1. Perfect spam game
  2. Vendor redirection as modern art masterpiece
  3. Fun with third parties
  4. Know your integration partner
  5. Always color the BATNA red
  6. Is every successful business coned

Backstory: if you don’t live in NYC or westchester, Con Edison doesn’t deliver electricity or gas to your house, but if you do, it does.

Perfect spam game

Like most New Yorkers who move near summer, I only open emails that are in all caps. For example: TERMINATION NOTICE – ACTION NEEDED from ConEd-bill@emailconed.com.

Why don’t I open all my correspondence from coned? Because the relevant pieces are buried in nonsense:


My favorite thing about this is that the bills don’t come from coned.com; the spam does, the bills are from emailconed.com. Surviving web 2.0 has trained me to, when I see ‘criminals trying to scam you’ next to ‘bill is ready’ from different domains, to ignore both.

All caps, on the other hand, I still respond to.

Vendor redirection as modern art masterpiece

The TERMINATION NOTICE email is true art, and not just because of the all-caps and the possibly-fraudulent source domain, or the ‘Please do not reply to this email’ in the fine print.

It has a PDF attachment with some security features that I’ll go into later.

It also has a link to coned.com but it’s not directly to coned – they redirect via a third party at documentmailbox.com. What, you ask, happens if you type documentmailbox.com into a browser and go? Feast your eyes:


Fun with third parties

The billing homepage for my coned account defaults to one of several past addresses and welcomes me with a cheery ‘You owe $0!’.

On a dropdown, I found an address that is within 100 yards of my current address, but not exactly the same! We’re getting warmer.

Clicking a ‘pay now’ button on that page brought me to another trustworthy third party, billmatrix.com. Their homepage:


Just for fun I opened their privacy policy, and noticed that it references, another third party (fourth party?), customercenter.net. Their homepage was fun in a different way:


Know your integration partner

Excitingly, the billmatrix redirect was a form that wanted my coned account number & email address. coned, a company that I’m pretty sure operates a call center based in new york city, somehow couldn’t cough up $20k to build out an integration.

Type my account number? Where would I find that? Oh right, the PDF that coned emailed to me.

But when I tried to open it, I saw something I’ve never seen before:

PDF password

I didn’t even read the prompt, I just downloaded the thing and tried a different viewer, but after a while figured out what’s wrong. But wait – maybe there’s some kind of instruction in the email, something like:

For your security, when prompted, please enter the 5-digit zip code of the service address to open the attached file.

I’m trying to imagine an attacker who has access to my email account and can’t figure out my zip code.

The ‘password’ worked, I got my account number, typed it into the billmatrix form exactly, and – nothing. No such account. After some more debugging, I figured out that the form was clamping the account number – it takes exactly the right number of characters if you omit the hyphens.

Always color the BATNA red

And now the best part. I payed billmatrix, coned did instantly receive the billing confirmation and apply it to my account, I’m impressed (given that I was typing in my account number just 5 minutes ago). But something is still out of whack:


After jumping through every hoops, visiting like 5 websites if you include gmail and emailconed.com, and paying down my balance, it looks like my electricity will still be turned off.

And their website is slow!

Is every successful business coned

You don’t need to worry about your conversion funnel when you can turn people’s electricity off.

Coned still doesn’t have (as of a few months ago) a way to create an account online. When I called in, I asked the operator ‘you guys have a privacy policy, right’ and he was like ‘we won’t use your information in any way’. To which I asked ‘will you use it for accounting and payment services?’ and he said ‘of course’.

Everyone I know has had a bad experience with an institutional service provider, but I don’t want to use this article to ask why they’re so bad or what ways there are to disrupt them (both are a long list).

Every successful business that I’ve been on the inside of is, in some way, like coned – we screw up at least some of the time. What keeps our customers coming back (when they come back) isn’t that we have perfect execution, it’s that we’re providing something they can’t get from anyone else. Messing with us would deny them something as important as electricity.

Thanks, coned, for that reminder and for an entertaining and informative online bill pay experience. And if you smell gas, act fast.