by written 2999 days ago
It's a user's problem. If a user is willing to click through some unsolicited email and pay, he will probably click on the verification link too if the service sent one.

It's still a statistics game. Not everyone would pay without verification and not everyone would click the big green button in the verification mail, but some people will without realizing what's up, just like people fall for Nigerian scam mails.

There's no technical solution, only education can help.


I believe there is a technical solution. The verification link should ask you for a password or a passcode of some sort which is provided to you out-of-band --- i.e., not via email. For example, the webpage where you sign up can give you a short 6-digit passcode for the purpose of validating your email. Then the link that you are sent via your email directs you to a form that asks you for the passcode. That way another person can't validate the email if you mistype your email address as their email address and the validation link is sent to them.
That's pretty good. It would require some serious gullibility to defeat. If it's an active attack, the attacker may send a second mail with the passcode and instruct the user to enter it.

Though people are forwarding their second factor SMS confirmation codes for their banking accounts to attackers upon request, so it's not too far fetched someone would find a way to trick some users to enter it.

Here's one study about the phenomenon (the N is basically zero, but this happens and banks are warning people against doing this):

https://engineering.nyu.edu/files/VCFA_PasswordsCon15.pdf

Lots of services send me legitimate e-mails asking me to update my credit card information. I'm supposed to click on those. They come from Netflix and all of the text in the e-mail tells me to click on them. I don't click on them because I don't trust links from e-mails, but I'm supposed to.

No service ever sends me account verification e-mails for existing accounts. I'm not supposed to click on those. The text in the e-mail has instructions about whether I should click on it. This makes it different from the credit card e-mail.

You don't click because you're educated in these matters. Most people are not.
Not clicking on the credit card update e-mail requires being educated in these matters. Not clicking on the account verification e-mail just requires reading the e-mail before clicking. I think that's an important distinction.
Depends on the service. I've seen verification e-mails that just contain a link with no other text. Or with texts like "Continue here: [link]".