Thames Water found itself in warm, er, water this week after a clunky migration effort left customers receiving emails that looked like a particularly sophisticated spear-phishing attack.
A Register reader got in touch after receiving an email purporting to be from the company and requesting that he re-register his online account. His original account number was shown, along with a big, colourful button inviting a click.
A classic spear-phishing tactic, compounded by the fact that that button did not go to
thameswater.co.uk, from where the email came, but rather
online-thameswater.co.uk, the homepage of which could well worry technical and non-technical users alike.
The email was genuine. The problem, according to a spokesperson for Thames Water, was that not all data had survived the migration from the company's 40-year-old billing system to something new and shiny.
The system, they said, was "being rolled out across our whole customer base. We need them to re-register their online account to ensure they can make the most of the new system and any future enhancements to it safely and securely."
Hence the very iffy-looking email: "We're sorry for any concern this has caused and always encourage our customers to contact us if they're ever unsure about any letters, emails, calls or visits they receive from us or anyone claiming to be from Thames Water."
The company has indeed, according to one Reg tipster, seen an uptick in calls from customers on the receiving end of what looks distressingly like a spear-phishing attack.
Speaking to The Register, ESET security specialist Jake Moore warned that cybercriminals had a knack for obtaining information like account numbers and told us "within the email there should never be a link to their website".
"When people want to double-check, the best way is to log in via a usual method rather than [via] a link in an email."
He went on to say that "there should be advice for their customers to head to the website via their own means such as a via Google search or even better, the genuine link that has been bookmarked by the customer."
"Many companies," he concluded, "want ease and convenience over anything else for their customers, but as more people become security-focused and risk-averse, such emails need to go above and beyond to show they are the genuine article or they will simply not get anywhere."
Of course, had the migration from the old billing system not required customers to re-register themselves, the missive would not have been needed.
"To think," observed an anonymous Register reader on the receiving end of Thames Water's emission, "it could all have been avoided with a bit of Perl." ®
Sponsored: Webcast: Ransomware has gone nuclear