Unbelievable Mental Lapse
January 26th, 2009 by DeWitt Clinton

I receive a fair bit of misaddressed mail at my gmail.com addresses. Sometimes it is the result of a typo on the part of the sender. But with surprising frequency it is the result of a real person accidentally entering my email address into a web form instead of their own. I’ve seen shipping confirmations, subscriptions to mailing lists, responses to job applications, new account notices on sites like Facebook and Twitter, etc. How someone could enter the wrong email address into one of these forms is beyond me.

But nothing, nothing will ever top the mental lapses responsible for this email I just received:

Internal Revenue Service <refunds@irs.gov>
Date: Mon, Jan 26, 2009 at 9:46 AM
To: DClinton@gmail.com
Dear Dianne Clinton,

Your Stimulus Payment request has beed submited.

A Stimulus Payment can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

Stimulus Payment request issuer:

Name: Dianne Clinton
Address: [redacted]
City:  [redacted]
State: [redacted]
Postal Code:  [redacted]
Phone: [redacted]
Date of birth:  [redacted]/ [redacted]  (mmddyyyy)
Social Security Number:  [redacted]
Mother name:  [redacted]
Credit card Number:  [redacted]
Credit card expiration:  [redacted]/ [redacted]  (mm/yyyy)
CVV:  [redacted]

Note: For security reasons, we recorded your ip-address, the date and
time.
Deliberate wrong inputs are criminally pursued.
IP:  [redacted]
Date: Mon Jan 26, 2009 6:46 pm

Regards,
Internal Revenue Service

Yes, every single one of those [redacted] fields was filled out completely. Social security #, credit card #, mother’s maiden name. The works. An identity thief could clear out her accounts and bankrupt her by morning.

Want to know the saddest part?

It was an identity thief. (The grammar and spelling errors were a bit of a dead giveaway. Besides, I can’t imagine the real IRS would be so stupid as to send your private details back to you over plain-text email.)

A ten-second perusal of the address headers showed that, not surprisingly, this message did not originate from irs.gov.

Rather, the mail originated from this site: (And needless to say, don’t you go filling it out!)

http://www.ieaf.es/bbdd/apps/news/stimulus.refund/stimulus.php

This woman was the victim of a phishing scam; she probably thought she was entering her very personal data into a legitimate United States government website, and she may never realize how wrong she was. She didn’t notice the lack of https, or that the domain was ieaf.es, a known IRS phishing site, hosted on a Spanish top-level domain.
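As an added illustration (not code from the original post), here is a Python script that performs the two checks described above programmatically: whether the first-hop host in the Received: headers falls under the From: domain, and whether links in the body use plain http or point outside that domain. The sample message is constructed; the relay hostnames and 192.0.2.x addresses are placeholders, while the From: address and the ieaf.es URL are the ones quoted in the post.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not the real mail); relay names and 192.0.2.x IPs are placeholders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.com with ESMTP; Mon, 26 Jan 2009 09:46:02 -0800
Received: from www.ieaf.es (www.ieaf.es [192.0.2.55])
    by mx.example.net with SMTP; Mon, 26 Jan 2009 18:46:00 +0100
From: Internal Revenue Service <refunds@irs.gov>
To: DClinton@gmail.com

Dear Dianne Clinton,
Check status: http://www.ieaf.es/bbdd/apps/news/stimulus.refund/stimulus.php
"""

def under_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def claimed_domain(msg):
    """Domain of the address the message claims to come from (From:)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def origin_host(msg):
    """First-hop host: relays prepend Received:, so the last listed is earliest."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = re.match(r"from\s+([^\s(;]+)", " ".join(hops[-1].split()), re.I)
    return m.group(1) if m else None

def suspicious_links(body, domain):
    """Links that use plain http or point outside the claimed domain."""
    out = []
    for url in re.findall(r"https?://\S+", body):
        host = re.match(r"https?://([^/:]+)", url).group(1)
        if url.startswith("http://") or not under_domain(host, domain):
            out.append(url)
    return out

def assess(raw):
    msg = email.message_from_string(raw)
    domain, origin = claimed_domain(msg), origin_host(msg)
    return {"claimed_domain": domain, "origin_host": origin,
            "origin_mismatch": bool(origin) and not under_domain(origin, domain),
            "suspicious_links": suspicious_links(msg.get_payload(), domain)}
```

Received: headers below those added by your own trusted relays can be forged, so treat the first-hop host as a lead for investigation rather than proof.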

I will submit the site to the various phish-tracking websites and make the appropriate notifications at work. That said, I’m on the fence about trying to contact her directly. Morally it would be the right thing to do. However, in this litigious era, it might be exactly the wrong thing to do. Needless to say the email itself will be permanently deleted from my inbox.

This whole episode makes me very, very sad.

8 Responses to “Unbelievable Mental Lapse”

  1. nahbois Says:

    If I were you I would notify her and send her info on phishing scams. I would also let her know that you reported, the scam to phishing sites, and that she may want to contact the police and her bank to make sure that her info is safe.

    That is scary.

  2. karl Says:

    How someone could enter the wrong email address into one of these forms is beyond me.

    The quick answer is gmail.

    The uniformity of an interface makes it prone to mistake by maximizing the likelihood of the mistake. If everyone has a different domain, lucia@example.org and lucis@example.net have more chances to be detected as mistakes by the server. But if everyone is using a single email service with millions of users, all the possible names are indeed likely. Then when someone makes a typo the mail indeed arrives somewhere instead of generating a “Sorry, No User Here”.

  3. Tom Says:

    I’m the unfortunate owner of me.at.work, a gMail address made for SpreadFirefox.com and Bugzilla.Mozilla.org long ago. I still use it, and recently, two people with different names (but the same physical address) signed up for Netflix AND Columbia House with my e-mail. I actually tried to track down the people involved, but the address is a long-dead Mailboxes Etc type place.

    I also get e-mail on my old isp (cableone) address, and after getting tired of seeing someone’s family pics I let them know that while my name was ‘thomas’ i was not ‘tammy’ or whomever they had my realname field set to (it wasn’t anywhere close).

    The thing is, you’re right, they could easily say “HEY, YOU HACKED MY E-MAIL AND STOLE MY INFO, IM GONNA SUE YOU” and just cause a whole lotta grief. I don’t have a good answer for you, but perhaps letting the FBI (tips.fbi.gov) and IRS know directly so THEY can contact her and let her know that she was phished. Much better than contacting her yourself.

  4. Replete Says:

    harsh! :S

    That’s awful. I hate phishing with a passion.

  5. Claire Giordano Says:

    DeWitt,

    We’re still far away, it seems, from having a basic understanding of the dangers of phishing. I sat in on a call once with an elderly woman who was surprised by an email she received from a company, and thankfully, called the company’s customer service department before doing anything about it. When she was told that she had received a “phishing” message, her response was something like:

    “Fishing? No, the mail had nothing to do with fishing. I don’t fish, nor does my husband.”

    I’m glad you shared it — perhaps it will spread around, and raise more people’s awareness of the perils of sharing your information with impersonators on the internet.

    Claire

  6. David Bradley Says:

    I’ve gotten two of these messages so far. My first reaction was that someone was trying to phish me, but there was no contact link or information whatsoever. I e-mailed the IRS, before I realized the sent-by was that ieaf.es domain. I’ve seen other boneheaded things from the government in the past, so was a little surprised in this day and age, but not too much.

    For instance my query to our state unemployment agency about their placement of the SSN on a post card got a reply “Don’t you trust your post office?”

  7. Blaine Cook Says:

    Just goes to show, phishing is a social problem. Technical solutions to social problems are often, erm, unsuccessful. Clearly what’s needed is more public education.

    Re: Claire, “Fishing” is an excellent angle into the problem – why don’t we call phishing what it is for everyone else – attempted fraud? When someone has been phished, they have been defrauded of their personal information. When that information is used, it’s theft. Plain and simple.

    So, how do we go about addressing the social issues and educating people? Phishing blacklists seem like a good start, since they’re fundamentally education, but what else can we do?

  8. Matt Says:

    I too get a fair bit of misdirected mail. The best has to be some very graphic images I received of the sender’s brand new, fresh off the operating table, boob job. She was quite embarrassed when I mailed back to compliment her on the doctor’s work :)