Things started to get weird when Angela Scaletta received love notes intended for another woman.
For years, she’d been getting e-mails meant for other people. When she first chose an e-mail address, she simply combined her first and middle names, not realizing how many other people would be choosing something so similar.
Maybe those Angelas mistakenly wrote her e-mail address instead of theirs on forms. Maybe senders ignored a number tacked onto the end of the name, or a last initial. Either way, Scaletta, of Minneapolis, ended up being privy to information that wasn’t hers to see: copies of loan applications, health records, school information for other women’s children, even a job offer.
But when she got another Angela’s love letters, she decided to put a stop to it.
While phishing attempts and international political hacking get plenty of attention, there’s another cyber security problem that plagues a very specific segment of e-mail users: those who have common names or use common e-mail addresses.
They often end up with digital doppelgängers, and receive a barrage of sensitive e-mails meant for people with similar digital addresses. Everything from taxes to heartfelt love confessions is being sent into the Internet ether, only to land in the in-boxes of the wrong people.
For recipients of these missent communications, it’s more annoying than threatening. They aren’t any more vulnerable to identity theft than the rest of us. Yet the problem highlights e-mail’s fundamental flaw: It’s not secure.
“People just don’t understand how to use technology well, generally speaking,” said Eran Kahana, a cyber security attorney with the Minneapolis firm Maslon.
Though far faster and more convenient than addressing a paper envelope, e-mail should be treated with the same reverence, Kahana said. “You would think there would be a lot more care taken before you hit ‘send.’ ”
In an era when everyone from the president’s son to the head of a motion picture studio has their provocative, embarrassing and scandal-making private communications aired openly, technology watchers are questioning how long it will be until e-mail is fully replaced by more secure platforms.
Many businesses already are migrating to other platforms and apps, like Slack, an encryptable chat program. Other companies have their employees append confidentiality footers to their e-mail. But until something better comes along, people are being encouraged to watch what they send in an e-mail — and be careful about to whom they send it.
From mistake to malicious
People with common names are the most likely to end up getting errant mail. Even those who are adept at e-security are susceptible.
“My e-mail addresses are typically ‘mjohnson’ so I have experienced this firsthand on many occasions,” said Mike Johnson, who leads the security technologies graduate program at the University of Minnesota. “Divorce information, bankruptcy information, business communications — it happens a lot.”
Not much can be done about these cases of mistaken identity. And as far as Internet safety issues are concerned, this one ranks low on most users’ and e-mail providers’ radars, experts say.
“It’s low on the totem pole,” said Kahana. “It can cause expensive problems, but it’s not high up.”
The bigger problem is when e-mail turns malicious.
Malware and ransomware that take over personal and business computers, security breaches that leak passwords or Social Security information, and glitches that cause people to lose vast amounts of data are all more significant threats, and ones that users can take steps to avoid. Investing in software that keeps devices protected and backs up data also tends to be a higher priority for users than making sure their e-mail address is one-of-a-kind.
Besides, Johnson said, there aren’t any programs available to the average user that alert you when a sensitive e-mail goes to the wrong person.
For the doppelgängers on the receiving end, reactions range from annoyance to amusement.
Matthew Vinge of St. Paul has been receiving updates from a Danish squash club almost every month since 2009.
“Honestly, I think I’ve never stopped it in part because it somehow (in a very silly way) validates my Scandinavian heritage,” he wrote in an e-mail. “However, I can’t help but think there’s another Vinge out there that is not getting their squash updates.”
Some people are finding creative solutions.
Amanda Johansen of St. Paul started a Facebook group for other Amanda Johansens to share their misdirected e-mails. More than two dozen of her digital doppelgängers joined.
“I started it because I noticed how many people had my name and I thought it would be a funny thing to see what they look like and where they live,” she said. “But then I started using it once I would get these random e-mails.”
Through her Facebook group, she located the rightful recipient of an e-mail that had detailed information on how to get through security at a Hollywood movie studio, she said.
Most typically, she receives marketing e-mails from Scandinavia (she has to use Google Translate to find the “unsubscribe” link). She often gets big box store coupons for an Amanda Johansen in New Jersey. The strangest incident was an e-mail full of a Swedish family’s photos from a vacation to Turkey.
Scaletta has opted for an even more proactive approach.
She went through the trouble of tracking down one of her doppelgängers in the United Kingdom, for whom she’d gotten scads of sensitive information. She found her phone number on one such document, called her and told her she had her income information, address and more.
Then there were the love notes from a man who was clearly looking for a different Angela with the same middle name. His somewhat poetic, slightly obsessive messages alarmed her enough to write back and let him know he had the wrong woman.
It only made things worse.
“I know now that you are not the friend I was looking for, as you have changed your name. ... ” he wrote, and continued to e-mail her every few days. Some of the messages came from his work address. His e-mails finally stopped when Scaletta tracked down and called his boss.
“I got one last e-mail ... saying something like, ‘I know what you did,’ and haven’t heard from him since.”
How to protect yourself (and others)
Double-check e-mail addresses before sending.
Avoid putting sensitive information into any e-mail. “I go by the adage, ‘Don’t put it in an e-mail if you wouldn’t want to see it in a newspaper,’ ” said Amanda Johansen of St. Paul. “My e-mails are really boring.”
Don’t share any information about health, employment, taxes, etc., via e-mail, advised Mike Johnson of the University of Minnesota’s Technology Leadership Institute. Any businesses that deal with personal information (your health insurer, employer) should use a password-protected online portal. If they don’t, don’t do business with them.
If you get sensitive information meant for someone else, Johnson advises you to respond to the person or company who sent the message to let them know they have the wrong address.
Make a keyboard shortcut in your phone for your own e-mail address, so when you are typing it into a form, it’ll always pop up correctly.
Before you hit “send,” think about what you’re sending, to whom, and why. Once an e-mail is out there, it can’t come back. “If it’s not a grocery list, I think about it one extra second and make sure I didn’t screw it up,” he said.