How to (Accidentally) Give Someone Else Your PayPal Account

Someone tried to give me a PayPal account this morning. Someone in Germany, to be specific. I suspect they weren’t trying to give me their account, but made a mistake when setting it up.

That mistake is surprisingly common. Seeing as how the result would be my owning their PayPal account, I really don’t understand how they could make such a serious mistake. But as I said, it’s common.

It highlights something critical you need to know to keep your accounts safe.

Become a Patron of Ask Leo! and go ad-free!

Welcome to PayPal

Here’s the message I received:

Welcome to Paypal (in German)

That’s the German-language version of the “Welcome to PayPal” message that’s sent after you create a PayPal account. That it was in German, and the sending domain was “paypal.de”, led me to believe that the person attempting to create the account is in Germany.

Not only was it a welcome message, it was also an email-confirmation message. When I allowed Gmail to translate the message, that part was clear:

Confirmation translated to English

And yes, before you ask, I examined the email headers and verified that the message was legitimate and not a phishing attempt.

So, all I had to do was click.

Should I?

Confirming the email address

If I click the confirmation link, I’ll be taken to the PayPal account, albeit in German.

I’ll probably be asked to log in, but I won’t know the password. That’s not a problem, though. I could just ask for a password reset using the email address on the account…

… my email address.

Once that arrived and I set a new password, the account would be in my control. If I wanted to, I could go in and change all the additional recovery information associated with the account to cement my ownership.

I wonder if it already has any money in it? Or if it’s linked to a bank account that does?

The mistake

The error that caused all this is that the person attempted to open a PayPal account using the wrong email address — my email address instead of their own.

There are several ways this can happen.

The one that I can actually understand is a simple typo. If your email address is johnsmith@randomisp.com and you accidentally type in johnsmoth@randomisp.com1, that’s a completely different email address. It could be an unused address or it could belong to someone else. One thing’s for certain: it’s not your email address.

Another less common but equally understandable error is period confusion. On some email systems, johnsmith@randomisp.com and john.smith@randomisp.com are two different email addresses. On other systems, they are treated exactly the same — periods are ignored. (It’s a feature… or so I’m told.)

As we’ll see in a moment, that might have played a role. However, there’s another mistake I see frequently that completely baffles me: email addresses that make no sense given the name. If your name is John Smith, it seems nonsensical to use that as your display name for an account whose email address is, say, maryjones@randomisp.com. I get why spammers do it (all the time), but I don’t get why “real” people do it.

And do it, they do.

My email address

One of my many email addresses is askleo@gmail.com. (Don’t bother sending email to it — direct email is ignored specifically because I don’t use it publicly at all. Use the contact form instead.)

The PayPal account was opened with a real name, which I’ve obscured above, and ask.leo@gmail.com as the email address.

There are at least two problems:

  • Their real name had nothing to do with “ask leo”. Or “ask”. Or “leo”. In fact, ask.leo is about as far away from the person’s real name as it would be from “John Smith”. It makes absolutely no sense.
  • ask.leo@gmail.com is exactly the same as askleo@gmail.com. It’s mine.

Unless this was a spammer going through a lot more work than I expect spammers to go through, I just don’t get it.

The lesson

This isn’t about PayPal. This is about something much more important: using your email address.

The critically important lesson is simply this:

Always get your email address right!

That actually includes a number of things:

  • Know what your email address is. Surprisingly, many do not, particularly in populations that are more mobile- than email-centric.
  • Know you have access to it before using it. I suspect this might have been part of the scenario above: either using an email address with plans to create it next, or using it prior to confirming you can access it.
  • Enter your email address correctly, every single time. This is why so many forms have you enter your email address twice: a lot of people don’t check. Don’t be those people: carefully enter your email address when you need to, and then carefully check that you got it right.

Above all: be careful!

If you get any of those items wrong, at best you won’t get whatever you are providing your email address for.

At worst, you’ll be giving that something — like a PayPal account — to someone else.

So, should I click?

When I posted this on Facebook, someone suggested that I confirm and then immediately close the account. My sense is that this opens a door to liability and risk I shouldn’t take. Worst case scenario, I suppose, is that it’s an intentional part of some elaborate scheme I don’t understand.

In my opinion, the only safe and ethical approach is to ignore the email completely. So that’s what I did. Once I realized the ramifications, I took the screenshots above and deleted the email. (As it’s legitimately from PayPal and the result of an apparent error, calling it “spam” would be inappropriate.)

The person trying to create this account will be unable to log in, or at least be unable to confirm the email address. Presumably they will eventually realize their error and deal with it.

But no, I’m not clicking it, and I’m certainly not going to take over their account.

Others, however, might not be so kind.

Podcast audio

Play

Video Narration

Footnotes & references

1: As I quite literally did while typing the intended “johnsmith” the first time.

25 comments on “How to (Accidentally) Give Someone Else Your PayPal Account”

  1. I’ve had this happen twice in the last few months. Like you I merely deleted the email in the hope that the true owner would detect the problem and take corrective action. Now hearing that it’s not just me I begin to think there is something here that is more than a mistake.

    Just a thought.

    Your opinion that it may be malicious may have merit.

  2. Happened to me at least 4 times. Two persons from France and two other from Canada used my GMail address when signing up for some cervices. They also gave my address to friends, students and colleagues.
    I politely answered those messages telling them that they got the wrong address and contact their friend though some other mean to get his actual address.
    The problem are those payment notifications e-mails from French mobile cervices that don’t offer any way to tell them about the error.

  3. Several years ago, someone used my email address to file their taxes using one of Intuit’s tax programs. I contacted Intuit, but no one did anything about it until the next year, when it happened again. It obviously wasn’t mine, since it was filed in a different country from the one I live in. So it does happen. I had a lawyer email me confidential information which she was trying to send to her personal account. Her account was {removed}@gmail.com and mine was {removed}@outlook.com. She was REALLY embarrassed when it happened a SECOND time several months later. So that would be another thing to watch–don’t get your domains mixed up!

    • That’s what happens to me. I have gabe101 at one of the bigger services and I routinely get confirmation emails from gaming sites. It’s just kids trying to sign up for these sites to play games and they’re using their dad’s email address but putting in the wrong domain.

  4. For entering my e-mail address I make myself copy it from e-mail app or file and paste it in. Then I get it right, and I know it’s right. If the confirmation e-mail is delayed there’s no wondering if I typed the e-mail address correctly.

  5. The person’s browser may have pre-filled the email address in the form field or offered a dropdown of previously-used addresses from which the wrong one was selected.

    Will

  6. Two thoughts come to mind on why this might have happened:

    1. The askleo email may have been stored on the clipboard for some reason (or auto-filled due to a previous email sent to that address) – perhaps this person tried to send you an email asking for help with paypal.

    2. This is a long con. Perhaps if you ventured down the rabbit hole you would eventually be asked for secondary account information (your own) to access the primary account funds (the german’s). The hope may be that the victim isn’t smart enough to change recovery options and the scammer retakes the account after a period of time to claim his bounty.

    Can’t help but assume something nefarious.

    • 1. Leo said that’s a no reply email address that he doesn’t give out or respond to.
      2. Something like that was my guess.

  7. Regarding entering my email address correctly, every time: I have my email address in a keyboard shortcut (I use AutoHotKey) which not only saves me typing, it also assures that I will not make a typo with it.

    • I like that idea. I’ve never had a problem getting my email address wrong because I stop and check all of my entries before sending but for many people this could save a lot of grief. I use LastPass for fills for this. It fills in everything including credit card information which saves a lot of time and errors. I even have a fake profile set up to fill in my throwaway email address for signing up for things.

  8. Related Question? In an email should I right-click to “download pictures” — e.g. from Ask Leo or from a marketing email. What happens when I do that?

  9. Wow. Something else to worry about.

    I already knew that I should be careful entering my email address. But what I learned from you today was to just ignore something like this. My tendency would be to contact Paypal to try to solve everyone’s problems, and the likely result would be – at best – wasting a lot of time and aggravation.

  10. Did it ever occur to you that they really, REALLY trust you, Leo? Like Lenard Nimoy to the generation before us, you’re our guru! XD

    Anyway, I get 2 or 3 of these mistakes per month. I have gabe101 at a dominant free email service and it’s routinely just kids trying to signup for gaming sites (probably got daddy’s email wrong). From time-to-time though I get a doozy like you just got. The best was an Amazon account! They put my email address as the secondary resource on the account. I have to admit, I was too curious so I clicked to confirm and then logged into the account. I was able to see their purchase history and several of their payment options (this is why websites only show the last 4 digits of your CC). I used the name of the primary email account and found her on facebook. She was the 15 year old daughter of a guy named Gabe. By this time I was feeling a little dirty by prying around into someone’s life and reported the mistake to Amazon. The next day the account was no longer accessible to me (yes, I couldn’t resist and checked to see if it was taken care of and it was).

    • Cannot understand how that Gaby’s daughter could make any purchase with wrong email. Obviously, she did not get confirmations in her email for her purchases.. She should have noticed something is wrong. Also, you – the real Gaby – did not receive confirmations from that account before, which is puzzling. In other words, this does not seem like an innocent mistake. What can we do? When I get wrong regular mail addressed to someone else, I write “wrong address” on envelope and leave it by the mail box. I realize this may not work with email because you do not want spammer to know that the mail they used is a valid email.

      • She would eventually realize that something is wrong but she would possibly have no idea as to why. As for the Gabe who wrote the comment, he only received one confirmation email because the girl only signed up to add that email address once. This one doesn’t have a strong indication of being spam.

  11. Best thing to do is never to type one’s email address. Just like for passwords. Use a password manager instead, and paste it. Or auto-type it.

    For high-security accounts, consider using a non-guessable address. Such as : name.surname.[random string of characters]@domain.com. Use your password manager’s password generator for the random bit. Not suitable for accounts where you might be asked for your email over the phone, of course…

    Oh, and thank you for the information regarding john.smith@{domain} being the same as (or different from) johnsmith@{domain}. That sort of information is surprisingly difficult to find.

    • A password manager is great for that. As for email addresses being the same address with or without the dots, that’s only true with some providers like Gmail and some others. But if you signed up for an account using that email address with the dot, it wouldn’t recognize that same email address without the dot. You’d have to log in with exactly the same form of the email address you used when you signed up for the account.

    • Remember, though, that john.smith being the same as johnsmith (or as I like to think of it: ask.leo == askleo) is not consistent among all email providers. Some treat them the same, some treat them differently. Best to avoid the period altogether when creating an email address.

Leave a reply: