Strange e-mail from Qantas FF - and in my profile

Status
Not open for further replies.

RooFlyer

Got an e-mail today from qantas_frequent_flyer_mail @ qantas.com.au saying

The QantasClub & Frequent Flyer Service Centre

Dear Mr RooFlyer

To help keep you informed about important Frequent Flyer program news, changesto your membership status or the program terms and conditions, it’s importantwe have your current contact details. Recent correspondence sent to the mailingaddress in your Frequent Flyer profile was returned to us, so it may be thatthe contact information on your Profile is not up-to-date.

To update your contact details online, visit [direct link to my account]
and goto Your Profile, or call the Frequent Flyer Service Centre on 13 12 11 withinAustralia, 0800 101 500 within New Zealand or +(61 2) 9433 2329 worldwide.

Update your address now at [direct link to my account]


Kind regards

The Frequent Flyer & Qantas Club Service Centre
qantas.com/frequentflyer

First thing - does that sound like a spam/phishing e-mail, or what?

I didn't click on the links but went manually into my profile and - I'm amazed - there is a message there that there is a problem with my mail address. But there's not a problem. The address is correct, and the same as it's been for years. All my points are still there, so I'm having trouble seeing a massive hack attack.

I guess my local PO may have inadvertently returned some QFF mail; who knows?

But what an e-mail for QFF to send out. If they want me to read a message, my bank sends me an e-mail telling me to go manually into my account and check for a message.

I've said it before and I'll say it again - Qantas' IT, or their IT oversight is pathetic. Little wonder they appear to think that 4 digit passwords are still OK on FF accounts, if e-mails like this are also given the nod.
 
How do you know that the link in this email was a direct link to your account if you didn't click it? Normally any links in QFF emails are links to a specific page within the Frequent Flyer area but the website will throw up a login page first.

I personally don't have a problem with emails like this, if I was to potentially miss out on important communications by mail (like a new membership card for instance) I would like to be informed.
 
I knew some-one would ask that :) . When I went into my account manually and saw that there was a message there, I did go back and click the link after inspecting it ( :shock: ). It took me straight into my account - bypassing log-in. Something else I'm not impressed with.

I'm still not certain that I haven't been suckered, somewhere. On a second log-in, I changed my password number ...

Sure I want to get messages from QFF too, but not ones that look like phishing messages nor ones that contain direct links into my account.

Like I said - they could do what banks do - just tell you to check your account for a message.
 
All sounds a bit odd to me.
Agree that they should not be providing links within the email.
I also am amazed that one lot of returned mail would have been followed up in this manner. The cynic in me tends to picture the work experience kid tossing returned mail into the recycling bin and moving onto the next task :)
 
Likely received by a neighbour, marked return to sender and posted back... Happens often!

Agree re the email, that is unprofessional when dealing with sensitive accounts like a Frequent Flyer account. Qantas needs a serious security review done of their FF system as there are numerous bad practices happening.
 
, I did go back and click the link after inspecting it ( :shock: ). It took me straight into my account - bypassing log-in. Something else I'm not impressed with.

That could have been due to the cookie that was set on first log in not having timed out so the browser thought you were still logged in. I suspect if you had not logged in first and clicked the link, you would have been faced with the log in page.
 
Likely received by a neighbour, marked return to sender and posted back... Happens often!

That would really annoy me. We regularly get mail for the neighbour, it's a 5.78m walk to their letter box. No way I'm going to waste my time writing on the envelope and then taking it to a letterbox. I've even delivered letters to people 3 houses away or an address a couple of streets away.

But if it's addressed to my house for the wrong name = RTS
 
The email really had all of those words merged? Or it's just the copy and paste? Merged words and poor spelling or grammar always scream phishing to me.
 
That could have been due to the cookie that was set on first log in not having timed out so the browser thought you were still logged in. I suspect if you had not logged in first and clicked the link, you would have been faced with the log in page.
This is exactly what I was thinking.

Rooflyer, please make sure you are logged out of your Qantas.com account before clicking the link and see what happens.

Or, better yet, if you know someone else's QF credentials, log on to theirs and click the link.
 
Delete. Delete. Delete. ;)

That was rather my point. I could well have deleted it, as it was a dead ringer phishing e-mail. But it wasn't - Qantas just decided to send me a suspicious looking e-mail.

And yes, after reopening my laptop the next day and clicking on the link it led me to a log in page, not directly into my account. My mistake. But it was still a silly e-mail to send and the subject of the email was still invalid. I am served by a small country Post Office, where they both know me well. Even misaddressed mail items will find me, but I guess a letter may have been put in some-one else's PO box (we only have PO box delivery, no home delivery) and they may have RTS. But they would have had to walk 5m further to post it as opposed to giving it back to the PO :)
 
That could have been due to the cookie that was set on first log in not having timed out so the browser thought you were still logged in. I suspect if you had not logged in first and clicked the link, you would have been faced with the log in page.
Doesn't matter - security 101 is that you never provide links - you ask the person to independently go to their login and enter details. Plenty of phishing emails out there that will take you to a page that looks like a legit page and then capture your login and password. You just shouldn't do it.
 
Doesn't matter - security 101 is that you never provide links - you ask the person to independently go to their login and enter details. Plenty of phishing emails out there that will take you to a page that looks like a legit page and then capture your login and password. You just shouldn't do it.


A good point, well made.
 
The prepare for your flight emails have links directly to your booking. It would appear that you are not automatically logged in to Qantas account but you can make changes to the booking.

It does raise a few issues.
 
I didn't think spam emails specified your name ie "Dear Mr Roo Flyer" and instead used a more generic greeting/salutation.

I would not click on or use any link provided in an email to reset my password no matter how legitimate it looked.
 
I've certainly had spam emails where they somehow know my name (the LinkedIn breach maybe).
 
Update.

I went to my account to check the details and as I mentioned, they were perfectly correct. There was no way I could get the error message in there removed without changing some details, none of which were wrong!

I reported the issue about e-mail security, PIN lack of security etc to Qantas Customer service e-mail. Surprisingly, I got a considered (ie not auto) reply. They pointed out that I was logged in when I clicked the link and went straight to my account (as established here). Rest of the reply was fairly bland; said to call a particular Qantas number when I got back to Australia to get the error message in my profile fixed.
I called the specified number today, and of course they said they couldn't do anything, but would "pass the message along". :rolleyes:
 