Fitbit Sends Out Recall Notification That Resembles A Phishing Notice

When the Fitbit Force was recalled back in March, it looked like it should have been the easiest recall in history. Once a customer removes the Bluetooth-enabled fitness-tracking wristband from its packaging and syncs it to a computer or smartphone, the company already has that customer’s contact information and can simply send an e-mail. Six weeks later, that’s what the company did… but many customers never saw the notice, as we learned yesterday. Why?

Depending on which webmail service or desktop client a customer uses, it’s entirely possible they overlooked the message. Over on the Fitbit forums, some users reported that they did receive it, but that their mail software had flagged it as probable spam. The domain in the message’s sender address, Expertproductinquiry.com, belongs to Stericycle, a well-respected company that handles product recalls. (They’re the company handling the Gree dehumidifier recall.) Visiting that domain in a browser, however, turns up only the generic default page of a Microsoft web server, nothing that identifies Stericycle or Fitbit. The message is signed “Fitbit” and doesn’t mention Stericycle anywhere, so a recipient who does what security advice tells them to do, and checks whether the sender’s domain matches the company the message claims to be from, finds an unfamiliar name and an empty website.

Many mail filters flagged the message as suspicious because it carried an attached Microsoft Word document: that’s a time-honored way to deliver malicious macros and other badness through e-mail. Put the pieces together and the notice matches the pattern that spam filters and security-awareness training warn about almost point for point: a sender domain unrelated to the brand the message is signed with, a generic “Dear Customer” salutation, an attachment the reader is told to open, and a “click here” link.


From: NoReply@expertproductinquiry.com (NoReply@expertproductinquiry.com)
Subject: Product Recall
Sent: March-20-14 7:36:18 PM

Dear Customer,

This e-mail is being sent to you because you are a registered user of
the Fitbit Force Activity-Tracking Wristband, which is being
voluntarily recalled by Fitbit, Inc. in cooperation with the U.S.
Consumer Product Safety Commission. Users can develop allergic
reactions to the stainless steel casing, materials used in the strap,
or adhesives used to assemble the product, resulting in redness,
rashes or blistering. Consumers should stop using the Fitbit Force
Activity-Tracking Wristband and return the product to Fitbit for a
full refund. Please open the attached document for the official press
release. For additional information regarding this product recall,
click here.

Sincerely,
Fitbit, Inc.
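Here is what the automated checks that tripped over this notice look like in practice. This is an added example, not code from the original article and not anything Fitbit or Stericycle runs; the sample messages are constructed to mirror the notice quoted above (sender domain, salutation, “click here”, Word attachment), and the brand domain list and attachment file name are assumptions.

```python
"""
Heuristic phishing indicators for a recall-style e-mail.

Added example: not from the original article, not Fitbit's or
Stericycle's code. The sample messages are constructed to mirror the
recall notice quoted in the article. BRAND_DOMAINS and the attachment
file name are assumptions made for the example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

BRAND = "fitbit"                      # the company the body is signed by
BRAND_DOMAINS = {"fitbit.com"}        # assumption: domains that brand mails from
# Office formats that can carry macros, plus RTF, a frequent exploit carrier
RISKY_EXTENSIONS = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".ppt", ".rtf")


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From: header, lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def risky_attachments(msg: EmailMessage) -> list:
    """File names of attachments whose type is commonly abused."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def phishing_indicators(msg: EmailMessage) -> list:
    """Return a list of human-readable indicators; empty means nothing tripped."""
    indicators = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    domain = sender_domain(msg)
    # The body claims to be from the brand, but the sender domain is not theirs.
    if BRAND in text.lower() and domain not in BRAND_DOMAINS:
        indicators.append(f"brand mismatch: signed {BRAND} but sent from {domain}")
    for name in risky_attachments(msg):
        indicators.append(f"macro-capable attachment: {name}")
    if re.search(r"click here", text, re.I):
        indicators.append("generic 'click here' call to action")
    if re.search(r"^Dear Customer", text, re.M):
        indicators.append("generic salutation")
    return indicators


def check_raw(raw: bytes) -> list:
    """Parse an RFC 5322 message from bytes and score it (what a filter sees)."""
    return phishing_indicators(email.message_from_bytes(raw, policy=policy.default))


def build_recall_sample() -> EmailMessage:
    """Constructed message mirroring the notice quoted in the article."""
    msg = EmailMessage()
    msg["From"] = "NoReply@expertproductinquiry.com"
    msg["To"] = "customer@example.com"          # constructed recipient
    msg["Subject"] = "Product Recall"
    msg.set_content(
        "Dear Customer,\n\n"
        "This e-mail is being sent to you because you are a registered user of\n"
        "the Fitbit Force Activity-Tracking Wristband, which is being\n"
        "voluntarily recalled. Please open the attached document for the\n"
        "official press release. For additional information, click here.\n\n"
        "Sincerely,\nFitbit, Inc.\n"
    )
    # Constructed stand-in for the Word attachment (OLE magic bytes + filler).
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed placeholder",
                       maintype="application", subtype="msword",
                       filename="Fitbit_Force_Recall.doc")   # assumed name
    return msg


def build_clean_sample() -> EmailMessage:
    """Constructed notice written the way a filter and a wary reader prefer."""
    msg = EmailMessage()
    msg["From"] = "recall@fitbit.com"            # assumption: brand-owned domain
    msg["To"] = "customer@example.com"
    msg["Subject"] = "Fitbit Force recall: how to return your device"
    msg.set_content(
        "Dear Jane,\n\nThe Fitbit Force is being recalled. Return instructions "
        "and the press release are at https://www.fitbit.com/forcesupport "
        "(type the address yourself rather than following a link).\n\n"
        "Sincerely,\nFitbit, Inc.\n"
    )
    return msg


if __name__ == "__main__":
    for label, sample in (("recall notice", build_recall_sample()),
                          ("clean notice", build_clean_sample())):
        print(label, check_raw(sample.as_bytes()) or ["no indicators"])
```

The second sample shows the cheap fixes: send from a domain the customer already associates with the product, address the customer by name, and point at a page on the brand’s own site instead of shipping a Word document. None of that requires more than the registration data Fitbit already holds.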

Company representatives on the forums say that this message was part of the company’s recall plan put together with the help of the Consumer Product Safety Commission. All registered Force users as of late February of 2014 received the message… but how many people assumed it was a phishing attempt instead of a legitimate communication from the company?

No recall announcement plan is perfect. That’s impossible. It just seems to us that there must be a better way to do this when a product, in order to operate correctly, has to be associated with a working e-mail address and must be connected to the Internet every few days. We just don’t want to see unknowing customers hurt when they buy a Force from a third party who is either ignorant of or disingenuous about the recall.