Why you shouldn't give your email address to retailers

This post is the second in a series about best practices to keeping your personal information safe.

I recently visited a local retailer and while I was purchasing something I glanced down on the counter and saw this:

I have seen many lists like this at various retailers.  Some of these lists are used for charity purposes, some for community events, but in this retailer’s case the list was for marketing purposes.  I don’t understand the logic of asking a customer to write down their name and email, to then have an employee try to read their messy handwriting and manually type it into their system, only to then leave the list on the counter for others to see.  And frankly, in today’s day and age – most POS systems enable direct entry of this information.

I found this quite interesting because the first name on this list is a very close friend of mine. I laughed and made a comment to the store clerk. I took a picture of the list (the sales clerk did not seem to care that I was taking a picture of client information), texted it to my friend and informed him of the potential dangers of leaving one’s name and email for others to see. Like many unsuspecting consumers, he asked me what could happen and I said “Give me 10 minutes”.  Off to work I went.

Step 1) Create Gmail account in the name of the retailer.

            “Location_name of retailer@gmail.com

Step 2) Go to company webpage and download pictures, logo and other company identifiers.

Step 3) Create email to my friend appearing to be from company.  I was armed with these facts:

  • Name and email address of customer
  • Store name and location
  • Approximate date range (within a few months of my visit to the store)

I often get phishing emails such as this from companies that I have never dealt with (specially banks in the U.S.).  I know to ignore those emails and delete them. In this situation, I would know that the people whose names are on the retailers’ list most likely shopped at the store recently and in all likelihood would not suspect it to be a fake email.  I obviously created the hyperlink with a funny name, however, most consumers would click on a link such as this if it closely matched the brand and URL.  With just a little more time and effort, a phishing email like this could be designed to pass for the real thing and look a lot more official. 

I returned to the store the very next day and talked to them about this.  They asked me what services I was trying to sell them, to which I said “None, I just think you should know by leaving this information for others to see, you are putting your customers and your brand name in jeopardy”. I showed them what I had done in 10 minutes’ time. They promptly took the book and hid it in a drawer. 

As consumers, we often provide this type of information without thinking through why its being requested, how its going to be used and how it will be protected. There is a dual responsibility here; first, on the consumer to ask why its being collected, for what purpose and whether it will be shared or sold and protected; the second is on business to ensure their employees, and systems, collect and safeguard this information properly to mitigate risk.