and you complaining to your landlord.

Pete Arthur said...

Go get em, Dave.
I'm a retired BT engineer, and we used to pride ourselves on the fact that we were the 'established' telephone company in Britain. We once got a circular from management which more or less said 'Because of how we operate and the way OFTEL (now OFCOM) regulations apply to us, we can never be the cheapest, so it behoves us to be the best'. We, as engineers, believed we were, and ALWAYS tried to put our customers first. Alas, that now seems to be a thing of the past, and the company's priorities seem to be Profit, Shareholders, Customers and Staff bringing up the rear. When I first started, it was still Post Office Telephones, everyone was motivated and morale was great. We were in a job that you could turn into a career. Now sadly, the guys I talk to seem to be doing the job until they find something better. Your blogs show a horrible decline in what was once a great company.

scottishpoetkrk said...

I am expecting a found poem to appear

Unknown said...

If you sign in with a Yahoo account (https://gemini.yahoo.com/) you could set up ads linking to your own blog Dave. Would be interesting to see how easy it is to get them approved or if any approval is needed. You can set a very low daily budget.

@rileysaplank that goes for any email service. I could send an email out pretending to be from you whatever your email provider is; there are extra security checks that confirm if an address is likely to be genuine (SPF & DKIM). Not really Yahoo's fault.

fallingbeam said...

To be clear, this situation happens to pretty much all phone companies (when fraudsters call your phone number, or route you to premium rate numbers) and all mobile companies (when fraudsters send "I am a Nigerian Prince" SMS). Telecoms are in a position to profit from fraud, and almost all do at some point. And the response of those companies is to have dedicated fraud teams whose job is to actively police the environment to make sure it doesn't happen - because they rightly view the damage to their reputation from press coverage to be much worse than losing that revenue, and spending the money on fraud professionals (whom I used to teach/educate).

Companies make a business decision about these things - what does it do to the business case if we have to vet every single ad, which is expensive. Having a fraud team that reacts/recommends preventative actions, is usually cheaper.

I absolutely hear Pete Arthur above, but monopoly telecoms has a bad history of justifying consumer price increases simply because costs have gone up - a feedback loop that justifies inflating costs to justify price increases. This is how telecoms costs got so expensive, and what a free market environment has managed to make ridiculously cheap.

That said, I've never met a telecom that didn't prize their reputation more than the cost of a couple of fraud professionals to handle this proactively, and it's a little troubling that BT (who already have a fraud team), aren't willing to put resources on a known open sore, that is at constant risk of damaging their brand.

Rob Glysen said...

Get em dave, my phone subs are up this month and I've a good mind to leave BT and cite your reasons for leaving them. Plus everyone else is cheaper.

FameAsser said...

This is amazing.

Just read both blog posts and it's genuinely brilliant! I can't wait to see if you get a reply.

I am expecting that one day you will just log into your account and not be able to access any emails anymore. Haha

Anonymous said...

So you email the PR manager for Yahoo, the CEO of BT, and some guy in a technical team who is probably just trying to fix people's technical faults and is just trying to do his job?

I don't disagree with your stance; I do disagree with naming the guy who is likely not going to be anywhere near commercial decision makers or able to answer your queries... Yeah that's it Dave you show'em

Unknown said...

Nowadays, SPF can be used to ensure that mail purporting to be from an @yourcompany.com address is rejected if the mail server doing the sending doesn't match the SPF server details in yourcompany.com's DNS records.

Dave Gorman said...

@anonymous: re naming people. Michael Todd is one of the gatekeepers to the CEO email. Initially I emailed Gavin Patterson. Michael Todd was the man who replied. It's his team that replies on Gavin's behalf. It was him who told me that our email chain was for my private use and initiated the contact from Yahoo's PR.

Anonymous said...

Do you remember the dialer scams from 2003ish? There is evidence that BT profited from those scams. My friend worked in their call centres at the time.
This was the period when Broadband was starting to become available in some areas. Most people were still on dial up connections. The customer would get a virus or malware on their computer which would change the telephone that the computer dialled to a premium rate number operated by the scammer. The dialer would take every opportunity to ring the number. Many customers had quarterly bills so this could be going on for 3 months before the customer received a bill. They would call customer services to complain that they had calls on their bill that they did not recognise. For a long time BT maintained the call charges and made customers pay them. The approach was that the customer is responsible for the use of the phone, and the equipment they connect to it.

However this activity was really easy to spot. The computer's modem was calling destinations such as Sao Tome, Tuvalu, over and over again. I forget how this ended, but for a long time BT knew about these scams, but still maintained the customer had to pay for the calls that had been made from their line. According to the article here..

https://www.google.co.uk/amp/s/amp.theguardian.com/money/2004/jul/03/scamsandfraud.jobsandmoney

..telephone providers were instructing customers to contact the company operating the premium rate numbers. They didn't seem to take responsibility themselves. Surely a telephone provider has a duty of care? How hard would it be to contact a customer and say "we noticed you made 34 calls in a row to an island in the middle of the pacific with a population of 9000 people". Eventually they did start doing this but I am sure thousands of customers did have to pay their bills, even though the telephone provider knew they were the victims of a scam. And of course, the telephone provider made their cut of the call costs too.

If you are asking, do BT knowingly make money from scams on the internet, this story suggests they did at that time.

Anonymous said...

Also, my mum sent off for a free sample of face cream as endorsed by Victoria Beckham. In the small print she was signing up to pay £100 per month for this face cream and to cancel she had to send the samples to the supplier in Greece. She's not a stupid person and we have taught her to be internet savvy, but the reason she trusted this website was because it was a banner advert in her Talk Talk email browser. She knows to avoid the dodgy sites but in her mind this was from Talk Talk.

Anonymous said...

Car manufacturers 'know' people will speed yet continue to supply cars that can do more than 20 mph; are they 'knowingly' contributing to and/or responsible for the speeding offence? They have the power to stop this by building much slower cars.

Steve @gargpit said...

Dave, BT/Yahoo only sell a space on their website/webmail form for an ad-flinger to fill with whatever they want and so BT/Yahoo have to contact the ad-flinger to strike an advert who may well then have to contact their local supplier and so on through several levels. This is why they have little control over what appears on their site.

Oh, and it is far, far worse than just ads for frauds with the high risk of malvertising causing your machine to become infected with nasty things.
See https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising

The only protection from these things is to Ad-Block and the simplest and leanest adblocker is uBlock Origin which is available in all the add on stores for the browsers. It also saves your data on your phone, blocking ads.

Anonymous said...

Indeed, SPF is great, but it wasn't common 10 years ago.

Jeremy Renals said...

I find a nice public tweet gets things moving. Are we past that stage yet?

Anonymous said...

If you are facing any issues related BT Yahoo Email you can contact BT Yahoo Email support phone number Toll Free Number +44-808-280-2972 which is available 24/7.

Dave Gorman said...

@Eliza Rose: yes, you can. And the fraudulent advert you're reporting will still be on their system for three or four days, potentially leading to their customers being fleeced. Getting in touch with them isn't my issue. Getting them to take seriously the fact that their system is being abused to advertise fraud and they have no system in place to weed it out promptly - that's my issue.