SteveEG
Newbie

Facebook Roku Giveaway Scam?

Saw this giveaway on Facebook, but some folks received a "reply" from Roku that they had won a soundbar and bass. However, the link seems very suspicious. Am I right in assuming this was another scam?

RokuAustin
Community Manager

Re: Facebook Roku Giveaway Scam?

Hi there! Send us a PM if you believe you were contacted by Roku. This is a legitimate sweepstakes but the winners would have been contacted by the verified Roku account. Thanks!

Happy Streaming!

fluke
Roku Guru

Re: Facebook Roku Giveaway Scam?

Is Roku seriously asking people for their Social Security Number over Facebook??

Each winner must provide Administrator with a valid taxpayer identification number or social security number before any prize will be awarded.

The Roku Soundbar and subwoofer is being sold for $250? How does this exceed the $600 limit such that a 1099-MISC form is required?!

Even if the intention is for the giveaway to be completely legitimate, it seems like this could open up some people interested in Roku to having their SSN taken in a phishing style attack.

I don't see on the Facebook page or in the sweepstake rules that it explicitly says to expect the administrator of the sweepstake to contact from the Roku verified account.

 

Each potential winner will be notified by mail, email, or phone.

Uh. How? This information is not asked to be provided in the comment and several Facebook users have figured out it is not wise to leave this information available to everyone in their profile. If the winning commenter is really selected at random by someone that was never required to make a purchase with Roku then the mail, email and phone are all unknown to Roku. Instead the notification would realistically be coming via Facebook Messenger which is not even listed as a notification method in the sweepstakes rules. So, there may already be a deviation between what the rules say will be the method of sweepstake communications.

Each potential prize winner may be required to sign and return an Affidavit of Eligibility, Liability and Publicity Release (“Affidavit”) and an I.R.S. Form W-9 as applicable (except where prohibited), which must be received by Administrator within seventy-two (72) hours of the time notice or attempted notice is sent, in order to claim a prize (if applicable).

A strict "act now" style requirement to supply sensitive information or the $250 offer will be lost forever!  Do I need to go into any further detail how this wording is pure gold for someone going phishing?!

I am, of course, not going to spell out how exactly someone would launch a phishing attack based on how Roku is conducting and communicating with this sweepstake.  That information can already easily be found.

To anyone that has worked for a company that performs phishing attack tests and avoidance training such as KnowBe4, the flaws with how this offer is being made should be clear.  I could see why the OP is confused.

And despite the intention being legitimate, the method still increases risk to the participants and to Roku's brand.

Please do a better review on how to do these in the future.
