Monday, May 07, 2007

Email Addresses For Fun and Security

I was reading FatWallet finance forums one day a while back, and one of the regulars made a post mentioning that she created a unique email address for every online account she had. In other words, whenever it was time to open a new account of some kind — banking or shopping or whatever — she created an email addy to be associated with that account, and that account only.

I can be a pretty dense guy, so I didn't think much of her tactics at the time. This past weekend, though, I began to see the light.

Here, Phishy, Phishy ...

Here's what happened: My wife and I both have credit cards with Bank of America. She received an email PURPORTEDLY from BoA, informing her that online access to her credit-card account had been closed, and that she needed to follow the link in the email to re-input her account info and password, and ... well, you get the idea. Phishing. This was a nicely-built reproduction of BoA's emails, though. I'll give the creators credit for that. (Yes, we did report it to BoA.)

Anyway, it took a few minutes, but the first "dead giveaway" was that the suspect email was delivered to an email address of my wife's which was NOT associated with her Bank of America account. (I have little "groups of use" for our email addys, and this one wouldn't ever be used for financial accounts.)

Beauty of Unique Emails for Each Account

Suddenly I understood the wisdom in the FatWalleter's methods above: If all your online accounts have a unique email address associated with them, you'll be able to spot the phishing attempts pretty much instantly.

So, if you owned a domain (dirt cheap) like ihavenogame.com, and along with that domain came your ability to create about 50,000 email addresses, then when you opened an account with, say, HSBC, you could create and give them (and them only!) a contact email of "HSBC@ihavenogame.com" or some such. For Amazon, you'd have "amazon@ihavenogame.com" or something similar.

Then, whenever you received an email from "Bank Of America," but it was sent to your Gmail email address, well, you'd be the Smart Cookie who didn't give that phishing attempt a second thought, wouldn't you?

You needn't create actual mailboxes (with usernames and passwords and all that) for these emails — simple forwards should work fine. Nifty, huh?

Other benefits:

  • With "unique use" emails such as these, when you start getting spam at one of your addys, you'll know precisely which companies or other online entities either (1) sell their email lists to guys with names you couldn't pronounce if you wanted to; or (2) have had their data compromised. Not a bad thing to know, yes?

  • No more wondering which online registrations are associated with which email accounts. Once one of your unique-use addys becomes a spam magnet, you'll know which one to kill off, and you won't have to wonder which other businesses have that address listed as your contact point.


— Posted by Michael @ 10:28 AM
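
The check described in the post, written out as an added example that is not part of the original post: it compares the organisation a message claims to come from with the address it was delivered to, covering both the phishing case and the leaked-address case. The alias map, the sample messages, the `boa@` alias and the `.example` sender domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed alias map: each address was handed to exactly one organisation.
ALIASES = {
    "hsbc@ihavenogame.com": "HSBC",
    "amazon@ihavenogame.com": "Amazon",
    "boa@ihavenogame.com": "Bank of America",
}

def _msg(sender, to, subject):
    """Build a minimal raw message (constructed sample input)."""
    return f"From: {sender}\nTo: {to}\nSubject: {subject}\n\n(body omitted)"

PHISH = _msg('"Bank of America" <alerts@bankofamerica.example>',
             "me@example.com", "Online access closed")
LEGIT = _msg('"Amazon" <orders@amazon.example>',
             "amazon@ihavenogame.com", "Your order")
SPAM = _msg('"Cheap Pills" <promo@pills.example>',
            "hsbc@ihavenogame.com", "Big discount")

def classify(raw_message):
    """Return (verdict, detail) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    claim_text = f"{display} {sender} {msg.get('Subject', '')}".lower()
    # Organisations the message says it is from (display name, address, subject).
    claimed = {org for org in ALIASES.values() if org.lower() in claim_text}
    # Addresses the message was actually delivered to.
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    delivered = {addr.lower() for _, addr in getaddresses(headers)}
    # Organisations whose dedicated alias received this message.
    alias_owners = {ALIASES[a] for a in delivered if a in ALIASES}

    if claimed and claimed <= alias_owners:
        # Consistent with the alias; this is not proof the message is genuine.
        return "consistent", f"{sorted(claimed)} wrote to its own alias"
    if claimed:
        return "suspect-phish", f"claims {sorted(claimed)}, sent to {sorted(delivered)}"
    if alias_owners:
        return "alias-leaked", f"address given only to {sorted(alias_owners)} reached {sender}"
    return "unknown", "no known organisation or alias involved"

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("SPAM", SPAM)):
        print(name, *classify(raw))
```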








2 Comments:
 

My father did this 40 years ago with magazine subscriptions. His name for his Reader's Digest subscription was "John R Smith", and for Consumer's Report, it was "John C Smith" and so on and so forth. So when he got offers/notices that weren't from the right publisher for that name, he just tossed them.

 

I use a different tactic. I never respond to any e-mails requesting personal information. Period.

I don't bother with multi e-mail accounts. I simply use one hotmail account, which I have set to only accept e-mails from users I allow. Any e-mail from another entity gets captured in the SPAM filter and I never see it. If I sign up at a new site / with a new institution, I go to my SPAM filter and fish out the first e-mail from them, and then allow the sender.

I receive no SPAM, ever.

This is the only e-mail I use with service providers / vendors.

I have another account for my blog correspondence, and a third for personal e-mails. AND of course, one for work...
