But not, perhaps, in the way that you might imagine.
As already chronicled, some of my writing recently made it into The Guardian. As is the way of these things, The Guardian like to pay their writers, so I sent off my details to their billing department and waited for the money to come rolling in (as you do).
It turns out that, by an odd coincidence, I'm not the only Nik Clayton to write for The Guardian. I'm not even the first. This other Nick Clayton (note the extra "c") has written a number of columns for them, and they're also about technology matters.
This much became apparent when I received an e-mail from The Guardian's billing department today confirming that they had dispatched payment to me for two articles that Nick had written. This e-mail contained Nick's name and address details, and the payment details (amounts) for the articles he's written. But it also contained my bank details (account number and sort code). The money hasn't been deposited into my account yet, but I imagine it soon will be.
A bit of Googling turned up Nick's site, and a bit more Googling turned up a phone number, so I've called him, and had the slightly surreal experience of:
Good evening. Could I speak to Nick Clayton?
Hi. It's Nik Clayton here...
Now I know how Dave Gorman must feel.
I've tried calling The Guardian's billing department but the number given in the e-mail redirects to voice mail at the moment, so I'll be in touch with them again tomorrow morning.
There are at least four risks here.
First, The Guardian's billing department will apparently change the sort code, bank account, and e-mail address details that they hold for writers on the basis of a single unauthenticated e-mail. My message to them was:
Charles Arthur asked me to send my payment details for
Sort code is XX XX XX, the account number is XXXXXXXX.
Please let me know if there are any problems.
Second, when they pay their writers they send out an e-mail that contains, in the clear, the writer's name, reference number, full address, sort code, bank account number, and the values of the payments. This may well be enough to carry out a social engineering attack.
Third, this could easily have gone the other way, and my bank account details could have been forwarded to Nick Clayton. Had he been nefarious, I imagine that (given that we share the same name) these could have been used to carry out a very effective identity theft.
Fourth, had I not been quite so honest, I could probably have got away with this for some time -- at the very least, continuing to earn interest on the money that The Guardian have paid.
Hmm. I wonder if The Guardian would like to use this as the basis for an article...