But nothing, nothing will ever top the mental lapses responsible for this email I just received:
Internal Revenue Service <firstname.lastname@example.org>
Date: Mon, Jan 26, 2009 at 9:46 AM
To: DClinton@gmail.com

Dear Dianne Clinton,

Your Stimulus Payment request has beed submited. A Stimulus Payment can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

Stimulus Payment request issuer:
Name: Dianne Clinton
Address: [redacted]
City: [redacted]
State: [redacted]
Postal Code: [redacted]
Phone: [redacted]
Date of birth: [redacted]/ [redacted] (mmddyyyy)
Social Security Number: [redacted]
Mother name: [redacted]
Credit card Number: [redacted]
Credit card expiration: [redacted]/ [redacted] (mm/yyyy)
CVV: [redacted]

Note: For security reasons, we recorded your ip-address, the date and time. Deliberate wrong inputs are criminally pursued.
IP: [redacted]
Date: Mon Jan 26, 2009 6:46 pm

Regards,
Internal Revenue Service
Yes, every single one of those [redacted] fields was filled out completely. Social security #, credit card #, mother's maiden name. The works. An identity thief could clear out her accounts and bankrupt her by morning.
Want to know the saddest part?
It was an identity thief. (The grammar and spelling errors were a bit of a dead giveaway. Besides, I can't imagine the real IRS would be so stupid as to send your private details back to you over plain-text email.)
A ten-second perusal of the address headers showed that, not surprisingly, this message did not originate from irs.gov.
Rather, the mail originated from this site: (And needless to say, don't you go filling it out!)
This woman was the victim of a phishing scam; she probably thought she was entering her very personal data into a legitimate United States government website, and she may never realize how wrong she was. She didn't notice the lack of https, or that the domain was ieaf.es, a known IRS phishing site, hosted on a Spanish top-level domain.
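The two red flags named above (the sender not being under irs.gov, and the link being plain http on a domain that is not irs.gov) are exactly the checks a mail gateway or a careful reader can automate. The following is an added example, not code from the original post: it parses a constructed message modelled on the one quoted above (the addresses, subject and link path are made up; only the two domain names irs.gov and ieaf.es come from the post) and reports which claims in it fail a simple "is this host actually under the organization it claims to be?" test.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (assumption: a phish of the kind quoted in the
# post). The From address, recipient and link path are invented; the two
# domains irs.gov and ieaf.es are the ones the post names.
SAMPLE_EMAIL = """\
From: Internal Revenue Service <refunds@example.org>
To: victim@example.com
Subject: Your Stimulus Payment request
Date: Mon, 26 Jan 2009 09:46:00 -0500

Your Stimulus Payment request has beed submited.
Review your request at http://ieaf.es/irs/stimulus.php
"""

# The organization the mail claims to come from.
EXPECTED_DOMAIN = "irs.gov"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_under(host, expected_domain):
    """True only if host is expected_domain itself or a subdomain of it.
    A suffix check with the leading dot rejects look-alikes such as
    irs.gov.example.net, which merely *contain* the expected name."""
    host = host.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def sender_domain(raw_message):
    """Domain part of the RFC 5322 From header, lower-cased."""
    msg = message_from_string(raw_message, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower()


def url_red_flags(url, expected_domain):
    """List of human-readable reasons a link is suspicious (empty if none)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("no https")
    if not is_under(host, expected_domain):
        flags.append("host %s is not under %s" % (host, expected_domain))
    return flags


def triage(raw_message, expected_domain):
    """Summarize the mismatches between what a message claims and what its
    headers and links actually point at."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "sender_domain": sender_domain(raw_message),
        "sender_mismatch": not is_under(sender_domain(raw_message), expected_domain),
        "url_flags": {u: url_red_flags(u, expected_domain) for u in URL_RE.findall(text)},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, EXPECTED_DOMAIN).items():
        print(key, "=", value)
```

The suffix check in `is_under` is the part worth copying: a naive `expected_domain in host` test would wave through a host like irs.gov.example.net, whereas requiring the match to sit at the end of the hostname, preceded by a dot, does not.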
I will submit the site to the various phish-tracking websites and make the appropriate notifications at work. That said, I'm on the fence about trying to contact her directly. Morally it would be the right thing to do. However, in this litigious era, it might be exactly the wrong thing to do. Needless to say, the email itself will be permanently deleted from my inbox.
This whole episode makes me very, very sad.