Phishers Switch Brand Bait to Coke and McDonald's

Bogus Web Sweepstakes Use Identities of Nonfinancial Companies


NEW YORK -- A November e-mail signed by a Hong Kong-based Coca-Cola sales and marketing manager promised a Mercedes-Benz ML Jeep convertible and a chance at $800,000 cash for entries submitted to a link in the e-mail. Another one in March from McDonald's Corp. and JPMorgan Chase offered a 50% discount at McDonald's over 10 days, followed by a 30% discount thereafter if recipients signed up at a JPMorgan Chase-branded promotional site.

These offers didn't signify aggressive interactive-marketing efforts. They were "phishing" expeditions. And the first clue might have been that there is no such car as a Mercedes-Benz ML Jeep convertible.

Hijacking brands
Until recently, such bogus offers -- in which familiar brands are hijacked to dupe consumers into providing personal or financial information through links embedded in fake e-mails or web offers -- were limited to banking, online-retail and other transaction-based brands and targeted individual customer accounts. But the hoaxes are now spreading to nonfinancial consumer brands as phishers latch on to well-known and trusted logos as bait, using promotions, giveaways and sweepstakes as lures.

And that, coming at a time when marketers are relying more and more on interactive marketing to build one-on-one relationships with consumers, not only threatens to erode trust but also raises serious questions for marketers about liability and what action they should take -- or not take -- to thwart internet criminals who hijack their brands.

"That red Coke logo is a shiny lure to get you to go through the load-in on your inbox, open up and then click through," said John Roberts, VP-product, OpenDNS, a year-old domain-name-system service platform. "Anything which can take decades of brand promise and put it to use for criminal activity is going to be tried."

Telltale signs of phishing
A Coca-Cola spokeswoman said: "The Coke trademark is so widely known that people are trying to use e-mail scams with our trademark." The November spoof is the latest -- it followed four earlier scams the marketer has posted on its website. On the site, Coke explains that its name and trademark are used without permission and lists telltale signs of phishing, such as spelling errors and misused trademarks. "Overall, if it looks too good to be true, it probably is," the page says.

Since marketers are also victims in such scams, they tend not to be criminally liable, said Mari Frank, a lawyer and identity-theft expert who advises fraud victims. However, if a marketer is made aware of scams using its trademarks and doesn't act to protect consumers, it could be held responsible in court. "It's negligence," Ms. Frank said.

Companies that have protocols or "reasonable" practices in place to protect consumers set a precedent for others of like size or business. Industry experts recommend marketers avoid sending e-mails to customers requesting personal information, even as brands are doubling their interactive-marketing budgets and using e-mail promotions.

"If you're asking people to give their personal information via e-mail, you're just training people to do that for phishers," said Dave Jevans, a former marketer who is now chairman of the Anti-Phishing Working Group, an industry association that collects and provides information about phishing activity at

The group worked with the Federal Trade Commission to develop recommendations for companies on how to inform consumers about scams and how to avoid them. "Whether brands should be responsible is an open question," Mr. Jevans said.

Eroding consumer trust
Beyond possible legal repercussions, phishing scams can dent consumer trust in a marketer and damage brand reputation. "If [consumers] start getting e-mails and you don't do anything about it, they think your website has been hacked and that their personal information has been compromised," said Mr. Jevans, adding that consumers don't realize that phishers send information from websites around the world. "If it doesn't stop happening, you lose trust in your e-mails so your online marketing effectiveness plummets."

A free community site called, launched by OpenDNS in October, acts as a sort of neighborhood-watch group to curb internet fraud. Of the 17,260 suspected phishes submitted to the site in October, 9,347 were verified as scams. All of the top 10 brands falsely used in reported attacks were financial or account-driven brands. At the top of the list of targets were PayPal and eBay, with 1,493 and 1,210 validated scams, respectively. U.K.-based Oxford Information Systems names 482 companies used in internet and e-mail scams. Neither organization lists McDonald's or Coca-Cola as a target.

Few marketers beyond eBay and PayPal have developed strategies to prevent phishing, but that may have to change. "Perhaps consumer brand companies will need to follow in their footsteps in educating customers," Mr. Roberts said, adding: "It probably is going to be just a necessary part of connecting with their customers digitally."