What happens when someone uses your email address to sign up for PayPal


    Posted by Tia on 14 December 2020 at 12:41 am

    What happens when someone uses your email address to sign up for PayPal and more!

    Many companies have no mechanism to deal with a common problem: when users open accounts using someone else’s email address, either by accident or design. “I have had a barrage of account creation requests that will fail … also a large number of invoices, warranty emails and so on for purchases, from furniture to electronics,” my brother informed me.

    Email is perhaps the nearest thing to a universal identity system for the internet, but if it is such a thing, it is deeply flawed. The problem is not only that email addresses are easily spoofed – mitigated by mechanisms like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) – but also that there is no robust process by which organisations collect email details.

    Best practice is to treat any claim to an email address as suspect until the user has verified their ownership via a key sent to that address, but this is by no means universally followed, and it remains vulnerable to a confused recipient inadvertently clicking a confirming link.

    I know many of these problems first-hand. Gmail accounts are commonly abused in this way, and journalists were among the early adopters who got seemingly attractive email addresses like forename.surname@gmail.com, which seem prone to this misuse.

    Google has made it worse because it treats email addresses as identical irrespective of the presence or whereabouts of the dot, so foo.bar@gmail.com is identical to foobar@gmail.com or f.oobar@gmail.com, in that all are received by the same Gmail account.

    “Thank you for choosing Europcar,” says an email received a few days ago by one of our family members, for a booking in Rome that is unknown to her – complete with a special “manage your booking” link that could presumably cause mayhem if clicked. She also got a record of every transaction made by a credit card used by a customer of First National Bank Texas, appointment reminders for a dentist in Wisconsin, USA, alerts from Experian for a credit record for a mystery person in the USA, and account statements for a security company in Carolina.

    Catch 22: The PayPal version

    My brother has issues with internet banking giant PayPal, among others. It all started, he said, when “I received an email from a US company with a receipt for shipping of a phone.”

    This came to his Gmail address, though without the dot he habitually uses between first and second name. Since then he has received numerous emails which he thinks relate to the same person, including invoices and warranties.

    “There are login requests to Etsy and a few others where it appears he is trying to sell things to pay for his new purchases and recently an authentication confirmation request to a finance management company followed by a credit notice email with attached PDF (promptly deleted for privacy reasons),” he told me.

    “The most recent sign-up was to PayPal, so there are now 2 accounts linked to his email under 2 different aliases. PayPal’s phone number does not work, the auto chat is useless and when you ask to speak to a person you get an apology 6 days later that they did not get back to you,” he told us, though he does not think the person is actually able to log in to PayPal using this email address.

    He then encountered a special PayPal version of Catch 22: “The PayPal message centre gave him a number to ring. The number took him through the usual maze and then the automated message said they could not help over the phone and he had to use the message center.”

    One of the problems is that most such emails come from email addresses helpfully marked “do not reply.” How then do you contact the company to inform them of their error? “It is always the same,” he said. “I need to log in to contact support, which I refuse to do as I do not have rights to view his data … emails to support addresses are not responded to.”

    The simple solution is to delete all such emails without reading them, but there are troubling aspects to this approach. First, there is the good citizen aspect: one would think that (unless engaged in fraud attempts) all these bank accountholders or hirers of vehicles would prefer that their transaction details were not sent to an unknown third party.

    Second, there is the worry that something underhand may be going on and that it is the beginning of an attempt at identity theft; or that some unpleasantness around unpaid invoices might ensue. Resolving the error is to the benefit of all parties.

    My husband and I have, on occasion, had success with approaches to Twitter support accounts – which typically do not require a login before they will engage with you – or website chat agents; but it can be remarkably difficult to get the message through to the right person that no, you are not their customer, and could they please stop spamming you.

    In the meantime, the message to web developers is: send just one verification email to customers setting up accounts, preferably complete with an option for “no this is not me”; and if there is no response, delete the email address and never send another one.
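
The closing advice to developers, sketched as an added example that is not part of the original post or any company's code: one verification email per claimed address, a "not me" link, and deletion plus permanent suppression when nobody confirms. The class and function names, the 48-hour window, the keyed-hash suppression list and the folding of Gmail dot variants are assumptions of this sketch.

```python
import hashlib, hmac, secrets

SUPPRESSION_KEY = b"constructed-demo-key"  # assumption: a server-side secret
VERIFY_TTL = 48 * 3600                     # assumption: 48-hour confirmation window

def address_key(email):
    """Keyed hash of the mailbox, so suppression keeps no readable address."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain == "gmail.com":              # Gmail delivers every dot variant to one mailbox
        local = local.replace(".", "")
    return hmac.new(SUPPRESSION_KEY, f"{local}@{domain}".encode(), hashlib.sha256).hexdigest()

class SignupVerifier:
    def __init__(self):
        self.pending = {}        # address key -> unverified claim
        self.verified = set()    # address keys confirmed by the mailbox owner
        self.suppressed = set()  # address keys that must never be mailed again
        self.outbox = []         # stands in for the mail gateway

    def signup(self, email, now):
        key = address_key(email)
        if key in self.suppressed or key in self.pending or key in self.verified:
            return False         # send nothing: refused, already asked, or already owned
        rec = {"email": email, "expires": now + VERIFY_TTL,
               "confirm": secrets.token_urlsafe(32), "not_me": secrets.token_urlsafe(32)}
        self.pending[key] = rec
        self.outbox.append(rec)  # the one and only verification email
        return True

    def respond(self, token, now):
        self.purge(now)          # expired claims are gone before any token is honoured
        for key, rec in list(self.pending.items()):
            for field, target in (("confirm", self.verified), ("not_me", self.suppressed)):
                if hmac.compare_digest(token, rec[field]):
                    del self.pending[key]
                    target.add(key)
                    return field
        return "invalid"

    def purge(self, now):
        for key, rec in list(self.pending.items()):
            if now >= rec["expires"]:    # no response: drop the address, keep only its hash
                del self.pending[key]
                self.suppressed.add(key)

    def may_send(self, email):
        """Receipts, invoices and alerts go only to confirmed addresses."""
        return address_key(email) in self.verified
```

Gating every transactional message on `may_send` is what keeps a stranger's invoices out of an inbox whose owner never confirmed the account.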
