A friend of mine has a relatively common first name and last name, and she regularly gets mail that is clearly not meant for her. She started a Facebook group for homonyms to help her route mail, and it now have a hundred members and have helped people get important documents.
At some point, they even organized an impersonation because someone needed to retrieve an official document and couldn’t be there in person. Another member nearby offered to go and get it. “Won’t you need my ID for that? — Oh, I have one with just the right name…”
My name isn’t super known, but it happened to be the same as that of a very big fish in the financial institution I worked for.
Thankfully these people were working mostly through physical meetings and calls, so no sensitive info was leaked, but I did get calendar invites to discuss the future of entire countries as an engineering intern.
I used the name a couple times to set up our internal meetings in the fancier upper floors, so we could have whiteboard discussions over a fancy hardwoods table. No one questioned the name appearing in the entrance display as the current user.
Not identical, but I once shared most of the first name as well as my last name with a VP of research at the company I worked for, and we were in the same technical field. My (much less impressive) publication record got confused with his frequently and I always wondered if it gave me a career boost.
>> My name isn’t super known, but it happened to be the same as that of a very big fish in the financial institution I worked for.
Same thing happened to me. My name in outlook was the right under a high up VP. Outlook auto correct would bring my name up at the top of the list so people would just hit enter and write their email.
Same thing, I was getting some emails I clearly should not have been viewing, with budgetary spreadsheets and names of people who were being considered for layoffs.
One of them I sent back to the VP and diplomatically explained the mixup. I didn't get any emails for a few months and wondered how they fixed the situation. I guess they gave the VP and underscore in his name instead of the normal firstname.lastname@company.com so now when I typed in my name, his came up first.
My deadname was not only owned by some other people in my industry, it was also used by someone else born in the same hospital, same ward on the same day, on the same morning as me. That was endlessly irritating.
Glad to see that after five years post abandoning it my contribution to the name is basically gone from the internet now.
>>it was also used by someone else born in the same hospital, same ward on the same day, on the same morning as me. That was endlessly irritating
How so? Other than a funny coincidence, how would that ever come up anywhere in anything unless you both lived in a tiny community where everyone knows each other. I just don't understand how someone born on the same day as you having the same name was "irritating".
An ex-gf of mine’s dad had the same name and birthday as a convict. Caused him plenty of trouble when crossing the border apparently.
Hopefully that’s not the case for GP
Used to work as a manager at a pizza place and we had a guy apply to deliver who had the same name as... their son.
Allegedly Jr. had a lengthy record including some drug offenses and something like a DUI / DWI. Naturally Sr. And Jr's records got crossed since they have the same First, Last, and Address, which caused Sr. many headaches including that we required a driving record check that would fail on a DUI / DWI.
>I just don't understand how someone born on the same day as you having the same name was "irritating".
Because, lacking a national identity number, the natural way to distinguish to people in a system when the name wouldn’t do is going to be age/birthdate or location.
Try it sometime... My name is somewhat common, but not even close to "John Smith" common... but even at about 1:20,000 or so I've seen a few conflicts just from my name. Another me was born the same day in the state I reside in... I've had a few things on my credit history get tangled up over it.
I've also met two others with the same name, purely coincidentally, not related. I worked on an access/security software team at a major bank (about 350k employees internationally at the time), I found 3 bugs just by being me. Since even SSN/Tax-Id varied, there were several ways to match identity and I had conflicts in a couple of them with other employees. Last Name + last-4 of tax/ssn/national-id (for whatever country the employee was in) was one of them. I don't recall the other two right now, been about 15 years.
Discuss it as in “there’s elections in Argentina, let’s see how we react to the change of administration”. Not as in “I will replace Argentina’s president”.
At least the titles/descriptions didn’t contain anything to consider pulling a Snowden about it.
OK thanks, but well, my comment was a bit tongue in cheek anyway. That nuance didn't survive the passage all the way from intended meaning to text interpretation it seems.
Yes, and the reason I've commonly heard for the bailout was that it is to help US based investors. That's a clear example of the US financial sector influencing foreign politics.
They discuss how to swing the elections with funds and think tanks in order to increase profits.
And if the outcomes of said election has a huge effect on foreign policy and geopolitics, AKA "national security", then the feds arrive and only talk to the big wigs.
Just because some people accidentally invite journalists into Signal meetings to discuss active bombing campaigns, doesn't mean everyone running a financial institution is vying to be named the next President of Argentina.
> You're being naive. This is exactly what they do.
You are being knee-jerk judgemental.
They didn't say those things don't happen, just that it didn't appear the comms they received by mistake looked like less sinister interactions with the political world.
I have a relatively rare name — I’ve actually never met anyone with my last name, never mind someone with my full name — and this happens to me regularly. Last week I got a job rejection from New Zealand post, for a while I was getting someone’s pay stub notifications from the US, etc.
I suspect it’s because I was the first to register the first.last@gmail.com address for my name. I guess it’s a bit like owning a simple noun .com domain.
I use my lastname [at] gmail (same as my HN username). Over the years, I’ve received all sorts of misdirected messages: medical, financial, support, even real estate documents. When it seems important, I do my best to contact the sender and let them know.
What I’ve learned is that “no-reply” email addresses can cause real harm in situations where it’s critical to reach an actual person.
My dad's first name is my last name so my last name @gmail is taken by him :)
But I have a relatively rare first name and even rarer last name due to my dad having a very rare first name, so I easily snagged first.last. Pretty sure to this day I've never even seen anyone with my dad's first name (or my last name).
Meanwhile, my coworkers name is literally Adam Smith and his usernames tend to be adamsmith2 or 3 or 4.
I once worked at a place that has two Brian Smiths who worked at desks across from each other. That was quite bizarre.
One place I worked, we had one guy with the same personal and family names of the (then) Director General of the BBC… working on a project with another guy who also shared both.
I am not the horror film director I share a name with.
> Over the years, I’ve received all sorts of misdirected messages […]
Looking at my text messages, surely these are a mix of serious business and the starts of scams. How unsavory to think that helping someone could be a bad thing.
Absolutely... I've had the same issue (nickname is gmail name), and constantly amazed how many people don't "get" that you can't just claim any gmail address you like and start using it on websites anyway.
I've gotten student financial aid docs, various product mailing lists, order receipts etc... it's amazing how many places take an email address and just start spamming without any validation at all.
I have lastname.firstname@gmail.com because first.last was already taken.
Just curious, do gmail accounts ever expire? Will I ever get the chance to snag the other one? Or does it forever belong to my nemesis and life-long enemy?
Even if your google account is deleted, the email address is NOT recycled because it can be used to impersonate people - maybe the previous owner still has physical/digital accounts linked to that old email. As far as I know most services do this - an email address once registered is never released again.
Yea I own first.last@gmail.com for my name too and I get emails for who I think is the same person fairly often. Like job stuff, professional education emails, etc. I used to reply to them saying wrong person but have given up...the guy must not care about not getting these emails...
My first name is very uncommon and my last name is very common.
I am on the other side of this problem and was surprised because it is very easy to contact me. When the other person with my name forwarded the emails, it was all careless and unwanted recruiter mail. Someone goes into work, types first.last@gmail, and hits send without doing one Google search. Incredible.
I'm in the same boat, except my first and last name are fairly common.
My gmail account is not my primary email address, and to be honest I don't know if I could manage making it my primary because of the amount of rubbish I get.
I recently wanted to introduce someone to our internal recruiters to a person with a long, uniqueish name. The recruiter was like: they did respond with „I’m not interested“. But the person was like: I’ve never got a mail.
Turned out the whatever tool our recruiter used spit out „first.lastname@gmail.com“ even though the person in question doesn’t own that email.
I've gotten a wide enough variety of stuff (mortgage paperwork, homeowners insurance, game service accounts) that some of it has to be organically entered, but that is a good note. Crazy that any system would be set up that way, but HR tech is a clusterfuck.
I am lastname.firstname@gmail.com, but I wouldn't be surprised if something similar is happening in some instances.
I have met someone with my last name, if its not hyphenated, which mine is. My name is as unique as it gets with hyphenating. I never use my hyphenated name anywhere other than 100% legal stuff.
My address is the same. Someone with my name thinks their email address is firstlast@gmail.com
Its annoying especially since we have the same bank and they are not very good at paying their credit card on time. I therefore get their bank emails. Initially
It will always have me confused as weight wait. I don't have any balance on my credit card. Was this fraud?
I have pretty rare first and last name, but somehow have gotten random person's car service receipts (and reminders) from a service place in the US (I live in NZ).
There car has a lot of problems.
I got on twitter pretty early too, and just have a short first time as my @, and occasionally get DMs about getting my @, but no one wants to hand out cash for it. The most I've been offered is $50.
But most just expect me to give it for free.
I have a sufficiently uncommon last name to be able to figure out which branch of the family the misdirected emails are meant for. Was quite nice getting updates from the chip shop we used to get fish and chips from when we went to visit grandma, intended for someone who afaik I never met.
I had an Australian criminal defense attorney with my name, register the .au version of my personal domain.
I used to get very sensitive documents sent to me. A lot of juvenile cases. I suspect people could have gone to jail for sharing it.
It's really on the sender, to make sure, but it's still a nasty situation.
It eventually stopped. I think they ended up registering a different domain name. I used to diligently respond, when sent erroneous documents, but never got a reply. I destroyed them, but there's no telling where other copies might have gone.
> At some point, they even organized an impersonation because someone needed to retrieve an official document and couldn’t be there in person. Another member nearby offered to go and get it. “Won’t you need my ID for that? — Oh, I have one with just the right name…”
If it hypothetically was a crime, I wonder how often it would actually get prosecuted given someone used their real ID, showing the office failed to check anything other than a name known to have dupes, and/or given they had no intent to steal something and acted with knowledge and permission of the intended recipient, showing no malicious intent. I can imagine reasons those wouldn’t be considered a valid defense, but I guess it probably depends on what office & document & law we’re talking about.
My name is X and another person also named X tells me to gather their documents from the office. Other X also signs a paper for me that says I'm allowed to do this.
I ask the office clerk: "Hi, I'm here to retreive the documents for X". He checks my ID and gives me the documents without asking for written permission from the other X.
It's deception by omission, but there is no fraud. I was legally allowed to do this. It's also a win for everyone because it avoids complications.
So the story says. But what if they didn't? What if it turned out the person receiving the document from the person picking it up also wasn't the intended recipient. How would they know? And if so they'd be holding a document that they shouldn't have in the first place.
You could easily be a paw in an identity theft play like that.
There's no sense in quibbling over a vague and imprecise summary of the concept. Legally, fraud requires an injured party. In our scenario here, nobody was injured, so no fraud. Whether temporarily possessing a document to hand it to its intended recipient counts as "obtaining" is not really the pertinent question.
I suspect it may fall afoul of a law about making false statements to the government, but that's distinct from fraud.
That's obviously nonsense. Lying on a loan application is fraud, even if you don't get the loan. You're confusing criminal liability with civil liability, which does require damages.
That's debatable. If I let my friends impersonate me to use my zoo membership for free entrance, then were clearly defrauding the zoo (obviously that's not high stakes, but I dare someone to argue it's not). If one of a set of identical twins is better at math and takes all the math tests for their sibling, that's pretty clearly academic fraud, again pretty low stakes but fraud is still fraud
Key note because in case someone decides to go bad faith here, I think the gp comments use case of fraud is a positive thing (if a bit dangerous). Redefining a term just because you don't like the pejorative implications is not a positive thing, though.
There are so many things wrong with this thread. At least you make an effort, but the categorical dismissals are interesting as well and probably explain to some extent why so many hackers end up in trouble with the law.
It's pretty simple: they are deceiving the other party that the document was handed to the right person, the consequences of which range from 'meh' to spending 6 years behind bars.
Let's say this was a summons for a court case. Then the judge would believe the papers were served properly, when in fact they were never served. Permission doesn't enter into it here, it is wilful deception by two parties of a third. The same name should not normally be enough to get away with this but assuming the story is real (there are many reasons to doubt this, such as the ID matching the name, but nothing else) it all depends on who does the checking. In some cases you might not even go home without a small detour in case you are found out (for instance, because the person handing the document over is familiar with the real recipient).
So, jurisdiction matters, what that document was matters, whether the permission was granted in writing (procuration), who the counterparty was, what the value of the document was, whether the parties lived in the same state/province or country and whether or not the permission was communicated to the person passing the document to the wrong recipient (probably not) and lots of other factors besides, such as the person giving permission still evading some legal obligation, which - conveniently - the story doesn't relate (and which hinges on what that document was).
And that's before we get into the wilder options of the second person being social engineered because after all, the only way they could be sure that they were acting on behalf of the real recipient would be to check their identity, in person, and with someone who is able to do that in a way that is legally binding.
I think you are massively overestimating the legal follow-through of an administration with opening hours so tight and irational they would be scadalous at a lingerie show.
I'm Irish and have a common firstname.lastname@gmail.com
At some point the head of a national hospital thought he had that address and wasn't using his official email for everything, I got several emails that should not have been for me and some were quiet sensitive, I always emailed back the sender to let them know and eventually I emailed his secretary as it kept happening. I've also received purchase order confirmations from Australia, building contracts from Canada, HR emails from a university to which I had to confirm I had deleted the mail as letting them know led to GDPR investigation
I’m in the midst of a similar situation. My firstinitial.lastname email keeps getting very sensitive legal documents from law firms handling the case of someone who does not seem to know what their actual email address is. I called the firm and told them they needed to have an in-person meeting with their client and get a correct email address from them. That seemed to help for a few months. But now I’m getting emails again from a different law firm.
And I worked IT for legal firm, if we were not sending documents over email, we would get replaced by the client.
I spent 3 months on secure document transfer portal system, got scrapped after 4 months because clients wanted their forms as Word/PDF and they wanted them without hopping through any hoops.
Yes I know this was about wrong delivery address (person with same name, wrong account); the point is that email is not completely secure - certainly not for very sensitive (legal) content
Gmail can be fetched via IMAP and leave Gmail's infra entirely. And I don't think Google guarantees that their implementation stays fully on their own owned infra. It's a reasonable assumption but I'd never trust that for a security guarantee.
Email is not an end-to-end secure data protocol without the use of client side encryption/decryption like PGP/GPG, but even then, sender/receiver and time are all in the envelop metadata.
Probably because Law Firms arent necessarily computer security firms. Lots of people have terrible op sec. Additionally if you the recipient are on gmail it stops mattering, now Google knows your legal woes.
Exactly, I’d never use Gmail for anything sensitive. Even for just personal emails I use my own mailserver.
(And again, for truly sensitive stuff I don’t use email at all)
Sure even though, as most others, my server supports TLS, having your email not leave gmail at all may be slightly more secure.
Part of the point however was that when either server or receiver is using Gmail, your possibly confidential email content is still in Google’s hands. Using a personal server reduces that part of the attack surface. Still this does not mean I vacate my overall point that email in general is suboptimal from a secop standpoint.
Why’s that even relevant if the recipient is the wrong address? Email isn’t particularly secure anywhere, and gmail has forwarding and IMAP and aliases and other services that send emails outside of gmail. But sending sensitive documents to the wrong recipient, which was the topic that started this sub-thread, is a case where it does not matter how secure your servers are.
Sure it is, and your own comment above about gmail to gmail being fairly secure demonstrated that. Using a photocopier is intentional, and everyone knows what a photocopier is. Most people don’t know what IMAP is, and an email sender does not know if the recipient uses IMAP.
And this is still irrelevant to sending email to the wrong recipient, so I don’t know why you’re stuck on infra security.
Even if the law firm uses a Gmail account - which most of course don’t - Google still has access to your sensitive legal email content.
(And that’s apart from the meta data leaking)
if you attach documents by linking to a Google Drive document, sure.
if you attach documents 'inside' the mail (i.e. MIME encoded multipart) that is most definitely not secure.
1) you do not know how that mail gets delivered, not necessarily via servers that support encryption
2) you do not know how that mail, or the attachment, gets stored on the local machine
3) you do now know if the mail, or attachment, is sent to someone else
4) you cannot revoke the access to the document once the Need To Known stops
In our ISMS, sending Highly Sensitive data (ex: customer data) by attaching directly to a mail, is strictly not allowed by the IT charter. We explain it during an on-boarding meeting to all new staff members. And it's a fireable offense.
There are several people with my name at the company I work for. I frequently get email meant for someone else.
Worst was at another company where a person with the same name has just left, so they gave me that email address. Turned out he was subscribed to several Confluence pages for which I now received updates. But I didn't get his Confluence account, so I couldn't unsubscribe from those updates.
I have a canonical gmail address for what I thought was not such a common name pair. I get so much sensitive stuff. I used to email the sender but I have given up. One of them runs a business and the businesses that interact with his business just keep emailing me. Or stop for a couple of years, change personnel and start right back up.
Same here. My Google Account is something along the lines of jose86@gmail.com (a common hispanic first name + birth year; I'm German).
It's unusable. I have received full blown mortgage applications from couples in Mexico (including paystubs, tax forms, credit ratings, phone bills, passports). Mostly, these days, it's transaction notifications for a guy in Nigeria and phone bills for people in South America.
I have myname.wifename@gmail.com (we use it for bills, children activities, and other family stuff where you can't register more than one email address).
Neither of our names can be confused with a last name and yet I had multiple people writing to it incorrectly, including: as the email attached to a Diners credit card (I called Diners and they asked me what's the right one and "if I don't know the right one how do I know that it's wrong"), as the email for a school 400 km from home (another family must have had the same idea), once for some lawyer stuff (I then learnt that about 100 people in Italy do have my wife's name as a very uncommon last name), and lately as the recovery email for another Google account.
Your use case is why I bought my own domain name. My wife and I create shared aliases we can both send from. It’s made spousal ensuing with schools so much easier, etc.
I used to get email for an org that had a similar domain as me (they had an extra letter in the middle). Thankfully, not a very big org, I would just bounce addresses that got a lot of misdirected email and I think they shut down and that really solved the problem.
Still annoying, but not as bad as gmail. I just got an email, in Italian, about someone adding a passkey to their ebay account. No way to tell ebay it's not their address / it's not my account.
Similar boat (~25 years) and, while I've run into some sites/services that rejected my domain, I'm pretty sure it's happened fewer than 5 times, total.
YES! I have no idea if we're related, but imagine the surprise when you "first get internet at home", and my father and I decided to search our surname on Altavista, and we found foosball tables and tournaments!
> I'm Irish and have a common firstname.lastname@gmail.com
At the risk of nitpicking, @gmail.com email addresses use a dots don't matter policy [0] so really you have a common firstnamelastname@gmail.com and are free to add dots wherever you like.
Recently learned, to my surprise, that other major providers have not followed Google’s lead on this, so there are plenty of places dont.scam..me@ is a valid email (social engineering or typosquatting).
I did a similar thing during lockdown Covid era. Got online and rounded up everyone with the same name as me as we all decided not to tarnish the name, to build respect on the name, and each of us to excel in our fields. It was powerful. One’s a musician/DJ in buenos aries, the other a mechanical engineer for SpaceX, me - a software leader, another is a luthier making traditional folk instruments, and one is a writer across the pond in the EU.
A few years later Tina Fey did those commercials where she pulled in other Tina Feys and we all messaged the group like “Hey! They did it too!”. I’m sure many others did it. The world is so connected now that you should reach out and learn about your “alter-egos”.
Anyways, this reminded me of that and it’s nice to see other people have similar experiences being weird with, I guess themselves.
That is so incredibly smart. I have a very common gmail address (initial + last name) and literally hundreds of people use this mail address and I would love to resolve the countless issues I can witness from getting the mails alone, but I essentially have no chance at all.
It's ridiculous that the US still runs on name matching when you could just have a public Id number (unlike the SSN that everyone needs to pretend it's secret).
We still have to pretend SSNs are private until both law and common practice change. I expect that to be “functionally never”. Maybe within our lifetimes. Maybe.
My SSN is out there several times over at this point, thanks to breaches at phone companies, insurance companies, CRAs, ISPs, and the rest. I stopped tracking breaches that included the kind of info you’d need to impersonate me, about six years ago. The list was long and it seemed to be a pointless exercise by then.
I also have a mixed credit file with all major CRAs because of more than one person with the same name I have, one of whom lived in the same area.
Even if I didn’t have freezes everywhere, over the phone KBAs stopped working years ago even with my SSN.
The most American approach would be for SSNs to become a de facto universal ID number that you have to give everywhere, while still continuing to function as an unchangeable password to all your most important things.
I have a relatively uncommon first name (for my age group) but a very common surname. The first person I met with the same first name as me was when I was about 13 — they also had the same surname.
I once worked at a company whose lawyer shared the same first and last name. Rarely I would get an email and then a "please don't read that, delete immediately" afterwards.
I used to have a very common name (before getting married and took my wife's last name). Imagine that I have firstname.lastname@gmail and somebody was genius to take firstname.lastnam@gmail.
I felt this was so stupid, that i quickly lost any willingness to try to relay the emails to their original owner, as the other person had zero interest to change their address to be harder to mistype.
I have a similar username on a "social media" site as the founder's username. I would get hateful personal messages, requests for favors, begging for money, etc., constantly. At first I would respond to correct people, but after years and years I stopped. I just disable notifications for that site and never read my mailbox, personal messages, etc. This has been going on for about 19 years now.
The other end of the spectrum has its own problems too. My first and last names are both quite rare — deliberately so, thanks to my parents. That means when someone, say a potential employer, googles my name, it’s reasonable for them to assume every result they see is about me.
For a while, I actually liked that. It felt like having a unique identity online. Until one day I discovered someone else had created a YouTube channel under the exact same name. Presumably they happen to share this unusual combination legitimately — but the content on that channel wasn’t exactly what I’d want showing up when someone searches for me.
I tried to “correct the record” by setting up my own channel, just to add some better signals. But since YouTube isn’t my thing, my videos barely register, and Google still insists on showing the other person’s channel first.
My firstname / lastname isn’t common but if you google it you get a disbarred attorney with the same name. I’ve been asked on interviews about being disbarred; I know then that someone at the company is a sloppy “researcher”.
At some point, they even organized an impersonation because someone needed to retrieve an official document and couldn’t be there in person. Another member nearby offered to go and get it. “Won’t you need my ID for that? — Oh, I have one with just the right name…”