[personal profile] liv
I was a fairly early adopter of Gmail, back in the days when Google was the non-evil alternative to Microsoft. As a result I was able to snag an email address which is just my (common) first name plus initials. A consequence of this is that people quite frequently sign up to web services and mailing lists with my email address.

The other day I received one such email, acknowledging receipt of $500, welcoming me to a business service, and listing "my" details, including full name, address (in New York State), phone number, SSN and partially obfuscated credit card number. I'm not sure why I even opened the mail, I could tell it wasn't really intended for me. At this point I felt a bit sorry for my namesake, who had spent $500 on a service she wasn't going to get, and I was a bit concerned about all her personal details being shared with a total stranger (you would think that a competent business would verify the email address before emailing details; at least they didn't send out her password in the clear). I was also a bit unhappy at the prospect of receiving all this person's emails forever.

There was no unsubscribe link, presumably because the person had already positively opted in to receiving the emails. I went to the URL the email originated from (typing it manually, not clicking any links in the email). I saw a website that looked legitimate in the sense that I guessed it was actually selling the thing it was claiming to be selling, not just trying to install malware on my computer. But it looked pretty slimy in the sense that what it was selling was essentially some kind of multi-level marketing scheme. I could not find any useful contact details for said slimy company; the only way to contact them was through their members-only area. I tried their Twitter account, and as expected got no reply. While this was going on I received a whole bunch more emails from the company, which made me the more determined to get myself off their books.

So I tried calling the number listed in the person's details in the email. I already have a calling plan such that calls to the US are free, so it was just a nuisance, not expensive, to do this. To my surprise, it was a home number, not a business number. The person who answered made no attempt to find out who I was or what my business was, just informed me that the person I was asking for was out, would be back in an hour and would I like her cell number? So I called again an hour later, having considered what I would say to make myself sound convincing. I personally would be very suspicious if I received a call from a stranger in a foreign country claiming there had been a security breach and the foreigner had access to my personal details. In the event the person believed me straight away without needing any convincing, and was effusively grateful that I'd let her know, and promised me to get things fixed straight away.

A little later I received an email from the company with a slightly panicked tone and rather poor SpaG begging me to please delete the email with the personal details. Of course by this point they'd already sold my email address on to various even scummier "business" services, so my hope that I was going to avoid getting unwanted mailshots was in vain. But at least I helped the person whose email address is one letter away from mine to get what she paid for.

I was very aware that I could have been falling for a scam here. I mean, I get any number of emails which claim to be misaddressed, but are actually just mass-emailed spam. It is hard to describe exactly what made me think this one was a genuine mistake; partly that it addressed the recipient by name and her name was plausibly close to mine so that I could see how she might think my email address was hers. I took a risk in going to the website of a company I'd never heard of in response to an email that shouldn't really have come to me, and I'm not sure that typing in the URL was a lot safer than just following links. I made a judgement call that the company in question was a slimy but vaguely legitimate business, not the front end of a scam operation, partly because the website looked professionally done, partly because it seemed to have a pretty deep structure, not just a few pages. The people who answered the phone seemed to be legitimate, not stooges for a putative email scammer, on the basis that they didn't appear to be trying to get anything out of me. But I could have been wrong about any of those things, and maybe it would have been safer to just filter everything from this particular company to spam and not worry about the random stranger's potential loss of $500. [personal profile] flippac came up with even more elaborate examples for how it might be a set-up for scam than I could think of.

Of course, this poor lady might have been better off if she had just written off the $500, rather than getting embroiled in a nasty-looking MLM scheme. I am a bit shocked that she paid so much money for something which to me looks so obviously dodgy. But then again, both she and whoever answered the phone (housemate? maid? daughter?) were totally naive and made no attempt at all to check, let alone verify, whether I was the helpful stranger I claimed to be. I seriously considered warning her away from the dodgy company, but concluded that probably the polite thing to do was to keep the conversation brief and to the point and not get into an argument with a total stranger about whether her financial decisions are sound. And you know, maybe this "business network" is actually a real thing and not just a thinly disguised pyramid scheme, I could be over-cynical as well as being too naive.

I did think, I've been on the internet 20 years now, and I've picked up quite a good body of knowledge about what is or isn't trustworthy. Plenty of people don't have that, of course. And I am not at all saying I could never be taken in; I see the obvious scams but I'm as liable as the next person to fall for a sophisticated one. There's an aphorism that you have to be greedy to be conned, and I'm not sure that's entirely true of me, I'm much more likely to be hooked by a sob-story than by Nigerian spam or anything else that promises me money. I think I partly felt sorry for this lady because we have similar names, so I felt a sense of connection. I was also reminded just how weak data protection laws and financial regulation are in the US compared to what I'm used to in Europe; I'm pretty certain you wouldn't be allowed to run that kind of MLM over here and a company could get into serious trouble for sending out identifying details to the wrong email address.

The other issue is that there are plenty of supposedly legitimate companies doing their very best to break my carefully honed instincts for how to be secure. They want me to share my email address book so that they can spam all my friends and get them to sign up to whatever service as well as me. They allow me to verify using publicly available information like my mother's maiden name, or let me use totally insecure details to recover a password without any real check on whether the account the password belongs to is actually mine. All these years I've been making sure I don't give out my real email address to people or organizations I don't trust, but Google want to change that paradigm so anyone who knows my name can email me. And that's not even touching on how they want to broadcast my full name to all and sundry, undoing all those years of careful teaching not to tell strangers your real name.

Banks, which ought to be the most secure, are just the worst. [personal profile] karen2205 has it absolutely right, they should not in any way be training people to give out lots of identifying and possibly secret information to strangers who phone them from numbers that can't be verified. They don't allow you to check contact details provided by a cold-caller before you get back to them. They've pretty much already broken any sense I might have had about how to avoid giving my credit card details to dodgy online businesses, because even the most respectable, legitimate businesses now redirect you to a new, unrecognizable URL in a frame when it comes to the payment part of the transaction. And most companies routinely save credit card numbers, sometimes including PINs and verification numbers, at least by default, you have to find the tiny print and uncheck the tiny box to prevent this.

So in that sense it's not surprising that people like my American namesake fall for scams. Because real businesses are increasingly employing scammer tactics, so how do you tell? I suppose the theory is that it's ok for them to trick you, through social engineering, through dodgy phone or FB apps, through making it impossible to use their service in any sort of secure way. Because they wouldn't do anything harmful once they have access to your real name and all your contact details and lots of your financial details. Even if that's true it provides very little protection when the database of a mostly legit company gets hacked, and besides, they're training everybody that the only way you can interact with commerce at all is to be completely naive.

I have no particular suggestions for how to fix this, but I'm annoyed.