5

I recently received e-mails from two services: Paytm and Uber. They both seem like legitimate services. However I have no idea why I received these e-mails or why somebody would want to create an account with my e-mail.

The first e-mail provided a link to remove my e-mail from the system. I was wary to put my e-mail in, but considering that it had a valid HTTPS certificate and seemed legit on Google, I went ahead and did it (and received another e-mail confirming this action.) I also sent an e-mail to support for the other service and have not heard back yet.

What I want to know is:

  1. Did I perform the right steps? Have I exposed myself to more risk by contacting these services?

  2. Should I be worried? It seems that my e-mail account hasn't been compromised. I know that sometimes, companies will tell you to ignore e-mails if the action was not taken by you. However, I'm concerned because these seem like services that are easy to sign up for, but hard to disassociate with. I also don't want somebody just doing stuff willy-nilly with my e-mail.

user83905
  • 51
  • 2
  • 2
    Less not forget, this could simply be an innocent mistake. With the sheer number of internet users and the restricted namespace for email addresses, particularly the common webmail services - typos and simple mistakes are bound to happen. – MrWhite Aug 20 '15 at 13:44
  • You may want to change your email password and even add 2FA just to be safe. – Neil Smithline Aug 20 '15 at 15:55

2 Answers2

3

I would have performed the same actions. Confirm the validity of the website, and request the account be removed.

I don't believe you've exposed yourself to more risk at all by contacting these services. The key to performing the above is to not actually click the link in the email. Go to the service's webpage separately where you can verify the certificate, and if everything checks out email their support team about the fraudulent account. This allows you to do your homework first without clicking on possible phishing links within emails.

You should always remove accounts that are linked to your email. Even if your account isn't compromised malicious actors could be using the appearance of your email to gain the trust of others.

As far as a compromised account; if you're worried then I would change your password for the account, and ensure it's a good one. 16 characters will various symbols and numbers. I would also turn on 2 Factor Authentication if your email service provides it. This will lock down the account, and help you manage who is logging in.

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
1
  1. Did I perform the right steps? Have I exposed myself to more risk by contacting these services?

Yes and No. The fact the link you clicked on looked legit on Google with a valid certificate does not necessarily mean it is an innocuous one (you can set a certificate to your website and run any malicious script to target your visitors), and scammers use often phrases such as: please notify us ... click on this ... let us know (examples). So I wonder if, for example even if this is questionqble (Is the Web browser status bar always trustable?), you have hovered over the links you received (Before You Click That Link)?

  1. Should I be worried?

It all depends on how much careful you analysed the links and the steps, but also gathered additional information about the links you went through on Internet. But since very few attackers could invest to set a certificate on their website to use it for attacking others is rather awkward (for serious attacks, their anonymity is compromised by the certificate itself), so, even if it may sound contradictory to what I pointed in the paragraph above, you rather should not be worried about it that much from this perspective.

I also don't want somebody just doing stuff willy-nilly with my e-mail.

Unfortunately you can not stop that: any person who knows your email could play a game over your head (subscribing you somewhere), but you can reduce the risks: for example, craft radom email addresses to subscribe to social networks, to play online ... but do not publish every where your permanent email address (for example in the past I was used to publish my email address encoded on this website -to avoid my email being collected by some automated programs and used for spamming -: bXllbWFpbC5pc3RoaXNAZ21haWwuY29t). Your email has not to be compromised to be used by a nefarious person that way.

  • For the link I did click on, the certificate's organization matched the organization that appeared in google/wikipedia. For Uber, I did not click on any links. Interestingly enough, their company seems to be [swamped](https://en.wikipedia.org/wiki/Uber_%28company%29#Opposition) in [controversy](https://en.wikipedia.org/wiki/Legal_status_of_Uber%27s_service#United_States). – user83905 Aug 20 '15 at 12:23
  • If you have done what you said for the first link then you are definitely safe (as long as their website is not compromised to attack you by sending you that link). Yes, Uber is banned recently here in France @user83905 –  Aug 20 '15 at 12:26