Random kindness
Jun. 16th, 2014 05:28 pm
I was a fairly early adopter of Gmail, back in the days when Google was the non-evil alternative to Microsoft. As a result I was able to snag an email address which is just my (common) first name plus initials. A consequence of this is that people quite frequently sign up to web services and mailing lists with my email address.
The other day I received one such email, acknowledging receipt of $500, welcoming me to a business service, and listing "my" details, including full name, address (in New York State), phone number, SSN and partially obfuscated credit card number. I'm not sure why I even opened the mail, I could tell it wasn't really intended for me. At this point I felt a bit sorry for my namesake, who had spent $500 on a service she wasn't going to get, and I was a bit concerned about all her personal details being shared with a total stranger (you would think that a competent business would verify the email address before emailing details; at least they didn't send out her password in the clear). I was also a bit unhappy at the prospect of receiving all this person's emails forever.
There was no unsubscribe link, presumably because the person had already positively opted in to receiving the emails. I went to the URL the email originated from (typing it manually, not clicking any links in the email). I saw a website that looked legitimate in the sense that I guessed it was actually selling the thing it was claiming to be selling, not just trying to install malware on my computer. But it looked pretty slimy in the sense that what it was selling was essentially some kind of multi-level marketing scheme. I could not find any useful contact details for said slimy company; the only way to contact them was through their members-only area. I tried their Twitter account, and as expected got no reply. While this was going on I received a whole bunch more emails from the company, which made me the more determined to get myself off their books.
So I tried calling the number listed in the person's details in the email. I already have a calling plan such that calls to the US are free, so it was just a nuisance, not expensive, to do this. To my surprise, it was a home number, not a business number. The person who answered made no attempt to find out who I was or what my business was, just informed me that the person I was asking for was out, would be back in an hour and would I like her cell number? So I called again an hour later, having considered what I would say to make myself sound convincing. I personally would be very suspicious if I received a call from a stranger in a foreign country claiming there had been a security breach and the foreigner had access to my personal details. In the event the person believed me straight away without needing any convincing, and was effusively grateful that I'd let her know, and promised me to get things fixed straight away.
A little later I received an email from the company with a slightly panicked tone and rather poor SpaG begging me to please delete the email with the personal details. Of course by this point they'd already sold my email address on to various even scummier "business" services, so my hope that I was going to avoid getting unwanted mailshots was in vain. But at least I helped the person whose email address is one letter away from mine to get what she paid for.
I was very aware that I could have been falling for a scam here. I mean, I get any number of emails which claim to be misaddressed, but are actually just mass-emailed spam. It is hard to describe exactly what made me think this one was a genuine mistake; partly that it addressed the recipient by name and her name was plausibly close to mine so that I could see how she might think my email address was hers. I took a risk in going to the website of a company I'd never heard of in response to an email that shouldn't really have come to me, and I'm not sure that typing in the URL was a lot safer than just following links. I made a judgement call that the company in question was a slimy but vaguely legitimate business, not the front end of a scam operation, partly because the website looked professionally done, partly because it seemed to have a pretty deep structure, not just a few pages. The people who answered the phone seemed to be legitimate, not stooges for a putative email scammer, on the basis that they didn't appear to be trying to get anything out of me. But I could have been wrong about any of those things, and maybe it would have been safer to just filter everything from this particular company to spam and not worry about the random stranger's potential loss of $500.
flippac came up with even more elaborate examples for how it might be a set-up for a scam than I could think of.
Of course, this poor lady might have been better off if she had just written off the $500, rather than getting embroiled in a nasty-looking MLM scheme. I am a bit shocked that she paid so much money for something which to me looks so obviously dodgy. But then again, both she and whoever answered the phone (housemate? maid? daughter?) were totally naive and made no attempt at all to check, let alone verify, whether I was the helpful stranger I claimed to be. I seriously considered warning her away from the dodgy company, but concluded that probably the polite thing to do was to keep the conversation brief and to the point and not get into an argument with a total stranger about whether her financial decisions are sound. And you know, maybe this "business network" is actually a real thing and not just a thinly disguised pyramid scheme, I could be over-cynical as well as being too naive.
I did think, I've been on the internet 20 years now, and I've picked up quite a good body of knowledge about what is or isn't trustworthy. Plenty of people don't have that, of course. And I am not at all saying I could never be taken in; I see the obvious scams but I'm as liable as the next person to fall for a sophisticated one. There's an aphorism that you have to be greedy to be conned, and I'm not sure that's entirely true of me, I'm much more likely to be hooked by a sob-story than by Nigerian spam or anything else that promises me money. I think I partly felt sorry for this lady because we have similar names, so I felt a sense of connection. I was also reminded just how weak data protection laws and financial regulation are in the US compared to what I'm used to in Europe; I'm pretty certain you wouldn't be allowed to run that kind of MLM over here and a company could get into serious trouble for sending out identifying details to the wrong email address.
The other issue is that there are plenty of supposedly legitimate companies doing their very best to break my carefully honed instincts for how to be secure. They want me to share my email address book so that they can spam all my friends and get them to sign up to whatever service as well as me. They allow me to verify using publicly available information like my mother's maiden name, or let me use totally insecure details to recover a password without any real check on whether the account the password belongs to is actually mine. All these years I've been making sure I don't give out my real email address to people or organizations I don't trust, but Google want to change that paradigm so anyone who knows my name can email me. And that's not even touching on how they want to broadcast my full name to all and sundry, undoing all those years of careful teaching not to tell strangers your real name.
Banks, which ought to be the most secure, are just the worst.
karen2205 has it absolutely right, they should not in any way be training people to give out lots of identifying and possibly secret information to strangers who phone them from numbers that can't be verified. They don't allow you to check contact details provided by a cold-caller before you get back to them. They've pretty much already broken any sense I might have had about how to avoid giving my credit card details to dodgy online businesses, because even the most respectable, legitimate businesses now redirect you to a new, unrecognizable URL in a frame when it comes to the payment part of the transaction. And most companies routinely save credit card numbers, sometimes including PINs and verification numbers, at least by default, you have to find the tiny print and uncheck the tiny box to prevent this.
So in that sense it's not surprising that people like my American namesake fall for scams. Because real businesses are increasingly employing scammer tactics, so how do you tell? I suppose the theory is that it's ok for them to trick you, through social engineering, through dodgy phone or FB apps, through making it impossible to use their service in any sort of secure way. Because they wouldn't do anything harmful once they have access to your real name and all your contact details and lots of your financial details. Even if that's true it provides very little protection when the database of a mostly legit company gets hacked, and besides, they're training everybody that the only way you can interact with commerce at all is to be completely naive.
I have no particular suggestions for how to fix this, but I'm annoyed.
(no subject)
Date: 2014-06-16 05:22 pm (UTC)
(Given the way my health care coverage works, writing a check would be significantly more complicated. But that's beyond the scope of this margin.)
(no subject)
Date: 2014-06-17 09:39 am (UTC)
(no subject)
Date: 2014-06-17 02:46 pm (UTC)
(no subject)
Date: 2014-06-17 05:09 am (UTC)
I like this recent post about all the reasons we get fooled, particularly this bit: "Remember, you can be sensible 23 hours and 55 minutes a day, but a criminal only needs five bad minutes–One Slip–to raid your bank account."
(no subject)
Date: 2014-06-17 09:58 am (UTC)
Maybe I should've used my full name in my Gmail address; my first name is common but my surname is rare. However I kind of wanted to have the ability to email random people I only expect to interact with once without giving them my full name. Google are very very keen on telling the whole internet my full, fairly uniquely identifying name, though, so it's probably a lost cause.
The getting fooled post is interesting, but I think he kind of goes back on himself about blaming the victim. I think I'm much more likely to fall for "help this person in trouble" scams than I am for "get rich quick" scams, and I don't think that's because I'm especially virtuous. Making Light had some good posts a while back with classifications of scam families and there are definitely definitely some that prey on people's good nature rather than their greed.
(no subject)
Date: 2014-06-17 10:19 am (UTC)
(no subject)
Date: 2014-06-17 10:45 am (UTC)
(no subject)
Date: 2014-06-17 10:28 am (UTC)
But, businesses in general: You rang me! The onus for verification is on you!
(no subject)
Date: 2014-06-17 10:42 am (UTC)
(no subject)
Date: 2014-06-17 10:52 am (UTC)
I can't see it working on Halifax or such.
(no subject)
Date: 2014-06-17 11:17 am (UTC)
(no subject)
Date: 2014-06-17 11:25 am (UTC)
I'm most made extremely angry by wilful stupidity. Which in turn causes stubbornness. Which has made at least one policeman cry.
*ETA: To be completely fair, someone at the same call centre did gently walk my sister's friend through her drunken anguish at losing her new phone to the point where she could cancel the card that had been lost at the same time ("And did you lose anything else, love? Like maybe your purse?"). Luck of the draw.
(no subject)
Date: 2014-06-17 10:47 am (UTC)
Sometimes this works, other times I get more emails for them because the sender doesn't realise that on gmail [first name][dot][initial] is the same as [firstnameinitial].
(no subject)
Date: 2014-06-17 11:16 am (UTC)
The problem is that the actual person who gave my address instead of their own may well be innocent. But if they signed up to a company that's dodgy or bad at privacy, or forgot to uncheck the box saying "yes, please do send me lots of marketing forever", my email address has already been sold on by the time I get to do anything about it. And responding to the misaddressed email only provides evidence that my email address is real and checked by a human :-(
(no subject)
Date: 2014-06-17 11:18 am (UTC)
Stuff like hospital appointments and did you want to rent the apartment furnished or unfurnished, I reply to sender.
(no subject)
Date: 2014-06-17 07:54 pm (UTC)
(no subject)
Date: 2014-07-12 10:12 pm (UTC)
Now, I wonder how much help I'd have had from the bank if my account had been emptied because I gave answers to a scammer..?