Aug 12 2017
 

The Hongkong and Shanghai Spamming Corporation.

Based on my various inboxes, it would appear that HSBC have recently become spammers – or it may be that they’ve been spammers for a while, and I’ve only just noticed it.

Before delving into the spam emails I’ve received from HSBC, I should explain why it’s possible they’ve been doing it for a while, and why I may not have noticed before. This is down to the way I have my mailboxes configured – and some recent changes I have made to them.

It has long been my policy that, in most cases, whenever I hand out an email address, that email address is unique to its recipient. I have an email address specifically and only used by Amazon, for example, one specifically and only used for my Twitter account, another specifically and only used for Netflix – and so on.

There are exceptions to this. One reason for such might be where there is some connection (or cross contamination might be a better term) between recipients; where a contact at one organisation might need to be able to identify me to another. Another class of exception is due to the fact that it has long been my policy to give unique addresses – but it hasn’t always been my policy; there was a time before it, when I was younger and more naive in my use of the internet. (And believe me, that was a very long time ago!)

In many cases, where that second exception has occurred, I have since changed the address used by the company, organisation, or website to whom I provided such an address, but not in all cases; I’ve been online a very long time – since around the end of 1995, in fact – and in all that time I may have lost track or forgotten some.

On top of all of that, I haven’t used my primary domain for these unique email addresses in many years. I did originally, but some time ago I migrated them to another domain – and since then I’ve migrated them to another domain again, and then to separate subdomains of that domain, based on the nature of whoever I’ve provided the address, to aid filtering.

And much more recently, I separated those subdomains out into their own mailboxes – so now, for example, anything financial (such as from banks and credit cards) should come to my ‘finance’ subdomain, and thence to my ‘Accounts’ mailbox, while anything to do with travel and holiday bookings should come to my ‘travel’ subdomain, and thence to my ‘Travel’ mailbox. There are several such subdomains and mailboxes, covering a number of specific ‘categories’ of email, as well as one ‘miscellaneous’ one, for anything that doesn’t fit in any of the others.

Despite the fact that I had some very effective filtering in place before, I still tended to ignore the contents of some of the folders the email was being filtered into and only concentrated on those folders I felt were more relevant, important, or interesting – but by using separate mailboxes, I can see the number of emails come in at the top level, so to speak, and I’m now noticing more when stuff appears in a mailbox when I’m not actually expecting something.

Which is why, on the 1st August, I noticed an email in my Accounts mailbox from HSBC entitled “Mr Hudd, you have until 31st August to apply for 0% credit card balance transfers for 18 months (2/9% fee applies, min £5)”.

HSBC spam email, offering 0% balance transfers. (As an aside, it’s only now that I’ve uploaded this image I’ve noticed their mistake in the subject line. 2/9% fee – really? Should that perhaps be 2.9%?)

As soon as I spotted that email, I paid a visit to HSBC’s website and logged in – not to take them up on the offer, but to confirm what I suspected; that I was opted out of receiving any such emails.

I was, as this next image shows:

My HSBC marketing preferences, with nothing ticked. Because I don’t want any marketing.

I uploaded these images (as one, with both side by side) to Twitter, asking the people who run HSBC’s Twitter feed why I shouldn’t report them to the Information Commissioner’s Office. I didn’t get a satisfactory response, so an official complaint has been made – but of the responses I did get, one in particular stood out:

  • HSBC UK Help, 1st August 2017 – Apologies for any inconvenience caused Vince. The image coming through isn’t showing any preferences checked. ^BR

Whoever BR is, they didn’t understand the concept that no preferences checked/ticked means none of the marketing options are wanted – which was the whole point of posting the image: To show that none of the options are ticked, because no marketing is wanted. D’oh!

Anyway, as I said, the result of all this is that HSBC have now been reported to the Information Commissioner’s Office for spamming, having sent commercial emails to a customer who has specifically opted out of receiving such emails. This puts them in direct contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Ten days later, I received this:

HSBC’s ‘3 security tips’ email

On the face of it, this email looks as though it’s designed to make people think it isn’t marketing. After all, it says it’s offering three tips customers can employ to keep themselves safe and secure. The opening paragraph even states as much:

When it comes to banking, we all know how important security is. To help you stay protected here are three simple tips to bank even more securely.

In the past, I’ve reported Sage to the Information Commissioner’s Office for sending marketing emails against my wishes, one of which was offering a discount on something, and two of which were asking for participation in a survey. Despite my opinion that the latter two should also be treated as a contravention of the Regulations, the ICO disagreed and only contacted Sage about the other email.

With that in mind, and based on the opening paragraph of this HSBC email, it seems possible that the ICO would decide it isn’t a marketing communication – but before I make this official, let’s look in more detail, by looking further down at the email’s content:

The main content of HSBC’s ‘3 security tips’ email

Tip 1 talks about making sure customers dispose of old statements securely. They mean properly shredding (or even burning) them, so that no useful information is left for people to read if they happen to find them – but, importantly, the tip doesn’t actually suggest doing any of that. Instead, it suggests switching to online statements.

If you follow the link (from which I’ve removed the tracking info), you’ll get to a page that lists the main benefits of switching to online statements. These apparently include that doing so is “Secure and reduces the risk of fraud” – but that’s debatable, especially given that those receiving online statements will receive an “Email notification as soon as they’re available” which will undoubtedly contain a link so that it’s convenient for customers to visit HSBC’s website to log in. That, however, is an entirely different issue, so I shouldn’t get sidetracked by it!

The point is, this ‘tip’ is marketing in disguise – it may not be promoting something that customers can purchase from HSBC, but the bank benefits from customers receiving online statements because it reduces their paper and postage costs.

Tip 2 tells customers to always shield their PIN and not to share it with anyone – which is straightforward and sensible enough. However, it then suggests the PIN can be used less by using contactless payments, or a number of payment apps.

This tip, really, is just marketing for contactless payments and those apps.

And, finally, tip 3 advises customers to ensure their passwords are secure; it shouldn’t be written down and, like the PIN, shouldn’t be shared with anyone. And like the PIN tip, this is – of course – sensible enough.

Except that the tip then goes on to talk about TouchID and the HSBC Mobile Banking app. Once again, it’s an attempt at disguised marketing, to encourage take-up and use of the app and TouchID.

And, as with the first so-called Tip, the page linked to in the email for TouchID (again, tracking info removed) contains disputable information. It says:

Your fingerprint is an excellent security device.

No, it isn’t. At best it’s a reasonable – not excellent, and not foolproof – identification device. But, again, this is a separate issue, and I shouldn’t get sidetracked!

So all three so-called tips are really just marketing. Not something HSBC is expecting customers to (directly) pay for, but it’s still promoting something – and that’s what marketing is. This email is, in my opinion, very much another example of HSBC breaking the rules.

What I didn’t notice until just after spotting that email was that the previous day I had also received this one:

HSBC Business Banking email about switching to online statements

Why didn’t I notice it until after the one I received the following day?

Because of the email address it was sent to. I’ve been a customer of HSBC for a long time (even longer than I’ve been using the internet!) – and when I first provided them with an email address, it was before I realised the benefits of providing unique addresses, as described above. This email, therefore, came to my primary email address – it didn’t end up in my ‘Accounts’ mailbox, and was placed down amongst a lot of email that I didn’t get around to dealing with as soon as it came in.

However, HSBC is very definitely one of those third parties where I have updated my address to match my various policies over the years – and by visiting the online banking and logging in, I was able to see that I was bang up to date with that. The email address set up for my business account is the same as for my personal account – so any correspondence should go to that address, and end up in my ‘Accounts’ mailbox.

So the first problem with this email is that it makes it look like HSBC Business could be using an out of date database, populated with out of date email addresses. That’s a very good start – and is perhaps something that the ICO needs to address irrespective of whether they consider it marketing.

Another point is that I am a sole trader – and HSBC knows this. Being a sole trader, even as a business I am still protected by the Privacy and Electronic Communications Regulations, which define an ‘individual’ as:

a living individual and includes an unincorporated body of such individuals;

This means that, even as a business customer, I should have the means to opt out of marketing communications – so there should be a section behind my business account log-in through which I can opt out, or there should be some kind of ‘unsubscribe’ link in any marketing emails.

Upon checking, I can’t find anything to do with communications preferences behind my log-in.

And there is no sign of any means of unsubscribing from the email itself.

I should point out at this stage that this email is purely about making the switch from paper to digital statements – and nothing else – but I’ve explained above in respect of the first tip in the three tips email why I still consider it marketing. I recognise, however, that the Information Commissioner’s Office may hold a different view – but I won’t actually know until I formally make a complaint and see what the outcome is.

And, unfortunately, even when I have complained, it may still be that I won’t know what the outcome is – although I have received follow-ups from them in the past, I noticed that my acknowledgement from the ICO following the initial HSBC complaint states:

If you have reported receiving spam email – we will use the information you have provided to identify, investigate and take action against organisations that are not following the rules around direct marketing. We don’t respond to such concerns individually, so please note that we’re unlikely to contact you about this matter again, unless we need any further information to help with our investigations.

Well, that’s a bit of a bummer, then, isn’t it?

Still, as soon as I hit publish on this post, the two additional emails will be winging their way to the Information Commissioner’s Office. I won’t make them separate complaints, and instead refer to my initial complaint and ask that they be added to it – and include a link to this post so they can see my fuller views.

Before doing that, though, one last point – not about spamming, but about a crafty move on HSBC’s part.

Scrolling down the email leads to this:

Click here to switch to online statements

In all fairness, the button does say to “Click here to switch” – and there’s an asterisk suggesting there’s a footnote that will be relevant – but I wonder how many people may have not scrolled down all the way, saw the button, and clicked it expecting to see more information about it before they had to confirm?

Scrolling down to the footnote makes it perfectly clear that clicking the button itself is how the switch is made:

Clicking the button is an instant switch

But, much more annoying than that, it’s not just clicking the button that does it. The clickable area includes the white space to the right of the button, covering the full width of the body text.

I clicked in that white space to put the input focus in the email window, in order to scroll down, and a browser tab immediately launched showing this:

HSBC Business – you’ve made the switch, BWAHAHAHAHA!

By clicking in that white space, not just on the button, I’ve unwittingly switched to online statements. Yes, I can log in and revert (and I will) but that’s not the point. That’s a very deceptive move on HSBC’s part, in my book, even with the warning that clicking makes the switch.

VinceH