[UPDATE: Official Statement] PSA: Do not Reply to Essential “Purchase Verification” Emails (Potential Credit Card/Identity Fraud), Emails Reportedly from Essential Phone Staff
Update: Andy Rubin, Essential CEO and Android creator, has released a statement confirming an error in Essential’s customer care function and personally apologizing for the mistake. He also offered one year of LifeLock for the impacted customers. You can read the complete statement here.
The Essential phones are now shipping to customers after a really long wait, but things are not looking good for some buyers. Last night, an email allegedly coming from their support team was seemingly chained to many customers. The email, which came from [email protected], asked for the customer’s photo ID or other identification papers (passport, driver’s license…), as they needed additional information for verifying the purchase. This has raised a lot of eyebrows, and some upset users considered it a phishing scam or a server hack because of the email’s appearance and odd wording. It reads as follows:
Our order review team requires additional verifying information to complete the processing of your recent order.
This verification is performed to protect against unauthorized use of your payment information and similar to what is conducted for in-person purchases.
Please provide an alternative email and phone number to confirm this purchase..
We would like to request a picture of a photo ID (e.g. driver’s license, state ID, passport) clearly showing your photo, signature and address. NOTE: the address on the ID should match the billing address listed on your recent order.
We apologize for the inconvenience and appreciate your cooperation. Once verified, we look forward to shipping your order.
Essential Products Customer Care
The email was first reported on Reddit, precisely on /r/Essential (and then crossposted to /r/Android), where it generated quite a bit of discussion. It was eventually settled on those subs that it could a security leak (someone getting a hold of Essential’s mailing list), a phishing attempt by an Essential employee or another person, or just a big mistake from a company employee. It was also later reported on /r/Android that both addresses at Essential were disabled. However, we are not 100% sure what happened here, as the email did apparently come from the official servers.
At this time we simply do not have enough information to determine if this was a hack, a third party phishing attempt, or a mistake from an employee setting up a mass email attempt to validate specific orders. Calling it a hack could invalidate the potential seriousness of this situation as some indications point to it being a genuine Essential email. Essential will need to be clear, transparent, and timely about what occurred here. However, their initial response to the situation arrived nearly 5 hours after the emails went out and it may be some time before we truly know what occurred.
We’re aware of & looking into a recent e-mail received by some customers. We’ve taken steps to mitigate & will update with more info soon.
— Essential (@essential) August 30, 2017
Either way, if you have bought one of these phones and you got one of these emails, do NOT respond to it until the company releases a proper official statement on the situation. You could be potentially putting your personal information in danger. We’re currently looking forward to an official statement from Essential on the matter beyond the tweet shown above. In the meantime, you can read both Reddit discussions here and here.