OK, so we paid a bill late, but did BT have to do this?

Just between us, they told everybody...

Opinion

One of the pains of running a business is billing and cash collection, especially if your customers are big. It really doesn’t matter what you put on the quote or the invoice, they pretty much pay you when they feel like it, and 60 days is usually the quickest if you’re lucky. In effect, SMBs act in aggregate as an unwilling source of free cash for large enterprises, and there’s very little you can do about it.

But what about the other way around? When BT sends us an invoice, they want it paid within 14 days. And being principled about these things, the person that runs our accounts has dutifully sent a cheque on or about the due date for the past several years. For the latest BT invoice, though, what with holidays and other things going on, last month, they hadn’t paid the bill by the day it was due.

So what would you expect to happen? The usual routine when collecting money is to send some kind of reminder or call the accounts payable department and sweet-talk someone so your cheque gets cut in the not too distant future. You might therefore think that an obvious thing to do would be for BT to send an email to the registered contact person for the account.

What actually happened was on the day payment was due, in the words of my non-technical colleague “I have had this threatening message come up in my browser, and it won’t go away. I think I might have a virus”.

Here is what they saw:

Now you probably do as we do and drum into non-technical users that they should never click on links and buttons appearing in unsolicited messages or on anything that pops up unexpectedly, no matter how authentic things might look. And this seemed even more suspicious given the number of spam calls we get that start with the question “Can I speak with the person that looks after your BT account?”

Suspecting scam or spam, the user did the right thing and called BT to check what was going on. In the meantime, everyone else on the network had their internet connectivity blocked with the same persistent message appearing in their browser.

And remember, this was on the day the bill was due – it wasn’t even overdue yet!

As suspicious as it gets?

It was at this point that I entered, and took over the call to BT. The agent explained that this was BT’s way of reminding us to pay, and that the user should have known this was authentic because it had our customer reference in the top right hand corner. I have blanked out that reference on the above image because it is actually the login ID entered into the router to authenticate the DSL connection. The format is c999999@hg99.btclick.com, which is not going to be meaningful to a non-technical person. And as our user pointed out, a link labelled “Is this page authentic?” is probably as suspicious as it gets.

The BT agent told me to just click on the ‘Yes’ button and acknowledge the next message that pops up which highlights that payment has not been received, and that would remove the suspension. After that, everything was back to normal and the team here was back online.

Use of alerts that mimic malware behaviour is not helpful

As a result of this episode, I donned my industry analyst cap and contacted BT. As part of an extended conversation over the following couple of weeks with one of the senior managers responsible for ‘customer experience’, we discussed the following concerns:

Use of alerts that mimic malware behaviour is not helpful. Even if we accept this as a legitimate reminder mechanism, telling users that they can make an exception in the case of such messages from BT runs the risk of confusing them and encouraging assumptions to be made in other situations.

The indiscriminate nature of the reminders could easily cause embarrassment. The message pops up on the screen of every user that has a browser open on the local network. The business owner may not be comfortable having accounts-payable matters pushed into the face of every employee. And what if someone is sitting shoulder to shoulder with a customer when the threatening message appears?

The tactic appears to be quite heavy-handed, especially as the alert appears on the day payment is due. Such tactics for persistent, extreme late payers might arguably be more justifiable, but it seems excessive as a routine part of the cash collection process.

During my discussions with BT, I agreed not to publish any of the specific responses that were provided to me. What I can say is that time was taken within the BT team to understand my concerns and there appeared to be a will to do the ‘right thing’. I can’t say any more, other than that there is still a question-mark over what the ‘right thing’ translates to in terms of changes in policy or behaviour, if any. However, I agreed to provide the BT guys a link to this article so they can respond in their own words.

In the meantime, given that BT is in a unique position to use this kind of alerting mechanism, I would be interested in the views of Reg readers on things the BT customer experience team should think about as it further considers what’s appropriate in this area. ®

Bootnote

BT have been in touch with us, and given the following statement:

“As Dale Vile says at the end of his article we appreciated the feedback and were keen to understand the concerns, and we are changing a number of things as a result.

“The on screen reminder is only one of several reminder mechanisms we use with our non-direct debit customers including letters, emails and calls. It’s certainly not our intention to cause embarrassment or raise any security concerns and therefore we are changing the actual message and are making the procedures to validate it much simpler and effective.

“We would also like to make it clear that BT is committed to ensuring that all our dealings with suppliers – from selection and consultation, to recognition and payment – are conducted in accordance with the principles of fair and ethical trading – this is stated in our policy statement ‘The Way We Work’. We are also a signatory to the UK Government’s ‘Prompt Payment Code’.”
