Unbelievable Mental Lapse


I receive a fair bit of misaddressed mail at my gmail.com addresses. Sometimes it is the result of a typo on the part of the sender. But with surprising frequency it is the result of a real person accidentally entering my email address into a web form instead of their own. I've seen shipping confirmations, subscriptions to mailing lists, responses to job applications, new account notices on sites like Facebook and Twitter, etc. How someone could enter the wrong email address into one of these forms is beyond me.

But nothing, nothing will ever top the mental lapses responsible for this email I just received:

Internal Revenue Service <refunds@irs.gov>
Date: Mon, Jan 26, 2009 at 9:46 AM
To: DClinton@gmail.com
Dear Dianne Clinton,

Your Stimulus Payment request has beed submited.

A Stimulus Payment can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

Stimulus Payment request issuer:

Name: Dianne Clinton
Address: [redacted]
City:  [redacted]
State: [redacted]
Postal Code:  [redacted]
Phone: [redacted]
Date of birth:  [redacted]/ [redacted]  (mmddyyyy)
Social Security Number:  [redacted]
Mother name:  [redacted]
Credit card Number:  [redacted]
Credit card expiration:  [redacted]/ [redacted]  (mm/yyyy)
CVV:  [redacted]

Note: For security reasons, we recorded your ip-address, the date and
time.
Deliberate wrong inputs are criminally pursued.
IP:  [redacted]
Date: Mon Jan 26, 2009 6:46 pm

Regards,
Internal Revenue Service


Yes, every single one of those [redacted] fields was filled out completely. Social security #, credit card #, mother's maiden name. The works. An identity thief could clear out her accounts and bankrupt her by morning.



Want to know the saddest part?

It was an identity thief. (The grammar and spelling errors were a bit of a dead giveaway. Besides, I can't imagine the real IRS would be so stupid as to send your private details back to you over plain-text email.)

A ten-second perusal of the address headers showed that, not surprisingly, this message did not originate from irs.gov.

Rather, the mail originated from this site (and needless to say, don't you go filling it out!):

http://www.ieaf.es/bbdd/apps/news/stimulus.refund/stimulus.php
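
The header check described above, sketched as an added example (not part of the original post or the real message): it compares the domain in the visible From line against the envelope sender, the relay recorded by the recipient's own mail server, and the SPF result. The sample headers and the hosts `webhost.example` and `recipient.example` are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the real message): the visible From claims irs.gov,
# but the envelope sender and the relaying host belong to another domain.
SAMPLE = """\
Return-Path: <www-data@webhost.example>
Received: from mail.webhost.example (mail.webhost.example [192.0.2.10])
    by mx.recipient.example with ESMTP; Mon, 26 Jan 2009 09:46:02 -0800
Authentication-Results: mx.recipient.example;
    spf=pass smtp.mailfrom=www-data@webhost.example
From: Internal Revenue Service <refunds@irs.gov>
To: someone@recipient.example
Subject: Stimulus Payment

(body omitted)
"""

def domain_of(value):
    """Lowercased domain of an address header value, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def same_org(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit_headers(raw):
    """Return a list of mismatches between the From domain and delivery data."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and not same_org(rp_dom, from_dom):
        findings.append(f"Return-Path {rp_dom} is not {from_dom}")
    # Only the topmost Received line was written by the recipient's own
    # server; lower ones come from the sender's side and can be forged.
    received = msg.get_all("Received", [])
    hop = re.match(r"from\s+(\S+)", received[0]) if received else None
    if hop and not same_org(hop.group(1).lower(), from_dom):
        findings.append(f"relayed by {hop.group(1)}, not a {from_dom} host")
    # An SPF pass only vouches for the envelope domain, not the From line.
    spf = re.search(r"smtp\.mailfrom=(\S+)", msg.get("Authentication-Results", ""))
    if spf:
        spf_dom = spf.group(1).strip(";").rpartition("@")[2].lower()
        if not same_org(spf_dom, from_dom):
            findings.append(f"SPF checked {spf_dom}, not {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)) or "headers consistent")
```
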


This woman was the victim of a phishing scam; she probably thought she was entering her very personal data into a legitimate United States government website, and she may never realize how wrong she was. She didn't notice the lack of https, or that the domain was ieaf.es, a known IRS phishing site under the Spanish .es top-level domain rather than .gov.

I will submit the site to the various phish-tracking websites and make the appropriate notifications at work. That said, I'm on the fence about trying to contact her directly. Morally it would be the right thing to do. However, in this litigious era, it might be exactly the wrong thing to do. Needless to say the email itself will be permanently deleted from my inbox.

This whole episode makes me very, very sad.