‘Your business contact information is processed by Lusha Systems Inc.’

A few days ago, I received this text message:

The sender was simply a mysterious ‘Privacy’. Was this a genuine notification about some company having my data, was it plain spam, or was it even phishing?

The URL in the text redirects to https://www.lushaprivacy.com/opt-out-phone/ and goes straight to an opt-out form. But it’s not a straightforward opt-out: they not only want you to enter your phone number, they also want to verify it with a one-time code sent by text message.

The company Lusha is a US company selling business contacts. But their website is lusha.com – a different domain from lushaprivacy.com. Both of those domains show as registered by ‘Identity Protection Service’, with a PO box address in the UK (presumably belonging to the identity protection service). Neither of those domains is new. And the WHOIS details for luu.sh only show ‘REDACTED FOR PRIVACY’. Whoever owns these domains really wants to keep their details private (though I have no idea why a company would be allowed to keep their details private).

I had a look around online for other information about the text message. I noticed that when typing ‘your business contact’ (words from the mesage I received) in the search box Google, the first suggested message is about Lusha:

There are actually less than a page’s worth of results for “your business contact information is process by lusha” (in quotes). It suggests that there’s another factor causing that phrase to rank highly (such as lots of people searching for those words).

Among the search results for that phrase is their Trustpilot page, where plenty of people are complaining about their data being used by Lusha. Some say their details were scraped from LinkedIn.

One of the other search results is a thread on Reddit. Unfortunately, the original thread was deleted by the subreddit moderators (which makes little sense for a subreddit supposedly devoted to privacy).

There are also complaints on Twitter – including this tweet with a screenshot of the same message I received:

The French data protection body, CNIL, dismissed a case against Lusha (link in French). That case appears to have been related to browser extensions (but it bizarrely also mentions an app named ‘Cleaner Pro’). Similarly, complaints have been made in the UK, but no further action has been taken due to the company being based in the US.

Unfortunately, none of this information is enough to confirm that the text message I received is genuine. My impression is that it’s genuine, but I have no proof. And the opt-out process is a pretty risky one – particularly as you have to receive and enter a one-time code by text message when you don’t trust the other party. You have no way of verifying that the other party is, in fact, the one sending you the code – for all you know, they are doing something with your phone number elsewhere, and getting you to relay the code (especially if there’s nothing in the message to indicate who it’s from).

As it turns out, the opt-out form is actually an <iframe>, and the form itself is hosted by a company called OneTrust (who, it seems, are the ones that send the one-time code). The form looks similar to ones provided by OneTrust service called CookiePro. Regretfully, the text message sent by the Lusha opt-out form is in the default format mentioned in the previous link (and does not name Lusha):

Your Phone verification code is: XXXXXX. Don't share this code with anyone; our employees will never ask for the code.

While it is a bit more reassuring that that OneTrust (seemingly a reputable company providing data protection compliance software as a service) is involved here, I have no idea why they’d want to be involved in such a flawed process.

There are, at least, some alternative contact details at the bottom of the form. (Whether messages sent to them go anywhere useful is another matter.)