I received this email at 1:15 this morning:
When I saw it this morning, I was confused. I have never before received an email from “loyaltygateway.com”, and I was asleep at 1:15am, not placing an “order” to be confirmed by this email as its subject implies.
It sure looks like spam, right?
Well, it turns out it’s not, and there’s one little hint of legitimacy at the bottom of the email: “…please contact us at 1-800-980-USAA…”
I do indeed have a USAA cash-back credit card. However, I’ve had that card and been receiving cash back for eight months, and I’ve never before received an email like this one.
Let’s count the problems:
- The fact that it’s from USAA isn’t mentioned anywhere in the header of the email.
- The email was sent from some random third-party domain I’ve never heard of before, not from usaa.com.
- The fact that it’s about cash back for a USAA credit card is never explicitly mentioned.
- Heck, the fact that it’s about cash back for any credit card is never explicitly mentioned.
- I have my account set up to automatically redeem cash back whenever its balance reaches $100, but there’s no indication in the email that this is what triggered this redemption. Instead, it says it’s for an “order” which I did not place.
This shockingly poorly designed email notification is just stupid and annoying in this particular case. However, generally speaking, emails like this aren’t just stupid and annoying, they’re dangerous, because they condition people to ignore the telltale signs of phishing and scam emails, making it more likely that they’ll think they’re real and fall prey to them.
Please do better, USAA.
I agree! So, did you send a copy of your BLOG post to USAA? I’m kinda ticked myself, thinking about sending them the link.
Yes, I did. They claim to have passed on my feedback to the appropriate people within the company, and for all I know they’re telling the truth.
I like a lot of things about USAA, but I can’t say they’re on the cutting edge when it comes to their internet technology. Their web site is a godawful mess with a terrible user experience and inadequate functionality, and they get many demerits out of the gate for having a crappy “PIN”-based two-factor authentication system instead of one that supports security keys and TOTP. Although I have to admit that in my experience that’s unfortunately true of most banks.
On the plus side, when you call them on the phone, you get to speak to someone in the United States who is actually empowered to solve your problem, not someone in an offshore call center who doesn’t have any authority and is barely understandable (to me, at least: I personally have a very hard time understanding people with strong accents, especially when I’m speaking to them over the phone rather than face-to-face).