Someone tried to give me a PayPal account this morning. Someone in Germany, to be specific. I suspect they weren’t trying to give me their account, but made a mistake when setting it up.
That mistake is surprisingly common. Seeing as how the result would be my owning their PayPal account, I really don’t understand how they could make such a serious mistake. But as I said, it’s common.
It highlights something critical you need to know to keep your accounts safe.
Become a Patron of Ask Leo! and go ad-free!
Welcome to PayPal
Here’s the message I received:
That’s the German-language version of the “Welcome to PayPal” message that’s sent after you create a PayPal account. That it was in German, and the sending domain was “paypal.de”, led me to believe that the person attempting to create the account is in Germany.
Not only was it a welcome message, it was also an email-confirmation message. When I allowed Gmail to translate the message, that part was clear:
And yes, before you ask, I examined the email headers and verified that the message was legitimate and not a phishing attempt.
So, all I had to do was click.
Confirming the email address
If I click the confirmation link, I’ll be taken to the PayPal account, albeit in German.
I’ll probably be asked to log in, but I won’t know the password. That’s not a problem, though. I could just ask for a password reset using the email address on the account…
… my email address.
Once that arrived and I set a new password, the account would be in my control. If I wanted to, I could go in and change all the additional recovery information associated with the account to cement my ownership.
I wonder if it already has any money in it? Or if it’s linked to a bank account that does?
The error that caused all this is that the person attempted to open a PayPal account using the wrong email address — my email address instead of their own.
There are several ways this can happen.
The one that I can actually understand is a simple typo. If your email address is email@example.com and you accidentally type in firstname.lastname@example.org, that’s a completely different email address. It could be an unused address or it could belong to someone else. One thing’s for certain: it’s not your email address.
Another less common but equally understandable error is period confusion. On some email systems, email@example.com and firstname.lastname@example.org are two different email addresses. On other systems, they are treated exactly the same — periods are ignored. (It’s a feature… or so I’m told.)
As we’ll see in a moment, that might have played a role. However, there’s another mistake I see frequently that completely baffles me: email addresses that make no sense given the name. If your name is John Smith, it seems nonsensical to use that as your display name for an account whose email address is, say, email@example.com. I get why spammers do it (all the time), but I don’t get why “real” people do it.
And do it, they do.
My email address
One of my many email addresses is firstname.lastname@example.org. (Don’t bother sending email to it — direct email is ignored specifically because I don’t use it publicly at all. Use the contact form instead.)
The PayPal account was opened with a real name, which I’ve obscured above, and email@example.com as the email address.
There are at least two problems:
- Their real name had nothing to do with “ask leo”. Or “ask”. Or “leo”. In fact, ask.leo is about as far away from the person’s real name as it would be from “John Smith”. It makes absolutely no sense.
- firstname.lastname@example.org is exactly the same as email@example.com. It’s mine.
Unless this was a spammer going through a lot more work than I expect spammers to go through, I just don’t get it.
This isn’t about PayPal. This is about something much more important: using your email address.
The critically important lesson is simply this:
Always get your email address right!
That actually includes a number of things:
- Know what your email address is. Surprisingly, many do not, particularly in populations that are more mobile- than email-centric.
- Know you have access to it before using it. I suspect this might have been part of the scenario above: either using an email address with plans to create it next, or using it prior to confirming you can access it.
- Enter your email address correctly, every single time. This is why so many forms have you enter your email address twice: a lot of people don’t check. Don’t be those people: carefully enter your email address when you need to, and then carefully check that you got it right.
Above all: be careful!
If you get any of those items wrong, at best you won’t get whatever you are providing your email address for.
At worst, you’ll be giving that something — like a PayPal account — to someone else.
So, should I click?
When I posted this on Facebook, someone suggested that I confirm and then immediately close the account. My sense is that this opens a door to liability and risk I shouldn’t take. Worst case scenario, I suppose, is that it’s an intentional part of some elaborate scheme I don’t understand.
In my opinion, the only safe and ethical approach is to ignore the email completely. So that’s what I did. Once I realized the ramifications, I took the screenshots above and deleted the email. (As it’s legitimately from PayPal and the result of an apparent error, calling it “spam” would be inappropriate.)
The person trying to create this account will be unable to log in, or at least be unable to confirm the email address. Presumably they will eventually realize their error and deal with it.
But no, I’m not clicking it, and I’m certainly not going to take over their account.
Others, however, might not be so kind.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,