Many companies have no mechanism to deal with a common problem: when users open accounts using someone else's email address, either by accident or design. "I have had a barrage of account creation requests that will fail ... also a large number of invoices, warranty emails and so on for purchases, from furniture to electronics," a reader informed us.
Email is perhaps the nearest thing to a universal identity system for the internet, but if it is such a thing, it is much flawed. The problem is not only that email addresses are easily spoofed - mitigated by mechanisms like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) – but that they also lack any robust process by which organisations collect email details.
Best practice is to treat any claim to an email address as suspect until the user has verified their ownership via a key sent to that address, but this is by no means universally followed, as well as being vulnerable to a confused recipient inadvertently clicking a confirming link.
We know many of these problems first-hand. Gmail accounts that are commonly abused in this way, and journalists were among early adopters who got seemingly attractive email addresses like firstname.lastname@example.org, which seem prone to this misuse. Google has made it worse because it treats email addresses as identical irrespective of the presence or whereabouts of the dot, so email@example.com is identical to firstname.lastname@example.org or email@example.com, in that all are received by the same gmail account.
"Thank you for choosing Europcar," says an email received a few days ago by one of our team, for a booking in Rome that is unknown to the recipient – complete with a special "manage your booking" link that could presumably cause mayhem if clicked. They also got a record of every transaction made by a credit card used by a customer of First National Bank Texas, appointment reminders for a dentist in Wisconsin, USA, alerts from Experian for a credit record for a mystery person in the USA, and account statements for a security company in Carolina.
Catch 22: The PayPal version
Our reader has issues with internet banking giant PayPal, among others. It all started, he said, when "I received an email from a US company with a receipt for shipping of a phone."
This came to his Gmail address, though without the dot he habitually uses between first and second name. Since then he has received numerous emails which he thinks relate to the same person, including invoices and warranties.
"There are login requests to Etsty and a few others where it appears he is trying to sell things to pay for his new purchases and recently an authentication confirmation request to a finance management company followed by a credit notice email with attached pdf (promptly deleted for privacy reasons)," our reader told us.
An example email received from PayPal to an email recipient that has not knowingly opened an account. Points to note: this is not merely a verification email; it does seem to be really from PayPal according to the usual checks; and it cannot accept replies
"The most recent sign-up was to Paypal, so there are now 2 accounts linked to my email under 2 different aliases. Paypal's phone number does not work, the auto chat is useless and when you ask to speak to a person you get an apology 6 days later that they did not get back to you," he told us, though he does not think the person is actually able to log in to PayPal using this email address.
He then encountered a special PayPal version of Catch 22: "The Paypal message center gave me a number to ring. The number took me through the usual maze and then the automated message said they could not help over the phone and I had to use the message center."
One of the problems is that most such emails come from email addresses helpfully marked "do not reply." How then do you contact the company to inform them of their error? "It is always the same," he said. "I need to log in to contact support, which I refuse to do as I do not have rights to view his data … emails to support addresses are not responded to."
The simple solution is to delete all such emails without reading them, but there are troubling aspects to this approach. First, there is the good citizen aspect: one would think that (unless engaged in fraud attempts) all these bank accountholders or hirers of vehicles would prefer that their transaction details were not sent to an unknown third party.
Second, there is the worry that something underhand may be going on and that it is the beginning of an attempt at identity theft; or that some unpleasantness around unpaid invoices might ensue. Resolving the error is to the benefit of all parties.
We have, on occasion, had success with approaches to Twitter support accounts - which typically do not require a login before they will engage with you – or website chat agents; but it can be remarkably difficult to get the message through to the right person that no, you are not their customer, and could they please stop spamming you.
We asked PayPal for comment but while it has offered to investigate our reader's issue, the company has not come back with any general remarks on why this kind of thing is allowed to happen or what its non-customers should do when it does.
In the meantime, the message to web developers is: send just one verification email to customers setting up accounts, preferably complete with an option for "no this is not me"; and if there is no response, delete the email address and never send another one. ®