Company asking for my personal information to close fraudulent account
November 14, 2020 9:17 AM Subscribe
Someone used my email address to sign up for a financial account. Now the company wants my personal information to close the account. Obviously, I don't want to give it to them. What should I do next? Am I overthinking this, or should I just reset the password, log in and try to close the account myself?
Someone used my email address to sign up for a financial account. I didn't sign up for this account. I received 4 legit emails from the company, welcoming me and confirming a transaction and connection to a bank account (not mine). I checked the raw body of the emails, and the links do go back to the correct domain, so I'm assuming that this is not phishing.
I contacted their customer service department via their website, and have been corresponding with them over email. I'm using the email address in question to correspond with them. Now, they've asked for the last 4 digits of my SSN, phone number and date of birth, so they can tell if someone is using my info fraudulently, or if someone mistyped an email address.
I've refused to give them my information, but what should I do next? This company has had a recent security breach concerning their own customers' accounts. Since I haven't signed or consented to any agreements with them, I don't expect that they would keep my info secure.
(I'm not going to directly name this company, but it's named after a fictional outlaw who lives in the forest, has a band of cheery friends and is known for stealing from the rich, and giving to the poor.)
Someone used my email address to sign up for a financial account. I didn't sign up for this account. I received 4 legit emails from the company, welcoming me and confirming a transaction and connection to a bank account (not mine). I checked the raw body of the emails, and the links do go back to the correct domain, so I'm assuming that this is not phishing.
I contacted their customer service department via their website, and have been corresponding with them over email. I'm using the email address in question to correspond with them. Now, they've asked for the last 4 digits of my SSN, phone number and date of birth, so they can tell if someone is using my info fraudulently, or if someone mistyped an email address.
I've refused to give them my information, but what should I do next? This company has had a recent security breach concerning their own customers' accounts. Since I haven't signed or consented to any agreements with them, I don't expect that they would keep my info secure.
(I'm not going to directly name this company, but it's named after a fictional outlaw who lives in the forest, has a band of cheery friends and is known for stealing from the rich, and giving to the poor.)
This happens to me all the time. Find their Twitter support and DM them. The people who handle those requests seem to be more empowered to do things and quicker to understand the situation. But yes, if you don’t get anywhere then don’t give them your info. This is their problem and they are violating the privacy of one of their customers. It’s not your job to fix it. Log in and change the email address and forget this ever happened. Use a mailinator.com email account if you need to click an email link to confirm the address is real.
posted by caek at 10:26 AM on November 14, 2020 [1 favorite]
posted by caek at 10:26 AM on November 14, 2020 [1 favorite]
There's no way I'd give financial information like SSN / phone number / date of birth to any company - even ones that have a clear history of protecting customer data. However, logging into someone else's account is, at best, unethical, and at worst, illegal. You'd be accessing a personal account of another person, which isn't appropriate.
You can decide for yourself whether to reset the password, but don't log in with it. Resetting the password - potentially even creating a new password and not logging into the new account - is a reasonable consideration - it locks out the account for the opener, which forces them to solve it... not you.
I'd check my credit report. If the account is on your credit report, I'd dispute the entry. You don't need to provide personal information to do that. If the account isn't on my credit report, I'd ignore it. Completely. If the person or company tries to get a hold of you, simply respond something to the effect of, "this isn't my account and the account isn't my problem". It'll eventually take care of itself.
posted by saeculorum at 10:28 AM on November 14, 2020 [2 favorites]
You can decide for yourself whether to reset the password, but don't log in with it. Resetting the password - potentially even creating a new password and not logging into the new account - is a reasonable consideration - it locks out the account for the opener, which forces them to solve it... not you.
I'd check my credit report. If the account is on your credit report, I'd dispute the entry. You don't need to provide personal information to do that. If the account isn't on my credit report, I'd ignore it. Completely. If the person or company tries to get a hold of you, simply respond something to the effect of, "this isn't my account and the account isn't my problem". It'll eventually take care of itself.
posted by saeculorum at 10:28 AM on November 14, 2020 [2 favorites]
Would you rather know if your identity has been stolen or not? Your DOB and phone number are basically public information at this point (even if you think your phone number is private, it's almost guaranteed to have been correlated with you and put into various databases, some of which bad guys have access to). You can give them that information to see if it matches (or ask for the last digit of the phone number to see if it lines up with any that you've had before sending the full thing). The last 4 of your SSN are a little more private, but there's a very good chance that they or your full SSN have already been leaked.
If you can successfully execute a password reset and log in, you can possibly log in and see if the phone number listed in the system is yours without having to give it to them.
As far as what probably happened, I'm not familiar with their signup process, but there's two main reasons why someone would have used your e-mail address.
1. It's a typo. Is your e-mail something like jsmith3@gmail.com? If so, the typo narrative is fairly easy to believe. If it's iamauniqueshootingstar@mycustomdomain.io, it's a lot less likely.
2. Someone has or believes that they have access to your e-mail account, either by having the account information or access to one of your systems itself. There's slim reasons why someone trying to conduct fraud in your name would use your actual e-mail address while doing so unless they had one or the other of those. That said, there's foolish scammers out there too.
This company has had a recent security breach concerning their own customers' accounts.
Maybe. The official story is that a few thousand users were breached because either they reused passwords or had their personal systems compromised. Both narratives are extremely believable in the FI space, particularly with their user demographic. The failure on their part was that their antifraud detection didn't catch the suspicious activity earlier than it did.
posted by Candleman at 10:28 AM on November 14, 2020
If you can successfully execute a password reset and log in, you can possibly log in and see if the phone number listed in the system is yours without having to give it to them.
As far as what probably happened, I'm not familiar with their signup process, but there's two main reasons why someone would have used your e-mail address.
1. It's a typo. Is your e-mail something like jsmith3@gmail.com? If so, the typo narrative is fairly easy to believe. If it's iamauniqueshootingstar@mycustomdomain.io, it's a lot less likely.
2. Someone has or believes that they have access to your e-mail account, either by having the account information or access to one of your systems itself. There's slim reasons why someone trying to conduct fraud in your name would use your actual e-mail address while doing so unless they had one or the other of those. That said, there's foolish scammers out there too.
This company has had a recent security breach concerning their own customers' accounts.
Maybe. The official story is that a few thousand users were breached because either they reused passwords or had their personal systems compromised. Both narratives are extremely believable in the FI space, particularly with their user demographic. The failure on their part was that their antifraud detection didn't catch the suspicious activity earlier than it did.
posted by Candleman at 10:28 AM on November 14, 2020
Someone has or believes that they have access to your e-mail account
On that note, anonymous, if you haven't changed the password to your email account yet, please do so right away.
posted by DreamerFi at 11:02 AM on November 14, 2020 [2 favorites]
On that note, anonymous, if you haven't changed the password to your email account yet, please do so right away.
posted by DreamerFi at 11:02 AM on November 14, 2020 [2 favorites]
Why do they need your info to close that account?
It isn’t going to match the account.
The original account holder will find out their emails are not reaching them and will then use their own information to get access to their account.
posted by calgirl at 11:41 AM on November 14, 2020
It isn’t going to match the account.
The original account holder will find out their emails are not reaching them and will then use their own information to get access to their account.
posted by calgirl at 11:41 AM on November 14, 2020
Have you looked at their Wikipedia page? They have had numerous problems problems, suggesting their systems are thoroughly flawed. I would keep well away from them.
posted by TheRaven at 12:49 PM on November 14, 2020 [1 favorite]
posted by TheRaven at 12:49 PM on November 14, 2020 [1 favorite]
If you want to log into their account and cause a password reset, do so via a VPN so it’s harder to trace if anyone gets agitated. Many VPN providers have ways to ensure they don’t actually know who their customers are.
posted by aramaic at 5:51 PM on November 14, 2020 [2 favorites]
posted by aramaic at 5:51 PM on November 14, 2020 [2 favorites]
Now, they've asked for the last 4 digits of my SSN, phone number and date of birth, so they can tell if someone is using my info fraudulently, or if someone mistyped an email address.
Seems to me they should be able to tell you if someone's using your info with one of these pieces of information, not three. Maybe see if they'll tell you if the birth dates match.
posted by deludingmyself at 7:59 AM on November 15, 2020
Seems to me they should be able to tell you if someone's using your info with one of these pieces of information, not three. Maybe see if they'll tell you if the birth dates match.
posted by deludingmyself at 7:59 AM on November 15, 2020
Dear Financial Institution, someone has used my personal information to commit accidental or intentional fraud. I will not compound this privacy violation by providing additional personal data. It was your job to have collected and verified data when you opened the account. The account is invalid; you should make every effort to resolve the problem with your business resources. Sincerely, anonymous
posted by theora55 at 8:11 AM on November 15, 2020
posted by theora55 at 8:11 AM on November 15, 2020
« Older Help us create an easily cleanable cat spraying... | Could I lock myself out of getting immunity? Newer »
This thread is closed to new comments.
posted by insectosaurus at 9:49 AM on November 14, 2020 [1 favorite]