Energy giant ExxonMobil recently sent snail mail letters to its Plenti rewards card members stating that the points program was being replaced with a new one called Exxon Mobil Rewards+. Unfortunately, the letter includes a confusing toll free number and directs customers to a parked page that tries to foist Web browser extensions on visitors.
The mailer (the first page of which is screenshotted below) urges customers to visit exxonmobilrewardsplus[dot]com, to download its mobile app, and to call “1-888-REWARD+” with any questions. It may not be immediately obvious, but that “+” sign is actually the same thing as a zero on the telephone keypad (although I’m ashamed to say I had to look that up online to be sure). 
Anyone curious enough to guess at other ending numbers other than zero will wind up at a call center advertising “free” Caribbean (1) cruises or at a pricey adult chat service dubbed “America’s hottest talk line” (6).
Worse, visiting the company’s new rewards Web site in Google Chrome prompted my browser to run a “security check,” followed by a series of popups offering to install a Chrome extension called “Browsing Safely.”
That extension changes your default search engine to Yahoo and appears to redirect all searches through a domain called lastlog[dot]in, which seems to be affiliated with an Israeli online advertising network. After adding the Browsing Safely extension to Chrome using a virtual machine, my browser was redirected to Exxon.com.
The Google Chrome extension offered when I first visited exxonmobilrewardsplus-dot-com.
Many people on Twitter who expressed confusion about the mailer said they accidentally added an “e” to the end of “exxonmobil” and ended up getting bounced around to spammy-looking sites with ad redirects and dodgy download offers.
ExxonMobil corporate has not yet responded to requests for comment. But after about 10 minutes on hold listening to the same Muzak-like song, I was able to reach a customer service person at the confusing ExxonMobil Rewards+ phone number. That person said the Web site for the rewards program wasn’t going to be active until July 11.
“Currently the Web site is not available,” the representative said. “Please don’t try to download anything from it right now. It should be active and available next week.”
It always amazes me when major companies with oodles of cash (ExxonMobil made $20 billion last year) roll out new marketing initiatives without consulting professionals who help mitigate security and privacy issues for a living. It seems likely that happened in this case because anyone who knows a thing or two about security would strongly advise against instructing customers to visit a parked domain or one that isn’t yet fully under the company’s control.
Update, July 11, 11:36 a.m. ET: As several readers have observed in the comments below, it appears that ExxonMobil has registered a different domain for its new rewards program: https://exxonandmobilrewardsplus.com/welcome/home (note the inclusion of the word “and” between Exxon and Mobil). This domain is advertised as the official new rewards program domain via ExxonMobil’s corporate homepage, exxon.com (albeit via a redirect).
Classic browser hijacker app/extension !
My experience with these types of situations is there’s a big boss who has set some arbitrary deadline and can’t be told no and doesn’t understand the technical aspects and everyone just bites their nails and waits for the inevitable fallout.
And tries to avoid getting fired over that fallout.
Marge, you’re absolutely correct!! This happens more often than people realize.
Happens with government agencies, too. Idiots…
Hmm, my experience: nobody in marketing ever considered that they needed to consult “security” to market something. Security is usually the group making it harder for customers to signup without restrictions.
E.161 is the ITU standard that defines DTMF and touchtone keypads. Although the letters A-D appear as part of the standard as separate keys with their own tones, no letters or symbols are part of the standard. Traditionally, the ABC-2 DEF-3 etc mapping has been used, but + is a delimiter that really didn’t appear until cellphones – since the entire number string is sent at once, typing +4412344567 is what lets the phone know you mean to place an international call to the UK and not a US call to (441)-234-5678. Its placement on keypads varies, sometimes on 0, sometimes on *, probably sometimes someplace else, but it is not a “dialable” symbol and thus its use in an “alphabetic number” is a major mistake on the part of the marketing firm that came up with this. Many people will dial the wrong number, some will actually end up trying to dial the actual + sign, and the rest won’t know what to do.
Perfectly said.
Most of the big energy companies have mature IT and security governance programs. I would not like to be on the receiving end of the post mortem that Exxon will be executing on this terrible breach of those governance protocols.
Seems like this would fall afoul of European privacy regulations? Anyone planning action on that front?
I went to the registration site and got a virus.. what a mess
Big business privacy policy, “We Take Your Privacy and Security. Seriously” ™ Again.
AMEX is terminating the parent “Plenti” rewards program on July 10, which is probably what led to this rushed approach to pushing out a replacement.
Yeah, maybe. But this rewards plus has been active for months. It offered to link my plenti card with it to accumulate the plenti points. So I get having to scramble if the Amex program was killed off suddenly. But The rewards plus should have already had a web presence. Or a giant oil company should have been able to throw together something better and faster than this. There really isn’t any excuse.
Sorry – my statement was meant only as an explanation, not an excuse.
ExxonMobil’s Speedpass program has been active for months — not this new program. But agreed — they should have never promoted their new site / domain until it was actually up and ready for operation.
Reminds me of a few things that happened in another corporation. We called it “Ready, Fire, Aim”. Glad I’ve worked with enough techies to be extra careful. Thanks for explaining all this.
I think you mean Fire… Aim… Ready!
Procrastination, prioritization, and expert reporting saved the day at my household. My wife received the mailing this morning, opened it, gave it a quick look and set it aside for later review, other things were more important. Then Mr. Krebs’ bot sent an email about this article.
Thank-you for being so prompt with your reporting.
Anyone else notice that the registration website that goes live July 11 is to resister a card for discount program which ends July 10?
I called Plenti and they said the points will expire on July 9th! And yes, Mark, I noticed this program isn’t active until July 11th. So, doesn’t that mean we lose our points?
It is ridiculous to make such a mistake. It is not difficult to find out that: THEY dont own ExxonMobilrewardsplus.com(check the registrar of ExxonMobilrewardsplus.com and compare it with exxonmobil.com’s) .
There are only two opions at this moment:
1.They will need to pay a lot to buy this domain name in such a short time.
2. They will use another domain name, which belongs to them. And spend a lot to send the mail again.
Pretty sure, some one will be fired.
Well, Exxon outsources much of their marketing rewards programs. So the domain could easily be owned by someone else and still be officially representative of Exxon services. Which highlights the pitfalls associated with third parties.
It will be much more terrible if their third party partner treat their trademark like this.
This company has documented work processes for everything, and compliance is audited. Someone skipped a step or two. Serious consequences await.
They just bought the domain name exxonmobilrewardsplus.com.
Now the problem solved
“1-888-REWARD+” must mean plus frustration or plus malware.
Thanks for the article. I spent 20 months mutes no I must be an idiot
Thanks! I tried going to the site on an iPad to register and it did not look legit. Did a Google search on the address and found your article. I’ll wait a week.
Absolutely right on! Everything you’ve written is true.
Why the hell did’nt Ex Mob delay mailing till they knew what they were doing? Plenti had it down “pat”.
Such a basic fail for the marketers and IT folks. The BASIC rules for testing any major promotional program before launch are:
1) CALL the phone number from outside the office
2) ACCESS the web site URL from outside the office
If you don’t get your call center for #1 and your own website for #2, STOP what you are doing. Do not print the inserts or send the emails. Check and double-check. It’s not hard.
I’ve had more than one occasion to emergency register a new company domain when “someone” missed the typo in the marketing material or SEC PROXY filing. The proxy statement was especially fun because we had to get the person holding the typo’ed domain to let it go without sound too desperate or threatening a lawsuit and slowing down the effort….
Basic Indian H1B programmer error, typical from my experiences. These multinational companies want to save a few $ and this is what they get while giving US IT workers the boot.
Yep!
Agreed, but I wouldn’t point only at Indian programmers. Cheaper, less skilled employees come from a variety of countries where learning to read, appreciating consequences, and using toilets are still uncommon.
P.S. I suppose I should have written that more nicely. Mea Culpa, Me Paenitet.
Unable to register my Exxon mobil rewards plus card. What are you suggestions to activate this card. PLEASE advise.
Can not register my Exxon Mobil rewards plus card. Who do I call?
ummm… Who do you call? GhostBusters!!
call me in the morning honey …………
register a rewards card
Geez, I have emailed an IT friend to help me with this one and make sure my computer is not infected. Thank you for the article.
So glad I found this. I just received the mailer and also had the same website issues. I thought I was mistyping the URL. I work in marketing and this kind of blunder is mind boggling
Why in the world would they promote a website that has a virus? This is a disgrace and very telling of how Exxon Mobil operates. I will definitely be avoiding their gas stations at all costs.
yayayaya
I hate Exxon. I’ve always hated Exxon. I’ve hated Exxon since Richard Nixxon was in the White House.
Thanks for the info about the website not being up. I tried to get there too, and a bunch of “security” messages came up. Luckily, I did not get too far (to get any viruses, etc.), so I will try next week when the website hopefully will be ready to launch. I’ve enjoyed getting 10 cents off each gallon of fuel, so maybe Exxon will extend the promotion until their “rewards” program is fully functional.
Who cooked up this fiasco? Rex Tillerson?? Geez.
OK
It all looked legit. But it’s all about the points that will be lost.
Money
Maybe you’ll learn a painful, but useful lesson: points are not cash.
Points are a virtual currency. You can earn them and use them, but you don’t own them. They can be taken away. They can lose value instantly. There is never a guarantee of transferability with points.
You’re better off a program offering immediate discounts, rather than false promises of future rewards.
It didn’t surprise me much. ExxonMobil’s SpeedPass web site has been really amateurish since it went live and has never worked properly. Nearly every time I needed to update/switch my linked credit card it failed, and I had to call their customer service number numerous times over several days before I could get it completed correctly. For the budget they (theoretically) have, it’s laughable how unprofessional their online public image is — if they were smart enough, they’d be embarrassed. But, it appears they’re neither.