Identity theft

I've just discovered that I've been an unwitting participant in an identity theft.

But not, perhaps, in the way that you might imagine.



As already chronicled, some of my writing recently made it into The Guardian. As is the way of these things, The Guardian like to pay their writers, so I sent off my details to their billing department and waited for the money to come rolling in (as you do).

It turns out that, by an odd coincidence, I'm not the only Nik Clayton to write for The Guardian. I'm not even the first. This other Nick Clayton (note the extra "c") has written a number of columns for them, and they're also about technology matters.

This much became apparent when I received an e-mail from The Guardian's billing department today confirming that they had dispatched payment for two articles that Nick had written to me. This e-mail contained Nick's name and address details, and the payment details (amounts) for the articles he's written. But it also contained my bank details (account number and sort code). The money hasn't been deposited into my account yet, but I imagine it soon will be.

A bit of Googling turned up Nick's site, and a bit more Googling turned up a phone number, so I've called him, and had the slightly surreal experience of:

Good evening. Could I speak to Nick Clayton?

Speaking

Hi. It's Nik Clayton here...

Now I know how Dave Gorman must feel.

I've tried calling The Guardian's billing department but the number given in the e-mail redirects to voice mail at the moment, so I'll be in touch with them again tomorrow morning.

There are at least four risks here.

First, The Guardian's billing department will apparently change the sort code, bank account, and e-mail address details that they hold for writers on the basis of a single unauthenticated e-mail. My message to them was:

Charles Arthur asked me to send my payment details for

http://technology.guardian.co.uk/online/insideit/story/0,,1954392,00.html

to you.

Sort code is XX XX XX, the account number is XXXXXXXX.

Please let me know if there are any problems.


Second, when they pay their writers they send out an e-mail that contains, in clear, the writer's name, reference number, full address, sort code, bank account number, and the values of the payments. This may well be enough to carry out a social engineering attack.

Third, this could easily have gone the other way, and my bank account details could have been forwarded to Nick Clayton. Had he been nefarious I imagine that (given that we share the same name) these could have been used to carry out a very effective identity theft.

Fourth, had I not been quite so honest I could probably have got away with this for some time -- at the very least, continuing to earn interest on the money that The Guardian have paid.

Hmm. I wonder if The Guardian would like to use this as the basis for an article...

4 comments:

  1. Thanks for being so honest, Nik. It's not an ideal time to find that money you were expecting has gone elsewhere.

    Actually a friend of mine who shall remain nameless (you'll see why) has benefited from a similar error in the past. In his case though the person he was being paid for didn't exist.

    This may sound bizarre, but it results from a practice that isn't uncommon in newspapers. All papers subscribe to wire services such as Press Association and Reuters. But what some of them do is to invent a name for a reporter to attach to these stories. Particularly on a page with lots of wire copy it can otherwise look as if there aren't many journalists. My friend had the good fortune (and lack of honesty) to share names with the fictitious reporter on a paper for which he wrote occasionally.

    Well that's probably baffled everybody!

  2. Googling Nick Clayton, it seems your cheque might equally have been sent to a goat veterinarian in Worcester, a Malvern Town footballer, a Devon furniture maker, a rapist in Derby or even me.
    The Guardian have occasionally published my letters or corrections but so far without financial acknowledgement.

    Best
    Nick Clayton

  3. I was going to name myself Nicholas Clayton for the purposes of this comment but that would just be pushing the realms of believability methinks.

    I'm curious to know how The Guardian resolved this matter and what, if any, safeguards they may have put in place to prevent reoccurrence?

  4. The Guardian paid me correctly, reasonably promptly, and, AFAIK, sent the correct amount to Nick Clayton pretty quickly too. They said they'd get in touch to request the amount they'd overpaid back.

    And a few weeks back (just prior to departing for .ch) I received a letter from RBS asking for the money back, which I duly sent back (minus a £12 administration fee that I decided to charge them).

    As to safeguards that have been put in place -- I couldn't tell you, I'm afraid. So far, that's my one and only paid piece for them.
