[personal profile] liv
I was a fairly early adopter of Gmail, back in the days when Google was the non-evil alternative to Microsoft. As a result I was able to snag an email address which is just my (common) first name plus initials. A consequence of this is that people quite frequently sign up to web services and mailing lists with my email address.

The other day I received one such email, acknowledging receipt of $500, welcoming me to a business service, and listing "my" details, including full name, address (in New York State), phone number, SSN and partially obfuscated credit card number. I'm not sure why I even opened the mail, I could tell it wasn't really intended for me. At this point I felt a bit sorry for my namesake, who had spent $500 on a service she wasn't going to get, and I was a bit concerned about all her personal details being shared with a total stranger (you would think that a competent business would verify the email address before emailing details; at least they didn't send out her password in the clear). I was also a bit unhappy at the prospect of receiving all this person's emails forever.

There was no unsubscribe link, presumably because the person had already positively opted in to receiving the emails. I went to the URL the email originated from (typing it manually, not clicking any links in the email). I saw a website that looked legitimate in the sense that I guessed it was actually selling the thing it was claiming to be selling, not just trying to install malware on my computer. But it looked pretty slimy in the sense that what it was selling was essentially some kind of multi-level marketing scheme. I could not find any useful contact details for said slimy company; the only way to contact them was through their members-only area. I tried their Twitter account, and as expected got no reply. While this was going on I received a whole bunch more emails from the company, which made me the more determined to get myself off their books.

So I tried calling the number listed in the person's details in the email. I already have a calling plan such that calls to the US are free, so it was just a nuisance, not expensive, to do this. To my surprise, it was a home number, not a business number. The person who answered made no attempt to find out who I was or what my business was, just informed me that the person I was asking for was out, would be back in an hour and would I like her cell number? So I called again an hour later, having considered what I would say to make myself sound convincing. I personally would be very suspicious if I received a call from a stranger in a foreign country claiming there had been a security breach and the foreigner had access to my personal details. In the event the person believed me straight away without needing any convincing, and was effusively grateful that I'd let her know, and promised me to get things fixed straight away.

A little later I received an email from the company with a slightly panicked tone and rather poor SpaG begging me to please delete the email with the personal details. Of course by this point they'd already sold my email address on to various even scummier "business" services, so my hope that I was going to avoid getting unwanted mailshots was in vain. But at least I helped the person whose email address is one letter away from mine to get what she paid for.

I was very aware that I could have been falling for a scam here. I mean, I get any number of emails which claim to be misaddressed, but are actually just mass-emailed spam. It is hard to describe exactly what made me think this one was a genuine mistake; partly that it addressed the recipient by name and her name was plausibly close to mine so that I could see how she might think my email address was hers. I took a risk in going to the website of a company I'd never heard of in response to an email that shouldn't really have come to me, and I'm not sure that typing in the URL was a lot safer than just following links. I made a judgement call that the company in question was a slimy but vaguely legitimate business, not the front end of a scam operation, partly because the website looked professionally done, partly because it seemed to have a pretty deep structure, not just a few pages. The people who answered the phone seemed to be legitimate, not stooges for a putative email scammer, on the basis that they didn't appear to be trying to get anything out of me. But I could have been wrong about any of those things, and maybe it would have been safer to just filter everything from this particular company to spam and not worry about the random stranger's potential loss of $500. [personal profile] flippac came up with even more elaborate examples for how it might be a set-up for scam than I could think of.

Of course, this poor lady might have been better off if she had just written off the $500, rather than getting embroiled in a nasty-looking MLM scheme. I am a bit shocked that she paid so much money for something which to me looks so obviously dodgy. But then again, both she and whoever answered the phone (housemate? maid? daughter?) were both totally naive and made no attempt at all to check, let alone verify, whether I was the helpful stranger I claimed to be. I seriously considered warning her away from the dodgy company, but concluded that probably the polite thing to do was to keep the conversation brief and to the point and not get into an argument with a total stranger about whether her financial decisions are sound. And you know, maybe this "business network" is actually a real thing and not just a thinly disguised pyramid scheme, I could be over-cynical as well as being too naive.

I did think, I've been on the internet 20 years now, and I've picked up quite a good body of knowledge about what is or isn't trustworthy. Plenty of people don't have that, of course. And I am not at all saying I could never be taken in; I see the obvious scams but I'm as liable as the next person to fall for a sophisticated one. There's an aphorism that you have to be greedy to be conned, and I'm not sure that's entirely true of me, I'm much more likely to be hooked by a sob-story than by Nigerian spam or anything else that promises me money. I think I partly felt sorry for this lady because we have similar names, so I felt a sense of connection. I was also reminded just how weak data protection laws and financial regulation are in the US compared to what I'm used to in Europe; I'm pretty certain you wouldn't be allowed to run that kind of MLM over here and a company could get into serious trouble for sending out identifying details to the wrong email address.

The other issue is that there are plenty of supposedly legitimate companies doing their very best to break my carefully honed instincts for how to be secure. They want me to share my email address book so that they can spam all my friends and get them to sign up to whatever service as well as me. They allow me to verify using publicly available information like my mother's maiden name, or let me use totally insecure details to recover a password without any real check on whether the account the password belongs to is actually mine. All these years I've been making sure I don't give out my real email address to people or organizations I don't trust, but Google want to change that paradigm so anyone who knows my name can email me. And that's not even touching on how they want to broadcast my full name to all and sundry, undoing all those years of careful teaching not to tell strangers your real name.

Banks, which ought to be the most secure, are just the worst. [personal profile] karen2205 has it absolutely right, they should not in any way be training people to give out lots of identifying and possibly secret information to strangers who phone them from numbers that can't be verified. They don't allow you to check contact details provided by a cold-caller before you get back to them. They've pretty much already broken any sense I might have had about how to avoid giving my credit card details to dodgy online businesses, because even the most respectable, legitimate businesses now redirect you to a new, unrecognizable URL in a frame when it comes to the payment part of the transaction. And most companies routinely save credit card numbers, sometimes including PINs and verification numbers, at least by default, you have to find the tiny print and uncheck the tiny box to prevent this.

So in that sense it's not surprising that people like my American namesake fall for scams. Because real businesses are increasingly employing scammer tactics, so how do you tell? I suppose the theory is that it's ok for them to trick you, through social engineering, through dodgy phone or FB apps, through making it impossible to use their service in any sort of secure way. Because they wouldn't do anything harmful once they have access to your real name and all your contact details and lots of your financial details. Even if that's true it provides very little protection when the database of a mostly legit company gets hacked, and besides, they're training everybody that the only way you can interact with commerce at all is to be completely naive.

I have no particular suggestions for how to fix this, but I'm annoyed.

(no subject)

Date: 2014-06-16 05:22 pm (UTC)
From: [personal profile] redbird
Connected to which: I get bills for certain medical stuff, including dental care, from organizations that want me to pay by mail, by sending them credit card information. But they want me to include the three-digit verification code, and (I tested this) will not process the payment if I leave that bit of the form blank. Even if I trusted them, I'm not putting that in the mail on a form that is being sent in a standard envelope to an address that is known to belong to an accounts receivable office. Which means doing less-convenient phone payments.

(Given the way my health care coverage works, writing a check would be significantly more complicated. But that's beyond the scope of this margin.)

(no subject)

Date: 2014-06-17 02:46 pm (UTC)
From: [personal profile] redbird
It's particularly annoying because I found it out after we had already done business. (I probably wouldn't choose a medical practice on that basis, but "I'm not going back here" or "not recommending this doctor" is different from having a bill for past treatment.)

(no subject)

Date: 2014-06-17 05:09 am (UTC)
From: [personal profile] dafna
I have an incredibly common name -- googling it gets you something like 8 million results and adding my middle name only gets you down to 2 million. Like you, I was a very early gmail adopter and so have a gmail address that is my full name. That means over the years I have gotten some hilarious misfires but the best was when someone signed up to their pharmacy's web site and I got all their medical info. (After I called the pharmacy they eventually changed it.)

I like this recent post about all the reasons we get fooled, particularly this bit: "Remember, you can be sensible 23 hours and 55 minutes a day, but a criminal only needs five bad minutes–One Slip–to raid your bank account."

(no subject)

Date: 2014-06-17 10:19 am (UTC)
From: [personal profile] dafna
Yeah, there's a lot to be said for having a common name in the Google era in terms of the anonymity benefits. Ironically, my fannish name has a much more distinctive online presence than my real one.

(no subject)

Date: 2014-06-17 10:28 am (UTC)
From: [personal profile] marymac
I've mostly trained my bank out of doing the 'We will phone you and demand your details before we tell you why' by dint of cheerfully telling them to make an appointment if they need to talk to me, I don't give out my details to randoms on the phone, and hanging up. Now they phone me from the branch number. Which is what they should have been doing to start with.

But, businesses in general: You rang me! The onus for verification is on you!

(no subject)

Date: 2014-06-17 10:52 am (UTC)
From: [personal profile] marymac
I have an advantage in that it's an NI bank, who I've been with since babyhood, so while they are horrifyingly stuck in the 1950s in many respects (I lost my purse in Gatwick last summer, that was an adventure in abysmal customer service), I can at least train my branch, since they're the ones who phone me. It also helps that I am screamingly bloody minded, to be fair.

I can't see it working on Halifax or such.
Edited Date: 2014-06-17 10:53 am (UTC)

(no subject)

Date: 2014-06-17 11:25 am (UTC)
From: [personal profile] marymac
The downside is that when you lose your purse, their one-and-only call centre's idea of helping is to shout at you for keeping your cashcard and debit card together and tell you they'll post you a new card in three days time*. Which...yeah, exactly as useful as you'd think.

I'm most made extremely angry by wilful stupidity. Which in turn causes stubbornness. Which has made at least one policeman cry.

*ETA: To be completely fair, someone at the same call centre did gently walk my sister's friend through her drunken anguish at losing her new phone to the point where she could cancel the card that had been lost at the same time ("And did you lose anything else, love? Like maybe your purse?"). Luck of the draw.
Edited Date: 2014-06-17 11:29 am (UTC)

(no subject)

Date: 2014-06-17 10:47 am (UTC)
From: [personal profile] ironed_orchid
Like you, I have first name plus initial, and get random emails. There have been a few cases where I've felt that not having the info in the email could screw up things for someone in an unpleasant way, and usually I write a polite email back to the sender asking them to delete my address and contact the person by phone.

Sometimes this works, other times I get more emails for them because the sender doesn't realise that on gmail [first name][dot][initial] is the same as [firstnameinitial].

(no subject)

Date: 2014-06-17 11:18 am (UTC)
From: [personal profile] ironed_orchid
Yeah, when I get signed up to lists I look for an unsubscribe link, and if I can't find it easily, happily mark it as spam.

Stuff like hospital appointments and did you want to rent the apartment furnished or unfurnished, I reply to sender.

(no subject)

Date: 2014-06-17 07:54 pm (UTC)
From: [personal profile] forthwritten
My email address is the A.N.Other format and I get a few emails clearly not intended for me too - when someone sent a travel ticket to me I did try to contact the company, but otherwise I just delete them. Nothing terrible when it comes to personal information has come my way, but I did get a few weird ones about arranged marriages offering to swap bioinfo...

(no subject)

Date: 2014-07-12 10:12 pm (UTC)
From: [personal profile] alitalf
The only time I remember the bank phoning me, the person who phoned was quite angry that I would not tell them anything without proof of who *they* were. Later I discovered it actually had been the bank.

Now, I wonder how much help I'd have had from the bank if my account had been emptied because I gave answers to a scammer..?
