A Plea for Email Verification
In October 2012, I decided to keep track of emails that were sent to me by mistake.
Like most people, I get large volumes of spam emails that offer inappropriate services, medications and (presumably) surgery. They range from the hilarious to the disturbing, but I rarely read them. The begging letters I also ignore, so if you ever lose your passport and wallet while traveling, it’s probably best not to email me. Sorry.
But spam is not my concern here. I’m more concerned about “honest mistakes”.
Here’s what happens: if your name is Jane Smith, it’s likely that someone else already has JSmith@gmail.com as an email address, and firstname.lastname@example.org… etc. If you have an easy-to-guess email address, you will receive email not intended for you. xkcd has a comic about it:
I have a relatively simple gmail address, the result of being early to the party. It’s cool, easy to remember and spell, easy to type. The first time I realized this could be a problem was in 2005, when someone sent me an e-card by mistake. I ignored it, no problem.
In 2007 I started receiving emails from someone in California who was going through a difficult divorce. He had “guessed” his ex-wife’s email… and chosen mine. He was angry because his ex was not replying to the emails he sent me, and there were difficulties with child custody. It reached a peak when he asked for my sons’ email addresses. I threatened to report him to AOL for sending spam, and he dropped it. Months later he emailed me (still confused about his wife’s email address) and said his account had been hacked. He seemed much calmer, and once he realized what had happened he apologized and the messages stopped. I was very glad the Pacific Ocean was between us. I hope he is doing better now.
I’ve been sent emails from parents organizing rides to soccer games, basketball coaching, and rosters for delivering food to grieving parishioners. I’ve been sent baby photos, holiday photos, and invitations to school fundraisers all over the US, messages to grandchildren and grandparents. I’ve been sent emails full of acronyms I don’t know that seem to be intended for military support groups. If it looks like an honest mistake, I reply and ask the person to check their email lists; they usually apologize and that’s the end of it.
A highlight was when the Buhler group sent me a detailed description of a biomass disposal system for chicken manure. They apologized.
In 2013, someone used my email address by mistake for submitting poetry to the African American Review. The website helpfully sent me her password as well. I let them know, and asked them to be more careful next time. Looking through my misdirected mail, I see I had received an email with some photos from her a year previously … though it could have been a different person.
Three times I received emails from H&R Block with account details that could have given me access to someone’s tax information — as reported by Ars Technica last month.
Over the past year, more transactions are on-line, so I’ve received details about car rentals and flights, including personally-identifying information. AT&T sent me shipping information (including the phone number, name, address and delivery date) for someone’s iPhone. I couldn’t unsubscribe from the emails, so I took to Twitter. The fastest way to resolve these issues is Twitter. Kelley Morris ordered an iPhone from AT&T — identical to the unlocked one I ordered after talking with AT&T. So I tried:
But this didn’t quite work, and a month later I received the shipping details.
Worked the second time, so looks like @ATTCares but sometimes don’t follow up.
Here’s another example, this time from GM — I had already tried emailing the car dealership where the car was purchased, and although they tried to help, the emails kept coming:
Once I emailed GM, the messages finally stopped.
The latest set of messages was more of a concern. Over the past week, someone used my email address to apply for entry-level jobs in retail and fast-food. PriceRite included a link to a form where “I” could complete my job application:
Helpfully, the forgot username or password link took me to a page where I could have the information emailed to me:
Obviously, I didn’t go any further. But since everything needed to steal your identity is contained in a typical job application form (name, date of birth, address, SSN), you really don’t want this information to go to the wrong email address.
PriceRite is not the only offender here. The same person (I know her name from a different job application) also applied to TacoBell and BJ’s Wholesale Club. BigY sent me her username as well:
I replied to all four companies, asking them to remove my email address from her job application:
Unfortunately that seems to have failed:
We’ll see what happens next.
What to do?
Here’s my collected set of best practices for email.
Never try to guess an email address based on a person’s name. If your grandchild didn’t give you her email address, maybe she didn’t want you to email her.
Never make up an email address, or assume you’ll be able to sign up for it later. All the obvious ones are taken. If you don’t have an email address and the form needs one, choose something with a non-existent domain, not gmail.com.
If you’re fortunate enough to have an easy-to-remember email address, use two-factor authentication (or, as Google calls it, 2-Step Verification). It reduces the risk of your email being taken over by someone who is convinced they should have your email address.
Use a password manager like 1Password. It makes it easier to use strong, unique passwords for every site, including your email.
For software companies releasing email clients
Display full email addresses, so people don’t just see the person’s name. I’ve been bitten by this using Microsoft Outlook, and sent email to a distribution list because the “To” address was “John Smith <email@example.com>”.
For companies sending email
You get one opportunity to send an email to an unknown email address — it’s the “email verification” message. If the person doesn’t click on the link to verify the email, it’s probably an incorrect email address. If you don’t want to be named and shamed on Twitter, don’t send another email to the address.
It’s not difficult. Here’s an example from a few years back:
Twitter describes the process for your customer:
It’s not enough to rely on adding fine print to say “if you received this email in error, please delete it”. There needs to be an obvious and easy way to tell you the email address is wrong. You are wasting my time. Someone else is probably wondering why you didn’t get back to them.
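The policy above, as an added example in Python (not code from any of the companies mentioned in this post): one verification message per address, signed “confirm” and “not me” links, and nothing else sent until the address is confirmed. The Mailer class, SECRET, TOKEN_TTL and the in-memory outbox are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: a per-deployment secret kept server-side
TOKEN_TTL = 24 * 3600             # assumption: the confirm link is valid for one day

class Mailer:
    """Gates all outbound mail on the recipient having confirmed the address."""
    def __init__(self):
        self.state = {}   # address -> "pending" | "verified" | "rejected"
        self.outbox = []  # (address, kind) pairs; stands in for a real SMTP relay

    def _token(self, addr, action, expires):
        msg = f"{addr}|{action}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def signup(self, addr, now=None):
        """Send the one verification message. A known address never gets a second."""
        addr = addr.strip().lower()  # simplification: treat addresses case-insensitively
        if addr in self.state:
            return None
        expires = int(time.time() if now is None else now) + TOKEN_TTL
        self.state[addr] = "pending"
        self.outbox.append((addr, "verification"))
        return {a: (expires, self._token(addr, a, expires))
                for a in ("confirm", "not-me")}

    def click(self, addr, action, expires, token, now=None):
        """Handle a click on one of the two links in the verification message."""
        addr = addr.strip().lower()
        now = int(time.time() if now is None else now)
        if not hmac.compare_digest(token, self._token(addr, action, expires)):
            return False  # forged or altered link
        if action == "not-me":
            self.state[addr] = "rejected"  # honoured even after the confirm link expires
            return True
        if now > expires or self.state.get(addr) != "pending":
            return False
        self.state[addr] = "verified"
        return True

    def send(self, addr, kind):
        """Account mail (receipts, password resets, usernames) goes to verified addresses only."""
        addr = addr.strip().lower()
        if self.state.get(addr) != "verified":
            return False
        self.outbox.append((addr, kind))
        return True
```
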
Unsolicited email is spam.
Looking forward to when my “misdirected” email folder is quiet again.
I’m not holding my breath.