What (little) you can do about it.
For the record, those happen to me constantly.
I have theories about why it happens to most folks, and I have additional theories about why my situation might be . . . special.
I’ll share what I do so you can do the same.
Become a Patron of Ask Leo! and go ad-free!
Unexpected recovery requests
People sometimes enter your email address as their recovery or account address — usually by mistake. Sometimes it can be laziness or an attempt to annoy. There’s little that can be done about it, and fortunately, there’s no adverse impact on you. Ignore any messages related to it, or, if there’s an option to indicate that it’s not you, use that.
Reason #1: typos
I’m pretty convinced that the single biggest reason you and I get these account recovery emails for accounts that aren’t ours is that the actual account holder entered our email address as the recovery email by mistake. For example, if someone is attempting to enter “john@example.com”, but types “johan@example.com” by mistake, then if you’re Johan, you’ll be on the hook for those recovery emails.
I’m honestly shocked at how often people type their own email addresses incorrectly. If you’ve ever seen those forms where you have to type it in twice, this is why.
Any typo someone makes resulting in your email address being entered instead of what they intended will cause this.
I think it happens often.
Reason #2: avoidance
I theorize this scenario happens when a young person is creating an online account requiring an email address. They don’t have an email address, don’t want an email address, or don’t want to take the time to create an email address, so they enter one at random just to satisfy the sign-up process.
If the one they enter at random happens to be yours, you’ll get whatever notices are sent to it. Of course, when the person who created the account tries to recover it, you get the notices.
I think this happens most often to those who have “simple” email addresses — like firstname@popularservice.com.
Reason #3: mischief
This is where I’m “special”. Because I have a few publicly posted email addresses, I find that individuals like to try to sign me up for stuff1 or set me up as their recovery address.
Interestingly, I’ve also seen individuals — again, most likely kids — try to sign up for some online service using one of my email addresses. I’m not sure what they expect. I do know that when they lose their password and try to recover their account, it’s not going to work because I won’t act on the confirmation emails sent to my address.
What to do about it
There are two approaches to dealing with it all.
The first is simply to ignore it all. Literally — just delete the email messages relating to the misuse of your address and get on with your life. Mark them as spam, if you like. (I tend not to, unless they get repeatedly annoying, or are from sources I honestly consider to be spammers. DON’T mark as spam any notices from services you actually use, however, to ensure you get legitimate emails you might need in the future.)
If the actual account holder has difficulty regaining access to their account, that’s on them for not properly specifying an email address in their control when they set up the account.
No harm will come to you for simply ignoring email messages you’re not responsible for.
Occasionally, the email message requesting your action will include a link along the lines of “Not your account?” or similar. Clicking on that link will disassociate your email address from whatever account it was mistakenly associated with. Hopefully, it’ll also tell the account holder of their mistake.
There’s no prevention
There’s absolutely nothing preventing someone from entering your email address or mine into a form for account recovery, newsletter subscriptions, product orders or anything else. There’s no liability on our part; it’s just an annoyance when it happens.
This is why most services and email subscriptions have you confirm your email address before they accept it as valid. Ignore those you didn’t ask for, and you shouldn’t be bothered again.
Unfortunately, not all services take this extra confirmation step. Nonetheless, there’s nothing you can really do about it other than ignore, delete, or spam the messages that result.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Footnotes & References
1: You can imagine the “stuff”.
This was happening to me and I did ignore it at first until it started becoming annoying. It was a video game maker and I’m not a gamer. One day I attempted to log in to the maker’s website but clicked that I forgot my password and they emailed me a link to create a new password. I then logged in and saw that the account was linked to the guy’s progress in the game, but he hadn’t played in over a year. I deleted all the data out of the account and then requested they delete the account. A month later I tried to log in and they said the account no longer existed. Problem solved.
Could a malicious actor send out “recovery spam” where the “not me” link downloads malware? Personally, I would never click any link in any errant recovery email.
They could indeed, and they do all the time. That’s why it’s critical to be certain it’s legit before clicking. When in doubt: don’t.
I get several of the kind of the «I’m lazy» kind on my Gmail account that I own since Gmail account creation was «on invitation only».
ALL of them seems to be by peoples who neglect to add the digits at the end of their account name.
Some are from France, other from all over Canada.
I recently fell victim to Bitcoin trading scams with 3 different companies and one company I was trying to get a loan from. It is about $9000 in total that I have invested with these companies. I reported the issue to the authorities, but they could not do anything about it since scam reports are often ignored. One of the officers who seemed to be really moved by my situation gave me an email (cyberpunk@programmer.net) and told me that someone who had previously fell in a crypto scam managed to get their investments through the help of the contact. I emailed them immediately and provided all the contact numbers, email addresses and websites that they use and also all the emails with the BTC Transaction details. After what seemed like the longest three days of my life, I had the location details of all three scammers and my money in full. I thought I should share for anyone else in need.