Yesterday I got a curious, one-sentence email to the customer support address for my WordPress plugin with the subject “checkout” [sic].
Just wanted to confirm if everything went through.
The person had a weird* — but not too weird — name, and a Gmail address to match. I was immediately suspicious, but since there were no links in the email, I decided to give them the benefit of the doubt as just being a bad communicator, not a phishing attempt. I figured the worst I risked by replying was proving my email address was real, which… well, duh. So I tersely responded that there were no orders matching their name or email address.
This afternoon I got a reply:
I regret my mistake in not attaching the required files to my previous email, as I was unaware that our email system does not support large file attachments. With some assistance, I have now uploaded them to my OneDrive at [redacted] Sorry for the late response.
Don’t worry, I wasn’t stupid enough to click the link. I just blocked them and reported the phishing attempt instead. I’m glad my instinct was right, and I kind of wish I hadn’t felt the need to test it. I suspect I’m going to need to be extra vigilant about incoming emails for a while.
I definitely regret that — out of necessity — I replied with my real email address, but the support email for the plugin is just a forwarding address and can’t send email directly. Maybe it’s worth the $20/year it would take to change that.
*I feel compelled to explain what I mean by “weird,” because people can say someone has a weird name and basically mean something racist by it. That’s not the situation here. The surname was a very common English surname. The first name was the name of an animal that I have never heard used as a person’s name before.