Going phishing in Woburn?

Booking a family holiday

Back in the middle of 2019 my extended family decided that to celebrate some significant birthdays we’d go to Center Parcs in Woburn in May 2019 for a long weekend. We booked some accommodation, restaurants etc.

All looked like it was going to turn out to be a great weekend – then in early 2020 Covid-19 came along and, for us as for many others, scuppered our plans.

How cancellation should work

On the news back at the start of lockdown we heard that Center Parcs had closed, but it wasn’t clear whether it would re-open before May 2019; it didn’t. For a while we wondered whether Center Parcs would cancel our booking or not – and whether they would communicate with us at all, as their call centre wasn’t accepting incoming calls.

They did eventually email us in mid April 2020 about our booking to advise us that they were extending their closure period to 14th May which meant our booking had to be cancelled. The email we received is below.

Holiday Cancellation email from Center Parcs

This email is addressed to us by name rather than just a generic “Dear Guest”.

This was then followed around two weeks later by an email telling us how to request our refund for the original booking, but it didn’t cover activity, restaurant or spa bookings.

Second email about holiday cancellation from Center Parcs

Notice that this email addresses us by “Dear Guest” rather than the name of the guest.

This second email asked us to log into our Center Parcs account and provided an embedded link. Now I don’t like embedded links because they can be misleading, but in this instance the embedded link takes us to https://www.centerparcs.co.uk/my-account/sign-in.html which is the location on the Center Parcs website you would expect to be taken to… it takes you there via an email tracking URL first, but hey.

This page is HTTPS-protected and the certificate is valid, and thus all seems well. I’d have preferred Center Parcs to have published information informing us how they will be completing the refunds in order to make it easier to verify the legitimate method… more on that later.

To obtain our cancellations we logged into the account, filled in the required details, and waited. Now all the money has been refunded except the activities, restaurant and spa bookings.

How cancellation shouldn’t work

All that was left now was the relatively small amount of money that needed refunding for the activities, restaurant and spa bookings. Eventually the email came about this too –

Third cancellation refund email from Center Parcs (or not?)

Again, this email is addressed to “Dear Guest” rather than the name of the guest.

This email comes from refund@centerparcs.co.uk rather than info@email.centerparcs.co.uk.

But the embedded link this time takes us to https://centerparcs.mysecurepay.co.uk. It then asks us to enter the booking reference number and surname and to select the Center Parcs village from a dropdown list, before moving on to pages for the amount, credit card details, and confirmation.

The “MySecurePay” website through which Center Parcs might be completing some refunds?

But how do I know if this is actually a phishing campaign or not?

What is Phishing?

Phishing is the sending of a cleverly crafted email designed to deceive you into thinking it’s from a legitimate business you may have engaged with. It probably looks like it’s sent from an email address associated with that business, it probably uses that business’ logo, and it probably provides a link to a website that seems to belong to that business and again uses the business’ logo and some other details.

In all honesty, at this point in time I haven’t completed any of the information on the webpage shown above because I can’t find any way to verify that this email really was from Center Parcs or that Center Parcs owns the website.

Typical hallmarks of a phishing email are:

  • It asks you to provide your sensitive information via an email or a link in an email – say like booking details for a holiday and credit card information?

  • It doesn’t address you by name, as the sender doesn’t actually know your name – say like addressing me as “Guest”

  • The sender email address doesn’t match the domain for the company – well in this instance this matches

  • Any links provided in the email do not point back to the business’ primary internet site – say like directing you to a third-party site to enter your confidential information?

  • Purpose of the email is to get you to provide personal information and ideally information about your bank accounts or credit or debit cards – say like details of a holiday and credit card information?

  • Poor grammar and spelling – not really the case in this situation

  • Whole email is a link pushing you to a website – not really the case in this situation
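The two link-related hallmarks above come down to one question: does each link point back at the business’ own registrable domain, or at someone else’s domain that merely carries the brand name as a subdomain? This added example (not code from the original post or from Center Parcs) applies that check to the addresses quoted in the post; the small public-suffix table is an assumption standing in for the full Public Suffix List, and the tracking URL path is constructed.

```python
from urllib.parse import urlparse

# Suffixes under which a registrable domain needs three labels, not two.
# Assumption: a tiny stand-in for the Public Suffix List, enough for this post.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk", "ac.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that one party actually registers:
    email.centerparcs.co.uk -> centerparcs.co.uk, but
    centerparcs.mysecurepay.co.uk -> mysecurepay.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, brand_domain: str) -> str:
    """Label a link relative to the brand's own registrable domain:
    not-https            - not served over HTTPS (checked first)
    own-site             - brand domain or a subdomain (tracking hosts included)
    brand-in-third-party - brand name present, but someone else registered it
    third-party          - unrelated host"""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or not host:
        return "not-https"
    if registrable_domain(host) == brand_domain:
        return "own-site"
    if brand_domain.split(".")[0] in host.split("."):
        return "brand-in-third-party"
    return "third-party"


def sender_matches_brand(from_address: str, brand_domain: str) -> bool:
    """The From-domain check the post applies. A weak signal on its own:
    the visible From header is not authenticated by this comparison."""
    return registrable_domain(from_address.rsplit("@", 1)[-1]) == brand_domain


if __name__ == "__main__":
    # Constructed sample built from the addresses quoted in the post; the
    # tracking URL path is made up, only its host follows the post's sender domain.
    brand = "centerparcs.co.uk"
    links = ["https://www.centerparcs.co.uk/my-account/sign-in.html",
             "https://email.centerparcs.co.uk/track?u=1",
             "https://centerparcs.mysecurepay.co.uk",
             "http://centerparcs.co.uk/pay"]
    for link in links:
        print(f"{classify_link(link, brand):22} {link}")
    print("sender domain matches:", sender_matches_brand("refund@centerparcs.co.uk", brand))
```

A matching sender domain is only a hint; whether the message was actually sent on the brand’s behalf is a separate question that the From header alone cannot answer.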

Is the Center Parcs email a Phishing Email then?

On the Center Parcs website they have the following information on their “FAQs and getting in touch” page:

https://www.centerparcs.co.uk/contact.html

Information from Center Parcs FAQ and Contact Us page.

The most recent email did come from refund@centerparcs.co.uk, but email isn’t a secure communication method and it’s possible to receive emails that didn’t genuinely come from their purported source.

So in all honesty I don’t know. I think it probably did come from Center Parcs but I’m not willing to put my details into a third party website without feeling certain.

Did you contact Center Parcs then?

I tried to check whether Center Parcs use mysecurepay.co.uk for payment processing by looking in their privacy policy, where usage of third parties for processing of personal data is supposed to be declared in line with GDPR, but although it mentions payment provider websites in general it does not specify any particular provider. I have not been able to find any mention of mysecurepay.co.uk on the Center Parcs website.

Consequently on 30th June 2020 I emailed the data protection email address provided in the Center Parcs privacy policy asking them to clarify the situation. I’d love to hear back from Center Parcs but to date I have no reply – not even an acknowledgement of the email.

In conclusion – I would expect better than this from a large UK business – at least publish on your website how refunds will be processed and what site you are using to do this…

If you are reading this thinking “How do I protect myself from more blatant phishing attacks” and want to know more, please contact us for a chat. If you work for Center Parcs and could help me clear this up – again, please contact me… I’ll happily update this post to reflect what you do to resolve this issue.
