Monday, August 4, 2008

New Phishing Storm Aimed at PayPal

Today Richard Brewer-Hay, the eBay corporate blogger, had a post about PayPal's 10th birthday on eBayInkBlog.

To celebrate the occasion, the phishing crooks & scammers have unleashed a storm of phishing emails.

On July 7th Richard had a post about phishing. I commented at the time,

The simplest, safest and most secure way to put an end to PayPal phishing would be for PayPal to cease putting clickable links in emails. Any customer communication requiring input from customers should be on the secure site.

“You have a message from PayPal which requires response, please log in to your account to access it.”

About three weeks later somebody called Square said,
Henrietta’s suggestion sounds simple enough, but it was already done in the last year and then changed back. I don’t think there was any explanation when it happened or was reversed, I’m guessing that enough sellers, who get tons of these emails and end up clicking on the transaction link to get more info, complained about the inconvenience. It may be like a safer approach, but it’s also creating an extra step to check on your payments, which is a pain when it multiplies out many times.

I have no knowledge whatsoever of PayPal doing what Square says they did; you would think I might have noticed, since last year I was still selling actively on eBay and I accept PayPal on my website, but whatever. Personally I would never, ever, click on a link in an email purporting to be from either eBay or PayPal. My advice to you, dear reader, would be to do the same, send them straight to

I have received three very high quality and almost believable Phishing communications today. You can see two of them here and here. Links have been disabled!

Giving credit where it is due, PayPal responds very fast to reported phishing attempts.
Dear XXX,

Thanks for taking an active role by reporting suspicious-looking emails.
The email you forwarded to us is a phishing email, and our security team
is working to disable it.

Do you have any knowledge of PayPal ending clickable links in email messages last year and then reversing it?

Y'all come back


Anonymous said...

I've gotten a few of those scams. The one thing I take note of is that all my correspondence with eBay and PayPal originating from one of those organizations contains my name or business name. When I get one that does not have my name or business name...PHISHING!

Anony Mouse

Justin Seibert said...

@Henrietta - Great point. You are 100% correct that the best way to cut down on it would be for them to remove links in all outgoing mail.

I wonder if that wouldn't hurt eBay's corporate and seller revenues.

Quick disclaimer - I'm a total eBay neophyte. I 'won' my first auction last Friday and don't have 0.0001% of the knowledge you do about eBay. I can only comment from my semi-virgin eyes.

2 quick thoughts related to the revenues:

1. Would folks buy fewer items and bid less frequently without reminders where they can click directly through to the product they're watching? I probably would, but again, I'm an atypical user, assuming that most buyers are not one-time or brand new.

2. How many of the people getting caught up in the scams are eBay users? If they're in eBay's database, eBay can send out an announcement about the new policy (I think I even got one about being wary of phishing scams like a year or two ago even though I had never purchased or bought anything). If the folks getting taken are not users and not able to be reached with a warning, would the policy change matter?

I don't know what statistics are out there, but it certainly seems like it would make sense for eBay to gather data and do some testing.

Again - you're right on. I don't personally click on links from any corporate emails unless it's something I'm expecting. I would just hate for eBay to do a sweeping change and have sellers get hurt in the process.

Your thoughts? I'm sure I'm missing something here.

Henrietta said...

@ Mouse
Both of these phishing emails had my company name on them, that is why I said 'almost believable' in my post.

@ Justin
First, welcome to RedINK. Semi-virgin is a very eBay concept!

What you are missing is that eBay & PayPal are two different entities owned by the same corporation. What is sound business practice and a normal part of marketing for a sales venue is unsafe and insecure for a financial institution, i.e. PayPal. I wrote about PayPal.

eBay needs to remind potential buyers of events as indicated on their contact preferences, with links. If PayPal has an issue their customer needs to address, the customer should be directed to log in without a link.

I should probably also write about phishing to obtain your eBay ID & login for hijacking purposes, but I don't have a simple solution to that one.