Many marketing experts will tell you that you should get your own domain and set up a branded email ([email protected], for example). And they are right; many people see having a branded email as a sign of professionalism, and use it to decide who they want to do business with.
That is a good marketing and branding tip, but here’s a tech and security tip:
Never use that email address to set up an account – not on Amazon, not anywhere.
One of the lesser-known technical facts about email is that many email server platforms have a standard setting which forwards misdirected or misaddressed messages to a default email address.
What this means is that if you use [email protected] on, say, your Amazon account, and then you let the domain registration for MySite.com expire, anyone who then registers the domain can start getting your emails, including account status emails. (It’s similar to someone registering your old phone number, and getting your calls.)
The new owner of that domain does not need to know what your old email account was; they just have to register the domain and set up a default email account.
This is in fact so easy that anyone with a minimum of technical skill can do it. All they need is a web hosting account which uses cPanel, and an unregistered domain.
I know this because I like to register expired domains which used to belong to now-dead companies in the ebook and WordPress spheres. My original goal was SEO, but one day I decided to set up those domains on an email server just to see what happened.
I now get all sorts of emails via those old domains, including for Twitter accounts, PayPal, and what have you.
- For a while now I have been getting emails from PayPal related to an account which used to belong to the Dutch ereader company, iRex. (I can’t access that account due to the increased security, but still!)
- One WP theme developer put his own email address down as the admin email for all the sites which used his themes. Until I turned it off, I got hundreds of spam emails from all of those sites’ contact forms.
- I also now control the Twitter accounts created by several dead tech companies (it’s really easy to send password reset emails).
- The original inspiration for this post was a security confirmation email I got for someone’s Amazon Shopping account. Yes, I could access their Amazon account and order stuff if I wanted to. (This scares the shit out of me, too.)
Folks, I am never going to do anything bad with the email accounts I control, but the next guy may not be as ethical as I am.
This is why you should check to see if you have made the above mistake. Go into your accounts and replace any [email protected] email address with, say, a Gmail email address.
Then, once you’ve done that, you should also add extra security to any account where money is involved. This will protect your account in the case of a hack or leaked password.
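One way to run the check described above, as an added example that is not part of the original post: the script reads a password-manager CSV export and lists every account whose login email depends on a domain you register yourself, most urgent expiry first. The column names, the `mysite.example` domain, the expiry date and the function names are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample: a password-manager CSV export (column names are assumed).
SAMPLE_EXPORT = """name,url,username
Amazon,https://www.amazon.com,owner@mysite.example
PayPal,https://www.paypal.com,Billing@MySite.example
Hosting,https://host.example.net,admin@mail.mysite.example
Twitter,https://twitter.com,someone@gmail.com
Forum,https://forum.example.org,handle_without_email
"""

# Constructed data: domains you register yourself and their expiry dates
# (copy the real dates from your registrar's control panel).
OWN_DOMAINS = {"mysite.example": date(2025, 3, 1)}


def owning_domain(address, own_domains):
    """Return the registered domain an address depends on, or None."""
    local, at, host = address.strip().rpartition("@")
    if not at or not local:
        return None  # username is not an email address
    host = host.lower().rstrip(".")
    for domain in own_domains:
        # mail.mysite.example is lost together with mysite.example
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def audit_logins(export_text, own_domains, today, warn_days=90):
    """List accounts whose login email sits on a domain that must be renewed."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        domain = owning_domain(row["username"], own_domains)
        if domain is None:
            continue
        days_left = (own_domains[domain] - today).days
        status = ("EXPIRED" if days_left < 0
                  else "EXPIRING" if days_left <= warn_days else "OK")
        findings.append((status, days_left, row["name"], row["username"]))
    return sorted(findings, key=lambda f: f[1])  # most urgent first


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_EXPORT, OWN_DOMAINS, date(2025, 1, 15)):
        print(*finding, sep="\t")
```

Every account the script lists is one to move to an address that does not depend on your own domain registration.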