It was bound to happen. Large lists of account details have been leaked that were compromised through phishing, where the owners of the accounts replied to emails requesting their passwords and, in some cases, the login details to alternative accounts. We put out a message at LSE fairly frequently that people should never hand out their usernames and passwords to anyone – hopefully a fairly unambiguous statement. And yet, we still get people doing it.
I have tried to do a little research into why people continually reply to these messages, and the answer I usually get is that the email making the request “looked official”.
If you have any ideas on how to get the message across, I’d be very interested.