I had an interesting experience today. I got an email sent to my email@example.com address telling me that a direct debit to a specific bank account at a specific bank had been set up. My initial response was to completely ignore this as a phishing attempt. However, there were no links to grab my details, and the email address from which the email was sent seemed accurate. A few minutes later I got another email addressed to the same account telling me that my account with a 'Groupon' type site had been set up.
I decided to explore, so I went to the site and tried to log in, and of course it told me my password (which I made up on the spot) was wrong, and offered to send me a link to reset it. I agreed, and within a couple of minutes I had reset the password and logged into the account. I was then able to see information about who owned it; it was a Phil Bxxxx (name excised to limit embarrassment). I went back through my emails searching for the name and found an email from a mail order firm cancelling an order to the person with the same name, and this one gave me his address. It was a matter of a couple of moments to check this, find out that he runs some websites which linked by name to the Groupon type site, and it also gave me his phone number.
I now had his name, address, phone number, details of his bank, and part of his account number. That's a pretty long way down the road to being able to impersonate him. So I rang him up. I explained who I was, and how I had got as much of his information as I had, and asked what was going on, please? This is where it gets really insane. He's a tech guy who works for a particular company which I won't name, and he was responsible for setting up systems for members of the public to join, and in this specific case get loyalty points and rewards for purchases. So I asked him why he was using my email address. He replied: 'I didn't think it existed, I just made it up!' Seriously? He's emailing personal details to email accounts that he doesn't know, hasn't checked, and has no way of checking? Moreover, his company has not employed two-stage verification of email accounts; anyone who had any clue as to what they were doing should have set up a system that emailed my email address and said 'did you really want to set this account up?' I could then have ignored it and got on with the rest of my day.
I remain gobsmacked.