I’m not sure about you, but the user name for my email address is pretty run of the mill – a pseudo-advantage of claiming my “handle” early. Add to this the fact that my name is far from unique, and you can imagine that more frequently than not, some wayward emails will find their way into my inbox. And I’m not talking about Spam (which most reputable email services effectively control these days) but legitimate emails intended for a person who is not me, but shares the same surname, and initials of their first and middle names.
Over the past week, I have received several of these types of emails – one from a mail order wine company (I would have enjoyed receiving that package!), another from Office Depot and a third from Hewlett Packard – all for orders or actions taken by someone who has mistakenly used my email address to sign in to these online services. There is clearly a worrisome hacking component here – is my identity being compromised? Is someone charging things to my credit cards? However, it quickly occurs to me that what is happening is a case of mistaken emails – someone is inadvertently using my email address because for some reason they think it is their email address. We will put aside the fact that this person may not be the sharpest tool in the shed and did not pick up on the fact that no confirmation emails hit their Inbox or that they appear to have done this same mistake repeatedly across multiple accounts.
And it is not the only time this has happened – in the past, I’ve received emails about book clubs, school events, church events and other mildly entertaining topics. Whenever I receive these, my first and only thought is to connect with the person who shares my last name, to ask, beg, and implore them to update their email address in their account or with the friends. And I’ll get creative too – if there is a mobile number noted in the email, I’ll use my Google Voice phone number to text them and let them know I got their email by mistake. If it is clearly a personal email from an individual trying to reach the other person named “Clark”, I’ll respond with a quippy response and ask them to tell their friend to fix their email. All I want is to stop receiving email that is not mine. I don’t want to get any of this info – I don’t want to know about the bake sales, I don’t care about your orders from a Winery or Office Depot, and I dread the day I get an email with visuals that are, er, a little too revealing. :P
Of the emails I received this week, the one from Office Depot was the most concerning from a security and PII (Personally Identifiable Information) perspective. The email itself was highly informative, telling me all the items that this person had just ordered (which came to just under $500) but also revealing a lot of sensitive information that I could have used to socially engineer the account, including the intended recipient’s phone number, order number, customer number and a link to check the status of the order. Interesting, I thought.
Curious, I clicked through the “Check Order Status” link, which brought me to a page asking for the order number and the phone number, both of which I had for this account via the wayward email. After providing this info, I was taken to a page that proudly displayed the same order detailed in the email, but this page also included the person’s mailing address!! So now, with little to no effort, I had the phone number AND mailing address of this person. Wait, it gets better. There was a link on this page to “Re-Order” the initial order that was so nicely detailed on the page. So I went ahead and clicked through this link and was presented with a page itemizing a “Re-Order” of this $500 shipment. I could not have gotten too much further as I would have needed to be fully logged in to place the order, but for someone with ill intent, that could easily have been achieved.
You see, also on this page was a link to “Chat With Office Depot” customer service. Clicking through there, I was prompted for the customer number and email address in order to initiate a conversation with the Office Depot CSR. And whatta ya know, I had this information. A few seconds later, I’m chatting with the Office Depot CSR and I told them what the situation was – that I received this email in error, that I WAS NOT the account owner, and that they should check with the account owner to make sure they update their account email address. But I easily could have posed as the account owner in order to do things such as acquire or change a password (since my email address was mistakenly attached to the account) or check other sensitive information related to the account. The OD CSR couldn’t seem to wrap their heads around the situation that I WASN’T the account owner but was trying to fix this situation. After a few more minutes with the OD CSR, they realized the situation and in turn escalated it, and informed me that they would reach out to the account owner to update their information.
I did two things to reach out to the account owner – First, I texted the phone number via the Google Voice approach noted earlier (UPDATE: They finally responded via Google Voice Text saying they would update the info), and secondly, I printed out all of these emails and wrote a “snail mail” letter to this person (since I had their mailing address), telling them that they should really check their email credentials across all of their accounts to make sure that this sort of thing does not happen with anything more sensitive than an Office Depot account. So on the one hand, I feel good that I was able to get a hold of someone to inform them of this fairly significant error. Sure, I could have called the person directly but honestly, I didn’t want to do that…that is too freaky.
On the other hand, you have to be pretty worried that with a very simple error like an incorrect email address, I was able to find out so much information about this individual WITHOUT EVEN TRYING. Imagine what can happen when people who are intending to compromise your information try to get into your accounts! Take some time to really think through your approach to securing your accounts – no matter whether they are a bank, a credit card or an office supply store.
As a customer, the moral of the story is this:
- Check all your information to make sure it is correct when you log into a site
- Take the extra effort to use password services like LastPass or OnePassword to ensure you are using random, difficult passwords that are securely protected
- If a site or online service offers Two Factor Authentication, take advantage of it! It’s a little bit of a pain to get initially set up but after that, it is fairly transparent to you and it provides an extra level of security that goes a long long way towards preventing breaches
As a online product manager or marketer, the moral of the story is:
- Double and triple check the communication details of your customers to make sure their email address is correct.
- Make sure that the information you are revealing within an email communication does not provide an opportunity to breach an account.
- The email received from Office Depot should not have included anything more than the order number and a link to log in to get more details.
- The page that offered the ability to track the order should have been behind the log in or it should have prompted for a piece of information (like the account password) that was only known by the account holder before exposing any sensitive information.