OK, so we paid a bill late, but did BT have to do this?

Just between us, they told everybody...

Opinion One of the pains of running a business is billing and cash collection, especially if your customers are big. It really doesn’t matter what you put on the quote or the invoice, they pretty much pay you when they feel like it, and 60 days is usually the quickest if you’re lucky. In effect, SMBs act in aggregate as an unwilling source of free cash for large enterprises, and there’s very little you can do about it.

But what about the other way around? When BT sends us an invoice, they want it paid within 14 days. And being principled about these things, the person that runs our accounts has dutifully sent a cheque on or about the due date for the past several years. For the latest BT invoice, though, what with holidays and other things going on last month, they hadn’t paid the bill by the day it was due.

So what would you expect to happen? The usual routine when collecting money is to send some kind of reminder or call the accounts payable department and sweet-talk someone so your cheque gets cut in the not too distant future. You might therefore think that an obvious thing to do would be for BT to send an email to the registered contact person for the account.

What actually happened on the day payment was due was, in the words of my non-technical colleague: “I have had this threatening message come up in my browser, and it won’t go away. I think I might have a virus”.

Here is what they saw:

[Screenshot: the BT payment reminder message displayed in the browser]

Now you probably do as we do and drum into non-technical users that they should never click on links and buttons appearing in unsolicited messages or on anything that pops up unexpectedly, no matter how authentic things might look. And this seemed even more suspicious given the number of spam calls we get that start with the question “Can I speak with the person that looks after your BT account?”

Suspecting scam or spam, the user did the right thing and called BT to check what was going on. In the meantime, everyone else on the network had their internet connectivity blocked with the same persistent message appearing in their browser.

And remember, this was on the day the bill was due – it wasn’t even overdue yet!

As suspicious as it gets?

It was at this point that I entered, and took over the call to BT. The agent explained that this was BT’s way of reminding us to pay, and that the user should have known this was authentic because it had our customer reference in the top right hand corner. I have blanked out that reference on the above image because it is actually the login ID entered into the router to authenticate the DSL connection. The format is c999999@hg99.btclick.com, which is not going to be meaningful to a non-technical person. And as our user pointed out, a link labelled “Is this page authentic?” is probably as suspicious as it gets.

The BT agent told me to just click on the ‘Yes’ button and acknowledge the next message that pops up which highlights that payment has not been received, and that would remove the suspension. After that, everything was back to normal and the team here was back online.

As a result of this episode, I donned my industry analyst cap and contacted BT. As part of an extended conversation over the following couple of weeks with one of the senior managers responsible for ‘customer experience’, we discussed the following concerns:

Use of alerts that mimic malware behaviour is not helpful. Even if we accept this as a legitimate reminder mechanism, telling users that they can make an exception in the case of such messages from BT runs the risk of confusing them and encouraging assumptions to be made in other situations.

The indiscriminate nature of the reminders could easily cause embarrassment. The message pops up on the screen of every user that has a browser open on the local network. The business owner may not be comfortable having accounts-payable matters pushed into the face of every employee. And what if someone is sitting shoulder to shoulder with a customer when the threatening message appears?

The tactic appears to be quite heavy-handed, especially as the alert appears on the day payment is due. Such tactics for persistent, extreme late payers might arguably be more justifiable, but it seems excessive as a routine part of the cash collection process.

During my discussions with BT, I agreed not to publish any of the specific responses that were provided to me. What I can say is that time was taken within the BT team to understand my concerns and there appeared to be a will to do the ‘right thing’. I can’t say any more, other than that there is still a question-mark over what the ‘right thing’ translates to in terms of changes in policy or behaviour, if any. However, I agreed to provide the BT guys a link to this article so they can respond in their own words.

In the meantime, given that BT is in a unique position to use this kind of alerting mechanism, I would be interested in the views of Reg readers on things the BT customer experience team should think about as it further considers what’s appropriate in this area. ®

Bootnote

BT have been in touch with us, and given the following statement:

“As Dale Vile says at the end of his article we appreciated the feedback and were keen to understand the concerns, and we are changing a number of things as a result.

“The on screen reminder is only one of several reminder mechanisms we use with our non-direct debit customers including letters, emails and calls. It’s certainly not our intention to cause embarrassment or raise any security concerns and therefore we are changing the actual message and are making the procedures to validate it much simpler and effective.

“We would also like to make it clear that BT is committed to ensuring that all our dealings with suppliers – from selection and consultation, to recognition and payment – are conducted in accordance with the principles of fair and ethical trading – this is stated in our policy statement ‘The Way We Work’. We are also a signatory to the UK Government’s ‘Prompt Payment Code’.”
