[RichHaynes]

I am currently looking after my mums account due to an ongoing issue with her email address. This means her account is registered to my email address but the contact number on the account belongs to her.

Because of this, I was surprised to receive two texts purporting to be from "EONNext" that arrived yesterday and today. They are allegedly in relation to smart meters which my mum is yet to get. My suspicion arose because the first text was addressed to a different person and the provided link is not a link to an EON Next website. The second text was correctly addressed to my mum but had the dubious link and if it was legitimate, surely it would have gone to my mums mobile.

I have taken the domain of the link (bsft.im) and it links to a marketing company, Blueshift, that appears to offer CRM solutions to companies like EON Next. Its a well polished website with social media links. That would make me presume the link might be legitimate if it wasn't for the incorrectly addressed first text and the fact I am receiving them at all. I am unable to get any WhoIs information about the domain in order to check it's legitimacy which has led me to ask the question here.

Can someone clarify if these texts are legitimate?

First text:
Hi (incorrect name), smart meters come with a free In-Home Display that can help you track and manage your energy usage more effectively. As part of your current tariff you agreed to have smart meters fitted. Click the link below to pick a date and time that suits you. http://bsft.im/z/(redacted)

Second text:
Hi (correct name), we're ready to fit your smart meter for free. Smart meters have many benefits for you and the environment and come with a free In-Home Display that can help you track and manage your energy usage more effectively. Click the link below to pick a date and time that suits you. http://bsft.im/z/(redacted)

[Andy65]

I've had texts from Eon-next with a link containing 'bsft' so I would say that they are genuine @RichHaynes. If you're in any doubt ignore them if your Mum isn't required to have Smart Meters as part of her tariff. In my text I did click the link as I had to have Smart Meters fitted or be put on another tariff, that's how I know that it was genuine.

Some companies now seem to use links in texts that are almost akin to shorthand, presumably to reduce the number of characters.

[Beki]

@RichHaynes Hey there, it's Beki here.
Yes it is a genuine text however I have no explanation to the other name being used except for human error - for which I apologise. The text messages are hand-typed and so there is a margin for error.

I will definitely pass on your feedback though about the link, because I can see exactly where the concern comes from. I'll let you know what they say if they get back to me. 😁

The smart meters will definitely help in that situation - one of the reasons I am such an advocate for them. I also wanted to check that your Mum is on the Priority Services Register?
The Priority Services Register is a free support service to help people in vulnerable situations. Energy suppliers and network operators offer it. Each keeps their own register. You can read more about it here.

[meldrewreborn]

If you really don't want the SMART meters just ignore these requests. They have plenty enough installations to be getting on with without your mum's.

[RichHaynes]

Glad to know it was genuine when you clicked it @Andy65. I'm a web developer so I get the principal of short URLs but there are also easy workarounds that would allow that URL to be hidden behind the eonnext.com domain. With all the phishing texts sent out, they really should be more careful.

However, it still doesn't explain why I got any texts at all as my number is not on the account. The only time they have had my number is when they have called me back after I contacted the call centre.

Also, what about the first text? If it was a genuine mistake, they should have sent a follow up text explaining as such. I also worry about what information I may see if I click on the first link. Will it reveal that person's details? If so then that is a serious data protection breach!
@meldrewreborn I will be getting my mum smart meters because I live 35 miles away and she really struggles to read the meters due to mobility issues. Having the meter send automatic readings will be a huge benefit for her. I'm just concerned because I've read about issues with smart meters for those who moved from both npower and Eon. With me not being nearby and without a vehicle, I need the switchover to be flawless.

[theunknowntech]

I have been able to verify that E.On Next is using Blueshift CRM. To help check the other stuff, I asked my friend Blastoise186 to do some digging into things. Blastoise has done some OSINT against the domains and come back to me just now.

He's been able to validate that the two domains share the same owner and there's no signals of suspicious activity ever having taken place against either of them. However, both of us do agree that it's not ideal for the text messages to show random unknown domains for this kind of message and Blastoise knows of MANY ways to abuse this sort of thing. For pretty obvious reasons, he doesn't want to share those details publicly but I'm sure you'd agree with him if you knew what they were.

Blastoise thinks these particular links are a sort of tracking link to allow the CRM to "see" whether you engaged with the message by clicking the link or not. They can also be used to personalise the content you see after clicking the link as well, but not everyone does that and it's more likely just going to a generic page with a UTM tracking code on the end of the URL.

However, his opinion is that it would have been more appropriate if the domain used wasn't some random generic one and was actually based on the E.On Next domain itself.

I will ask @Beki_EONNext and @HannahD_EONNext to stop by as this does raise some rather interesting points of feedback... And possibly more...
@RichHaynes if you do experience issues with the meter, feel free to call on my advice. I'm a dab hand at diagnostics and I have the ability to summon the moderators to dig deeper if needed. In your case, if your mother is already on E.On Next then the migration issues won't affect her.

[RichHaynes]

@theunknowntech @Beki_EONNext please raise this as a serious Data Protection breach. I have tried both links and they redirect to the eonnext domain (slightly ironic). The URL that I am redirected to reveals the account number. The webpage then reveals the address of the supplied property. The webpage does give the impression I am logged in but I can confirm there is no active logged in session (going to the eonnext homepage displays all the hallmarks of a logged out user). If you now couple this with the first names in the text messages, I now have three pieces of identifiable information about two individuals, one of which is a family member and the other is an unknown individual to me. I have not captured any data for the individual unknown to me apart from retaining the original text sent to me from your systems. I am performing this on mobile so I have not been able to check developer tools to see if any further data is revealed in the DOM. If you require any additional information such as text content, URLs or screenshots then please PM me so that I can provide these in a secure manner. This needs to be investigated as a matter of urgency to determine if anyone else has received erroneous texts.

[Beki]

@RichHaynes I will PM you now.

[RichHaynes]

@Beki_EONNext I have already registered my mum for Priority Services as she is of pensionable age.

My concern about the smart meters is that my mum is technologically illiterate. She struggles to understand the thermostat which has only two buttons on it and I wouldn't want her to be attempting to deal with a smart meter issue without me being there. I have read of people who have switched to eonnext from other providers who have had smart meter issues which I need to be sure will not happen for my mum. She has had her electric account moved from npower and her gas account moved from eon so she's more a double whammy and to me, that heightens the risk of problems. To highlight the issues we've already had, her gas account was invisible to us for over a month. And when that was corrected, her email account became blocked by your systems which means its now registered under my email address. Even these texts are bewildering as my number is not the number registered on her account. Its a bit of a mess and I cannot allow those issues to follow over to any smart meter installation. Luckily she is not required to have them so for the time being I will hold off on getting them installed.

[Beki]

@RichHaynes I think is going to require to me to have a deep look into the account as these sound like minor things, that have evolved into bigger things because they have not been addressed correctly.