Am I A Victim? – Reverse Social Engineering (Not Necessarily the IT Security Definition, But Close)

About a year or two ago, someone used my Gmail address to sign up for Facebook.

My Gmail address had been my go-to spam email. (Since I got my Google phone, it’s become my primary email and my domain email has fallen by the wayside. I still use it, but only for official/important emails.)

I never wanted Facebook, or any other social media anything back then. When I got the confirmation email, I ignored it. I first thought it was nothing more than spam. Then I kept getting emails for friend requests and messages on Facebook. I decided to see if I could log in and delete the account. I knew I didn’t have the password, but the “forgot password” option sent me the link (or password, I can’t remember anymore) to my Gmail and I was able to gain access to the account.

I logged in and started deleting all the info off the page. It offered to “import your friends from Gmail” and I was curious. So I clicked it. And O.M.G! I found friends I hadn’t had contact with in 20 years. I found friends from my high school. And they remembered me! WOW!

So, that’s how I got my Facebook account. And that was the last I heard about someone using my email address.

Or so I thought.

It started back up again about 9 months ago. I now have a Pandora account. I have a bunch of service accounts, online gaming accounts, and accounts for children’s education as well as gaming accounts. All of which I’ve changed the password to.

I started off deleting the accounts, but the person would re-sign up with MY email address over again. So, to stop that, I just kept the account, changed the password on it, and left it alone. Eventually, they will delete it. Hopefully, she’s re-registered with her PROPER email address.

I wonder, how many times does it take for someone to realize they are using the WRONG email address and to be more careful? Really. How long?

When I first got hired into the IT Security field, I dealt with this thing called PKI, Public Key Infrastructure. It’s a neat little tool that places authentication and encryption on your email based off something called PGP (Pretty Good Privacy). No need to go into the details of it as most of you would be bored to tears. 🙂

At that time, it was only a pilot program. Now, it’s required for all military and government emails. So, when I got into this PKI program, I learned of an awesome website called ThinkGeek. They operated out of a small closet back then. But I got my “I READ YOUR EMAIL” T-shirt from them back in 2000 (they don’t sell it anymore, but other places do).

That T-shirt is so appropriate now.

So, now I have all these accounts, with my email address tied to them. Spam is at an all-time high. Even Gmail’s spam filter can’t capture them all. It’s annoying and frustrating to say the least. I have to take time out of my life to go “fix” all these accounts so I don’t continue to deal with even more unwanted email that I DIDN’T SIGN UP FOR!

Last month became even more troublesome. There were continued emails from Microsoft Account Team. At first, I thought it was a phishing scam. I searched everywhere for something about it. Nothing.


It happened once or twice in two weeks. No big deal. But then, I kept getting them back to back, over and over again. I started to freak out about this time, because I just read a couple of articles on Kotaku about people hacking Xbox Live accounts and selling them on the internet.

I’ve had 2-step security on my Gmail account ever since I noticed someone attempting to log into my Gmail account from another country….I’ve never lived in. This 2-step verification is relatively new for Microsoft but I’ve had it implemented for some time now.

I logged into http://account.live.com and the links were legitimate. I’ve been changing my Live password each time I got these emails. But they still kept coming.

I tested the 2-step verification process myself. When I went to the “Billing” menu, that’s when I would get the 2-step email verification. So, either someone has access to my account, regardless of how many times I change my password, or someone set up their Live account with the wrong email address. My guess is the latter.

So friggin’ frustrating!!! This could very easily be considered cyber harassment. Not in the sense of bullying. But the fact that I continually get emails like this, have to change the passwords, contact the service to have them stop sending me emails, change my password, all takes time away from what I need or want to do.

So, now that I THINK I have this under control….for now…I get an email the other day, setting up yet another account for a service I don’t want. But this time, the account verification email sent me her full name, username, and password.

I went to change the password on this account, like I always do, and when I logged in, I found out her work email, mailing address, and phone number. I’m like WHOA! In the wrong hands, this could be absolutely dangerous. Identity theft, stalking, even death. You just don’t know what people will do with personal information like this.

Because I work in the IT Security field, I am naturally paranoid. I’m not worried so much for me, as I am for the person who’s too stupid to remember their own email address! If left unaddressed, what will I get next? What other information is she carelessly throwing around to other strangers out there? I shudder to think of the possibilities.

I’m not mean. I’m not manipulative. I’m not a bad person. But I could ooooh soooo be one with this information.

I dubbed this “Reverse Social Engineering” because it is personal information freely given to someone else, but I didn’t ask for it. However, this is not the proper definition of Reverse Social Engineering. Symantec defines it as “when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around.”

This is hardly the case here. But it is appropriate. Like I said, it’s information, given freely, to an unsuspecting stranger–Me. But lucky for her, I’m not malicious.

Now I’m going back and forth with myself. Do I contact her? Or do I leave it alone? If I contact her, will she take it the wrong way? Will I be in the wrong? Would I be considered the stalker? The harasser? The cyberbully?

The use of a wrong email address is not a legal issue. Having someone else’s personal information is not illegal. It’s how you use it. I’ve been trying to locate any information of someone else having this type of problem, information regarding how to stop this, how to safely contact the individual to inform/educate her. I’m torn. I want to help her, but fear the reprisal if she takes it the wrong way.

What do I do? What would you do?



  1. Ping from Happy Lung Leavin’ Day 2015 | Caring for My Veteran:

    […] been a bad person, I could very easily have ruined a few people’s lives. But I’m not. (you can read about this here, in my article called Am I A Victim? – Reverse Social […]

  2. Ping from Angela Brown:

    Contacting the person and letting them know they are putting themselves into pretty sticky situations is a good idea.

  3. Ping from Cheyenne Campbell:

    I’m with Cheryl – I’d want to know and I’d be so grateful. She’s super lucky that the information happened to fall into the hands of such a kind and thoughtful person like yourself, because there are sadly so many people out there who would be tempted to misuse it. I can’t see how she would accuse you of doing anything wrong to get her info, since it seems clear she’s accidentally entering your address. Is changing *your* email address a possibility? I know what a huge pain that is, though.

  4. Ping from Heather Jacobs:

    I agree with Leigh. I wish there was more I could do to help out. Since I live in her region I’ll even call her! 🙂 This sucks because this is still such a new area for law enforcement and it shouldn’t be. The internet has been around how long? Hope this stops soon for you!

  5. Ping from M. Andrew Patterson (@DyadicEchoes):

    Wow. That is messed up. I would definitely let her know. It could be that her email address is very similar to yours. If you do contact her, try to avoid having any of your personal information attached to any correspondence. I’m wondering, as you probably are, is this a new type of phishing scam.

  6. Ping from Cheryl:

    I would contact her and tell her that she’s been using the wrong email address. Then I’d tell her that you’ve deleted the information, so she’s safe, but she should make sure she’s using the right address. Personally, if I were making that mistake, I would want to know. And I would be grateful for whoever told me, as well as embarrassed beyond belief.

  7. Ping from Leigh Caroline:

    You already know my opinion, but I’d send her a postcard or something saying “I got your address from one of the websites you’ve signed up for using my email address. Please be careful to only use your email address. I work in IT, and there are people out there who would do very bad things with the amount of information you put on those sites. Thanks!” 😛 Just be short and nice. You’ll be fine.
