One thing I have never understood in this current age is how in the world so many companies, including ones that handle confidential data like banks, don’t require a user to verify their email address after it’s entered. I have an unfortunately very generic email address that’s easy to mistype, and I am almost every day receiving order receipts for expensive vacation hotels, bank transfer or wire transfer confirmations, a very long list of things that I should not be receiving simply because the companies sending those emails never had the user verify if they entered the right email address. They are legitimate emails, they are often addressed to someone with the same first name as me but a different last name, so that person simply typed the wrong email address accidentally.

It’s bonkers to me that there’s any developers out there working for these companies that never thought to implement simple email verification.

I have a very early gmail address. A very common first name plus two letters. It is almost unusable by now. Invoices, subscriptions, important documents about some persons real estate dealings. They all end up in my inbox.

I have around 20 or 30 google accounts attached where i am the backup email address. Those people forget their passwords or stop using their accounts and i get email notifications about that. No confirmation from my side necessary.

I set up a new address that is less likely to end up with this problem. But migrating away from the old one is not easy…

As is often repeated, the optimal amount of fraud is not zero

https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...

They are optimizing towards making it easy to purchase things on a whim.

Because confirming the email introduces friction. And everyone is optimising for low friction even if it risks private data leaks, which you can always blame on the user for typing their email wrong.

This is intentional. Email verification is friction, so it gives users a chance to reconsider whether their purchase is really necessary. This is bad for business, because they’d prefer if you were impulsive.

Also, people usually type their emails correctly, especially these days with auto-fill. So not sending confirmation emails is optimizing for the happy path.

I know e-mail has a faster round-trip, but they also don't ask you to confirm snail mail.

I think it would be quite annoying to have to verify my purchase everywhere, just like how I don't wanna sign up to every single merchant online. Let me purchase as guest without having to enter OTPs.

I am dismayed that it is legal to create an account attached to an email without validation of that email. It should be straight-up massive fine illegal to send any email other than account confirmation until validated. Validation emails should have a "do not contact me again" that works with a single click and a massive fine if it does not.

Yes it is insane. I am in same boat and have received mortgage applications, police details, applications for police jobs, massage receipts you name it. Many would be considered important leaks of customer data.

I have even had founder level emails that presumably are confidential sent to me because I share the name of someone operating in tech.

I respond or report when it's obviously some real person running a small group but for large monoliths there is very little to do except quickly reply to corporate email.

Really wish there was some kind of high level discussion about building something for this specific problem of non malicious wrong person same name errors.

Google could do it it's just not something that is monetizable at a scale they care about IMO and I have not been able to think of a way to make this work operating outside of email monoliths.

Would love to hear if anyone has ideas.

[dead]