Phishing: Your Exhibitors May Be Doing It—and It’s Naughty

Post authored by Michael Godsey, Senior Vice President of Market Development at Experient

I just can’t seem to keep myself from writing titles that attempt to grab the reader’s attention. I guess it was beaten into my head during journalism classes in college. Anyhow, phishing is a new issue in our industry, and my experience has shown that most tradeshow organizers have no idea that it may be happening on their show floor. However, it’s probably not what you think, and it certainly doesn’t have anything to do with a lazy afternoon on your favorite body of water.


Unfortunately, we're not talking about this kind of fishing, but phishing is a serious issue for tradeshow organizers.

Before I talk about phishing, I want to tell you where it comes from. Over the last few years, many companies, including Experient, have launched mobile lead retrieval products for exhibitors. This is a major shift in lead retrieval strategy. In the past, the model had always been that an exhibitor would rent a device or two from a registration/lead vendor to put in their booth, and their salespeople would take turns collecting leads during the show. Today, an exhibitor can put lead retrieval in the hands of every salesperson in their booth at the same time by using lead retrieval apps on their smartphones. This allows them to collect leads not only on the show floor, but in sessions and at social functions as well. (By the way, our mobile lead retrieval is called SWAP and it’s the best—the best I tell you! But that isn’t the point.)

When we first launched a pilot of SWAP, we realized immediately that we had a new problem on our hands: phishing. Phishing is the process where exhibitors enter sequential ID numbers into their mobile lead devices to collect information on attendees that they never actually met. It starts with them putting in the ID number of a legitimate attendee in their booth, say 3156. Then a light bulb goes off in their head and they enter 3157, 3158, 3159, etc., to gain the contact information of other attendees. That is what we call “phishing” in the mobile lead retrieval business. For more information on a phishing attack, look here.

Traditional lead retrieval had the exhibitor renting a device that would read the attendee’s information from the barcode on their badge or from a mag stripe card, so phishing didn’t exist. But mobile technology sprang up quickly and entering the attendee’s ID number had to be an option. Why? Because the quality of the imager on cell phones varies greatly from device to device. On top of that, the exhibitor’s comfort level using their phone imager typically varies as well. As a result, almost all mobile phone lead retrieval systems in the industry today allow the exhibitor to type in the attendee ID number. Even if scanning is built into the app, entering the ID number manually will always be there as a backup.

In our pilot, we saw a few exhibitors putting thousands of leads into the program that they didn’t actually collect, and right away, we knew that it was a major problem. I’ll get to the resolution in a bit, and you need to make sure you check on this with whatever lead vendor you use, but first, I have to finish the story. Anyway, we had reports that would show us exhibitors who were putting in sequential ID numbers in real time. So as soon as I saw 50 sequential leads in a row, I knew they were phishing and grabbing attendee contact information for people they never talked to. I made the decision to personally call these exhibitors while they were phishing in their booth. I had dreams that I would call, they would be red-faced, immediately apologize and stop phishing, but unfortunately, it didn’t go down that way.

Make sure your exhibitors aren't being naughty with mobile lead retrieval and are collecting valid leads.

When I called them, I explained that we were monitoring the lead retrieval system and someone in their booth was collecting leads illegally by putting in sequential ID numbers. Their response: “No we’re not.” So I then tried to explain that it was nearly impossible in a show with over 50,000 attendees that 50 people would walk into their booth in sequential ID order. (The odds of each attendee being captured in sequential order are 50,000 to 1, and you would need to do that 50 times in a row. By the way, if you are curious about my math, don’t be. I asked my friend Tom to figure it out—he’s an actuary for an insurance company and spends his entire day working on statistics to predict when we will all die. He says he already knows when I’ll die, but he won’t tell me. In any case, I trust his math, and this feat is nearly impossible.) I then told the exhibitors that I looked at the data and saw that a sizeable portion of the attendees they collected weren’t even at the event. (We’re the registration company—we know things like that.) The response: “I don’t know what to tell you, but they were here.” I think you get my point.

Before we fully released our mobile lead retrieval product SWAP, we had to build in a way to make it impossible to phish. In our system, once an exhibitor puts in an ID number, our program immediately prompts them for the first letter of the attendee’s last name. To make it fast and easy, it automatically pops up a grid with eight incorrect letters and one that is correct. If they are actually meeting with the attendee, they simply read the name from the attendee’s badge, touch the screen on their phone once and go on their way. But if they are phishing, the attendee isn’t really there, so they guess incorrectly at the last name and stop. This failsafe has eliminated the issue.
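The first-letter check described above can be sketched as server-side logic. This is an added example, not Experient's SWAP code; the names `letter_grid`, `LeadGate`, `SERVER_KEY` and `MAX_FAILURES`, the lockout after three wrong answers, and the fixed grid per attendee ID are assumptions that the post does not describe, and the registrations are constructed sample data.

```python
import hashlib
import hmac
import random
import string

SERVER_KEY = b"constructed-demo-key"  # assumption: per-event secret kept server-side
MAX_FAILURES = 3                       # assumption: the post states no lockout threshold

# Constructed sample registrations: attendee ID -> last name.
REGISTRATIONS = {3156: "Nguyen", 3157: "Alvarez", 3158: "Okafor"}

def letter_grid(attendee_id, registrations=REGISTRATIONS):
    """Return nine letters: eight decoys plus the real initial, as in the post."""
    correct = registrations[attendee_id][0].upper()
    # Seed from an HMAC of the ID so the same ID always shows the same grid.
    seed = hmac.new(SERVER_KEY, str(attendee_id).encode(), hashlib.sha256).digest()
    rng = random.Random(seed)
    decoys = rng.sample([c for c in string.ascii_uppercase if c != correct], 8)
    grid = decoys + [correct]
    rng.shuffle(grid)
    return grid

class LeadGate:
    """Records a lead only after the first-letter check passes."""

    def __init__(self, registrations=REGISTRATIONS):
        self.registrations = registrations
        self.failures = {}  # exhibitor -> wrong answers so far
        self.leads = {}     # exhibitor -> accepted attendee IDs

    def submit(self, exhibitor, attendee_id, letter):
        # Once an exhibitor hits the failure limit, nothing more is accepted.
        if self.failures.get(exhibitor, 0) >= MAX_FAILURES:
            return "locked"
        name = self.registrations.get(attendee_id)
        # The comparison happens on the server; the app never learns the answer.
        if name and letter.upper() == name[0].upper():
            self.leads.setdefault(exhibitor, []).append(attendee_id)
            return "recorded"
        self.failures[exhibitor] = self.failures.get(exhibitor, 0) + 1
        return "rejected"
```
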

The reason I’m writing this blog post is not to promote our product or approach. It is simply to make sure that show organizers check with their lead vendors immediately to make certain that they have a solution for phishing. We all know the importance of protecting the personal information of attendees. If your lead systems allow phishing, you can pretty much bet exhibitors will be building marketing databases full of attendees that didn’t give their permission to be contacted. That can lead to attendees getting overwhelmed with email marketing, and when they realize they didn’t visit the booths of the exhibitors who are contacting them, it quickly undermines their trust in the show organizer. It may even influence their decision of whether or not to attend future shows.

One last thing—if you’re a show organizer, I recommend that you ask for a list of the leads collected by each exhibitor, including ID number, and check the show data regularly. If you see an exhibitor collecting thousands of leads, and many are in sequential ID order, you know you have a major problem on your hands!
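The check recommended above can be run over an exported lead list. This is an added example, not the report Experient uses: it flags an exhibitor when leads were entered in a long run of consecutive ID numbers (50 in a row, the figure from the story above) or when a large share of the collected IDs never checked in. The function names, the 25% absence threshold and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (exhibitor, attendee_id) in the order leads were entered.
LEADS = [("Booth A", i) for i in (3156, 12044, 40871, 877, 25310)]
LEADS += [("Booth B", i) for i in range(3156, 3216)]  # 60 consecutive IDs

# Constructed check-in list: Booth A's visitors, plus only the even IDs from Booth B's range.
CHECKED_IN = {3156, 12044, 40871, 877, 25310} | {i for i in range(3156, 3216) if i % 2 == 0}

def longest_sequential_run(ids):
    """Length of the longest run, in entry order, where each ID is the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_exhibitors(leads, checked_in, run_threshold=50, absent_threshold=0.25):
    """Return a report for exhibitors whose lead lists look entered rather than collected."""
    by_exhibitor = defaultdict(list)
    for exhibitor, attendee_id in leads:
        by_exhibitor[exhibitor].append(attendee_id)

    report = {}
    for exhibitor, ids in by_exhibitor.items():
        run = longest_sequential_run(ids)
        # Share of collected IDs that registration data says never arrived on site.
        absent = sum(1 for i in ids if i not in checked_in) / len(ids)
        if run >= run_threshold or absent >= absent_threshold:
            report[exhibitor] = {
                "leads": len(ids),
                "longest_run": run,
                "absent_ratio": round(absent, 2),
            }
    return report

if __name__ == "__main__":
    for exhibitor, stats in flag_exhibitors(LEADS, CHECKED_IN).items():
        print(exhibitor, stats)
```
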

4 Responses to Phishing: Your Exhibitors May Be Doing It—and It’s Naughty

  1. mike says:

    Great article! Thanks for sharing.

  2. Phishing and other terms for creating “cold call” lists will always exist. In this day and age, it is most likely that the vendor is going to email the person that they “caught” while Phishing, and that person will just delete the email.

    Sales people and companies that do business this way are annoying, but a part of life. Just think back to the days before caller id and email, and be glad that these people are easily filtered out of your life today!

  3. HJ Randall says:

    Good article! I wonder why anyone would do this as the objective, in my mind, is that we exhibitors are looking for *qualified* leads – quality over quantity. And my next comment is probably out of order, however, what I would like to know is how to discourage phishing from vendors? I am so tired of the cold calls and numerous e-mails from vendors wanting our business pre-shows – any way to make that stop? We are very very happy with our exhibit management company and I simply do not have time to respond to all these vendors.

  4. Phishing is not only about calling; it now also spreads via internal emails and SMS. It is really a very smart process to hack the data, but there are also some processes available to identify those and ignore these types of spam.
